3Rd Annual PKI R & D Workshop Proceedings
Total Page:16
File Type:pdf, Size:1020Kb
3rd Annual PKI R& D Workshop Proceedings Krishna I. Sankaf William T. Polk* b Nelson E. Hastings 'Cisco Systems U S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology Information Technology Laboratory Gaithersburg, MD 20899*8230 QC Nisr IOO National Institute off Standards and Technology Technology Administration U.S. Department of Commerce * HX7- SLOO^f NISTIR 7122 3d Annual PKI R & D Workshop Proceedings Krishna I. Sankaf * William T. Polk b Nelson E. Hastings 'Cisco Systems U. S. DEPARTMENT OF COMMERCE Technology Administration National Institute of Standards and Technology Information Technology Laboratory Gaithersburg, MD 20899-8230 September 2004 U.S. DEPARTMENT OF COMMERCE Donald L Evans, Secretary TECHNOLOGY ADMINISTRATION Phillip J. Bond, Under Secretary for Technology NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Arden L. Bement, Jr., Director Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. 3rd Annual PKI R&D Workshop—Proceedings Foreward NIST hosted the third annual Public Key infrastructure (PKI) Research and Development Workshop on April 12-14, 2004. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technologies. These proceedings includes the 10 refereed papers, and captures the essence of the six panels and interaction at the workshop. The first two workshops concentrated on PKI theory, architectures, human factors, and deployment. Building on this prelude, the third workshop focused on applying PKI technology to the problem of authorization, current real world interoperability issues and solutions, and retrospective views of PKI technology - taking stock of the progress and failures in PKI’s evolution. Stefan Brands’ keynote presentation, which focused on the limitations of traditional authentication primitives in cross-domain environments, opened the workshop. The rest of day one explored PKI and authorization, including several techniques for delegating and sharing authorizations, a decentralized technique for X.509 based authorization for wireless networks, and a role sharing technique leveraging passwords and PKI. Day two of the workshop featured Peter Gutmann’s keynote presentation describing six “Grand Challenges” facing PKI technology, and proposing various solutions. The papers and panels which followed spanned a wide range of topics including PKI interoperability problems and solutions faced by real world PKI projects, trusted archiving, document signatures, and a retrospective look at the history of PKI. Ken Klingenstein’s keynote presentation on the necessity to interconnect a variety of security technologies beyond PKI to achieve our security goals kicked off the final day of the workshop. Day three topics included approaches and workarounds to path discovery, PKI deployment issues encountered by Johnson & Johnson, and results of the OASIS PKI survey. The workshop concluded with a panel discussion on the potential impact of the OASIS report. The workshop also included a work-in-progress session and a birds-of-a-feather session during the evenings at the workshop hotel. Attendees included presenters from the United Kingdom, Canada, New Zealand, and Japan. Due to the success of this event, a fourth workshop is planned for 2005. William T. Polk and Nelson E. Hastings National Institute of Standards and Technology Gaithersburg, MD USA iii rd 3 Annual PKI R&D Workshop - Proceedings This page has been left intentionally blank. iv 1 rd 3 Annual PKI R&D Workshop - Proceedings 2004 PKI R&D Workshop Gaithersburg, Maryland USA April 12-14, 2004 http://middleware.intemet2.edu/pki04/ (Pre-proceedings were distributed at the workshop) SUMMARIES Provided by Ben Chinowsky, Internet Workshop Summary 1 NIH-EDUCAUSE PKI Interoperability Project: Phase Three Document Signatures Johnson & Johnson’s Use of Public Key Technology How to Build a PKI that Works Controlled and Dynamic Delegation of Rights Approaches to Certificate Path Discovery Non-lntrusive Cross-Domain Identity Management Which PKI Approach for Which Application Domain A New and Improved Unified Field Theory of Trust The PKI Action Plan: Will it make a Difference? Works in Progress Session 1 REFERRED PAPERS Role Sharing in Password-Enabled PKI 13 Xunhua Wang James Madison University Samuel Redwine James Madison University Greenpass: Decentralized, PKI-based Authorization for Wireless LANs 26 Nicholas C. Goffee Dartmouth College Sung Hoon Kim Dartmouth College Sean Smith Dartmouth College Punch Taylor Dartmouth College