SUMMARY of the Questionnaire
about PKI/CA related services/projects for Research and Education Community

Presented at PKI-COORD Meeting on December 6, 2000


Table 1. Countries Netherlands/SURFnet, UK (ISSRG), Germany/DFN-PCA, Spain/RedIRIS
 
 
 Countries/NRENs Netherlands/SURFnet UK/ISSRG Germany/DFN-PCA Spain/RedIRIS
1. Do you have a CA (Y/N)? Yes Yes Yes Yes
If NO,
2. Are you considering setting up a CA?        
3. If SO, what is the date of planned launch of service?        
4. Will you use third party to provide CA service as an alternative?        
If YES, provide us with CA or project details below
5. CA or project contact details

a) Full Name of CA/Project(s)

SURFnet PKI Service (service for customers) + SURFnet Office CA (service for SURFnet employees) Electronic Discharge Notes; 
Electronic Prescriptions
Secure Web Access to a hospital diabetes database; 
Privilege Management
Infrastructure for Secure E-Commerce 
DFN-PCA, "Policy Certification Authority for the German Research Network (DFN)" The RedIRIS Policy Certification Authority (IRIS-PCA)
b) URL http://pki.surfnet.nl/ (mainly Dutch!) + https://creche.wind.surfnet.nl/office-ca/ (English!) http://sec.isi.salford.ac.uk http://www.pca.dfn.de/dfnpca/ http://www.rediris.es/cert/proyectos/iris-pca/index.en.html (English version) http://www.rediris.es/cert/proyectos/iris-pca/index.es.html (Spanish version)
6. At what level will the CA provide Service (root or lower)? root + organisational root Root, + 2 subordinate CAs for users that do not run a CA of its own (yet) root
7. What is the Upper/Top level CA that certifies/audit your CA service? Audited by TTP.NL, the Dutch TTP accreditation body. N/a Self-certified as a Top level CA within the German Research Network Communication Center CSIC RedIRIS
8. Constituency/ Customers 
A description of the organisations that the CA serves or aims to serve?
SURFnet users Hospital researchers, University researchers All member institutions of DFN and their employees, scientists, students etc. RedIRIS constituency (Spanish Research and Academic Network)
9. Which Certification services are provided by your CA?
General answer
       
