Technical Working Group June 2001 Andrew Nash Steve Lloyd.


Transcript of Technical Working Group June 2001 Andrew Nash Steve Lloyd.

Technical Working Group, June 2001

Andrew Nash, Steve Lloyd

Agenda

• Agenda praise (in lieu of bashing) – a TWG tradition (praise, that is …)
• Introductions – Name, Company, Vendor/Exploiter/Customer
• Objectives and Ground Rules
• Project and White Paper Objectives
• Status at end of March Meeting

TWG Agenda for Wednesday 6/20 and Thursday 6/21

• Path Construction
• CESG Status (UK Govt Interop Trial)
• LDAP white paper
• Application certificate usage
• Token Interoperability
• CMP Interoperability
• TTT Bridge CA
• OCSP
• PKI Challenge
• AKID/SKID Interop Guide
• Wireless certificates
• Future Work

Introductions

• Andrew Nash – RSA Security – PKI Vendor
• Steve Lloyd – Entrust – PKI Vendor
• Your turn – Name, Company, Vendor/Exploiter/Customer

Objectives and Ground Rules

“… to accelerate the adoption and use of Public-Key Infrastructure (PKI) and PKI-based products and services.”
– Leverage the expertise of Members
– Projects led by PKI Forum members
– Results clearly a PKI Forum effort
– Maximum involvement of all parties
– Leverage existing standards, efforts, skills and organizations

… and other things

• Mailing list signup and use
• Project Plans and Status
• Business WG organization
– Marketing/Education
– Policy & Privacy
– Best Practices
– Applications/Vertical Markets

Major Project Work Methodology

• Description of task
• White papers/educational material/test cases
• Interoperability workshops
• Internal documentation of results/lessons learned/recommendations
• External documentation
• Focus on making it work!

External Project Report Objectives

• Written materials reporting results
– White papers
– Matrices
– Presentations
• Interim results remain private to PKIF
• Consensus on timing and nature of results
– Positive results desired
– Describe PKI successes; do not disadvantage products that don’t work during testing

White Paper Objectives

• Address topics that will advance PKI interoperability
• What does PKIF have to add
– LDAP
– Path Construction
– NOT remote path validation!
• May be related to specific Major Projects
• Editor responsible to drive
• Review/approval on list to assure agreement

Status from San Jose – March 2001

• Meeting minutes are required
• We meet this requirement with “real time” PPT notes
• If time permits, quick review before Joint Session
• Input solicited

Participants by meeting

Participants       March         December      September
                   San Jose      Sydney        Montreal
Vendor             14    35%     13    45%     20    43%
ISV/Exploiter      19    48%     12    41%     16    38%
Customer**          7    17%      4     9%     10    24%
Total              40            29            46

** Customers include consultants

TWG Progress

In Progress:

4 Major Interoperability Projects

5 White Papers (more in the pipe)

3 PKI Notes

Complete:

1 Major Interoperability Project

1 White Paper

Path Construction – Stephen Farrell / Steve Lloyd

• White paper
– Explain functionality and identify recommendations
• Assumptions
– Assume complex certificate paths
• Hierarchical/Distributed/Bridge CA/Combination trust models
– Concentrate on LDAP/X.509/HTTP access methods
• CA-CA Interoperability paper relies on this paper to address “path bounding”
• Plan
– 1st draft due June 2001
– Final submission Sept 2001
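The slide assumes complex paths across hierarchical, distributed and bridge-CA trust models and defers “path bounding” to this paper. As an added example, not part of the original deck or of any PKI Forum deliverable, the Python below constructs a certification path over a constructed topology of two enterprise hierarchies joined through a bridge CA, using issuer/subject name chaining disambiguated by AKID/SKID (the same matching the AKID/SKID Interop Guide on the agenda is concerned with), a visited set to break the loops that mutual cross-certification creates, and a length bound. It constructs the path only; signature checks, validity periods, policies and revocation are the separate validation step the slide explicitly excludes. The Cert class, the DNs, the labels and the key identifiers are all constructed stand-ins for X.509 fields, not real certificates.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields path construction needs."""
    label: str            # constructed name, for readability only
    subject: str          # subject DN (simplified to a string)
    issuer: str           # issuer DN
    skid: str             # SubjectKeyIdentifier (constructed tag)
    akid: Optional[str]   # AuthorityKeyIdentifier, None if the extension is absent

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.akid in (None, self.skid)


def issued_by(cert: Cert, ca: Cert) -> bool:
    """Name chaining plus AKID/SKID check.

    `ca` is a candidate issuer of `cert` if its subject equals cert.issuer
    and, when cert carries an AKID, the CA's SKID matches it.  Without the
    key-identifier check a CA that has rolled its key yields several certs
    with the same subject, and the wrong one is only caught later when the
    signature check fails."""
    if ca.subject != cert.issuer:
        return False
    return cert.akid is None or cert.akid == ca.skid


def build_path(target: Cert, pool: List[Cert], anchors: List[Cert],
               max_chain: int = 10) -> Optional[List[Cert]]:
    """Depth-first path construction from `target` toward any trust anchor.

    Returns [target, intermediate CA certs..., anchor] or None.  `max_chain`
    bounds the number of certificates tried before the anchor (path
    bounding), so the search terminates even on cross-certified loops."""
    def dfs(chain: List[Cert], seen: Set[Tuple[str, str]]) -> Optional[List[Cert]]:
        cur = chain[-1]
        for anchor in anchors:
            if issued_by(cur, anchor):
                return chain + [anchor]
        if len(chain) >= max_chain:
            return None
        for ca in pool:
            key = (ca.subject, ca.skid)
            # Self-signed certs only matter as anchors; a repeated
            # (subject, key id) pair is a loop through bridge cross-certs.
            if ca.is_self_signed() or key in seen or not issued_by(cur, ca):
                continue
            found = dfs(chain + [ca], seen | {key})
            if found is not None:
                return found
        return None

    return dfs([target], {(target.subject, target.skid)})


def path_labels(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.label for c in path]


# Constructed topology: hierarchies A and B cross-certified through a bridge
# CA, plus a stale cross-certificate to B's superseded root key (skid B0).
ROOT_A = Cert("RootA", "CN=Root A", "CN=Root A", "A1", "A1")
ROOT_B = Cert("RootB", "CN=Root B", "CN=Root B", "B1", "B1")
BRIDGE = Cert("Bridge", "CN=Bridge", "CN=Bridge", "BR1", "BR1")
A_TO_BRIDGE = Cert("A->Bridge", "CN=Bridge", "CN=Root A", "BR1", "A1")
BRIDGE_TO_A = Cert("Bridge->A", "CN=Root A", "CN=Bridge", "A1", "BR1")
B_TO_BRIDGE = Cert("B->Bridge", "CN=Bridge", "CN=Root B", "BR1", "B1")
BRIDGE_TO_B = Cert("Bridge->B", "CN=Root B", "CN=Bridge", "B1", "BR1")
BRIDGE_TO_B_OLD = Cert("Bridge->B(old key)", "CN=Root B", "CN=Bridge", "B0", "BR1")
B_SUB = Cert("BSub", "CN=B Sub CA", "CN=Root B", "B2", "B1")
ALICE = Cert("alice", "CN=alice", "CN=B Sub CA", "L1", "B2")

# Pool order deliberately puts the looping cross-cert (B->Bridge) first.
POOL = [ROOT_A, ROOT_B, BRIDGE, B_TO_BRIDGE, BRIDGE_TO_B_OLD, BRIDGE_TO_A,
        A_TO_BRIDGE, BRIDGE_TO_B, B_SUB]


def demo() -> dict:
    """Paths for alice from three relying-party viewpoints."""
    return {
        "trust_A": path_labels(build_path(ALICE, POOL, [ROOT_A])),
        "trust_B": path_labels(build_path(ALICE, POOL, [ROOT_B])),
        "bounded": path_labels(build_path(ALICE, POOL, [ROOT_A], max_chain=3)),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(name, path)
```

A relying party in domain A reaches alice only through the bridge (five certificates); one in domain B reaches her in three. The stale “Bridge->B(old key)” cross-certificate is never selected because B Sub CA’s AKID names key B1, not B0, and the B->Bridge/Bridge->B loop is cut by the visited set. With the bound set to three certificates the bridged path is not found at all, which is the trade-off the CA-CA paper’s “path bounding” question is about.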

Application Certificate Usage – David Crowe

• Deliverables
– Data sheets describing pairwise vendor results
• Product description, interoperable functionality, configuration notes
• Entrust/Xcert, RSA Security/Xcert, SECUDE/Xcert
– Certificate library – librarian: Tony Rogers
• Parallel activities with the CESG and EEMA
• Issues:
– IPSec certificate usage is open
– More results required for successful completion
• Future
– Direct testing between companies proposed – some results already exist with companies like Microsoft
– Forum assumes a brokerage role (including coordination of announcements)

Certificate Library – Tony Rogers

• Initial certificates provided by Computer Associates
• PKI Forum web site
– FTP download
• certificates, descriptions
• possibly associated private keys
• LDAP server to be established as a certificate source
• Certificate samples requested from members now
– CA, SSL server, SSL client, e-mail
• Optional CRL
• Optional known-bad certificate examples

CA-CA Interoperability – Steve Lloyd

• Address technical aspects of CA-CA interoperability – emphasis on “inter-domain interoperability”
• Discussion paper delivered – project did not include interoperability demonstrations
• Recommended that non-technical issues (business relationships/legal) be addressed by the Policy & Privacy subgroup
• One activity among others – this activity was purposely focused on inter-domain interoperability issues

CMP Interoperability – Bob Moskowitz

• No group testing in last quarter (some point-to-point)
• Support DSA and RSA
• Supported direct TCP
• Press announcement – Feb ’01
• Further testing on additional protocol features

LDAP – David Finkelstein

• Limited progress to date
• Initial draft has limited distribution
• Focused effort available from this point forward
• Outline
– Schema requirements
– Creation, modification, search requirements
– Access control requirements
• CA vendor use of LDAP imposes unique implications

OCSP – Alistair Grant

• Goal:
– Promote interoperability between implementations of OCSP (RFC 2560)
• Project proposal – Dec 2000
• Agreed project plan – Feb 2001
• Public OCSP responder established – March 2001
• BOF planned for Thursday afternoon
• Testing planned for April/May

Other Discussions

• XML Key Management System (XKMS) – Warwick Ford
– Microsoft, VeriSign, webMethods and others
– Application enabled to use 2G PKI services
– Simplify the application interface
– Hides complexity of PKI structure such as trust models

Other Discussion

• CESG Interoperability – Richard Lampard
– Heterogeneous CA hierarchy
– Interop trial to resolve issues
• Large set of standards
• Work with large set of vendors
• Understand state of industry and technology
– Application interop included S/MIME interop
– 15 vendors
– Bake-off 12-16 Feb ’01
– Report will distribute test results

www.PKIForum.org