UTF8String Deployment Status and Migration Plan Akira KANAOKA <a-kanaoka@secom.co.jp> Challenge PKI Project Japan Network Security Association Sponsored by IT Promotion Agency, Japan
Agenda • Problem statement • Project : Survey of UTF8String Problem in PKI Certificates • UTF8String Deployment Status in Asia • Ongoing Works • Migration plan for UTF8String • Test case design for UTF8String implementation UTF8String Deployment Statement and Migration Plan
Problem statement • Deadline for migration in RFC 3280 • 31st Dec. 2003 • Canceled in 3280bis • Lack of description to migrate in 3280. • Detailed string matching • Migration Plan • Certificate and CRL/ARL issuance during migration • Gap between CA and client implementation
Survey of UTF8String Problem in PKI Certificates • Explanation of the problem • Proposal for UTF8String migration • Survey • Product implementation • UTF8String deployment status in Asia • IETF activity around UTF8String • Test case design for UTF8String implementation • Migration Plan for UTF8String
UTF8String Deployment Status in Asia • Examined whether CAs use UTF8String for directoryName in certificates • Examined whether CAs use local characters in UTF8String • Local character: e.g. CJK (Chinese, Japanese, Korean) • Surveyed with a prepared questionnaire • Sent to members of “the Asia PKI Forum (APKI-F)” • 9 Countries and Regions
Replies to the Questionnaire • Sent to 9 countries and regions • Replies from 3 countries and regions (11 CAs) • [Table: Countries and Regions, CA Type]
Encoding Used in Each Field • [Table: encoding used in each field] • Legend: U: UTF8String (except country), P: PrintableString, I: IA5String, B: BMPString, -: not used • CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint • :local character used
Encoding Used in Each Field (cont.) • [Table: encoding used in each field] • Legend: U: UTF8String (except country), P: PrintableString, I: IA5String, B: BMPString, -: not used • CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint • :local character used • Most CAs already use UTF8String. • Most CAs use local characters.
Compliance with RFC 3280 and its Migration Plan
Additional Survey • UTF8String use in MS Windows Root Certificate Store • OS: Windows XP (Japanese) • as of January 2005 • No certificate uses UTF8String. • 107 certificates in the certificate store • No certificate issued after 31st Dec. 2003
Conclusion: UTF8String Deployment Status in Asia • Contrast between Government CAs and Commercial CAs • Most Government CAs use UTF8String (by Questionnaire) • No Commercial CA uses UTF8String (by MS Windows Certificate Stores) • Asian Government CAs hope to use local characters. • Most governments use local characters for register information.
Conclusion (cont.): UTF8String Deployment Status in Asia • Few CAs have a migration plan to UTF8String • Most Government CAs use UTF8String from the beginning. • There is only one case having a migration plan. • Deadline of the case: November, 2005 • A best practice for using or migrating to UTF8String is needed. • We don’t have any guideline.
Ongoing Project • Migration Plan • CA certificate • Re-issue or re-build • CRL encoding after migration of CA certs • ‘Keeping legacy encoding’ or ‘Using UTF8String’ • Need to publish this as informational RFC? • Test Case Designing • Typical case of: • path building (‘different encoding’ and ‘comparison rules’) • Revocation checking • Providing the Test data of: • Sample Certificate and CRL • Available by the end of this month on our web site
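The ‘different encoding’ and ‘comparison rules’ path-building case, as an added example that is not part of the original slides: the same CA name encoded as PrintableString and as UTF8String differs byte for byte, so a binary issuer/subject comparison fails, while a comparison of decoded values succeeds. The names are constructed, and `canon` is a simplified stand-in for the stringprep-based rules, not the 3280bis profile.

```python
import unicodedata

# ASN.1 universal tags for the string types in the slides' legend.
TAGS = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
        0x16: ("IA5String", "ascii"), 0x1E: ("BMPString", "utf-16-be")}
C, O = bytes.fromhex("0603550406"), bytes.fromhex("060355040a")  # countryName, organizationName

def tlv(tag, body):  # DER TLV, short-form length (enough for the samples)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):  # -> (tag, body, next_pos), short or long length
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits count the length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_name(attrs):  # Name = SEQUENCE OF SET OF SEQUENCE {oid, string}
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, oid + tlv(tag, s.encode(TAGS[tag][1]))))
                              for oid, tag, s in attrs))

def parse_name(der):
    """Return [(oid_body, string_type, text)] for every attribute in a Name."""
    out, pos = [], 0
    _, rdns, _ = read_tlv(der, 0)
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)
        p = 0
        while p < len(rdn):  # an RDN may hold several attributes
            _, atv, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(atv, 0)
            tag, val, _ = read_tlv(atv, q)
            out.append((oid, TAGS[tag][0], val.decode(TAGS[tag][1])))
    return out

def canon(text):  # simplified stand-in for the stringprep-based rules
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def match_key(der):  # attribute type + canonical text; string type dropped
    return [(oid, canon(text)) for oid, _, text in parse_name(der)]

def names_match(a, b):
    return match_key(a) == match_key(b)

# Constructed names: the same CA before and after a switch to UTF8String.
OLD_SUBJECT = build_name([(C, 0x13, "JP"), (O, 0x13, "Example CA")])
NEW_ISSUER = build_name([(C, 0x13, "JP"), (O, 0x0C, "Example CA")])
BMP_NAME = build_name([(C, 0x13, "JP"), (O, 0x1E, "認証局")])
UTF8_NAME = build_name([(C, 0x13, "JP"), (O, 0x0C, "認証局")])
```

`parse_name` also reports the string type of each attribute, which is the check the root-store survey describes: any `UTF8String` entry in a certificate's subject or issuer shows up in its output.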
Reference • JNSA Challenge PKI Project • http://www.jnsa.org/mpki/ • RFC 3454 - Preparation of Internationalized Strings ("stringprep") • http://www.ietf.org/rfc/rfc3454.txt • 3280bis • http://csrc.nist.gov/pki/documents/PKIX/draft-ietf-pkix-rfc3280bis-00.txt
Appendix: Questionnaire outline • Certificate and CRL/ARL • Kind of local character (e.g. CJK) • Kind of encoding for directoryName • Kind of CCS • Difference between CA self-signed certificate and EE certificate • Migration Plan to UTF8String • Plan existence • Migration deadline, reason • Migration reference existence