
Re: request for reviewing our interoperability experiment report



Dear Rundgren-san,

Thank you for your comment, and very sorry for my late reply.
I conveyed your opinion to our team and am waiting for their comment.
If I get any, I'll post it to this mailing list ASAP. Anyway, we'll take
your comment into consideration when we have a chance to revise
the Final Report.

Best Regards,

Nakagawa
Japan PKI Forum

----------------------- Original Message -----------------------
On Tue, 30 Sep 2003 13:23:43 +0200
"Anders Rundgren" <anders.rundgren@xxxxxxxxx> wrote:

> 
> Dear Nakagawa-San,
> May I offer some comments not so much on the report itself, but
> on the architectures that you are working with?  The described
> CA structures represent one of three IMO entirely different ways
> to apply PKI:
> 
> 1. The "Classic".  Often using Cross-Certification (CC) and is fairly complex.
>    Used by the FED-PKI and the PKIs described in the report.  Adding
>    CP extensions as "application trust filters", things get even more complex
>    to scale-up as the extensions are (and will likely continue to be) never
>    agreed upon except within certain "communities".  It is interesting to
>    note that AFAIK, no commercial TTP CA makes its
>    issuance dependent on CP extensions.  I.e., they all use the
>    "universal issuing formula" CA <=> Policy.
> 
> 2. Relying-party-only.   RP=CA.  Limited interoperability concerns but
>    potentially awkward out-of-band RA-arrangements when the number
>    of external partners increases.
> 
> 3. The bank-model PKI [*].  Builds on legacy IT architectures and is
>    simpler (but magnitudes more flexible) compared to the "Classic".
> Short "promotional" description: http://www.x-obi.com/OBI400/b2bsign.pdf
> Long(-winding) description: http://www.x-obi.com/OBI400/pki4org.pdf
> 
> Regarding interoperability I noted that you did not mention the four-corner
> model which, if I'm not misinformed, is possibly to be used by the coming Japanese
> government PKI hosted by Identrus.  This system eliminates CC and
> interoperability (as it is a closed trust-network) but dramatically
> complicates RP software handling as there are no standards for
> managing independent (they all are) four-corner trust-networks.
> Most of these competing trust-networks require you to pay license
> fees and only use certified software.  This is how the Swedish
> banks currently operate.  A short [negative] description of four-corner:
> http://www.x-obi.com/OBI400/e-government-ID-A.Rundgren.pdf
> 
> Press-release indicating that the Japanese government indeed
> is considering supporting four-corner models:
> http://www.identrus.com/company/press_releases/release_030717.html
> 
> Regards
> Anders Rundgren
> 
> *] My participation in more or less related standards:
> http://shibboleth.internet2.edu/minutes/SHIB-05-Sept-2001.html
> 
> 
> ----- Original Message ----- 
> From: "Nakagawa" <nakagawa@xxxxxxxxxxxxxxxx>
> To: <ietf-pkix@xxxxxxx>
> Cc: <suishin3@xxxxxxxxxxxxxxxxxxxx>
> Sent: Monday, September 29, 2003 11:50
> Subject: request for reviewing our interoperability experiment report
> 
> 
> 
> Dear PKIX list members,
> 
> Korea PKI Forum, PKI Forum Singapore, Chinese Taipei PKI Forum, and Japan
> PKI Forum are pleased to announce the completion of the Final Report for
> the Experiment in PKI Interoperability in Asia region in 2002. These
> four countries/areas have been conducting the Experiment in PKI
> interoperability since 2001, and compiled the first report for the 2001
> experiment in the middle of 2002. The report compiled this time is an
> extended version of the previous one.
> 
> In 2002, we have conducted 3 experiments as follows: 
> 
> 1) CA-CA Interoperability Experiment with Cross Certification / Cross
> Recognition models;
> 
> 2) Path Processing Experiment intending to resolve the certificate path
> processing issues of the repository by clarifying the path processing logic
> described in RFC3280;
> 
> 3) PKCS#11 Experiment attempting to approach PKI application
> interoperability using a commonly defined API (application interface).
> The Final Report contains the recommended technical specifications and
> the lessons learnt, which are valuable for CA operators, VA (validation
> authority) and application developers when dealing with relevant
> interoperability matters.
> 
> In addition to this overall project result document, five other documents
> were developed as appendixes, which are:
> - Appendix 1. IWG Recommended Profiles
> - Appendix 2. CA-CA Interoperability Interface Specification for
> experiment
> - Appendix 3. Certificate Path Processing Implementation Guideline
> - Appendix 4. Certificate Path Processing Testing Guideline
> - Appendix 5. PKCS#11 Testing
> 
> It will be highly appreciated if IETF members examine the
> report and let us know your thoughts/comments.
> You can download the report and the appendix from:
> 
> Achieving PKI Interoperability 2003 -Results of the JKST-IWG Interoperability project-
> http://www.japanpkiforum.jp/shiryou/IWG_2002/FinalReport2003-Version1.0.pdf
> Appendix
> http://www.japanpkiforum.jp/shiryou/IWG_2002/Appendix.pdf
> 
> Regards,
> 
> -- 
> Hiroyuki Nakagawa
> Japan PKI Forum