1 / 23

Current Status of Japanese Government PKI Systems

Current Status of Japanese Government PKI Systems. Yasuo Miyakawa*+, Takashi Kurokawa*, Akihiro Yamamura* and Yasushi Matsumoto+ * National Institute of Information and Communications Technology (NICT), Japan + Information-technology Promotion Agency (IPA), Japan. Background.

lysandra
Télécharger la présentation

Current Status of Japanese Government PKI Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Current Status of Japanese Government PKI Systems Yasuo Miyakawa*+, Takashi Kurokawa*, Akihiro Yamamura* and Yasushi Matsumoto+ * National Institute of Information and Communications Technology (NICT), Japan+ Information-technology Promotion Agency (IPA), Japan

  2. Background • There are many e-Government projects around the world • Also in Japan • As the main system, Government PKI system was constructed • In about 2000 • There may have been similar projects in other countries in those days

  3. Abstract • 2 characteristics: • I. Bridge Model • II. Signature & non-repudiation centric • Current Status

  4. Overview 2000 2008 Current Status Efforts on Interoperability I. Bridge Model 1. Optimization 2. + Entity Authentication 2. Signature & non-repudiation centric * Level of Assurance * CP (domain policy) * Smart card data format CRYPTREC:“e-Government Recommended Ciphers List” 3. Movement in Cryptographic analysis research 4. Revise Signature Law 5. Migration Plan

  5. Our Standpoint • We have not assumed the responsibility about the design of Government PKI systems - very complicated systems • But, we had been consulted by the contractors, system integrators, and ministries • Although it was managed to operate up to now… • It will not be easy to cope with …

  6. I. Before talking about Bridge CA Model • Vertically Divided Administration • Ministries should have dealt equally • No superior • Ministries wished to have flexibility Ministry A Ministry B Our PKI system Our PKI System

  7. I. Trust Model of Government PKI Systems in Japan

  8. PKI System Owners

  9. Vertically Divided Administration again • Prefectures should be treated equally • No superior • Bridge Model is adopted • Actually, identical CPSs and CPs

  10. Our efforts regarding Bridge Model • In 2002 • There was not Trust Status List • Test-suite for Japanese government PKI software • Testing datum for path validation over Bridge CA • IPA’s Contractor • http://www.jnsa.org/mpki/index.html

  11. Our efforts regarding Bridge Model • IETF Internet-Draft: Guidance • “Memorandum for multi-domain Public Key Infrastructure Interoperability” • Already cleared – RFC will be published soon • http://www.ietf.org/internet-drafts/draft-shimaoka-multidomain-pki-13.txt • Practical factors • e.g.: ‘Domain Policy Object Identifier’ • Certificate Policy as Domain Policy

  12. II. Signature & non-repudiation centric • The majority of certificates are for Non-repudiation • keyUsage bit: set in US style • CP: not well utilized, no confusion ? • ACT ON ELECTRONIC SIGNATURES AND CERTIFICATION BUSINESS (2001) • http://www.moj.go.jp/ONLINE/CERTIFICATION/ • With 2 Ministerial Ordinance • Discussion has started to revise these legislation • To be explained later

  13. FYI: CRYPTREC • Cryptography Research and Evaluation Committees • http://www.cryptrec.jp/english/index.html • Cryptographic Technique Monitoring Subcommittee • “e-Government Recommended Ciphers List”

  14. Recent Undertakings • Optimizing GPKI System • Concerns for Entity Authentication • Estimating the Improvement of Factoring Power • Revising ACT ON ELECTRONIC SIGNATURES AND CERTIFICATION BUSINESS and its Ministerial Ordinance • Migration Plan about Cryptography which is used in PKI Systems

  15. 1. Optimizing GPKI System • Conducted by MIC Administrative Management Bureau • Planed in March, 2005 • To be completed in FY 2008 • From economic point of view • Duplication in issuing function • Managing operational practices may be centralized • Centralized CA for GPKI • CAs: 14 -> 1 • RAs will remain • Several exceptions: • commercial register system’s CA

  16. 2. Concern for Entity Authentication • Level of Assurance • Developing Guideline documents • Citizen’s Smart Cards Format • Multiple credentials • Open specification is expected • Certificate Policy (PKI domain Policy) • Risk to confuse: • Signature non-repudiation • Other purpose • Written in RFC 5280 • MUST be distinguished

  17. 3. Movement in Cryptographic analysis research Estimating GNFS sieving steps

  18. 3. Movement in Cryptographic analysis research Estimating collision of SHA-1

  19. 4. Revising ACT ON ELECTRONIC SIGNATURES AND CERTIFICATION BUSINESS and its Ministerial Ordinance • Under discussion • We are supporting Technical issues • Technical issues are not dealt widely yet CA’s business issue Promotion etc. Technical issues Spend most of the time on Cryptographic issue Dealt independently Administrative Scheme issue Certifying procedure:heavy !

  20. 4. Status of the discussion • Technical issue • Based on certifying conforming CAs • As a requirement for certified CA: cryptographic issue is included • Although it was the main topic in the first stage… • There are many other technical issues • Need to get understood by lawyers

  21. 4. To be discussed • Preventing misrecognition on Section 10 • Often considered as Prohibition of other business • Serious effect on CA’s business • Can be solved by CP description • Confusion: signature on certificates vs. signature on digital documents • different level of Risks • Actually, Not well utilized • Signature is for Authority person and Professionals

  22. 5. Migration Plan about Cryptography which is used in PKI Systems • RSA-1024 and SHA-1 • May be Internationally common issue • How we can deal this issue? • Application level discussion may be different from Primitive level discussion • Multi level of risks • Roadmap / Procedure

  23. Conclusion • Bridge Model may be the typical trust model for national level PKI systems • Efforts to keep interoperability is required • Additional system requirements • Which have not supposed before 2000 • Not only Signature & non-repudiation • Should be put into design consistently Thank you

More Related