98/08 42nd IETF PKIX WG
Web-based Integrated CA services Protocol, ICAP
draft-sakurai-pkix-icap-00.txt
Mine Sakurai (NEC)
Hiroaki Kikuchi (Tokai Univ)
Hiroyuki Hattori (Meiji Univ)
Yoshiki Sameshima (ICAT)
Hitoshi Kumagai (ICAT)
Summary
ICAP provides typical CA services for applications online
We propose ICAP as a CA service protocol because it is:
- compact, and easy to implement and use
- based on HTTP, and therefore adaptable to the existing network environment
- inclusive of CA-CA communication, on the assumption of a CA hierarchy, and therefore scalable
ICAP features
A subset of typical CA services for applications online:
- certificate issuing
- certificate retrieval
- CA certificate retrieval
- CRL retrieval
- certificate validation checks
- certificate revocation
- certificate updating
ICAP features (2)
- based on HTTP
- based on an original CA model, including CA-CA protocols:
  an application just throws a query to a neighboring CA, then gets a response;
  the neighboring CA forwards the query to another CA as required
- assumes a CA hierarchy for certificate retrieval
- uses X.509 v3 extension fields for CRL retrieval, CA certificate retrieval and certificate validation checks
CA model and services (diagram)
The CA consists of RA, IA, VA and PA.
Requests from applications, grouped as in the diagram:
- certreq, revokereq, updatereq
- verifyreq
- lookupreq, calookupreq, crlreq
ICAP implementation
ICAT has both ICAP-compliant CA software and ICAP-compliant S/MIME E-mail system software
Supports RSA and Matsushita’s elliptic curve cryptosystem, My-Ellty, as public-key algorithms
ICAP is used by the medical community in an S/MIME E-mail system
Correspondence to existing PKIX drafts
ICAP requests, grouped as in the diagram:
- certreq, lookupreq
- calookupreq, crlreq
- verifyreq, revokereq, updatereq
Existing PKIX drafts shown alongside ICAP in the diagram:
- CMP (Certificate Management Protocol)
- OPP(HTTP), OPP(LDAP) (Operational Protocols)
- OCSP (Online Certificate Status Protocol)
- WebCAP (WEB based CA Access Protocol)
What is the goal?
New PKIX draft?
Partial contribution to existing PKIX drafts?
Additional slides
Example
request:
% telnet cahost1 80
Trying 123.16.5.41 …
Connected to cahost1.
Escape character is ‘^]’.
POST /cgi-bin/lookupreq HTTP/1.0
Content-length: 41

[email protected]&Latest=1

response:
HTTP/1.1 200 OK
Date: Sat, 25 Oct 1997 09:34:17 GMT
Content-Type: text/plain

lookupreq
200 accept your request
MIIDmTCCA…..
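The exchange above, and the CA-CA forwarding described on the "ICAP features (2)" slide, as an added example that is not part of the original slides and not the ICAT software: two mock CAs run in-process, an application POSTs a form-encoded lookupreq to the neighboring (leaf) CA, and the leaf CA forwards the query to an upstream CA when it cannot answer itself. The slide shows only the shape of the messages; the form parameter name "Email", the failure reply texts ("400 bad request", "404 not found"), the subject addresses and the certificate bytes are assumptions and constructed data. The client side also refuses a "200" reply whose payload does not base64-decode to a DER SEQUENCE, since the CA reply is only as trustworthy as the certificate it carries.

```python
"""Added example (not ICAT code): in-process mock of the ICAP lookupreq exchange,
including a neighboring CA that forwards unanswered queries to an upstream CA.
Assumed (not on the slides): parameter name "Email", failure reply texts,
subject addresses and certificate data.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a DER certificate: ASN.1 SEQUENCE { INTEGER 5 }.
# A real reply carries a full X.509 certificate (the "MIID..." blob on the slide).
FAKE_DER = bytes.fromhex("3003020105")


def make_ca(store, upstream=None):
    """Start a mock CA answering POST /cgi-bin/lookupreq from `store`
    (email -> DER bytes). Unknown subjects are forwarded to `upstream`
    ((host, port) of another mock CA) when one is configured."""

    class LookupHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            params = parse_qs(self.rfile.read(length).decode("ascii", "replace"))
            email = params.get("Email", [""])[0]          # assumed parameter name
            if self.path != "/cgi-bin/lookupreq" or not email:
                text = "lookupreq\n400 bad request\n"     # assumed failure text
            elif email in store:
                cert_b64 = base64.b64encode(store[email]).decode("ascii")
                text = f"lookupreq\n200 accept your request\n{cert_b64}\n"
            elif upstream is not None:
                text = raw_lookupreq(email, *upstream)    # CA-CA forwarding
            else:
                text = "lookupreq\n404 not found\n"       # assumed failure text
            payload = text.encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

    server = HTTPServer(("127.0.0.1", 0), LookupHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_lookupreq(email, host, port):
    """Client side: POST the form-encoded query and return the raw reply body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    body = urlencode({"Email": email, "Latest": "1"}).encode("ascii")
    conn.request("POST", "/cgi-bin/lookupreq", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    text = conn.getresponse().read().decode("ascii")
    conn.close()
    return text


def parse_lookupreq_response(text):
    """Parse 'lookupreq / <code> <message> / <base64 DER>' into
    (code, message, der_bytes_or_None), rejecting malformed replies."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[0] != "lookupreq":
        raise ValueError("not a lookupreq response")
    code, _, message = lines[1].partition(" ")
    if code != "200":
        return int(code), message, None
    if len(lines) < 3:
        raise ValueError("200 reply without certificate data")
    der = base64.b64decode(lines[2], validate=True)
    if not der or der[0] != 0x30:      # a DER certificate starts with SEQUENCE
        raise ValueError("certificate is not a DER SEQUENCE")
    return 200, message, der


def run_exchange(email):
    """Constructed two-level hierarchy: the application asks the leaf CA,
    which holds no certificates itself and forwards to the root CA."""
    root = make_ca({"alice@example.com": FAKE_DER})   # constructed data
    leaf = make_ca({}, upstream=root.server_address)
    try:
        return parse_lookupreq_response(raw_lookupreq(email, *leaf.server_address))
    finally:
        for srv in (leaf, root):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_exchange("alice@example.com"))
```

Running the module prints `(200, 'accept your request', b'0\x03\x02\x01\x05')`; the application never learns that the leaf CA answered by forwarding, which is the transparency the slides describe. Because the transport is plain HTTP, a real client must still validate the returned certificate's signature against a trusted CA certificate rather than rely on the 200 line.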
What is ICAT ?
Initiatives for Computer Authentication Technology (1995--1998)
Industry-university cooperative research project
The purpose is to establish authentication technology based on cryptography, focused especially on developing a CA for experiments
Background
Conclusion of the ICAT activities: development of a protocol between CA and application, including CA-CA communication
Second proposal from ICAT to the PKIX WG:
- the initial draft, draft-kikuchi-web-repository-00.txt (1997), has expired
- the specification was improved through a sample implementation