Meiyuan Zhao Dartmouth College John Marchesini Dartmouth College v . rd 3 Annual PKI R&D Workshop - Proceedings X.509 Proxy Certificates for Dynamic Delegation 42 Von Welch NCSA, University of Illinois Ian Foster Argonne National Lab/University of Chicago Carl Kesselman University of Southern California Oile Mulmo Royal Institute of Technology, Sweden Laura Pearlman University of Southern California Steve Tuecke Argonne National Laboratory Jarek Gawor Argonne National Laboratory Sam Meder University of Chicago Frank Siebenlist Argonne National Laboratory Experiences of establishing trust in a distributed system operated by mutually distrusting parties 59 Scott Crawford Enterprise Management Associates David Chadwick University of Salford Trusted Archiving 71 Santosh Chokhani Orion Security Solutions Carl Wallace Orion Security Solutions PKI: Ten Years Later 80 Carlisle Adams University of Ottawa Mike Just Treasury Board of Canada An Examination of Asserted PKI Issues and Proposed Alternatives 96 John Linn RSA Laboratories Marc Branchaud RSA Security Inc Private Revocation Test using Oblivious Membership Evaluation Protocol 110 Hiroaki Kikuchi Tokai University “Dynamic Bridge” Concept Paper 119 Ken Stillson Mitretek Systems Identifying and Overcoming Obstacles to PKI Deployment and Usage 131 Stephen R. Hanna Sun Microsystems, Inc. Jean Pawluk Inovant vi rd 3 Annual PKI R&D Workshop - Proceedings Organizers General Chair: Ken Klingenstein, University of Colorado Program Chair: Krishna Sankar, Cisco Systems Steering Committee Chair: Neal McBurnett, Internet Local Arrangements Chair: Nelson Hastings, NIST Scribe: Ben Chinowsky, Internet2 Program Committee Peter Alterman, NIH Bill Burr, NIST Yassir Elley, Sun Microsystems Carl Ellison, Microsoft Stephen Farrell, Trinity College Dublin Richard Guida, Johnson & Johnson Peter Honeyman, University of Michigan Russ Housley, Vigil Security LLC Ken Klingenstein, University of Colorado Olga Kornievskaia, University of Michigan Neal McBurnett, Internet2 Clifford Neuman, USC Eric Norman, University of Wisconsin Tim Polk, NIST Ravi Sandhu, George Mason University; NSD Security Krishna Sankar (Chair), Cisco Systems Jeff Schiller, MIT Frank Siebenlist, Argonne National Laboratory Sean Smith, Dartmouth College Michael Wiener, Cryptographic Clarity Archival Sites PKI 2003: http://middleware.intemet2.edu/pki03 PKI 2002: http://www.cs.dartmouth.edu/~pki02 rd 3 Annual PKI R&D Workshop - Proceedings This page has been left intentionally blank. VIII 3rd Annual PKI R&D Workshop—Proceedings 3rd Annual PKI R&D Workshop Summary Ben Chinowsky, Intemet2 The workshop announcement listed the goals of this gathering as: 1 . Explore the current state of public key technology in different domains including web services, grid technologies, authentication systems et. al. in academia & research, government and industry. 2. Share & discuss lessons learned and scenarios from vendors and practitioners on current deployments. 3. Provide a forum for leading security researchers to explore the issues relevant to the PKI space in areas of security management, identity, trust, policy, authentication and authorization. This summary groups workshop sessions according to which of these goals was their primary concern, although many sessions addressed more than one. Surveying Deployments Dr. Susan Zevin, Acting Director of the Information Technology Laboratory at NIST, opened the meeting by noting some Federal PKI highlights. The Federal Bridge Certification Authority now connects six Federal agencies. The Department of Defense now requires contractors to obtain PKI credentials for email and authentication to DoD web sites. Several countries and international associations, including Canada, Australia, and NATO, are negotiating to connect to the Federal PKI. NIST is a global leader in smartcards and biometrics and their integration with PKI. A panel discussion with Peter Alterman, Deb Blanchard, Russ Weiser, and Scott Rea discussed the NIH-EDUCAUSE PKI Interoperability Project: Phase Three. This project has been largely driven by the Government Paperwork Elimination Act; in order for virtual paperwork not to become just as much of a hassle as the physical paperwork it replaces, reducing the number of certificates each person needs (“reusability”) is essential. While this is still at the technology-demonstration stage — a production implementation has additional, expensive, datacenter requirements — various agencies including GSA and HHS are adopting elements for production use. This uptake in