
The Interoperability between NPKI (National PKI) & GPKI (Government PKI) in KOREA

5 Nov 2002

Korea Certification Authority Central
Korea Information Security Agency
Bo-Sung, Hwang (hbs2593@kisa.or.kr)
The Interoperability between NPKI & GPKI in KOREA

Contents

1. PKI Status in Korea
2. Activity of NPKI-GPKI interoperability
3. Certificate Trust List
4. NPKI-GPKI Interoperability based on CTL model in Korea
5. Conclusion
PKI Status in Korea

1.1 Overview of National PKI [NPKI]

■ Object
✦ To assure the security and trustworthiness of electronic documents and to promote their use in the private sector
■ Target of certificate issuance
✦ Citizens, enterprises
■ Scope of certificate usage
✦ Internet banking, cyber trading, e-bidding and G4C service, etc.
■ Relevant Act
✦ 1999. 7 : Enforcement of the Digital Signature Act
✦ 2002. 4 : Enforcement of the Electronic Signature Act [Revised]
NPKI Structure

(Diagram; only the labels are recoverable.)
- MIC [Ministry of Information and Communication]: sets up and executes certificate policy; designates ACAs
- KISA / KCAC (Root CA): operates the Root CA; evaluates ACAs; supports the founding of ACAs; cross-certification with foreign PKI
- ACAs (certificate issuance to subscribers): KOSCOM, KICA, NCA, KFTC, CrossCert, KTNET
- Subscribers: citizens and enterprises

1.2 Overview of Government PKI [GPKI]

■ Object
✦ To implement the G4C (Government for Citizen) service
■ G4C Service
✦ To enable public services on the internet between citizens and the Government
✦ One of the 11 projects for e-Government in Korea
● Educational Administrative Information Systems, Integrated National Tax Services and e-Public Procurement Services, etc.
■ Target of certificate issuance
✦ Public officers
■ Scope of certificate usage
✦ G4C service
■ Relevant Act
✦ 2001. 7 : Enforcement of the e-Government Act
GPKI Structure

(Diagram; only the labels are recoverable.)
- PMA [Policy Management Authority]: sets up and executes certificate policy
- MOGAHA [Ministry of Government Administration and Home Affairs]: sets up and executes certificate policy; cross-certification with foreign PKI
- GCC [Government Computer Center] (Root CA): operates the Root CA; evaluates sub CAs
- Sub CAs (certificate issuance): The National Assembly, The Supreme Court, The Constitutional Court, The National Election Commission
- Subscribers: public officers
1.3 Need of Interoperability between NPKI & GPKI

(Diagram.) NPKI: KISA (Root CA) → ACA → citizen holding an NPKI certificate. GPKI: GCC (Root CA) → Sub CA → public officer holding a GPKI certificate. The citizen and the G4C website exchange requests and responses of public services, each carrying a signature, hence the need for interoperability between the two domains.
Activity of NPKI-GPKI Interoperability

2.1 NPKI-GPKI interoperability activity

■ Establishment of Working Group (Oct, 2001)
✦ MIC, MOGAHA, KISA, GCC and Accredited CAs
✦ GPKI is implemented using the technical specifications of NPKI
● Certificate & CRL Profile
● OID Specification
● DN Specification
● Algorithms
✦ Decided on a CTL (Certificate Trust List) based model for interoperability.
■ Development of technical specification (Mar, 2002)
✦ The CTL Technical Specification for Interoperability of Certification Authorities
■ Development and interoperability test of CTL modules (Mar, 2002)
■ Enforcement of NPKI-GPKI Interoperability (Apr, 2002)
✦ 140 public services are now provided to citizens
Certificate Trust List

■ One of the CA-CA interoperability models
✦ A CTL is used to distribute information about trusted CA certificates
■ CTL
✦ Issued by a Competent Authority
✦ Includes a list of “Trusted CAs”
✦ A signed PKCS#7 data structure
(Diagram.) The Competent Authority accredits CA A and CA B, adds them to the Trust List (List: CA A, CA B; Signer: Com-Auth) and signs it; User A and User B download or check the Trust List.

CTL ASN.1 Structure

CertificateTrustList ::= SEQUENCE {
    version           Version DEFAULT v1,
    subjectUsage      SubjectUsage,
    listIdentifier    ListIdentifier OPTIONAL,
    sequenceNumber    INTEGER,
    thisUpdate        Time,
    nextUpdate        Time,
    subjectAlgorithm  AlgorithmIdentifier,
    trustedSubjects   TrustedSubjects OPTIONAL,
    extensions        Extensions OPTIONAL }

Certificate Path Validation using CTL

(Diagram.) Certificate path in PKI Domain A: USER A ← CA A ← ROOT CA A. CTL issued by the Competent Authority (List: RootCA A; Issuer: Comp-Auth).

■ To verify the target certificate (USER A), the relying party must be able to obtain the certificate path.
■ The relying party must verify
✦ the CTL content
✦ the hash value of RootCA A’s certificate in the CTL

Discussed issues about the CTL model

■ CTL operation model
✦ Must a Competent Authority that is not the Root CA of the relying party be set up to implement CTL interoperability?
■ The CTL issuer must be trusted by the relying party
✦ Needs an Act establishing trust in the CTL issuer
■ The CTL issuer must evaluate CAs that want to be included in the CTL
✦ Needs an evaluation method and evaluation criteria
■ The CTL issuer must distribute the issued CTL and the relying party must obtain it.
✦ Directory, HTTP, FTP and out-of-band.
NPKI-GPKI Interoperability based on CTL model in Korea
4.1 CTL Operation Model

■ Does not require an additional Competent Authority

(Diagram.) NPKI: KISA (Root CA) → Accredited CA → Citizen. GPKI: GCC (Root CA) → Sub CA → Public Officer. Interoperability: KISA issues a CTL (List: GCC; Signer: KISA) and GCC issues a CTL (List: KISA; Signer: GCC).

4.2 Trustworthiness of CTL Issuer

■ CTL issuers in the NPKI-GPKI interoperability environment
✦ KISA, GCC
■ KISA and GCC have already been trusted by their subscribers
✦ KISA : Electronic Signature Act
✦ GCC : e-Government Act
✦ No additional legislation is needed for NPKI-GPKI interoperability
■ Because the Root CAs are based on the relevant Acts, subscribers of NPKI and GPKI can trust the CTLs issued by their own Root CAs

4.3 Evaluation of Root CA

■ Each Root CA (KISA, GCC) has not yet evaluated the Root CA system of the other party
✦ Almost all technical and operational specifications for implementing GPKI are based on the specifications of NPKI
■ However, KISA is going to carry out an annual inspection of the Root CA operation of GPKI
✦ According to the “Annual Inspection Specifications” developed by KISA

4.4 Distribution of issued CTL

■ Uses the same mechanism as CRL distribution

(Diagram.) KISA (Root CA) publishes its CTL (List: GCC; Signer: KISA) to the KISA Directory; GCC (Root CA) publishes its CTL (List: KISA; Signer: GCC) to the GCC Directory. Licensed CAs and citizens on the NPKI side, and Sub CAs and public officers on the GPKI side, obtain the CTL from the respective directory.

4.5 CTL Technical Specification

■ Specifies how to generate, distribute and verify the CTL
■ Generating CTL

    version            Default v1
    subjectUsage       1.2.410.200004.8.1.1.1
    listIdentifier     X
    sequenceNumber     1, 2, …
    thisUpdate         2002/10/10
    nextUpdate         2002/10/20
    subjectAlgorithm   SHA-1
    trustedSubjects    GCC certificate
    extension          X
■ Distributing CTL
✦ CTL DP (distribution point) of KISA
- LDAP://dirsys.rootca.or.kr:389/
- Entry DN : CN=KISA-CTL, OU=ROOTCA, O=KISA, C=KR

■ Verifying CTL
✦ PKCS#7 -> SignedData
● OID of SignedData
● Version of SignedData & SignerInfo
● CTL OID as contentType
● authenticatedAttributes of SignerInfo
● encryptedDigest of SignerInfo (signature verification)
✦ CTL
● Version, validity, subject usage
● trustedSubjects (whether the CTL includes the proper Root CA certificate)
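As an added example (not code from the presentation or from KISA/GCC), the following Python builds the CertificateTrustList body with the "Generating CTL" field values of 4.5 and runs the relying-party content checks described under "Certificate Path Validation using CTL" and "Verifying CTL". It assumes SubjectUsage is a SEQUENCE OF OBJECT IDENTIFIER, that each trusted subject is the SHA-1 digest of a Root CA certificate as an OCTET STRING, that dates are given as YYYY-MM-DD strings, and that the PKCS#7 SignedData signature has already been verified; the certificate bytes are constructed placeholders.

```python
import hashlib
# Constructed placeholders (not real certificates) standing in for Root CA DER blobs.
KISA_ROOT_DER = b"constructed-KISA-root-certificate-DER"
GCC_ROOT_DER = b"constructed-GCC-root-certificate-DER"
CTL_USAGE_OID = "1.2.410.200004.8.1.1.1"  # subjectUsage value from the specification table
SHA1_OID = "1.3.14.3.2.26"                # id-sha1, the subjectAlgorithm

def _tlv(tag, body):  # DER TLV with short- or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + body

def _oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _time(date):  # "YYYY-MM-DD" (assumed input form) -> UTCTime at midnight UTC
    return _tlv(0x17, (date[2:4] + date[5:7] + date[8:10] + "000000Z").encode())

def build_ctl(sequence_number, this_update, next_update, trusted_root_certs):
    """Field values as in 4.5: version at default, no listIdentifier/extensions, SHA-1 subjects."""
    return {"subjectUsage": [CTL_USAGE_OID], "sequenceNumber": sequence_number,
            "thisUpdate": this_update, "nextUpdate": next_update, "subjectAlgorithm": SHA1_OID,
            "trustedSubjects": [hashlib.sha1(c).digest() for c in trusted_root_certs]}

def ctl_to_der(ctl):
    """Encode in the field order of CertificateTrustList ::= SEQUENCE { ... }."""
    usage = _tlv(0x30, b"".join(_oid(o) for o in ctl["subjectUsage"]))
    alg = _tlv(0x30, _oid(ctl["subjectAlgorithm"]) + b"\x05\x00")  # NULL parameters
    subjects = _tlv(0x30, b"".join(_tlv(0x30, _tlv(0x04, h)) for h in ctl["trustedSubjects"]))
    return _tlv(0x30, usage + _int(ctl["sequenceNumber"]) + _time(ctl["thisUpdate"])
                + _time(ctl["nextUpdate"]) + alg + subjects)

def root_is_trusted(ctl, root_cert_der, today):
    """Relying-party checks on a signature-verified CTL: validity, usage, algorithm, cert hash."""
    in_window = ctl["thisUpdate"] <= today < ctl["nextUpdate"]
    usage_ok = CTL_USAGE_OID in ctl["subjectUsage"] and ctl["subjectAlgorithm"] == SHA1_OID
    return in_window and usage_ok and hashlib.sha1(root_cert_der).digest() in ctl["trustedSubjects"]
```

A CTL of KISA lists GCC's Root CA certificate, so a citizen's software accepts a GPKI path only when the hash of its root matches an entry, and rejects the CTL outside its thisUpdate/nextUpdate window.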
Conclusion

■ NPKI-GPKI interoperability has been implemented using the CTL model since Apr, 2002

■ Future work
✦ The structure of GPKI has not been fixed yet.
● If another Ministry wants to operate its own Root CA in the future, we may consider other models for NPKI-GPKI interoperability
✦ An efficient method for managing CPs is needed.
● If NPKI & GPKI have various CPs, we may consider a management method for the CPs used to implement NPKI & GPKI interoperability

Thank You !

For Details, Please Contact

Homepage : http://www.rootca.or.kr
Address : 78, Garak-Dong, Songpa-Gu,
Seoul, Korea 138-803
E-mail : hbs2593@kisa.or.kr

