Introduction/overview

Technical Working Group
June 2001
Andrew Nash
Steve Lloyd
Agenda
• Agenda praise (in lieu of bashing)
– a TWG tradition (praise that is …)
• Introductions
– Name, Company, Vendor/Exploiter/Customer
• Objectives and Ground Rules
• Project and White Paper Objectives
• Status at end of March Meeting
TWG Agenda for Wednesday 6/20 and Thursday 6/21
• Path Construction
• CESG Status (UK Govt Interop Trial)
• LDAP white paper
• Application certificate usage
• Token Interoperability
• CMP Interoperability
• TTT Bridge CA
• OCSP
• PKI Challenge
• AKID/SKID Interop Guide
• Wireless certificates
• Future Work
Introductions
• Andrew Nash
– RSA Security
– PKI Vendor
• Steve Lloyd
– Entrust
– PKI Vendor
• Your turn
– Name, Company, Vendor/Exploiter/Customer
Objectives and Ground Rules
“… to accelerate the adoption and use of Public-Key Infrastructure (PKI) and PKI-based products and services.”
– Leverage the expertise of Members
– Projects led by PKI Forum members
– Results clearly a PKI Forum effort
– Maximum involvement of all parties
– Leverage existing standards, efforts, skills and organizations
… and other things
• Mailing list signup and use
• Project Plans and Status
• Business WG organization
– Marketing/Education
– Policy & Privacy
– Best Practices
– Applications/Vert. Markets
Major Project Work Methodology
• Description of task
• White papers/educational material/test cases
• Interoperability workshops
• Internal documentation of results/lessons learned/recommendations
• External documentation
• Focus on making it work!
External Project Report Objectives
• Written materials reporting results
– White papers
– Matrices
– Presentations
• Interim results remain private to PKIF
• Consensus on timing and nature of results
– Positive results desired
– Describe PKI successes, not disadvantage products that don’t work during testing
White Paper Objectives
• Address topics that will advance PKI interoperability
• What does PKIF have to add
– LDAP
– Path Construction
– NOT remote path validation!
• May be related to specific Major Projects
• Editor responsible to drive
• Review/approval on list to assure agreement
Status from San Jose - March 2001
• Meeting minutes are required
• We meet this requirement with “real time” PPT notes
• If time permits, quick review before Joint Session
• Input solicited
Participants

                  March       December    September
                  San Jose    Sydney      Montreal
Vendor            14 (35%)    13 (45%)    20 (43%)
ISV/Exploiter     19 (48%)    12 (41%)    16 (38%)
Customer**         7 (17%)     4 (9%)     10 (24%)
Total             40          29          46

** Customers include consultants
TWG Progress

Complete:                            In Progress:
1 Major Interoperability Project     4 Major Interoperability Projects
1 White Paper                        5 White Papers (more in the pipe)
3 PKI Notes
Path Construction
Stephen Farrell/Steve Lloyd
• White paper
– Explain functionality and identify recommendations
• Assumptions
– Assume complex certificate paths
• Hierarchical/Distributed/Bridge CA/Combination trust models
– Concentrate on LDAP/X.509/HTTP access methods
• CA-CA Interoperability paper relies on this paper to address “path bounding”
• Plan
– 1st draft due June 2001
– Final submission Sept 2001
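The Path Construction slide assumes complex paths across hierarchical and bridge CA trust models, and the agenda separately lists an AKID/SKID interoperability guide. The following is an added illustration (not the white paper's content and not PKI Forum code) of what a path builder has to do in such a topology: walk from an end-entity certificate back to a configured trust anchor, choosing issuer certificates by issuer/subject name and by matching the certificate's AuthorityKeyIdentifier to the candidate's SubjectKeyIdentifier, avoiding the cycles that cross-certificate pairs create, and honouring pathLenConstraint. All certificate records, names and key identifiers are constructed toy data, not parsed X.509; signature, validity-period, revocation and name-constraint checks that a real validator performs are deliberately out of scope here. The `use_key_ids=False` switch shows why key-identifier matching matters: with name matching alone, a superseded self-signed certificate with the same subject name is accepted as the issuer of a certificate it never signed.

```python
"""Toy certificate path construction over a bridged trust topology.

Constructed sample data (not real X.509). Each record carries the fields a
path builder actually consults: subject, issuer, SubjectKeyIdentifier (skid),
AuthorityKeyIdentifier (akid, None when absent), basicConstraints.cA (ca) and
pathLenConstraint (pathlen, None when absent).
"""

CERTS = [
    # Enterprise A's self-signed root; the relying party in A trusts this one.
    {"id": "A-root", "subject": "CN=Enterprise A Root", "issuer": "CN=Enterprise A Root",
     "skid": "a1", "akid": None, "ca": True, "pathlen": None},
    # Cross-certificate pair between Enterprise A and the Bridge CA (forms a cycle).
    {"id": "A-to-Bridge", "subject": "CN=Bridge CA", "issuer": "CN=Enterprise A Root",
     "skid": "br1", "akid": "a1", "ca": True, "pathlen": 1},
    {"id": "Bridge-to-A", "subject": "CN=Enterprise A Root", "issuer": "CN=Bridge CA",
     "skid": "a1", "akid": "br1", "ca": True, "pathlen": None},
    # Bridge CA cross-certifies Enterprise B's CA (current key b1).
    {"id": "Bridge-to-B", "subject": "CN=Enterprise B CA", "issuer": "CN=Bridge CA",
     "skid": "b1", "akid": "br1", "ca": True, "pathlen": 0},
    # Enterprise B's old self-signed CA cert: same subject name, superseded key b0.
    {"id": "B-root-old", "subject": "CN=Enterprise B CA", "issuer": "CN=Enterprise B CA",
     "skid": "b0", "akid": "b0", "ca": True, "pathlen": None},
    # End-entity certificate issued under B's current key b1.
    {"id": "B-user", "subject": "CN=bob@b.example", "issuer": "CN=Enterprise B CA",
     "skid": "u1", "akid": "b1", "ca": False, "pathlen": None},
]


def path_len_ok(path):
    """Enforce pathLenConstraint on a path ordered trust anchor -> end entity.

    A CA certificate with pathlen=n may be followed by at most n further
    non-self-issued CA certificates before the end entity (self-issued
    certificates are not counted, as in RFC 3280 section 6.1.4).
    """
    for i, cert in enumerate(path[:-1]):
        if cert["pathlen"] is None:
            continue
        later_cas = [c for c in path[i + 1:-1]
                     if c["ca"] and c["subject"] != c["issuer"]]
        if len(later_cas) > cert["pathlen"]:
            return False
    return True


def build_path(target_id, anchor_ids, certs=CERTS, use_key_ids=True, max_depth=8):
    """Return the list of certificate ids from a trust anchor to target_id,
    or None if no acceptable path exists.

    anchor_ids is the relying party's configured set of trust anchor
    certificate ids. Candidate issuers are selected by name (issuer == subject)
    and, when use_key_ids is True and the certificate carries an AKID, by
    AKID == candidate SKID. max_depth bounds the search so cross-certificate
    cycles and pathological directories cannot make it run forever.
    """
    by_id = {c["id"]: c for c in certs}
    target = by_id[target_id]

    def candidates(cert):
        out = []
        for c in certs:
            if c["subject"] != cert["issuer"] or not c["ca"]:
                continue
            if use_key_ids and cert["akid"] is not None and c["skid"] != cert["akid"]:
                continue
            out.append(c)
        # Try configured trust anchors first so the shortest path wins.
        out.sort(key=lambda c: c["id"] not in anchor_ids)
        return out

    def search(cert, chain):
        if len(chain) > max_depth:
            return None
        on_chain = {c["id"] for c in chain}
        for issuer in candidates(cert):
            if issuer["id"] in on_chain:
                continue  # cross-certificate pairs form cycles; never revisit
            path = [issuer] + chain
            if issuer["id"] in anchor_ids:
                if path_len_ok(path):
                    return path
                continue  # anchor reached but a pathLenConstraint is violated
            found = search(issuer, path)
            if found:
                return found
        return None

    result = search(target, [target])
    return [c["id"] for c in result] if result else None


if __name__ == "__main__":
    print(build_path("B-user", {"A-root"}))                      # bridged path via Bridge CA
    print(build_path("B-user", {"B-root-old"}))                  # None: b1 != b0
    print(build_path("B-user", {"B-root-old"}, use_key_ids=False))  # wrong issuer accepted
```

Run as a script, the first call finds the bridged path A-root → A-to-Bridge → Bridge-to-B → B-user, the second correctly finds no path because B-user was issued under key b1 rather than the old anchor's key b0, and the third shows that name-only matching would build a path through the superseded certificate, which a subsequent signature check would reject but which wastes directory lookups and, in a builder that skips key-identifier matching, is exactly the kind of interoperability failure the AKID/SKID guide addresses.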
Application Certificate Usage
• Deliverables
David Crowe
– Data sheets describing pairwise vendor results
• Product description, interoperable functionality, config notes
• Entrust/Xcert, RSA Security/Xcert, SECUDE/Xcert
– Certificate library – librarian: Tony Rogers
• Parallel activities with the CESG and EEMA
• Issues:
– IPSec certificate usage is open
– More results required for successful completion
• Future
– Direct testing between companies proposed – some results already exist with companies like Microsoft
Certificate Library
Tony Rogers
• Initial certificates provided by Computer Associates
• PKI Forum web site
– FTP download
• certificates, descriptions
• possibly associated private keys
• LDAP server to be established as a certificate source
• Certificate samples requested from members now
– CA, SSL server, SSL client, e-mail
• Optional CRL
• Optional known bad certificate examples
CA-CA Interoperability
Steve Lloyd
• Address technical aspects of CA-CA interoperability
– emphasis on “inter-domain interoperability”
• Discussion paper delivered
– project did not include interoperability demonstrations
• Recommended that non-technical issues (business relationships/legal) be addressed by the Policy & Privacy subgroup
• One activity among others
– this activity was purposely focused on inter-domain interoperability issues
CMP Interoperability
Bob Moskowitz
• No group testing in last quarter (some point-to-point)
• Support DSA and RSA
• Supported direct TCP
• Press announcement – Feb ’01
• Further testing on additional protocol features
LDAP
David Finkelstein
• Limited progress to date
• Initial draft has limited distribution
• Focused effort available from this point forward
• Outline
Outline
– Schema requirements
– Creation, modification search requirements
– Access control requirements
• CA vendor use of LDAP imposes unique implications
OCSP
Alistair Grant
• Goal:
– Promote interoperability between implementations of OCSP (RFC 2560)
• Project proposal – Dec 2000
• Agreed project plan – Feb 2001
• Public OCSP responder established – March 2001
• BOF planned for Thursday afternoon
• Testing planned for April/May
Other Discussions
• XML Key Mgmt System (XKMS) – Warwick Ford
– Microsoft, VeriSign, webMethods and others
– Application enabled to use 2G PKI services
– Simplify the application interface
– Hides complexity of PKI structure such as trust models
Other Discussion
• CESG Interoperability – Richard Lampard
– Heterogeneous CA hierarchy
– Interop trial to resolve issues
• Large set of standards
• Work with large set of vendors
• Understand state of industry and technology
– Application interop included S/MIME interop
– 15 vendors
– Bake-off 12-16 Feb ’01
– Report will distribute test results
www.PKIForum.org