
Re: request for reviewing our interoperability experiment report



Dear Nakagawa-San,
May I offer some comments not so much on the report itself, but
on the architectures that you are working with?  The described
CA structures represent one of three IMO entirely different ways
to apply PKI:

1. The "Classic".  Often uses Cross-Certification (CC) and is fairly complex.
    Used by the FED-PKI and the PKIs described in the report.  Adding
    CP extensions as "application trust filters", things get even more complex
    to scale up, as the extensions are (and will likely continue to be) never
    agreed upon except within certain "communities".  It is interesting to
    note that AFAIK no commercial TTP CA makes its
    issuance depend on CP extensions.  I.e., they all use the
    "universal issuing formula" CA <=> Policy.

2. Relying-party-only.  RP=CA.  Limited interoperability concerns but
    potentially awkward out-of-band RA arrangements when the number
    of external partners increases.

3. The bank-model PKI [*].  Builds on legacy IT architectures and is
    simpler (but orders of magnitude more flexible) compared to the "Classic".
Short "promotional" description: http://www.x-obi.com/OBI400/b2bsign.pdf
Long(-winded) description: http://www.x-obi.com/OBI400/pki4org.pdf

Regarding interoperability, I noted that you did not mention the four-corner
model which, if I'm not misinformed, is possibly to be used by the coming Japanese
government PKI hosted by Identrus.  This system eliminates CC and
interoperability (as it is a closed trust network) but dramatically
complicates RP software handling, as there are no standards for
managing independent (they all are) four-corner trust networks.
Most of these competing trust networks require you to pay license
fees and only use certified software.  This is how the Swedish
banks currently operate.  A short [negative] description of four-corner:
http://www.x-obi.com/OBI400/e-government-ID-A.Rundgren.pdf

Press-release indicating that the Japanese government indeed
is considering supporting four-corner models:
http://www.identrus.com/company/press_releases/release_030717.html

Regards
Anders Rundgren

*] My participation in more or less related standards:
http://shibboleth.internet2.edu/minutes/SHIB-05-Sept-2001.html


----- Original Message ----- 
From: "Nakagawa" <nakagawa@xxxxxxxxxxxxxxxx>
To: <ietf-pkix@xxxxxxx>
Cc: <suishin3@xxxxxxxxxxxxxxxxxxxx>
Sent: Monday, September 29, 2003 11:50
Subject: request for reviewing our interoperability experiment report



Dear PKIX list members,

Korea PKI Forum, PKI Forum Singapore, Chinese Taipei PKI Forum, and Japan
PKI Forum are pleased to announce the completion of the Final Report for
the Experiment in PKI Interoperability in the Asia region in 2002. These
four countries/areas have been conducting the Experiment in PKI
Interoperability since 2001, and compiled the first report, for the 2001
experiment, in the middle of 2002. The report compiled this time is an
extended version of the previous one.

In 2002, we conducted three experiments, as follows:

1) CA-CA Interoperability Experiment with Cross Certification / Cross
Recognition models;

2) Path Processing Experiment, intended to resolve the certificate path
processing issues of repositories by clarifying the path processing logic
described in RFC 3280;

3) PKCS#11 Experiment, attempting to approach PKI application
interoperability using a commonly defined API (application interface).
The Final Report contains the recommended technical specifications and
the lessons learnt, which are valuable for CA operators, VAs (validation
authorities) and application developers when dealing with relevant
interoperability matters.

In addition to this overall project result document, five other documents
were developed as appendices, which are:
- Appendix 1. IWG Recommended Profiles
- Appendix 2. CA-CA Interoperability Interface Specification for
experiment
- Appendix 3. Certificate Path Processing Implementation Guideline
- Appendix 4. Certificate Path Processing Testing Guideline
- Appendix 5. PKCS#11 Testing

It would be highly appreciated if IETF members examined the
report and let us know your thoughts/comments.
You can download the report and the appendix from:

Achieving PKI Interoperability 2003 -Results of the JKST-IWG Interoperability project-
http://www.japanpkiforum.jp/shiryou/IWG_2002/FinalReport2003-Version1.0.pdf
Appendix
http://www.japanpkiforum.jp/shiryou/IWG_2002/Appendix.pdf

Regards,

-- 
Hiroyuki Nakagawa
Japan PKI Forum
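Added worked example (editor's addition; not code from either message, from the JKST-IWG report, or from Anders Rundgren's or the Japan PKI Forum's own software): the "Classic" cross-certification model from point 1 of the reply, processed the way the RFC 3280 path-processing experiment in item 2 of the announcement exercises it. It builds a two-domain PKI in memory (Root A as the relying party's trust anchor, Root B as a foreign domain that A cross-certifies with pathLenConstraint 0, and end entities under B), then runs a deliberately reduced RFC 3280 section 6.1 validator over several paths. It assumes the third-party `cryptography` package; all names, keys, serials and the two policy OIDs under the arc 1.3.6.1.4.1.99999 are constructed for the example, not taken from any real deployment. The validator checks signature chaining, validity, issuer-name chaining, basicConstraints/pathLenConstraint and a running intersection of certificate policies (the "application trust filter" in the reply); it does not do revocation, name constraints, policy mappings, anyPolicy or inhibit handling, so it is an illustration of the logic, not a conformant RFC 3280 implementation.

```python
"""Cross-certified path processing, reduced from RFC 3280 section 6.1.
Constructed two-domain PKI (Root A, Root B, EEs) and a simplified validator."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2003, 10, 1, tzinfo=timezone.utc)  # evaluation time for the demo
# Hypothetical policy OIDs (constructed, not registered anywhere).
POLICY_COMMUNITY = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")  # agreed by both domains
POLICY_B_LOCAL = x509.ObjectIdentifier("1.3.6.1.4.1.99999.2")    # used inside domain B only


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject, key, issuer, issuer_key, *, ca, pathlen=None, policies=()):
    """Issue a cert for `key` (subject) signed by `issuer_key`; ECDSA/SHA-256."""
    b = (x509.CertificateBuilder()
         .subject_name(name(subject)).issuer_name(name(issuer))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(days=1))
         .not_valid_after(NOW + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=pathlen), critical=True))
    if policies:
        b = b.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(p, None) for p in policies]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def validity_window(cert):
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:  # cryptography < 42 only exposes naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))
    return nb, cert.not_valid_after_utc


def cert_policies(cert):
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return set()
    return {p.policy_identifier for p in ext.value}


def validate_path(anchor, path, accepted_policies, at=NOW):
    """path runs from the cert issued by the anchor to the end entity.
    Returns (True, 'ok') or (False, reason) for the first failed check."""
    working_key, working_issuer = anchor.public_key(), anchor.subject
    max_path_length = len(path)               # RFC 3280 6.1.2 (k)
    valid_policies = set(accepted_policies)   # user-initial-policy-set
    for i, cert in enumerate(path, 1):
        try:  # 6.1.3 (a)(1): signature verifies under the working public key
            working_key.verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"cert {i}: signature does not verify"
        nb, na = validity_window(cert)        # 6.1.3 (a)(2)
        if not nb <= at <= na:
            return False, f"cert {i}: outside validity period"
        if cert.issuer != working_issuer:     # 6.1.3 (a)(4): name chaining
            return False, f"cert {i}: issuer name mismatch"
        # 6.1.3 (d), reduced: intersect asserted policies (no mappings, no anyPolicy)
        valid_policies &= cert_policies(cert)
        if not valid_policies:
            return False, f"cert {i}: no acceptable certificate policy"
        if i < len(path):                     # 6.1.4: prepare for the next cert
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not bc.ca:                     # (k)
                return False, f"cert {i}: not a CA certificate"
            if max_path_length <= 0:          # (l)
                return False, f"cert {i}: pathLenConstraint exceeded"
            max_path_length -= 1
            if bc.path_length is not None:    # (m)
                max_path_length = min(max_path_length, bc.path_length)
            working_key, working_issuer = cert.public_key(), cert.subject
    return True, "ok"


def build_demo_pki():
    ka, kb, ksub, k1, k2, k3 = (ec.generate_private_key(ec.SECP256R1()) for _ in range(6))
    root_a = make_cert("Root A", ka, "Root A", ka, ca=True, policies=[POLICY_COMMUNITY])
    root_b = make_cert("Root B", kb, "Root B", kb, ca=True,
                       policies=[POLICY_COMMUNITY, POLICY_B_LOCAL])
    # A cross-certifies B under the shared policy; pathLen 0 means only certs
    # issued directly by B are reachable from A through this cross-cert.
    cross_a_b = make_cert("Root B", kb, "Root A", ka, ca=True, pathlen=0,
                          policies=[POLICY_COMMUNITY])
    return dict(
        root_a=root_a, root_b=root_b, cross_a_b=cross_a_b,
        ee=make_cert("alice", k1, "Root B", kb, ca=False, policies=[POLICY_COMMUNITY]),
        ee_local=make_cert("bob", k2, "Root B", kb, ca=False, policies=[POLICY_B_LOCAL]),
        sub_b=make_cert("Sub B", ksub, "Root B", kb, ca=True, policies=[POLICY_COMMUNITY]),
        ee_sub=make_cert("carol", k3, "Sub B", ksub, ca=False, policies=[POLICY_COMMUNITY]))


def run_demo():
    p, rp = build_demo_pki(), {POLICY_COMMUNITY}  # RP accepts only the community policy
    return {
        "cross_certified_ee": validate_path(p["root_a"], [p["cross_a_b"], p["ee"]], rp),
        "local_policy_only": validate_path(p["root_a"], [p["cross_a_b"], p["ee_local"]], rp),
        "too_deep": validate_path(p["root_a"], [p["cross_a_b"], p["sub_b"], p["ee_sub"]], rp),
        "direct_in_domain_b": validate_path(p["root_b"], [p["ee"]], rp),
        "wrong_anchor": validate_path(p["root_b"], [p["cross_a_b"], p["ee"]], rp),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:20s} {result}")
```

The five cases show what the reply's point 1 means in practice: the same end-entity certificate validates directly inside domain B and, via the cross-certificate, from Root A; B's sub-CA hierarchy is cut off by the pathLenConstraint A placed in the cross-certificate; a certificate B issued under its local-only policy is rejected by an RP that filters on the community policy, even though its signature and name chain are fine; and a path presented under the wrong anchor fails at the first signature check.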