Challenge PKI : Japanese GPKI Test Cases (Rev.2)
Revised on Jul 3, 2004
1. Introduction
In Japan, the infrastructure for electronic filings with
GPKI (Government Public Key Infrastructure) has been fully
operational since 2002.
It satisfies the trust requirements for government-to-citizen and
government-to-business transactions.
GPKI consists of the following organizations,
which are currently connected to the bridge CA.
- Japanese Government
  - Bridge CA (GPKI BCA)
  - 16 government ministries and agencies cross certified with GPKI BCA
- Accredited Commercial Certificate Authorities
  - 14 accredited commercial certificate authority services cross certified with GPKI BCA
- Local Government
  - Root CA (named LGPKI BCA) cross certified with GPKI BCA
  - Sub CAs for 47 prefectures
- Citizen Card issued by Local Government
  - Bridge CA (named JPKI BCA) cross certified with GPKI BCA
  - CAs cross certified with JPKI BCA for 47 prefectures
(Above data as of Jun 10, 2004)
We, the 'Challenge PKI Project',
have designed test cases to test the interoperability of
certificate path validation clients in such an environment.
2. Test Cases
The test cases provided here examine
certification path building and validation among
ten selected organizations.
The special features of this test case set are listed below.
- 216 test cases (9 TAs x 24 EEs)
- 2 BCAs (i.e. GPKI BCA, JPKI BCA)
- 2 Strict Hierarchy Trust Model Sub Domains (i.e. METI, LGPKI)
- 1 OCSP Revocation Model Sub Domain (i.e. Commercial Registration(CR))
- The 'cRLDistributionPoints' extension contains directoryName,
LDAP URI or HTTP URI as fullName.
2.1. Special features of certification authorities
- Ministry of Land, Infrastructure and Transport
  - Normal Model
  - Full CARL/Full EPRL revocation model
- Ministry of Public Management, Home Affairs, Posts and Telecoms
  - CA issuer name differs from cRLDP.
  - Full CARL/Full EPRL revocation model
- Ministry of Economy, Trade and Industry
- Tokyo Legal Affairs Bureau, Ministry of Justice
  - This CA is for business registration.
  - Uses an OCSP responder server to obtain the status of
    certificates issued to end entities and for
    cross certifications.
  - No CRL issuance.
- Japan Certification Services Accredited Sign 2 Service
  - cRLDP is represented by fullName LDAP URI only.
  - The attribute value type exists but the ';binary' option does not appear in the URI (i.e., it ends with '?certificateRevocationList').
- SECOM Trust.net
  - cRLDP is represented by fullName HTTP URI and directoryName.
  - Distributes partitioned CRL by directoryName
  - Distributes full CRL with HTTP URI
- Local Government PKI
  - Strict Hierarchy Model
  - Root CA named LGPKI Bridge CA
- JPKI Citizen Card
  - Bridge Model
  - Partitioned EPRL/Partitioned CARL Model
  - EE certificate has a special subjectAltName extension containing
    name, address, gender and dateOfBirth of the subscriber.
  - Some validation clients may not verify correctly when
    they have no function for checking the match between 'cRLDistributionPoints' and
    'issuingDistributionPoint'.
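The two client-side checks that the CA features above exercise, the parsing of an LDAP cRLDistributionPoints URI with or without the ';binary' option (JCSI) and the scope match between a certificate's cRLDistributionPoints and a partitioned CRL's issuingDistributionPoint (JPKI, SECOM), are shown in the following added example. It is an illustration written for this page, not code from the Challenge PKI Project or its test suite; the DNs, host names and URIs are constructed placeholders, and the comparison follows RFC 3280 section 6.3.3 (b)(2) on a simplified in-memory model rather than on decoded ASN.1.

```python
"""Toy model of the cRLDistributionPoints (CRLDP) / issuingDistributionPoint (IDP)
scope check from RFC 3280 section 6.3.3 (b)(2), plus RFC 2255 LDAP URL parsing
for CRL distribution point URIs. Added illustration; all names are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote, urlparse


@dataclass(frozen=True)
class GeneralName:
    kind: str    # 'directoryName' or 'uniformResourceIdentifier'
    value: str   # DN string (RFC 2253 style) or URI


@dataclass(frozen=True)
class DistributionPoint:
    full_name: Tuple[GeneralName, ...]        # fullName choice only, as in the test set


@dataclass(frozen=True)
class IssuingDistributionPoint:
    full_name: Tuple[GeneralName, ...] = ()   # distributionPoint field; () = absent
    only_contains_user_certs: bool = False    # EPRL partition
    only_contains_ca_certs: bool = False      # CARL partition


@dataclass(frozen=True)
class Certificate:
    issuer: str
    is_ca: bool
    crldp: Tuple[DistributionPoint, ...] = ()  # () = no CRLDP extension


def parse_ldap_crl_url(uri: str):
    """Split an RFC 2255 LDAP URL (ldap://host[:port]/dn[?attrs[?scope[?filter]]])
    into (dn, attribute type, has_binary_option). Attribute options follow ';',
    so 'certificateRevocationList;binary' and 'certificateRevocationList' both parse."""
    parts = urlparse(uri)
    if parts.scheme.lower() != "ldap":
        raise ValueError(f"not an LDAP URL: {uri}")
    dn = unquote(parts.path.lstrip("/"))
    attrs = parts.query.split("?")[0] if parts.query else ""
    descr = attrs.split(",")[0] if attrs else ""   # first attribute description
    tokens = descr.split(";")
    attr_type = tokens[0].lower()                  # LDAP attribute types are case-insensitive
    has_binary = any(opt.lower() == "binary" for opt in tokens[1:])
    return dn, attr_type, has_binary


def normalize_dn(dn: str) -> str:
    """Crude DN comparison: trim whitespace around RDN separators, ignore case.
    A real validator compares the decoded Name structure (RFC 3280 4.1.2.4)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def names_match(a: GeneralName, b: GeneralName) -> bool:
    if a.kind != b.kind:
        return False                 # a directoryName never matches a URI
    if a.kind == "directoryName":
        return normalize_dn(a.value) == normalize_dn(b.value)
    return a.value == b.value        # URIs compared literally


def crl_in_scope(cert: Certificate, dp: Optional[DistributionPoint],
                 idp: Optional[IssuingDistributionPoint]) -> bool:
    """RFC 3280 6.3.3 (b)(2): may this CRL be used to decide this certificate's status?
    dp  - the certificate's DP that led to this CRL (None: certificate has no CRLDP)
    idp - the CRL's issuingDistributionPoint (None: no IDP, i.e. a full CRL)"""
    if idp is None:
        return True
    if idp.full_name:
        if dp is None:
            return False             # nothing to match against: accept only full CRLs (conservative choice)
        if not any(names_match(x, y) for x in dp.full_name for y in idp.full_name):
            return False             # partitioned CRL for a different distribution point
    if idp.only_contains_user_certs and cert.is_ca:
        return False                 # an EPRL says nothing about CA certificates
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False                 # a CARL says nothing about end-entity certificates
    return True


def demo() -> dict:
    """Constructed scenarios modelled on the CA features listed above."""
    # JCSI-style LDAP URI: attribute type present, no ';binary' option
    jcsi = parse_ldap_crl_url(
        "ldap://ldap.jcsi.example/cn=crl,o=JCSI,c=JP?certificateRevocationList")
    # JPKI-style partitioned EPRL: the certificate points at partition 1 only
    part1 = GeneralName("directoryName", "CN=crl1,OU=JPKI CA,O=Example,C=JP")
    part2 = GeneralName("directoryName", "CN=crl2,OU=JPKI CA,O=Example,C=JP")
    ee = Certificate("OU=JPKI CA,O=Example,C=JP", False, (DistributionPoint((part1,)),))
    eprl1 = IssuingDistributionPoint((part1,), only_contains_user_certs=True)
    eprl2 = IssuingDistributionPoint((part2,), only_contains_user_certs=True)
    # SECOM-style: HTTP URI and directoryName in one DP; full CRL over HTTP has no IDP
    secom_dn = GeneralName("directoryName", "CN=crl,O=SECOM Example,C=JP")
    secom_http = GeneralName("uniformResourceIdentifier", "http://crl.secom.example/full.crl")
    ca = Certificate("O=SECOM Example,C=JP", True, (DistributionPoint((secom_http, secom_dn)),))
    dp = ca.crldp[0]
    return {
        "jcsi_dn": jcsi[0], "jcsi_attr": jcsi[1], "jcsi_binary": jcsi[2],
        "jpki_right_partition": crl_in_scope(ee, ee.crldp[0], eprl1),
        "jpki_wrong_partition": crl_in_scope(ee, ee.crldp[0], eprl2),   # accepted by a client lacking the check
        "secom_full_crl": crl_in_scope(ca, dp, None),
        "secom_partitioned": crl_in_scope(ca, dp, IssuingDistributionPoint((secom_dn,))),
        "secom_carl_for_ca": crl_in_scope(ca, dp, IssuingDistributionPoint((secom_dn,), only_contains_ca_certs=True)),
        "secom_eprl_for_ca": crl_in_scope(ca, dp, IssuingDistributionPoint((secom_dn,), only_contains_user_certs=True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `jpki_wrong_partition` case is the failure mode noted for the JPKI Citizen Card: a client that fetches partition 2 and skips the IDP/CRLDP comparison would treat a CRL that says nothing about the certificate as proof that it is unrevoked. The same function also rejects a CARL offered for an end-entity certificate and an EPRL offered for a CA certificate, which is the full versus partitioned CARL/EPRL distinction the ministry entries list.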
- Released in Jun 2004
- Now 216 test cases. (The old version had 81 test cases.)
- Easy setup (compared with the old version :-)
- In the old one, certificates and CRLs for only one path existed on the LDAP repository. Now all data for all test cases are on the repository at the same time, like the NIST PKITS test cases.
- BUG FIX: wrong authorityKeyIdentifier.authorityCertSerialNumber
- BUG FIX: removed nameConstraints for SECOM and JCSI.
- BUG FIX: the OCSP status of the certificate from CR to BCA had been set to 'revoked'.
- NEW FEATURE: Local Government test cases (UTF8) are added.
- NEW FEATURE: Local Government test cases (PrintableString - deprecated test case) are added.
- NEW FEATURE: JPKI Citizen Card test cases are added.
- MODIFY: Almost all test case IDs have changed.
- Not all test cases have been filled in yet. However:
  - Initial values and the expected value for each test case
    are described here.
  - Trust anchor and subscriber certificates are provided in this
    test case set archive.
- The old version had test cases for a certificate validation server (CVS). However, these are not available now.
JNSA/IPA Challenge PKI Test Suite