a) For institutions yes (for the PCA), no (for the Office CA)   DFN-PCA certifies subordinate CAs (PGP-CAs and X.509-CAs) in DFN-member institutions. DFN-PCA itself runs two subordinate CAs: Server CA and User CA. For details see b) and c). Yes
b) For server transactions/applications (e.g., SSL, IPSec/VPN, Secure HTTP, SMTP/SSL, etc.) no (for the PCA), yes (for the Office CA: SSL, IPSec, IMAP/SSL, SMTP/SSL, S/MIME) Web servers The Server CA provides X.509 certification for servers, e.g., SSL, IPSec, etc.  
c) Individuals (e.g., S/MIME, PGP, etc.) no (for the PCA), yes (for the Office CA: S/MIME, SSL client Certs, IPSec Certs) S/MIME and Web access The User CA certifies PGP keys for end users and groups of users (group keys).  
d) Other     Intention to offer "pseudonymous" certifications, (The name-nym pair will be internally documented and archived by the CA.)  
10. Which of basic CA documents are available?
If available, please give URL or e-mail a draft
a) Certification Practices Statement (CPS) http://pki.surfnet.nl/mid-x509.html and https://creche.wind.surfnet.nl/office-ca/office-CPS.1.1a.html Only to our users N/A Included in the CP http://www.rediris.es/cert/proyectos/iris-pca/docs/politica.htm
b) Certificate Policy (CP) no distinction between CPS and CP None http://www.pca.dfn.de/dfnpca/policy/wwwpolicy.html (World Wide Web Policy/X.509) http://www.pca.dfn.de/dfnpca/policy/lowlevel.html (Policy for PEM and PGP certifications) http://www.rediris.es/cert/proyectos/iris-pca/docs/politica.html
c) Other (e.g. CA liability, etc.) refer to CPS      
11. CP/CPS Standards compliance (e.g., RFC2527) not yet (PCA), yes (Office CA)   RFC 1875 model used when our policies were established. Not yet
12. Technical details
a) PKI/CA Software used Xcert + OpenSSL Entrust v5 PGP 2.6.2i, OpenSSL OpenSSL + Apache + mod_ssl
b) What Directory Service do you use for Certificate storage: X.500, LDAP or other? LDAP i500 MIT-Keyserver by Marc Horowitz for publishing PGP keys/certificates At present moment webserver based storage, to be migrated to LDAP 
c) Other   Linux Firewall and Checkpoint Firewall 1    
13. Do you participate in any CA/PKI development/ standardisation activity (e.g., EuroPKI, ETSI QCert and ElSign, EEMA, etc.)? We comment on EuroPKI CP, ETSI QCP, etc. EEMA, X.509, PKIX, ISSS E-SIGN   No
14. Current and future developments more applications & secure private key storage devices (smart cards, tokens)     LDAP support, defining a new IRIS-PCA identity with corresponding changes in the CP and requirements, setup of the PKI service for RedIRIS employees.
15. Describe in short your current/planned business model for sustaining CA activity   Using research grants to further evaluate them    
Other questions
16. Is there a Governmental PKI policy in your country? not yet No Yes, two different versions: The Digital Signature Act (Signaturgesetz, SigG) and The SPHINX PCA and its policy (to be published on 25.11.2000) Yes http://www.eurocert.org/legislature.html
17. Do you plan to join any global/regional PKI (i.e. one that spans several organizations)?

a) If YES please tell which one

Perhaps EuroPKI Yes, we have joined ICE-CAR one way (they trust us) SPHINX "PKI", EuroPKI, Cross-Cert with CREN-CA (US Educational Network) would be fine, German SigG-"PKI" (when the SigG will comply with the requirements of the EC Guideline for Electronic Signatures) maybe
b) If NO, please explain the reason   We don't trust any other CA because we are transferring patient confidential details    
18. What are the most important issues for you in PKI/CA deployment:

a) in your country?

IT related issues within our community & legally binding digital signatures Usability and reliability of the software. Interoperability, adherence to published internationally recognized standards, usability of the PKI within real-world applications The development of legislation about digital signature and electronic commerce
b) at European level?   Standards conformance of products Technical Interop., common/bi-lateral recognition of other CAs/PKIs, benefit for the user The coordination between the PKI projects in the NRENs and the legislation as well.

 


Table 2. Countries Finland/FUNET, Sweden/SUNET, UK/JISC, Italy/GARR, Switzerland/SWITCH
 
 
 Countries/NRENs Finland/FUNET Sweden/SUNET UK/JISC Italy/GARR Switzerland/SWITCH
1. Do you have a CA (Y/N)? In transition (we have a national CA but moving to commercial CA) No (we don't have a large scale PKI until 1 January). Yes (we have a small scale CA at Umea University and several other universities) No, for practical purposes. (However the ICE-CAR/ICE-TEL projects at UCL perform a CA function for a limited research community only.) JISC pilot X.509 sites currently use self-signed institutional keys. No No
If NO,
2. Are you considering setting up a CA? Yes We are planning a PKI for Swedish universities and university colleges Yes, although subject to a major policy review early in 2001. Yes Yes, might be
3. If SO, what is the date of planned launch of service? Autumn 2002 2000-01-01 for the Policy CA. We will accept members of the PKI from the same date See above: if approved, later in 2001.  February 2001 (exp.), June 2001 (full service) Not scheduled yet
4. Will you use third party to provide CA service as an alternative? Yes The Policy CA will be run by one of the universities. Each University to decide whether to run their own CA or use a CA service provider. Seeking proposals from third parties to provide some CA functions, e.g. issue of globally-recognised server certificates, as an interim measure.  No Probably
If YES, provide us with CA or project details below
5. CA or project contact details

