Challenge PKI Project Japanese


  • What's new?
  • Introduction
  • Projects
  • Conferences
  • Contact
  • Partners
  • What's new?

  • Our Proposal Memorandum for Multi-domain PKI Interoperability is now published as RFC 5217. (July 2008) NEW!
  • The testcase database for Timestamp Protocol Interoperability Test Suite is downloadable. (July 2004)
  • The testcase database for CPKI-TS 2.0 is released, which supports three types of PKI models; Japanese Government PKI (GPKI), Local Government PKI (LGPKI) and National IC Card Infrastructure (JPKI). (July 2004)
  • The brand-new version of Challenge PKI test suite, CPKI-TS 2.0 is released. (July 2004)
  • The online test center for Timestamp Protocol Interoperability Test Suite is now available. (July 2004)
  • We have issued an announcement about the RFC 3280 UTF8String problem, which describes about the conclusion of the 58th IETF discussion in Japanese. (December 2003)

  • Introduction

    According to the development of e-government and e-commerce, the importance of PKI (Public Key Infrastructure) has been growing. A small minority of PKI vendors were the main player and PKI was used in closed domain in early PKI. There are many players around PKI and multiple PKI domains are cross connected in these latter days (e.g. GPKI in Japan, U.S. Federal PKI).

    Transition of PKI

    We currently have a very complex PKI; multi-domain and multi-vendor PKI, vague standards and various implementations. Complex PKI is inevitable and imperative because it results from the growth of PKI, and it requires interoperability between domains and vendors.
    Interoperability tests between some implementations have often been performed but the test scheme is ine.cient because it is generally low-speed and very expensive.

    Concept of the open test suite

    The open test suites (Challenge PKI Test Suites, CPKI-TS) is our solution to speed interoperability between multi-domain and multi-vendor PKIs. The test suites can overcome the contradiction between vague standards and valious implementations. Open test suite also can feedback the knowledge and solutions for standards body and vendors. Our goal is to ensure PKI interoperability and to contribute actively to development and spread of reliable PKI applications in future electronic society.


    Below we feature the Challenge PKI projects.

    Challenge PKI Test Suite (CPKI-TS) 2.0
    CPKI-TS 2.0 is the brand-new version of Challenge PKI test suite. The test suite can currently simulate three types of PKI models on your one Linux PC; Japanese Government PKI (GPKI), Local Government PKI (LGPKI) and National IC Card Infrastructure (JPKI).

    CPKI-TS 2.0 Overview

    CPKI-TS 2.0 Overview

  • Multi Domain PKI testing environment using only ONE Linux PC.
  • Open Source Software distributed as BSD lincence.
  • Multi CA certificate issuance
  • Multi LDAP repository
  • Test case database for certificate path processing and timestamp testing
  • Easy accessible web browser based interface
  • Flexible certificate and CRL issuance (e.g. any extensions, distinguish name which contains special characters such like European, Chinese, Japanese or Korean languages)
  • Cooperative test case design environment.
  • Easy to re-build test environment.
  • Cross certification with CA products.
  • OCSP Responder and Japanese GPKI CVS(Certificate Validation Server) Simulator
  • Timestamp request and response generator.

    Test Suite

  • Online Documents for Challenge PKI Test Suite 2.0
  • cpkits-2.0.2-21.i386.rpm (md5sum:8be64a260c52d780617a4212b737e6b3, 2.10MB)
  • cpkits-2.0.2-21.src.rpm (md5sum:d42d1cbd20566f565c6c7ac05101efb2, 587KB)
  • cpkits-2.0.2-21.tar.gz (md5sum:bce3a0c4d600c67596d61b5294d3f33c, 585KB)

    Japanese GPKI Testcases

  • Online Documents for Japanese GPKI Test Cases
  • cpki_testcase_jgpki2_20040709.tar.gz (md5sum:642c00fd3f2d0d6de5672ce78f672130, 849KB)

    Timestamp Testcases

  • Online Documents for Timestamp Test Cases
  • cpki_testcase_tsp2_20040723.tar.gz (md5sum:6d93a7511b32b05e77cba5d242389e3a, 78KB)
  • Please visit our project homepage for timestamp interoperability.

    *NOTE: Please install Adobe SVG Viewer to see some figures.

  • Challenge PKI 2003 TSP
    The Timestamp-protocol Interoperability Test Suite can create various TSTs and TSRs regardless of the RFC3161 compliance. Using the test suite, you can test an interoperability of a TSP client for RFC3161. The test cases represent all the requirements that are phrased as MAY, SHALL, SHOULD, MUST, and REQUIRED in RFC3161.

