Memorandum for multi-domain PKI interoperability http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt - PowerPoint PPT Presentation
Title:
Memorandum for multi-domain PKI interoperability http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt
Description:
Title: Memorandum for multi-domain PKI interoperability Author: shima Last modified by: Rebecca Bunch Created Date: 7/3/2003 5:45:29 AM Document presentation format – PowerPoint PPT presentation
Number of Views:134
Avg rating:3.0/5.0
Title: Memorandum for multi-domain PKI interoperability http://www.jnsa.org/mpki/draft-shimaoka-multidomain-pki-00.txt
1
Memorandum for multi-domain PKI interoperability
http//www.jnsa.org/mpki/draft-shimaoka-multidomai
n-pki-00.txt
- http//www.jnsa.org/mpki/
- mpki_at_jnsa.org
- Masaki SHIMAOKA
- shimaoka_at_secom.ne.jp
2
Motivations(Actual operational issues)
- Japanese GPKI is based on Bridge CA architecture.
- Needed various interoperability experiments
- Raised not only technical issues, but many
operational issues. - Bridge CA MUST be neutral and strict.
- Needs domain certification criteria.
- MUST restrict connecting with irregular trust
model which has not interoperability. - Some confusing example
- CA-X cross-certifies subordinate CA-Y of another
domain. - Does CA-X trust not the superior CA-Z of CA-Y,
though the ARL of CA-Y is issued by CA-Z? - How does CA-X trust and verify the ARL issued by
CA-Z? - CA-X and CA-Y cross-certify each other mutually.
- When CA-X updates cross-certificate, does CA-Y
re-generate not crossCertificatePair? - CA-X only populate self-signed certificate to own
domain internally. - This CA-X looks like subordinate CA from outside.
3
Whats issue?(Theoretical issues)
- How does Relying-Party (RP) trust other CA?
- Cross-Certification from Trust Anchor of RP.
- Single trust point model
- Trust the other CA directly.
- Multi trust point model
- What is PKI domain?
- Which CA SHOULD be recognized as same PKI domain?
- How should we trust other PKI domain?
4
Objectives Scope
- Objectives
- To Achieve multi-domain PKI interoperability
- We have No standard for multi-domain PKI.
- To limit irregular PKI in multi-domain PKI
- What kind of PKI does have interoperability, or
not have? - Scope
- To Establish the guideline for PKI domain
certification criteria - Establish a trust relationship between CAs
- Establish a trust model for multi-domain PKI
- As Best Current Practice, not specification
5
Contents of the Document
- Introduction
- Terminology
- Trust Relationship
- Define the trust relationship between CAs
- Single-domain PKI
- Define the model for single-domain PKI
- Multi-domain PKI
- Define the model for multi-domain PKI
- Considerations
6
Section 3 Trust Relationship
- Trust List
- List of trusted CA certificate
- User Trust List is managed by individual user
- Authority Trust List is managed by trusted
authority (CA) - Cross-Certification
- Unilateral cross-certification
- Bi-lateral cross-certification
- Subordination
- Peculiar unilateral cross-certification
- Subordinate CA has no self-signed certificate.
7
Section 4 Single-domain PKI
- Define the suitable models for participant to
multi-domain PKI - Simple PKI
- Hierarchy PKI
- Mesh PKI
CAs (translucent is not Trust Anchor) EEs
colored the same as their trust anchor issued
certificate issued self-signed certificate
Mesh
Hierarchy
Simple
8
Section 5 Multi-domain PKI
Trust List
- Multi-trust point model
- Trust List
- Single-trust point model
- Peer-to-Peer model
- based on cross-certification
- Super domain model
- based on unilateral cross-certification
- Hub model
- a.k.a Bridge CA model
RP
Peer-to-Peer
RP
Super Domain
Hub
RP
RP
9
Section 6 Considerations
- Certificate CRL Profile
- Consider some extensions for achieving
multi-domain PKI interoperability - Repository
- Consider how to obtain the required information
for path construction and validation in
multi-domain PKI - Path Validation
- Consider the path validation algorithm and
parameters for multi-domain PKI - Inter-domain consensus for cross-certification
- Policy mapping
- Validity of each cross-certificate
- validity of self-signed certificate
- Consider each CA key update
10
To Do
- To concretize a relation between PKI domain and
domain policy - To consider more about Hub model
- Too complex
- To clear a relation with other dependent
specification - To consider about hybrid (heterogeneous) trust
model - CA-X trusts CA-Y by unilateral cross-certification
- CA-Y trusts CA-X by trust list
- I want co-authors ?
11
Related Resources
- Challenge PKI project Homepage
- Multi-domain PKI Interoperability Framework
- http//www.jnsa.org/mpki/
- Internet-Draft for this
- http//www.jnsa.org/mpki/draft-shimaoka-multidomai
n-pki-00.txt - Implementation Problems on PKI
- http//www.ipa.go.jp/security/fy13/report/pki_inte
rop/chalange2001.html - Interoperability Issues for multi-domain PKI
- http//www.jnsa.org/mpki/Interoperability_mPKI.pdf
12
Interoperability experimentsI had joined
- Japanese GPKI interoperability experiments
- Interconnecting GPKI BCA with some governmental
CA and private CA - Path validation and path control using some
constraints - http//www.gpki.go.jp/ Sorry, Japanese only
- JKST-IWG (JP,KR,SG,CT Interoperability WG of ASIA
PKI Forum) - International CA-CA interoperability experiments
- Path processing experiments
- PKCS11 API interoperability experiments
- http//www.japanpkiforum.jp/JKSHT-02/index.htm
- English available, but not enough yet
- JNSA/IPA Challenge PKI 200x
- CA-CA Interoperability Experiments (2001)
- PKI Interoperability Test Suite (2002)
- http//www.jnsa.org/mpki/
- Ready for English
13
Thank you.
- Masaki SHIMAOKA
- shimaoka_at_secom.ne.jp
- http//www.jnsa.org/mpki/
Recommended
CrystalGraphics Presentations
