According to the development of e-government and e-commerce, the importance
of PKI (Public Key Infrastructure) has been growing.
A small minority of PKI vendors were the main player and PKI was used in
closed domain in early PKI. There are many players around PKI and multiple
PKI domains are cross connected in these latter days (e.g. GPKI in Japan, U.S. Federal PKI).
We currently have a very complex PKI; multi-domain and multi-vendor PKI,
vague standards and various implementations.
Complex PKI is inevitable and imperative because it results from
the growth of PKI, and it requires interoperability between domains and vendors.
Interoperability tests between some implementations have often been performed
but the test scheme is ine.cient because it is generally low-speed and
The open test suites (Challenge PKI Test Suites, CPKI-TS) is our solution to speed
interoperability between multi-domain and multi-vendor PKIs.
The test suites can overcome the contradiction between vague standards and valious implementations.
Open test suite also can feedback the knowledge and solutions for standards body and vendors.
Our goal is to ensure PKI interoperability and to contribute actively to
development and spread of reliable PKI applications in future electronic society.
Below we feature the Challenge PKI projects.
Challenge PKI 2003 TSP |
The Timestamp-protocol Interoperability Test Suite can create various TSTs and TSRs regardless of the RFC3161 compliance.
Using the test suite, you can test an interoperability of a TSP client for RFC3161.
The test cases represent all the requirements that are phrased as MAY, SHALL, SHOULD, MUST, and REQUIRED in RFC3161.
The online test center for timestamp protocol is now available.
Visit Challenge PKI 2003 project homepage.
The technology needed for an interconnection between muliple PKI domains is insufficient
with only the specification of conventional protocols and data formats.
The document - Memorandum for Multi-domain PKI Interoperability - will clarifies
these definitions for multi-domain PKI interoperability.
This proposal is published as RFC 5217 at July, 2008.
RFC 5217 (Useful HTMLized version)
*NOTE: Archived Internet-Drafts are available from HTMLized version.
Challenge PKI 2002 GPKI |
Japanese Government PKI (GPKI) adopts bridge model.
Through a Bridge CA, many CAs have already been cross-certified, such as government agencies,
local governments, commercial registration and National IC Card Infrastructure (JPKI).
Overseas official CAs may be connected to GPKI in the future.
Highly specific interoperability technology is needed to develop GPKI applications
because GPKI has a specialized certificate profile which is a subset
of RFC 3280 and X.509. Furthermore, the truly test environment is critical to
create reliable implementation for complex path construction and validation.
Challenge PKI Test Suite (CPKI-TS 1.0) is a first issue based on the concept
of open test suites to overcome the contradiction between GPKI standards
and implementations. The test suite is composed of simulated GPKI repositories,
database of test cases and it's web-based interface and sample applications.
GPKI repositories are truly simulated LDAP directory of real GPKI. Certificates,
CRLs and OCSP parameters can be arranged into the repositories according
to the database which includes three categories of the test cases; NIST
conformance test, GPKI matrix test and original test. The original test includes
highly specific situations such as NameRollover and KeyUpdate.
Sun JDK 1.4 and Microsoft CryptoAPI based sample applications are available.
The above figure represents a number of failed test cases because of the contradiction
between GPKI standards and implementations.
Challenge PKI Test Suite
The brand-new version of Challenge PKI test suite, CPKI-TS 2.0 is released.
The old version is also downloadable from Challenge PKI project homepage of
GPKI Application Implementation Guideline (Rev.1) (Zipped HTML)
GPKI Testcase specification (Rev.1) (Zipped HTML)
Sample applications for certificate path construction/verification
Sun JDK1.4-based implementation:
*NOTE: No part of this library may be reverse-engineered or commercial used without the prior
written consent of Fuji Xerox Co.,Ltd.
When you have the interest about commercial use of the library, please contact us.
Microsoft CryptoAPI-based implementation:
Challenge PKI 2001 |
This project validated interoperability between nine CAs;
Entrust, SSH, NEC, RSA, Fuji XEROX, Microsoft, VeriSign, Nagoya Institute of Technology and WIDE.
Three types of PKI models, hierarchy model, bridge model and mesh model, have been constructed for the plugtest.
Implementation Problems on PKI (HTML)
in Seoul, Korea on February 29 - March 5, 2004
in Minneapolis, USA on November 9-14, 2003 *
*We have issued an announcement
about the RFC 3280 UTF8String problem, which describes about the conclusion of the 58th IETF discussion in Japanese.
in Vienna, Austria on July 13-18, 2003
in San Francisco on March 16-21, 2003
in Atlanta on November 17-22, 2002
in Yokohama,Japan on July 14-19, 2002
PKI Day 2007 in Tokyo, Japan on June 25, 2007(PDF)
PKI Day in Tokyo, Japan on October 28, 2005(PDF)
IPAX Winter 2004 in Tokyo, Japan on January 21, 2004
Internet Week 2003 in Yokohama, Japan on December 2-5, 2003
CISCO Wave 2003 in Tokyo, Japan on June 5-6, 2003
RSA Conference / NSF2003 spring in Tokyo, Japan on June 3-4, 2003
Internet Week 2002 in Yokohama, Japan on December 16-20, 2002
Challenge PKI meetings takes place in at random times at
Kogakuin University in Shinjuku, Tokyo.
Your entry is always welcome!
Your comments, advices, quiestions, bug reports for test suite or test case are always welcome!