An Experience in Developing Common Certificate Policy, 9 April 2008


International Symposium on Grid Computing 2008 An Experience in Developing Common Certificate Policy 9 April 2008, Academia Sinica, Taipei, Taiwan Shinichi Mineo (RIKEN) Outline MOTIVATION FEATURES OF RFC3647 A CASE IN NAREGI


slide-1
SLIDE 1

An Experience in Developing Common Certificate Policy

Shinichi Mineo (RIKEN)

International Symposium on Grid Computing 2008 9 April 2008, Academia Sinica, Taipei, Taiwan

slide-2
SLIDE 2

Outline

  • MOTIVATION
  • FEATURES OF RFC3647
  • A CASE IN NAREGI
  • DRAFTING A COMMON CP
  • OPEN ISSUES
  • SUMMARY

slide-3
SLIDE 3

MOTIVATION

Preparation for CA operations based on RFC 3647

  • NAREGI CA plans to restart operation with a new CP/CPS

Deployment Plan of Grid CAs by UPKI

  • Increasing complexity for trust federation

CP Sensitive Application

  • Possibility of flexible authorization for Grid Applications

slide-4
SLIDE 4

UPKI as a basis of Cyber Science Infrastructure

[Figure: three PKI layers. Grid PKI: NAREGI CAs at A Univ. and B Univ., end entities (EE) and proxies, for Grid Computing. Campus PKI: A Univ. CA and B Univ. CA (for on-campus use) with end entities; Auth, Sign, Encrypt. for students, faculty, servers and supercomputers. Open Domain PKI: NII Pub CA and other Pub CA for web servers and S/MIME; Sign, Encrypt.; future plan.]

slide-5
SLIDE 5

FEATURES OF RFC3647 (1)

Easy to transform CP/CPS based on RFC 2527 to RFC 3647

  • (7) “Comparison to RFC 2527”
  • Just adding (4.9) “Other Business and Legal Matters”, etc.

It’s OK, but…

Another idea is to develop a new CP split from CPS

slide-6
SLIDE 6

FEATURES OF RFC3647 (2)

  • CP is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements, and CPS is a statement of the practices which a certification authority employs in issuing certificates. (1.1)

  • A CP generally applies to multiple CAs, and a CPS applies only to a single CA. (3.5)

  • CP and CPS have the same structure and ordering of topics, thereby facilitating comparisons and mappings among these documents. (3.7)

  • Document framework is the same in CP and CPS, but their objectives are different.

slide-7
SLIDE 7

A CASE IN NAREGI (1)

A traditional X.509 Public Key CA

  • issues long-term credentials to end-entities
  • conforms to the Asia Pacific Grid Minimum CA Requirements

An analysis of the documentation structure regarding accreditation of ApGrid PMA

slide-8
SLIDE 8

An Analysis of Documentation Structure

[1] RFC 2527, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework"
[2] RFC 3647, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework"
[3] RFC 2459, "Internet X.509 Public Key Infrastructure: Certificate and CRL Profile"
[4] RFC 3280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"
[5] RFC 3820, "Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile"
[6] Global Grid Forum Certificate Policy Model
[7] Authentication Profile for Classic X.509 Public Key Certification Authorities with secured infrastructure, Version 4.1 (4.0)
[8] GWD-C Grid Certificate Profile
[9] Asia Pacific Grid Minimum CA Requirements
[10] Guidelines for auditing Grid CAs

NOTE) Arrows show relations of conformity to each other

slide-9
SLIDE 9

A CASE IN NAREGI (2)

Why split CP from CPS?

  • Grid CAs can concentrate on designing a CPS based on the common CP, which will save money and time.
  • The regional PMA can concentrate on analyzing the CPS to accredit Grid CAs, which will greatly reduce the workload.
  • The Grid CAs can enforce mutual audit based on the common policy, which will make the work simple and efficient.

slide-10
SLIDE 10

A CASE IN NAREGI (3)

A Trial to design a Common CP

  • Collection of common security requirements for Grid applications
      • excluding descriptions peculiar to CAs or organizations.
  • The CP requires a CA to describe individual information in its CPS
      • the demands themselves are treated as a part of the Certificate Policy
  • For items with no special requirements either in CP or CPS, “No requirements” is described
      • These items can be described at the discretion of the CA

slide-11
SLIDE 11

DRAFTING A COMMON CP

We have analyzed all the sections of the RFC 3647 framework, and classified them into groups of:

  • CP: To be described in CP
  • CPS: To be described in CPS conforming to the requirements of this CP
  • None: No Requirements

slide-12
SLIDE 12

A Table of Classification (1)

RFC 3647 section | RFC 25 | IGTF Classic AP | CP, CPS
1 Introduction | 1 | 1 |
1.1 Overview | 1.1 | 2, 4.2 | レ レ
1.2 Document Name and Identification | 1.2 | 4.2 | レ レ
1.3 PKI Participants | 1.3 | |
1.3.1 Certification authorities | 1.3.1 | 2 | レ レ
1.3.2 Registration authorities | 1.3.2 | 2 | レ レ
1.3.3 Subscribers | 1.3.3 | | レ
1.3.4 Relying parties | 1.3.3 | | レ
1.3.5 Other participants | N/A | |
1.4 Certificate usage | 1.3.4 | |
1.4.1 Appropriate Certificate Uses | 1.3.4 | | レ レ
1.4.2 Prohibited Certificate Uses | 1.3.4 | |
1.5 Policy Administration | 1.4 | |
1.5.1 Organization Administering the Document | 1.4.1 | | レ レ
1.5.2 Contact Person | 1.4.2 | | レ レ
1.5.3 Person Determining CPS Suitability for the Policy | 1.4.3 | | レ レ
1.5.4 CPS Approval Procedures | 8.3 | | レ レ
1.6 Definition and Acronyms | N/A | | レ レ
2 Publication and Repository Responsibilities | 2.1.5, 2.6 | |
2.1 Repositories | 2.6.4 | 6 | レ レ
2.2 Publication of certification information | 2.6.1, 8.2 | 4.2, 4.3, 4.4, 6 | レ レ
2.3 Time or frequency of publication | 2.6.2, 8.2 | | レ
2.4 Access controls on repositories | 2.6.3 | | レ

slide-13
SLIDE 13

A Table of Classification (2)

RFC 3647 section | RFC 25 | IGTF Classic AP | CP, CPS
3 Identification and Authentication (I&A) | 3 | |
3.1 Naming | 3.1 | |
3.1.1 Type of Names | 3.1.1 | | レ
3.1.2 Need for Names to be Meaningful | 3.1.2 | 4.3 | レ
3.1.3 Anonymity or Pseudonymity of Subscribers | 3.1.2 | |
3.1.4 Rules for Interpreting Various Name Forms | 3.1.3 | |
3.1.5 Uniqueness of Names | 3.1.4 | 3 | レ
3.1.6 Recognition, Authentication, and Role of Trademarks | 3.1.5, 3.1.6 | |
3.2 Initial Identity Validation | 3.1 | 3.1 | レ
3.2.1 Method to Prove Possession of Private Key | 3.1.7 | 3.1 | レ レ
3.2.2 Authentication of Organization Identity | 3.1.8 | | レ
3.2.3 Authentication of Individual Identity | 3.1.9 | 3.1 | レ レ
3.2.4 Non-Verified Subscriber Information | N/A | | レ
3.2.5 Validation of Authority | 3.1.9 | | レ
3.2.6 Criteria for Interoperation | 4.1 | | レ
3.3 I&A for Re-key Requests | 3.2, 3.3 | |
3.3.1 Identification and Authentication for Routine Re-Key | 3.2 | 3.2 | レ レ
3.3.2 Identification and Authentication for Re-Key After Revocation | 3.3 | | レ
3.4 I&A for revocation requests | 3.4 | | レ レ

The rest is omitted.

slide-14
SLIDE 14

CertificatePolicies EXTENSION in ASN.1 NOTATION

CertificatePolicies EXTENSION ::= {
    SYNTAX CertificatePoliciesSyntax
    IDENTIFIED BY id-ce-certificatePolicies }

CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
    policyIdentifier CertPolicyId,
    policyQualifiers PolicyQualifierInfo }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SET {
    pointerToCPS-Qualifier pointerToCPS,
    noticeToUser-Qualifier noticeToUser OPTIONAL }

pointerToCPS ::= {
    POLICY-QUALIFIER-ID id-qt-cps
    QUALIFIER-TYPE CPSuri }

id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }

CPSuri ::= IA5String

slide-15
SLIDE 15

OPEN ISSUES

  • Future Capability of the common CP
      • If this CP is proved operational and effective, it is worth using commonly in the Grid community accredited by ApGrid or IGTF.

  • CP Sensitivity
      • If the Grid application can recognize Certificate Policies, a Grid CA can issue certificates of different policies, with which Grid service providers will be able to change authorization decisions according to their service policies.

  • Legal Matters
      • Legal matters tend to differ between nations. We need consensus on general conditions for Grid certificates.
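
CP sensitivity means the relying party reads the policy OIDs (and optionally the CPS pointer) out of the certificatePolicies extension from slide 14 and decides on them. The following is an added example, not part of the original slides or of NAREGI software: it parses the DER extension value as encoded in RFC 5280 using only the standard library and denies access on a malformed extension; the 2.999.x policy OIDs, the CPS URL and all function names are constructed for illustration.

```python
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # id-qt-cps: qualifier that carries the CPS URI

def elements(buf):  # yields (tag, value) for each DER element packed in buf
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad DER length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:  # base-128 digits; a clear high bit ends the arc
        acc = (acc << 7) | (b & 0x7F)
        if b < 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_certificate_policies(der):
    """Map each asserted policy OID to its CPS URI (None when absent)."""
    top = list(elements(der))
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("expected one SEQUENCE OF PolicyInformation")
    policies = {}
    for _, info in elements(top[0][1]):
        fields = list(elements(info))  # policyIdentifier [, policyQualifiers]
        cps = None
        for _, qual in (elements(fields[1][1]) if len(fields) > 1 else ()):
            (_, qid), (qtag, qval) = list(elements(qual))[:2]
            if decode_oid(qid) == ID_QT_CPS and qtag == 0x16:  # IA5String
                cps = qval.decode("ascii")
        policies[decode_oid(fields[0][1])] = cps
    return policies

def authorize(der, accepted):  # permit only if an accepted policy is asserted
    try:
        return bool(set(parse_certificate_policies(der)) & set(accepted))
    except (ValueError, IndexError):
        return False  # malformed extension: fail closed

# Constructed sample: policy 2.999.1 with a CPS pointer, then 2.999.2 without.
SAMPLE = (bytes.fromhex("3033302a06038837013023302106082b060105050702011615")
          + b"http://ca.example/cps" + bytes.fromhex("30050603883702"))
```

A service that accepts only 2.999.2 would permit this certificate, while one that accepts only an OID the certificate does not assert would refuse it.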

slide-16
SLIDE 16

An Example: CP Sensitive AuthZ Service

SAML 2.0 profile of XACML v2.0

slide-17
SLIDE 17

CONCLUSIONS

  • We have described a possibility of a common certificate policy, which NAREGI is trying to develop and planning to use for the next generation CA operations.

  • We believe a common CP concept is effective for both Grid CAs and the regional PMAs, and contributes to the Grid community.

  • Further discussions will be necessary for consensus and the open issues in a public place such as the CAOPs working group in OGF.

  • A draft of a common CP with a sample of CPS will be published by the NAREGI project for open discussions.