Memorandum for multi-domain PKI interoperability
http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt
http://www.jnsa.org/mpki/
mpki@jnsa.org
Masaki SHIMAOKA shimaoka@secom.ne.jp
Motivations (Actual operational issues)
• Japanese GPKI is based on Bridge CA architecture.
  • Needed various interoperability experiments
  • Raised not only technical issues, but many operational issues.
• Bridge CA MUST be neutral and strict.
  • Needs domain certification criteria.
  • MUST restrict connections with irregular trust models that lack interoperability.
• Some confusing examples
  • CA-X cross-certifies subordinate CA-Y of another domain.
    • Does CA-X not trust the superior CA-Z of CA-Y, though the ARL of CA-Y is issued by CA-Z?
    • How does CA-X trust and verify the ARL issued by CA-Z?
  • CA-X and CA-Y cross-certify each other mutually.
    • When CA-X updates its cross-certificate, does CA-Y not re-generate the crossCertificatePair?
  • CA-X only populates its self-signed certificate internally, to its own domain.
    • This CA-X looks like a subordinate CA from outside.
What's the issue? (Theoretical issues)
• How does a Relying Party (RP) trust another CA?
  • Cross-certification from the trust anchor of the RP.
    • Single trust point model
  • Trust the other CA directly.
    • Multi trust point model
• What is a PKI domain?
• Which CAs SHOULD be recognized as the same PKI domain?
• How should we trust another PKI domain?
Objectives & Scope
• Objectives
  • To achieve multi-domain PKI interoperability
    • We have no standard for multi-domain PKI.
  • To limit irregular PKIs in multi-domain PKI
    • What kind of PKI has interoperability, and what kind does not?
• Scope
  • To establish the guideline for PKI domain certification criteria
    • Establish a trust relationship between CAs
    • Establish a trust model for multi-domain PKI
  • As Best Current Practice, not a specification
Contents of the Document
• Introduction
• Terminology
• Trust Relationship
  • Define the trust relationship between CAs
• Single-domain PKI
  • Define the model for single-domain PKI
• Multi-domain PKI
  • Define the model for multi-domain PKI
• Considerations
Section 3: Trust Relationship
• Trust List
  • List of trusted CA certificates
  • User Trust List is managed by the individual user
  • Authority Trust List is managed by a trusted authority (CA)
• Cross-Certification
  • Unilateral cross-certification
  • Bi-lateral cross-certification
• Subordination
  • Peculiar unilateral cross-certification
  • Subordinate CA has no self-signed certificate.
Section 4: Single-domain PKI
• Define the models suitable for participants in multi-domain PKI
  • Simple PKI
  • Hierarchy PKI
  • Mesh PKI
[Figure: Simple, Hierarchy and Mesh PKI diagrams. Legend: CAs (a translucent CA is not a trust anchor); EEs colored the same as their trust anchor; issued certificate; issued self-signed certificate]
Section 5: Multi-domain PKI
• Multi-trust point model
  • Trust List
• Single-trust point model
  • Peer-to-Peer model
    • based on cross-certification
  • Super domain model
    • based on unilateral cross-certification
  • Hub model
    • a.k.a. Bridge CA model
[Figure: Trust List, Peer-to-Peer, Super Domain and Hub model diagrams, each showing a relying party (RP)]
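The trust models of Section 5 and the CA-X/CA-Y/CA-Z case from the Motivations slide can be compared as certification-path searches from a relying party's trust anchors. This is an added example, not code from the Internet-Draft or the Challenge PKI project. It assumes a name-only graph (no signatures, validity periods, constraints or policy mapping); CA-A, CA-B, CA-C and Bridge are constructed names.

```python
from collections import deque

def find_path(certs, trust_anchors, target):
    """Shortest certification path from any trust anchor to `target`.

    certs: set of (issuer, subject) pairs, one per CA certificate or
    cross-certificate. Returns a list of CA names, or None if no path exists.
    """
    queue = deque([a] for a in sorted(trust_anchors))
    seen = set(trust_anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for issuer, subject in sorted(certs):
            if issuer == path[-1] and subject not in seen:
                seen.add(subject)
                queue.append(path + [subject])
    return None

def bilateral(a, b):
    """Bi-lateral cross-certification: each CA issues a certificate to the other."""
    return {(a, b), (b, a)}

# Constructed sample domains (illustrative names, not from the slides).
PEER_TO_PEER = bilateral("CA-A", "CA-B") | bilateral("CA-B", "CA-C")
HUB = (bilateral("Bridge", "CA-A") | bilateral("Bridge", "CA-B")
       | bilateral("Bridge", "CA-C"))
# Motivations slide: CA-X unilaterally cross-certifies CA-Y, which is
# subordinate to CA-Z; the ARL of CA-Y is issued by CA-Z.
CONFUSING = {("CA-X", "CA-Y"), ("CA-Z", "CA-Y")}

def demo():
    return {
        # Multi-trust point: the RP holds both CAs in its trust list.
        "trust_list": find_path(set(), {"CA-A", "CA-C"}, "CA-C"),
        # Single-trust point: the RP trusts only CA-A.
        "peer_to_peer": find_path(PEER_TO_PEER, {"CA-A"}, "CA-C"),
        "hub": find_path(HUB, {"CA-A"}, "CA-C"),
        # The RP under CA-X reaches CA-Y but not the ARL signer CA-Z.
        "confusing_ca_y": find_path(CONFUSING, {"CA-X"}, "CA-Y"),
        "confusing_arl_signer": find_path(CONFUSING, {"CA-X"}, "CA-Z"),
    }

if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:22} {' -> '.join(path) if path else 'no path'}")
```

The last result is the gap behind the slide's question: a relying party anchored at CA-X has a path to CA-Y, yet no path to the CA-Z key that signs the ARL.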
Section 6: Considerations
• Certificate & CRL Profile
  • Consider some extensions for achieving multi-domain PKI interoperability
• Repository
  • Consider how to obtain the required information for path construction and validation in multi-domain PKI
• Path Validation
  • Consider the path validation algorithm and parameters for multi-domain PKI
• Inter-domain consensus for cross-certification
  • Policy mapping
  • Validity of each cross-certificate
• Validity of self-signed certificate
  • Consider each CA key update
To Do
• To make the relation between PKI domain and domain policy concrete
• To consider the Hub model further
  • Too complex
• To clarify the relation with other dependent specifications
• To consider hybrid (heterogeneous) trust models
  • CA-X trusts CA-Y by unilateral cross-certification
  • CA-Y trusts CA-X by trust list
• I want co-authors
Related Resources
• Challenge PKI project Homepage
  • Multi-domain PKI Interoperability Framework
  • http://www.jnsa.org/mpki/
• Internet-Draft for this
  • http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt
• Implementation Problems on PKI
  • http://www.ipa.go.jp/security/fy13/report/pki_interop/chalange2001.html
• Interoperability Issues for multi-domain PKI
  • http://www.jnsa.org/mpki/Interoperability_mPKI.pdf
Interoperability experiments I had joined
• Japanese GPKI interoperability experiments
  • Interconnecting GPKI BCA with some governmental CA and private CA
  • Path validation and path control using some constraints
  • http://www.gpki.go.jp/ [Sorry, Japanese only]
• JKST-IWG (JP, KR, SG, CT Interoperability WG of ASIA PKI Forum)
  • International CA-CA interoperability experiments
  • Path processing experiments
  • PKCS#11 API interoperability experiments
  • http://www.japanpkiforum.jp/JKSHT-02/index.htm
  • English available, but not enough yet
• JNSA/IPA Challenge PKI 200x
  • CA-CA Interoperability Experiments (2001)
  • PKI Interoperability Test Suite (2002)
  • http://www.jnsa.org/mpki/
  • Ready for English
Thank you. Masaki SHIMAOKA shimaoka@secom.ne.jp http://www.jnsa.org/mpki/