- 3 -
ACP-WGM17/WP-XX/
International Civil Aviation Organization
WORKING PAPER / ACP-WGM17/WP-XX
31 January 2011
AERONAUTICAL COMMUNICATIONS PANEL (ACP)
17th MEETING OF WORKING GROUP M (Maintenance)
Bangkok, Thailand 31 January – 1 February 2011
Agenda Item 3a: / ATN/OSI Document 9880 Update Status – Security UpdatesATN Certificate and CRL Analysis Report
(Presented by Michael Olive, Honeywell International Inc., United States)
SUMMARYThis working paper includes, as an appendix, a report containing detailed analysis of ATN/OSI certificate and certificate revocation list (CRL) provisions in Doc. 9880 Part IV-B with respect to industry standard Public Key Infrastructure (PKI) practices. The analysis was conducted by the Aerospace Advanced Technology organization of Honeywell International Inc. under contract to the FAA and in support of the FAA DataComm Program Office.
ACTION
The working group is invited to review the analysis results and consider recommended improvements to certificate and CRL provisions in Part IV-B.
1. INTRODUCTION
1.1 This working paper includes, as an appendix, a report containing detailed analysis of ATN/OSI certificate and certificate revocation list (CRL) provisions in Doc. 9880 Part IV-B with respect to industry standard Public Key Infrastructure (PKI) practices.
1.2 The analysis was conducted by the Aerospace Advanced Technology organization of Honeywell International Inc. under contract to the FAA and in support of the FAA DataComm Program Office.
2. DISCUSSION
2.1 ICAO Doc. 9880 Part IV-B includes detailed provisions for specification of certificate and certificate revocation list (CRL) profiles. These provisions, which were transferred from ICAO Doc. 9705 Sub-volume VIII, were developed in the late 1990’s, and consequently, they do not necessarily reflect current industry standard practices both in the commercial world as well as in the aviation community.
2.2 The ICAO Doc. 9880 Part IV-B Security Validation Report [WGM-WP1608] recommended that the detailed ATN-specific certificate/CRL provisions be replaced with references to industry standards, consistent with the Public Key Infrastructure (PKI) provisions in Section 2.5 of ICAO Doc. 9896 (ATN/IPS).
2.3 In response to an action taken during WG-M16, a detailed provision-by-provision analysis of the Part IV-B certificate/CRL provisions was performed to identify ATN/OSI unique provisions that need to be retained if the WGM-WP1608 recommendation is implemented. The analysis included a comparison between the Part IV-B certificate and CRL provisions and the following industry standards specified in ICAO Doc. 9896:
· Internet Engineering Task Force (IETF) RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, and
· Air Transport Association (ATA) Spec 42, 2010.1, Aviation Industry Standards for Digital Information Security.
2.4 In general, the analysis results show that the ATN certificate and CRL provisions in Part IV-B align with industry standards RFC 5280 and ATA Spec 42.
2.5 To address identified differences, the analysis report includes the following recommendations for improving Part IV-B:
· Include references to RFC 5280 and ATA Spec 42, consistent with the ATN/IPS PKI provisions in ICAO Doc. 9896, such that ATN/OSI certificates and CRLs comply with industry standard PKI practices.
· Include a new reference to RFC 5480, which defines syntax and object identifiers for elliptic curve public keys.
· Include select ATN/OSI PKI provisions and notes where necessary to supplement the industry standard references and provide specificity relevant to ATN (e.g., naming of ATN entities).
3. ACTION BY THE MEETING
3.1 The ACP WG-M is invited to:
- Review the detailed analysis results and consider recommended improvements to Part IV-B presented in the ATN Certificate and CRL Analysis Report, which is included as Appendix A to this working paper.
APPENDIX A
ATN Certificate and CRL Analysis Report
(embedded PDF file)