a) Full Name of CA/Project

HSTYA - Electronic identification in Finnish higher education - project to design a smart card based PKI for the HE community. SwUPKI - The Swedish University and University College PKI      
b) URL http://www.csc.fi/proj/hst/ http://www.umu.se/it/projupp/swupki/      
6. At what level will the CA provide Service (root or lower)? Not decided yet, probably two levels (common root and sub-CA for each university and polytechnic). It is a PKI with 2 or more levels    Lower  
7. What is the Upper/Top level CA that certifies/audit your CA service? Not decided yet, options - Population Register Centre of Finland, NovoTrust and CertAll, other including commercial. The Policy CA will audit the CAs of member universities   EuroPKI  
8. Constituency/ Customers 
A description of the organisations that the CA serves or aims to serve?
Universities and polytechnics in Finland, both staff and students. Swedish universities and university colleges   GARR Network  
9. Which Certification services are provided by your CA?
General answer
Each university will define PKI based services themselves.        
a) For institutions   Yes and No, the subscriber of each certificate must always be an individual. The subject of a certificate may be a role, an IT-system or an individual. One of roles will be "the right to sign for the institution"   Yes  
b) For server transactions/applications (e.g., SSL, IPSec/VPN, Secure HTTP, SMTP/SSL, etc.)   see a)   Yes  
c) Individuals (e.g., S/MIME, PGP, etc.)   see a), only individuals with a sponsor within the CA's organisation   Yes  
d) Other   roles, see a)       
10. Which of basic CA documents are available?
If available, please give URL or e-mail a draft
a) Certification Practices Statement (CPS) Will depend on the CA's CP. Not yet      
b) Certificate Policy (CP) Will depend on the CA. http://www.umu.se/it/projupp/swupki/      
c) Other (e.g. CA liability, etc.) Will depend on the CA. Is covered by the policy      
11. CP/CPS Standards compliance (e.g., RFC2527) Will depend on the CA. RFC2527 for CP/CPS and RFC2459 for certificates and revocation lists   RFC 2527 compliant  
12. Technical details
a) PKI/CA Software used Nothing yet. TBD based on interoperability test of November 29-30, 2000. The PKI may run several CMSs   SECUDE and OpenCA  
b) What Directory Service do you use for Certificate storage: X.500, LDAP or other? LDAP LDAP   MessagingDirect X.500, OpenLDAP, Iplanet LDAP server  
c) Other          
13. Do you participate in any CA/PKI development/ standardisation activity (e.g., EuroPKI, ETSI QCert and ElSign, EEMA, etc.)? No To comply with IETF.   EuroPKI + EESSI  
14. Current and future developments Current stage is preparation and planning, small pilots will start early in 2001, large pilot - in fall 2001. Large scale implementation aimed at fall 2002.     Use of RSA smart-cards  
15. Describe in short your current/planned business model for sustaining CA activity Commercial CA. Intention to start a national academic consortium to run the PMA and PCA for PKI   Self-sustained by individual entities contribution (e.g., institutions, students, etc.)   
Other questions
16. Is there a Governmental PKI policy in your country? Yes No, although there is a law to implement the EU directive from Jan 1, 2001. Up to a point. No intention for the centrally issued multi-purpose identity certificates to citizens. However, government departments (health, internal revenue etc) encouraged to develop their own PKIs where useful and appropriate; an overall goal of having e-government widely available by 2005.  Yes It is on its way. Currently only a 'Decree of 12.4.2000 on electronic certification services' http://www.bakom.ch/eng/subsubpage/document/265/1335
17. Do you plan to join any global/regional PKI (i.e. one that spans several organizations)?
a) If YES please tell which one
We are planning PKI for universities and polytechnics in Finland.  SwUPKI's priority: National cross-certification with other PKIs Probably, though this has not yet been decided. Yes Not decided yet
b) If NO, please explain the reason          
18. What are the most important issues for you in PKI/CA deployment:

a) in your country?

