
UTF8String Deployment Status and Migration Plan
Akira KANAOKA <a-kanaoka@secom.co.jp>
Challenge PKI Project
Japan Network Security Association
Sponsored by IT Promotion Agency, Japan
6-11 March 2005 UTF8String Deployment Statement and Migration Plan

Agenda
• Problem statement
• Project: Survey of UTF8String Problem in PKI Certificates
• UTF8String Deployment Status in Asia
• Ongoing Works
  – Migration plan for UTF8String
  – Test case design for UTF8String implementation

Problem statement
• Deadline for migration in RFC 3280
  – 31st Dec. 2003
  – Canceled in 3280bis
• Lack of description to migrate in 3280
  – Detailed string matching
  – Migration Plan
  – Certificate and CRL/ARL issuance during migration
• Gap between CA and client implementation

Survey of UTF8String Problem in PKI Certificates
• Explanation of the problem
• Proposal for UTF8String migration
• Survey
  – Product implementation
  – UTF8String deployment status in Asia
  – IETF activity around UTF8String
  – Test case design for UTF8String implementation
• Migration Plan for UTF8String

UTF8String Deployment Status in Asia
• Examined whether they use UTF8String for directoryName in certificates
• Examined whether they use local characters in UTF8String
  – Local character: e.g. CJK (Chinese, Japanese, Korean)
• Asked by the prepared questionnaire
• Asked to "the Asia PKI Forum (APKI-F)" members
  – 9 Countries and Regions

Replies to the Questionnaire
• Sent to 9 countries and regions
• Replies from 3 countries and regions (11 CAs)
[Table: Countries and Regions, CA Type]

Encoding Used in Each Field
* U: UTF8String (except country. : local character used), P: PrintableString, I: IA5String, B: BMPString, -: not used
* CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint
[Table columns: CA 1 to CA 11. The column alignment did not survive; each row lists its values in their surviving order.]
issuer: U P U U U U P
subject: U U U U U P
issuerAltName: - - - - U U
subjectAltName: I U - I I U - U U
subjectDirectoryAttribute: - - - P U U, P P - -
nameConstraints: - - U - - - - U, I I I I U U U I
authorityInfoAccess: - - I I I - -
other standard extensions: - - - - U I, B
other private extensions: - - -
issuingDistributionPoint: U, I I - - - U P - -
CertificateIssuer: - - -
other CRL extensions: - - -
cRLDistributionPoints:
CCS (values reported): JIS X 0208, CNS 11643, Unknown

Encoding Used in Each Field (cont.)
* U: UTF8String (except country. : local character used), P: PrintableString, I: IA5String, B: BMPString, -: not used
* CRLDP/iDP: use directoryName with U or P and URI with I to describe distributionPoint
[Table columns: CA 1 to CA 11. The column alignment did not survive; each row lists its values in their surviving order.]
issuer: U P U U U U P
subject: U U U U U P
issuerAltName: - - - - U U
subjectAltName: I U - I I U - U U
• Most CAs already use UTF8String.
• Most CAs use local character.

Compliance with RFC 3280 and its Migration Plan

Additional Survey
• UTF8String use in MS Windows Root Certificate Store
  – OS: Windows XP (Japanese)
  – as of January 2005
    Date of Issue           #
    After 31st Dec. 2003    0
    2001                    1
    1999                    55
    1998                    29
    1997                    4
    1996                    16
    1995                    1
    1994                    1
• No certificate uses UTF8String.
  – 107 certificates in the certificate store
  – No certificate issued after 31st Dec. 2003

Conclusion: UTF8String Deployment Status in Asia
• Contrast between Government CAs and Commercial CAs
• Most Government CAs use UTF8String (by Questionnaire)
• No Commercial CA uses UTF8String (by MS Windows Certificate Stores)
  – Asian Government CAs hope to use local character.
    • Most governments use local character for register information.

Conclusion (cont.): UTF8String Deployment Status in Asia
• Few CAs have a Migration Plan to UTF8String
  – Most Government CAs use UTF8String from the beginning.
  – There is only one case having a migration plan.
    • Deadline of the case: November, 2005
• Best Practice for using/migration to UTF8String is needed.
  – We don't have any guideline.

Ongoing Project
• Migration Plan
  – CA certificate
    • Re-issue or re-build
  – CRL encoding after migration of CA certs
    • 'Keeping legacy encoding' or 'Using UTF8String'
  – Need to publish this as informational RFC?
• Test Case Designing
  – Typical case of:
    • path building ('different encoding' and 'comparison rules')
    • Revocation checking
  – Providing the Test data of:
    • Sample Certificate and CRL
  – Available by the end of this month on our web site
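
The path-building case listed above ('different encoding' and 'comparison rules'), as an added example that is not part of the original slides or of the JNSA test data: the same directoryName encoded before and after migration differs at the byte level, so a binary issuer/subject comparison breaks the chain while a comparison on decoded values does not. The sample names, helper names and the folding in `names_match` are assumptions; the folding is a simplified stand-in, not the stringprep profile of RFC 3454.

```python
import unicodedata

# ASN.1 universal tags for the string types in the survey legend (U, P, I, B).
TYPES = {0x0C: ("UTF8String", "utf-8"), 0x13: ("PrintableString", "ascii"),
         0x16: ("IA5String", "ascii"), 0x1E: ("BMPString", "utf-16-be")}
OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")  # 2.5.4.10, 2.5.4.3

def tlv(tag, body):
    assert len(body) < 0x80  # the constructed samples only need short-form lengths
    return bytes([tag, len(body)]) + body

def items(buf):
    """Yield (tag, value) for each DER TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            k = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def build_name(attrs):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode(TYPES[tag][1]))))
        for oid, tag, text in attrs))

def parse_name(der):
    """Return [(oid, string_tag, text)] for every attribute of a DER Name."""
    (_, rdns), = items(der)
    return [(oid, stag, raw.decode(TYPES[stag][1]))
            for _, rdn in items(rdns) for _, atv in items(rdn)
            for (_, oid), (stag, raw) in [tuple(items(atv))]]

def encodings(der):
    return [TYPES[stag][0] for _, stag, _ in parse_name(der)]  # survey view per field

def names_match(a, b):
    """Match on decoded values; the folding is a simplified stand-in, not stringprep."""
    fold = lambda t: " ".join(unicodedata.normalize("NFKC", t).casefold().split())
    return ([(o, fold(t)) for o, _, t in parse_name(a)]
            == [(o, fold(t)) for o, _, t in parse_name(b)])

# Constructed samples: one CA name before and after migration, and a CJK name.
LEGACY, MIGRATED = (build_name([(OID_O, t, "Example Org"), (OID_CN, t, "Example CA")])
                    for t in (0x13, 0x0C))
LOCAL_BMP, LOCAL_UTF8 = (build_name([(OID_CN, t, "\u65e5\u672c\u8a8d\u8a3c\u5c40")])
                         for t in (0x1E, 0x0C))
```

`LEGACY == MIGRATED` is false although both names decode to the same attributes, which is the failure a client that compares issuer and subject byte for byte sees when only one side of the chain has been re-issued.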

Reference
• JNSA Challenge PKI Project
  – http://www.jnsa.org/mpki/
• RFC 3454 - Preparation of Internationalized Strings ("stringprep")
  – http://www.ietf.org/rfc3454.txt
• 3280bis
  – http://csrc.nist.gov/pki/documents/PKIX/draft-ietf-pkix-rfc3280bis-00.txt

Appendix: Questionnaire outline
• Certificate and CRL/ARL
  – Kind of local character (e.g. CJK)
  – Kind of encoding for directoryName
  – Kind of CCS
  – Difference between CA self-signed certificate and EE certificate
• Migration Plan to UTF8String
  – Plan existence
  – Migration deadline, reason
  – Migration reference existence