    TSP Test Suite Overview

    The online test center for timestamp protocol is now available. Visit Challenge PKI 2003 project homepage.
    The technology needed for an interconnection between muliple PKI domains is insufficient with only the specification of conventional protocols and data formats. The document - Memorandum for Multi-domain PKI Interoperability - will clarifies these definitions for multi-domain PKI interoperability.

    This proposal is published as RFC 5217 at July, 2008.

  • RFC 5217 (Useful HTMLized version)
    *NOTE: Archived Internet-Drafts are available from HTMLized version.
  • Challenge PKI 2002 GPKI
    Japanese Government PKI (GPKI) adopts bridge model. Through a Bridge CA, many CAs have already been cross-certified, such as government agencies, local governments, commercial registration and National IC Card Infrastructure (JPKI). Overseas official CAs may be connected to GPKI in the future.

    GPKI Overview

    Highly specific interoperability technology is needed to develop GPKI applications because GPKI has a specialized certificate profile which is a subset of RFC 3280 and X.509. Furthermore, the truly test environment is critical to create reliable implementation for complex path construction and validation. Challenge PKI Test Suite (CPKI-TS 1.0) is a first issue based on the concept of open test suites to overcome the contradiction between GPKI standards and implementations. The test suite is composed of simulated GPKI repositories, database of test cases and it's web-based interface and sample applications.

    GPKI Test Suite Overview

    GPKI repositories are truly simulated LDAP directory of real GPKI. Certificates, CRLs and OCSP parameters can be arranged into the repositories according to the database which includes three categories of the test cases; NIST conformance test, GPKI matrix test and original test. The original test includes highly specific situations such as NameRollover and KeyUpdate.

    Number of failed test cases versus each implementations

    Sun JDK 1.4 and Microsoft CryptoAPI based sample applications are available. The above figure represents a number of failed test cases because of the contradiction between GPKI standards and implementations.

    Challenge PKI Test Suite

  • The brand-new version of Challenge PKI test suite, CPKI-TS 2.0 is released.
    The old version is also downloadable from Challenge PKI project homepage of IPA.


  • GPKI Application Implementation Guideline (Rev.1) (Zipped HTML)
  • GPKI Testcase specification (Rev.1) (Zipped HTML)

    Sample applications for certificate path construction/verification

  • Sun JDK1.4-based implementation: Source, Binary, Library
    *NOTE: No part of this library may be reverse-engineered or commercial used without the prior written consent of Fuji Xerox Co.,Ltd. When you have the interest about commercial use of the library, please contact us.
  • Microsoft CryptoAPI-based implementation: Source, Binary
  • Challenge PKI 2001
    This project validated interoperability between nine CAs; Entrust, SSH, NEC, RSA, Fuji XEROX, Microsoft, VeriSign, Nagoya Institute of Technology and WIDE. Three types of PKI models, hierarchy model, bridge model and mesh model, have been constructed for the plugtest.

    ChallengePKI 2001 Interoperability Test: Overview

    Technical Report

  • Implementation Problems on PKI (HTML)
  • Related conferences

    International workshops

  • 59th IETF in Seoul, Korea on February 29 - March 5, 2004
  • 58th IETF in Minneapolis, USA on November 9-14, 2003 *
    *We have issued an announcement about the RFC 3280 UTF8String problem, which describes about the conclusion of the 58th IETF discussion in Japanese.
  • 57th IETF in Vienna, Austria on July 13-18, 2003 (slide)
  • 56th IETF in San Francisco on March 16-21, 2003 (slide)
  • 55th IETF in Atlanta on November 17-22, 2002 (slide)
  • 54th IETF in Yokohama,Japan on July 14-19, 2002 (slide1, slide2)

    Domestic seminars

  • PKI Day 2007 in Tokyo, Japan on June 25, 2007(PDF)
  • PKI Day in Tokyo, Japan on October 28, 2005(PDF)
  • IPAX Winter 2004 in Tokyo, Japan on January 21, 2004
  • Internet Week 2003 in Yokohama, Japan on December 2-5, 2003
  • CISCO Wave 2003 in Tokyo, Japan on June 5-6, 2003
  • RSA Conference / NSF2003 spring in Tokyo, Japan on June 3-4, 2003
  • Internet Week 2002 in Yokohama, Japan on December 16-20, 2002

    Challenge PKI meetings takes place in at random times at Kogakuin University in Shinjuku, Tokyo. Your entry is always welcome!

  • Contact

    Your comments, advices, quiestions, bug reports for test suite or test case are always welcome!


    Copyright © 2002-2004, NPO Japan Network Security Association (JNSA)