PKIX Working Group Baehyo Park Internet Draft Jaeho Yoon Document: draft-choi-pkix-ui-02.txt Inkyoung Jeon Expires: August 21, 2005 Hyangjin Lee Target category : Non-Standard Track Jaeil Lee KISA February 21, 2005 Required functions of User Interface for the Internet X.509 Public Key Infrastructure Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html This Internet-Draft will expire on August 21, 2005. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document provides guidance to PKI client software developers on what functions are needed on user interface of PKI client software to address requirements of security, compatibility and usability within Park, et. al. Expires - August 2005 [Page 1] INTERNET-DRAFT Required functions of User Interface February 2005 PKI client software. 1. Introduction Even though PKI is one of the most secure and influential technologies to offer the information security, most people say that it is difficult to understand and utilize PKI technology due to its complexity. General users of PKI technology make their digital signature and encrypted digital information at the application level. At this time, the users are usually directed by PKI client software that provides modules containing PKI technology. Actually, they do not have to know the whole mechanism of how PKI client software works, but they are supposed to follow user interface of the client software. The reason of people¡¯s giving up accepting PKI technology is difficulty of the very PKI technology, but unkind user interface of PKI client software. Consequently, user interface of PKI client software shall consider assisting users to know the effort of PKI client software concerning security, compatibility, and usability in order that more users can utilize PKI technology. For this purpose, this document provides trust anchor verification function, certificate floating function, and certificate handling function for the user interface of PKI client software. 2. Requirements This section defines required functions for developing user interface in terms of security, compatibility, and usability aspect for PKI client software. 2.1 Security Trust anchor is directly trusted by users. They must securely acquire the value of a trust anchor¡¯s public key, which requires some out-of- band steps.[CMP] This document describes the trust anchor verification function using PKI client software as one of out-of-band steps. Here, security means integrity of a trust anchor¡¯s certificate when the PKI client software downloads the certificate. First of all, PKI client software must be installed and upgraded with a reliable and secure manner. This document does not refer to this manner for PKI client software. Just after secure installation of PKI Client software, the client software will download the trust anchor¡¯s certificate. At this point, the user interface of the client software should offer trust anchor verification function in order that users Park, et. al. Expires - August 2005 [Page 2] INTERNET-DRAFT Required functions of User Interface February 2005 accept the trust anchor¡¯s certificate with reliability. And also the user interface shall assist the users to make the decision on whether or not the downloaded trust anchor¡¯s certificate can be trusted. The user must accept the trust anchor¡¯s certificate only if the trust anchor¡¯s certificate is verified through the direction from the user interface. The user interface shall help users to receive the trust anchor¡¯s information for verifying out of band channel. The information must not be received via a channel that can be attacked. For example, when PKI client software acquires the trust anchor¡¯s certificate after installation of client software, the user interface can show the hash value of acquired the trust anchor¡¯s certificate and also direct how to acquire the trust anchor¡¯s information. The user will acquire the hash value of the trust anchor¡¯s certificate through face-to-face contacting or trust anchor¡¯s CA web site by the direction of the user interface. In case that the trust anchor¡¯s certificate is updated, the client software also must acquire updated trust anchor¡¯s certificate. At this point, the client software can use its automatic upgrading function of the trust anchor¡¯s certificate. And then user interface must provide the same verification function with an initial installation of trust anchor¡¯s certificate. In addition, the user interface should support integrity of trust anchor¡¯s certificate with trust anchor verification function because there can be malicious attack to the trust anchor¡¯s certificate after reliably accepting the trust anchor¡¯s certificate when installing the client software. 2.2 Compatibility Compatibility can be accomplished by using one certificate to many PKI applications. Generally, PKI application such as the Internet Banking or E-mail application defines the user¡¯s certificate and private key location by their own way. Thereby, when using those applications, users are at a loss whenever receiving a question where their certificates are. Most users do not know the answer, and they want to use different PKI programs with their own certificate without answering the question. It comes true as a certificate sharing mechanism and transfer function that mainly aim for increasing certificate compatibility, which benefits the user¡¯s convenience. This section will introduce these functions. Park, et. al. Expires - August 2005 [Page 3] INTERNET-DRAFT Required functions of User Interface February 2005 2.2.1 Certificate sharing mechanism To increase compatibility in different client software, user interface defines to make a common location for storing certificate and private key according to the user¡¯s operating system and storage media. It can be an attack point, but any PKI client software can find the user¡¯s certificate and private key without any user¡¯s involvement. For example, a common storage location of a user¡¯s certificate and private key in HARD DISK driver of different operating systems can be assigned to be: - MS Windows : C:Program Files/IETF/PKIX - Linux/Unix : (User Account)/IETF/PKIX - Mac OS X : (Hard disk label):Library/IETF/PKIX In this case, OS dependent or independent PKI client software can access to the user¡¯s certificate for using it to take actions of digital signature or encryption without questioning to the user where his or her certificate is. It is supposed that digital signature and encryption are processed independently and securely in the user¡¯s system. Regarding as the user¡¯s certificate and private key, it may be stored as a form of xxx.der or xxx.key, after creating a directory named by DN. xxx naming is identically used for distinguishing between digital signature and certificate distribution purpose. In addition, the client software should define application programming interface for accessing to various storage media such as HARD DISK driver, SMARTCARD, FLOPPY disk, etc. Format of the user¡¯s certificate in storage media may be encoded as DER or PEM in order that the user interface can list all the certificates in any storage media. For storage format of the private key, it should use [PKCS5], which is a password based cryptographic method. Afterward, it should be stored to a storage medium according to [PKCS8]. 2.2.2 Import and export function The user interface shall provide import and export function to support certificate¡¯s mobility according to [PKCS12]. This function makes certificate and private key transfer to other PKI applications so that the user can utilize his or her certificate and private key in other PKI applications on the Internet X.509 Public Key Infrastructure. Park, et. al. Expires - August 2005 [Page 4] INTERNET-DRAFT Required functions of User Interface February 2005 2.3 Usability User interface shall consider usability on implementing PKI functions, so that a user who does not know about any PKI knowledge can easily and safely use PKI services. In this section, it specifies certificate handling function of storage media and automatic updating function at the user interface of PKI client software. 2.3.1 Certificate handling function User interface shall have at least three responsibilities for handling the user¡¯s certificates; - Certificate information notice - Storage type selection - Certificate management Firstly, Certificate information notice at user interface is to display certificate that was searched by client software so that user can select the certificate to use it. At this point, important information of certificate including subject name, expiration date, and issuer name about certificate may be listed. In addition user interface shall provide certificate information in detail if the users want to receive the more information on their certificates. Secondly, for selecting various storage types, storage type selection in client software shall be made appropriately to display its storage medium by categorization, which can be changed according to the application¡¯s purpose. On the certificate representation, a choice for storage media should effectively provide for user to select the desired choice. In order to do so, storage media are independently categorized by the nature of storage media, which helps users to differentiate their own storage easily from all the storage media. User interface may consider including the followings: - Hard disk - Floppy disk - USB - Smartcard - CD ROM Lastly, the user interface shall contain certificate management commands as followings; - Trust anchor verification : defined in [2.1] - Import and export : defined in [2.2.2] Park, et. al. Expires - August 2005 [Page 5] INTERNET-DRAFT Required functions of User Interface February 2005 - Certificate verification : when a user wants to know whether his or her certificate is valid or not - Private Key password change : when a user wants to change the password of his or her private key - Certificate deletion : when a user wants to delete his or her certificate 2.3.2 Automatic update function The PKI client software must provide a secure method to update PKI client software and trust anchor¡¯s certificate. This document defines it as automatic update function, which makes user involvement minimized. Note that there must be the verification function defined in 2.1 when the trust anchor¡¯s certificate is updated automatically. 3. Security Considerations Malicious attackers can access to a user¡¯s certificate and private key because there is a common location for storing a certificate and a private key according to a user¡¯s operating system and storage media. However, it is supposed that there must be appropriate access control for the user¡¯s system and storage media in this document. 4. Reference 4.1. Normative References [PKCS5] RSA Laboratories, PKCS#5 v2.0 "Password-Based Cryptography Standard", RSA Data Security Inc., 1993 [PKCS8] RSA Laboratories, PKCS#8 v1.2 "Private Key Information Syntax Standard", RSA Data Security Inc., 1993 [PKCS12] RSA Laboratories, PKCS#12 v1.0 "Personal Key Information Exchange Syntax Standard", RSA Data Security Inc., 1993 [CMP] Adams, C. and Farrell, S., "Internet X.509 Public Key Infrastructure Certificate Management Protocols", RFC 2510, March 1999. 4.2 Informative References [RFC2119] S.Bradner, "Key words for use in RFCs to Indicate Requirement Levels",RFC3467, March 1997 5. Authors¡¯ Address Baehyo Park Korea Information Security Agency Park, et. al. Expires - August 2005 [Page 6] INTERNET-DRAFT Required functions of User Interface February 2005 Phone: 2-405-5443 FAX : 2-405-5219 Email: parkbh@kisa.or.kr Jaeho Yoon Korea Information Security Agency Phone: 2-405-5434 FAX : 2-405-5219 Email: jhyoon@kisa.or.kr Inkyoung Jeon Korea Information Security Agency Phone: 2-405-5432 FAX : 2-405-5219 Email: inkyoung@kisa.or.kr Hyangjin Lee Korea Information Security Agency Phone: 2-405-5448 FAX : 2-405-5499 Email: jiinii@kisa.or.kr Jaeil Lee Korea Information Security Agency Phone: 2-405-5200 FAX : 2-405-5219 Email: jilee@kisa.or.kr Park, et. al. Expires - August 2005 [Page 7] INTERNET-DRAFT Required functions of User Interface February 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Park, et. al. Expires - August 2005 [Page 8]