Component, Enterprise, Or Application? Choices In Interoperability Testing
Tim Polk, NIST PKI Program Manager
wpolk@nist.gov
March 2000
12/17/2021

PKI Interoperability
- Three different aspects to PKI interoperability
  - Component interoperability
  - Enterprise interoperability
  - Application interoperability

PKI Component Interoperability
- Ability to mix and match COTS PKI products
- Depends upon specification-based messages exchanged between components to support:
  - Certificate requests
  - Certificate renewal
  - Certificate revocation
[Diagram: CA, RA, Repository, Client]

Factors For Component Interoperability
- Algorithm suite
- Certificate management protocols
  - Certificate issuance
  - Certificate revocation
- Transport mechanisms

Enterprise Interoperability
- The ability to connect two enterprise PKIs into a larger functional PKI
  - More than just cross-certification
  - Clients must be able to find and validate meaningful certification paths
[Diagram: Enterprise A PKI (CA, Repository A, RA, Client); Enterprise B PKI (CA, Repository B, RA, Client)]

Factors for Enterprise Interoperability
- Algorithm suite
- Certificate format and extension set
- Certificate policies
- Certificate status information formats
- Path building and validation across PKIs
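
An added illustration, not part of the original slides, of the point that enterprise interoperability is more than cross-certification: a client must find a certification path from its own trust anchor to the other enterprise's user, and every certificate on that path must use an algorithm the client implements. The names CA-A, CA-B, alice, bob and the `build_path` helper are hypothetical, and certificates are modelled as plain tuples; real path validation also checks signatures, validity periods, policies and status information.

```python
from collections import deque, namedtuple

# Constructed model: a certificate reduced to issuer, subject and the
# algorithm the issuer signed it with (no real crypto is performed).
Cert = namedtuple("Cert", "issuer subject sig_alg")

# Hypothetical enterprises: CA-A signs with RSA, CA-B signs with DSA.
END_ENTITY_CERTS = [Cert("CA-A", "alice", "RSA"), Cert("CA-B", "bob", "DSA")]
CROSS_CERTS = [Cert("CA-A", "CA-B", "RSA"), Cert("CA-B", "CA-A", "DSA")]


def build_path(certs, trust_anchor, target, supported_algs, max_len=8):
    """Breadth-first search for a chain trust_anchor -> ... -> target.

    Only certificates whose signature algorithm the client implements are
    followed. Returns the chain as a list of Cert, or None if no usable
    path exists.
    """
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert.issuer, []).append(cert)

    queue = deque([(trust_anchor, [])])
    visited = {trust_anchor}          # cross-certificate pairs form cycles
    while queue:
        name, path = queue.popleft()
        if len(path) >= max_len:
            continue
        for cert in by_issuer.get(name, []):
            if cert.sig_alg not in supported_algs:
                continue              # client cannot verify this signature
            if cert.subject == target:
                return path + [cert]
            if cert.subject not in visited:
                visited.add(cert.subject)
                queue.append((cert.subject, path + [cert]))
    return None


if __name__ == "__main__":
    everything = END_ENTITY_CERTS + CROSS_CERTS
    # Alice's client trusts only CA-A and wants to validate Bob's certificate.
    print(build_path(END_ENTITY_CERTS, "CA-A", "bob", {"RSA", "DSA"}))  # no cross-certs
    print(build_path(everything, "CA-A", "bob", {"RSA", "DSA"}))
    print(build_path(everything, "CA-A", "bob", {"RSA"}))  # RSA-only client
```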

Application Interoperability
- The ability of PKI-aware applications to:
  - Share PKI certificates, key pairs, and processing modules
  - Rely on different PKI environments to implement security services
[Diagram: Enterprise A PKI (CA, Repository A, RA, Client); Enterprise B PKI (CA, Repository B, RA)]

Factors for Application Interoperability
- Ability to share cryptographic modules OR export/import cryptographic materials
  - Cryptographic application programming interfaces (APIs)
- Access to path validation and path building utilities
- Consistency of processing
- Feature sets

Does Anyone Care?
- Yes, to different degrees
  - Application interoperability is the real goal
    - In fact, it's an expectation, especially for electronic mail
  - Enterprise interoperability is the prerequisite for application interoperability
  - Component interoperability will reduce cost and increase choices - some day

What NIST Is Doing: Promote Interoperability
- Certificate Formats and Profiles
- Certificate Management Protocols
  - MISPC V2 (soon!) and interoperability workshops
- Encouraging multi-algorithm solutions through expanded FIPS, MISPC
- Pursuing Bridge CA Concept
- Profiles for PKI-Enabled Application
- Interoperability Testing

NIST And Interoperability Testing
- CMP interoperability workshops
- Bridge CA demonstration and testing (ongoing)
- Path Validation Test Suite (end of FY 00)
- S/MIME v3 interoperability testing (FY 01)

S/MIME Interoperability Testing
- Remote testing against the Van Dyke reference implementation
- May use NIST-issued certificates to eliminate enterprise interoperability issues
  OR
  May use locally issued certificates if your PKI is cross-certified with the Federal Bridge CA
- May be followed by tests for additional applications

For More Information
- Tim Polk
  - (301) 975-3348
  - wpolk@nist.gov