  It is essential to form groups of authorities and organisations that can form PKIs and not to start with singular CAs   Interoperability  
b) at European level?   Cross-certification between existing autonomous PKIs issuing medium strength and perhaps weak certificates. Strong certificates are already regulated through the directive. Common standards for certificate profiles, getting academic root CAs recognised by standard-issue commercial software; trust models development and interoperability, e.g. between academic and government CA domains (cf the US Federal Bridge CA model). Interoperability  

 


Table 3. Countries Greece, Czech Republic, Luxembourg/RESTENA, Iran/IraNet, Russia
 
 
 Countries/NRENs Greece/GR-NET Czech Republic/CESNET Luxembourg/RESTENA Iran/IRANET Russia
1. Do you have a CA (Y/N)? No No No No YES. Internal CA for our University.
If NO,
2. Are you considering setting up a CA? Yes Yes Yes YES  
3. If SO, what is the date of planned launch of service? Early 2001 2001 Not defined yet. 2001  
4. Will you use third party to provide CA service as an alternative? No   Not defined yet.    
If YES, provide us with CA or project details below
5. CA or project contact details

a) Full Name of CA/Project

        Certification Authority of Russian State University of Oil and Gas 
b) URL          
6. At what level will the CA provide Service (root or lower)?   Root Probably Lower root and lower  
7. What is the Upper/Top level CA that certifies/audit your CA service?   None N/A   Intention to request certificate from EuroPKI
8. Constituency/ Customers 

A description of the organisations that the CA serves or aims to serve?

  TEN 155 CZ users N/A (probably research and educational community) Academic community Russian universities
9. Which Certification services are provided by your CA?
General answer
    N/A    
a) For institutions   No   Yes  
b) For server transactions/applications (e.g., SSL, IPSec/VPN, Secure HTTP, SMTP/SSL, etc.)   Yes   Yes SSL, SMTP/SSL
c) Individuals (e.g., S/MIME, PGP, etc.)   Yes   for individuals inside IRANET  
d) Other   No      
10. Which of basic CA documents are available?
If available, please give URL or e-mail a draft
a) Certification Practices Statement (CPS)   No N/A Not yet Not yet
b) Certificate Policy (CP)   No N/A Not yet Not yet
c) Other (e.g. CA liability, etc.)   No N/A    
11. CP/CPS Standards compliance (e.g., RFC2527)     N/A RFC2527 and RFC2459  
12. Technical details
a) PKI/CA Software used   Unknown N/A OpenSSL and Xcert OpenSSL
b) What Directory Service do you use for Certificate storage: X.500, LDAP or other?   LDAP N/A LDAP OpenLDAP
c) Other          
13. Do you participate in any CA/PKI development/ standardisation activity (e.g., EuroPKI, ETSI QCert and ElSign, EEMA, etc.)?     N/A No No
14. Current and future developments     N/A    
15. Describe in short your current/planned business model for sustaining CA activity   CA will be part of TEN 155 CZ project. N/A Looking for an arrangement between organizations. University funding, grants from Ministry of Education, money from some projects, CA services for other Russian Universities.
Other questions
16. Is there a Governmental PKI policy in your country? Currently under discussion. The policy will be in accordance with the EU's directive. No No No Russian State Duma (parliament) expected to pass Electronic Signature and PKI/CA legislation in December 2000.
17. Do you plan to join any global/regional PKI (i.e. one that spans several organizations)?
a) If YES please tell which one
Consider to use EuroPKI     Probably EuroPKI
b) If NO, please explain the reason   It depends on the needs of the project and its participant organizations. No plans yet.    
18. What are the most important issues for you in PKI/CA deployment:
a) in your country?
         
b) at European level? Meet the requirements of EU's 399L0093 directive for "certification-service-providers issuing qualified certificates"