Challenge PKI : Japanese GPKI Test Cases (Rev.2)

• 1. Introduction
• 2. Test Cases
  • 2.1 Test Case Matrix
• 3. Extract Archive
• 4. Setup Testcase Manager and Database
  • 4.1 Restore testcase database
  • 4.2 CGI settings
• 5. Setup without virtual hosts
  • 5.1. LDAP server settings
  • 5.2. OCSP responder simulator settings
  • 5.3. HTTP repository
  • 5.4. Host table setting
• 6. Setup with virtual hosts
  • 6.1 LDAP server settings
  • 6.2 OCSP responder simulator settings
  • 6.3. HTTP repository
  • 6.4 Host table settings
• 7. Testing
  • 7.1 Initial values for testing
• 8. Changes
• 9. Things To Do
• 10. Related Links

1. Introduction

Japanese Government

Bridge CA (GPKI BCA)
16 government ministries and agencies cross certified with GPKI BCA

Accredited Commercial Certificate Authorities.

14 accredited commercial certificate authority services cross certified with BCA

Local Government

Root CA (named LGPKI BCA) cross certified with GPKI BCA
Sub CAs for 47 perfectures.

Citizen Card issued by Local Government

Bridge CA (named JPKI BCA) cross certified with GPKI BCA
CAs cross certified with JPKI BCA for 47 perfectures.

We 'Challenge PKI Project' have designed testcases to test the interoperability of certificate path validation clients in such environment.

2. Test Cases

1. 216 test cases (9 TAs x 24 EEs)
2. 2 BCAs (i.e. GPKI BCA, JPKI BCA)
3. 2 Strict Hierarchy Trust Model Sub Domains (i.e. METI, LGPKI)
4. 1 OCSP Revocation Model Sub Domain (i.e. Commercial Registration(CR))
5. The 'cRLDistributionPoints' extension contains directoryName, LDAP URI or HTTP URI as fullName.

2.1. Special features of certification authorities

Ministry of Land Infrastructure and Transport

• Normal Model
• Full CARL/Full EPRL revocation model

Ministry of Public Management, Home Affairs, Posts and Telecoms

• CA issuer name differs to cRLDP.
• Full CARL/Full EPRL revocation model

Ministry of Economy, Trade and Industry

• Sub CA

Tokyo Legal Affairs Bureau, Ministry of Justice

• This CA is for business registration.
• using OCSP responder server in order to get the status of certificates issued to end entities and for cross certifications.
• No CRL issuance.

Japan Certification Services Accredited Sign 2 Service

• cRLDP is represented by fullName LDAP URI only.
• The attribute value type exists but ';binary' option does not appear in the URI. (i.e. end with '?certificateRevocationList'

SECOM Trust.net

• cRLDP is represented by fullName HTTP URI and directoryName.
• distribute Partitioned CRL by directoryName
• distribute full CRL with HTTP URI

Local Government PKI

• Strict Hierarchy Model
• Root CA named LGPKI Bridge CA

JPKI Citizen Card

• Bridge Model
• PartitionedEPRL/PartitionedCARL Model
• EE certificate has special subjectAltName extension contains name, address, gender and dateOfBirth of subscriber.
• Some validation client may not verify correctly when it has no checking function of matching between 'cRLDistributionPoints' and 'issuingDistributionPoint'.

8. Changes from the version released in 2002.

• Release in Jun 2004
  1. Now 216 test cases. (Old version has 81 test cases.)
  2. Easy setup (comparing with old version :-)
  3. In old one, certificates and CRLs for only one path exist on the LDAP repository. But now all data for all test cases are on the repository at the same time like NIST PKITS test cases.
  4. BUG FIX:wrong authorityKeyIdentifier.authorityCertSerialNumber
  5. BUG FIX:remove nameConstraints for SECOM and JCSI.
  6. BUG FIX:OCSP status of the certificate from CR to BCA had been set to 'revoked'.
  7. NEW FEATURE: Local Government Test Cases(UTF8) are added.
  8. NEW FEATURE: Local Government Test Cases(PrintableString - deprecated testcase) are added.
  9. NEW FEATURE: JPKI Citizen Card Test Cases are added.
  10. MODIFY: Test case IDs are almost changed.

9. Thins To Do

• All testcase have not filled yet. However,
  • Initial values and the expected value for the testcase are described here.
  • Trust anchor and subscriber certificates are provided in this testcase set archive.
• Old version has testcases for certificate validation server(CVS). However not available now.

10. Related Links

• NPO-JNSA Challenge PKI Project Official Site
• Information-technology Promotion Agency, Japan(IPA), The Information-technology SEcurity Center(ISEC)
• Japanese Government Public Key Infrastructure

JNSA/IPA Challenge PKI Test Suite