The purpose of this page is to collect information on how the OpenNCP project should take into account the PKI used in epSOS. This includes integration or interaction of protocol terminators with TSLSync, management of certificates used for establishing VPN connections, and other certificate-management procedures such as handling expired or revoked certificates.
General PKI questions
The main documents defining the selected PKI model are D3.7.2 Section II and D3.4.2 v. 2.2.
Currently certain relaxations are applied to these rules. The security relaxations are valid until 31/12/2012 and they are listed in D3.10.1 App.7: https://service.projectplace.com/pp/pp.cgi/r730057798. The summary of the relaxations is the following:
- Certain certificates can be merged/combined. Instead of 5 certificates an NCP can use only 3.
- CAs are not required to be authorized by the national authorities listed on the European TSL list.
- The previous relaxation has caused that NCP operators / TSLSync import certificates from the central services without their validity/revocation checks.
- SHA-1 can be used instead of SHA-2
- Some attribute deviations by some countries
- No proper signature verification of NSL lists
- NCP 2 NCP messages are not signed (signatures are only applied to the assertions)
Open questions
What are the other documents which describe the selected PKI model?
In D3.7.2 Section II four options for implementing the PKI service were described. Is the currently used model the same as 1 (Using a different PKI for each epSOS-NCP with a repository of root certificates in each epSOS-NCP), recommended by the document or another one?
What are the Are there any other relaxations currently in use?
Does the current selected normative PKI model place trust directly in certificates (along with certificate distribution rules), in CAs that issue them, or both?
What is the impact of the EU Trusted Lists of Certification Service Providers? http://ec.europa.eu/information_society/policy/esignature/eu_legislation/trusted_lists/index_en.htm The understanding of France and Finland is that these apply only to personal certificates, not to server certificates? Turkey, Switzerland and Norway are outside the scope of the list.
What are the trusted CAs in the selected PKI model, if any?
TSLSync and connection to the central services
TSLSync is a utility for updating the truststores in NCPs. It fetches XML-formatted TSL lists from the central services and updates the truststore used by the NCP by adding there the extracted certificates.
Open questions
What are the documents which describe the PKI-related functionality of the central services?
...
Further analysis of the second question requires better understanding of the PKI model used in epSOS.
Open questions
What is/are the CRL distribution points?
...
Trust stores and keystores are used for establishing TLS connections between NCPs. The configuration of keystores and truststores is done by configuration manager
Open questions
Is there some duplication in configuration files epsos-srdc.properties and epsos.properties?
...
Currently ipsec is configured directly with certificates used by connection endpoints. Another potential way of configuring ipsec is to define a list of trusted CA certificates. This way ipsec would check the certificate of the other connection endpoint against this list. As CA certificates do not change very often, ipsec restart problem (and some other problems) would be solved.
Open questions
Is there a trustworthy way of automatically propagating VPN certificate updates from the directory used by TSLSync to ipsec configuration in the current solution?
...