We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKenzie Tatham
Modified over 2 years ago
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise Security Expo 2001 June 5, 2001
2 © Cooley Godward 2001 Introduction l Dichotomy l Challenges l Models l Mechanisms and criteria l Path forward
3 © Cooley Godward 2001 Dichotomy l “UBIQUITOUS PKI!!!!!” l …but many barriers è Need: common recognition mechanism
4 © Cooley Godward 2001 Challenges - traditional technology vs. PKI l Traditional technology
5 © Cooley Godward 2001 Challenges - traditional technology vs. PKI l Public key infrastructure l CP and CPS l Complicated by varied requirements of particular sectors (verticals)
6 © Cooley Godward 2001 Challenges - recognition l No universally acceptable mechanism for recognizing the sufficiency of a PKI deployment l Uncharted legal waters l Several efforts and proposals - most focus on technical and business l General model
7 © Cooley Godward 2001 Models - Simple assessment model Assessment Criteria Assessor PKI System or Component assesses develops influences Key Subject Object
8 © Cooley Godward 2001 Mechanisms and criteria l PAG l RFC 2527 l WebTrust l Common Criteria l BS7799 l FIPS 140-2 l Gatekeeper l Others
9 © Cooley Godward 2001 PKI Assessment Guidelines (PAG) l Five year project of the Information Security Committee of the American Bar Association l Follow up work to the Digital Signature Guidelines (1996) l Participation by over 400 legal, technical, and business people
10 © Cooley Godward 2001 PAG (cont’d) l D.184.108.40.206The Effect of Contractual Privity Upon Relying Party’s Responsibilities Expressed as Covenants or Imposed by Law l Issue Summary. This section discusses the issue of whether the relying party is in privity of contract with the other PKI participants… l Relevant Considerations. Threshold question is whether the PKI attempts to create contractual privity between the CA and the relying party… l Appropriate Requirements and Practices. It is necessary for the PKI to decide how to present relying party covenants; unlike other participants, however, relying party covenants tend to be small enough in number to make it feasible to list in this section, or perhaps cross reference.
11 © Cooley Godward 2001 Detailed model Note Vanguard advice: “avoid complicated charts…”
12 © Cooley Godward 2001 RFC 2527 l Framework for PKI policy documents l Certificate Policies l Certification Practice Statements
13 © Cooley Godward 2001 RFC 2527 (cont’d) l 1. INTRODUCTION l 2. GENERAL PROVISIONS l 3. IDENTIFICATION AND AUTHENTICATION l 4. OPERATIONAL REQUIREMENTS l 5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS l 6. TECHNICAL SECURITY CONTROLS l 7. CERTIFICATE AND CRL PROFILES l 8. SPECIFICATION ADMINISTRATION
14 © Cooley Godward 2001 WebTrust l Framework to assess adequacy and effectiveness of controls employed by CAs l Designed specifically for the examinations of CA business activities l Builds on X9.79 work of the American Banker’s Association
15 © Cooley Godward 2001 WebTrust (cont’d)
16 © Cooley Godward 2001 X9.79 - CA Control Objectives l National standard - approved by ABA (the other ABA - American Banker’s Association) and ANSI l Being proposed to ISO TC68 as an international work item
17 © Cooley Godward 2001 X9.79 (cont’d)
18 © Cooley Godward 2001 Common Criteria l Some view as replacement for the Orange Book, ITSEC, etc. l International acceptance l Focus on protection profile
19 © Cooley Godward 2001 BS7799 - Code of Practice for Information Security Management l British Standard being used in several other European countries l General Information Security standard, not focussed on PKI l Certification scheme called c:cure similar to ISO 9000 l Now ISO/IEC 17799:2000
20 © Cooley Godward 2001 FIPS 140-2 l Security requirements of a cryptographic module utilized for protecting sensitive information l Four increasing levels of security è Covers areas such as roles and authentication; physical security; OS security; cryptographic key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks
21 © Cooley Godward 2001 FIPS 140-2 (cont’d) 4.5.2 Single-Chip Cryptographic Modules SECURITY LEVEL 2 - All Level 1 requirements plus: chip covered with tamper-evident coating or contained in a tamper-evident enclosure coating or enclosure shall be opaque within the visible spectrum. SECURITY LEVEL 3 - All Level 2 requirements plus: Either: chip covered with hard opaque tamper-evident coating, or the chip shall be contained within a strong enclosure. The enclosure shall be such that attempts at removal or penetration shall have a high probability of causing serious damage to the cryptographic module (i.e., the module will not function).
22 © Cooley Godward 2001 Gatekeeper l Australian PKI strategy and enabler for the delivery of Government online l Accreditation Criteria published l Covers procurement, security policy/planning, physical security, technology evaluation, personnel vetting, legal issues, and privacy considerations
23 © Cooley Godward 2001 Path forward l Development of internationally acceptable suite of criteria, NOT development of an international approach to PKI l Common Criteria, WebTrust, & PAG promising l Common Criteria è Industry specific protection profiles è Global recognition l WebTrust è PKI-specific set of criteria
24 © Cooley Godward 2001 On going activities l Update to RFC 2527 l Industry specific protection profiles l Other industry and governmental activities è PAG out for public comment è X9.79 into ISO
25 © Cooley Godward 2001 Resources for more info l ABA - http://www.abanet.org/scitech/ec/isc/ l RFC 2527 - http://www.ietf.org/rfc.html l WebTrust - http://www.aicpa.org/webtrust/princrit.htm l X9.79 - http://webstore.ansi.org/ansidocstore/ l Common Criteria - http://www.commoncriteria.org/ l FIPS 140 - http://csrc.nist.gov/cryptval/140-1.htm l Gatekeeper - http://www.govonline.gov.au/projects/publickey/
26 © Cooley Godward 2001 Questions?
27 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Cooley Godward LLP 703.456.8137 (phone) - 703.456.8100 (fax) firstname.lastname@example.org www.cooley.com
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Higher Education PKI Summit Meeting August 8, 2001 The ABA PAG Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information Technology.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Certification Authority. Overview Identifying CA Hierarchy Design Requirements Common CA Hierarchy Designs Documenting Legal Requirements Analyzing.
Security Standards and Threat Evaluation. Main Topic of Discussion Methodologies Standards Frameworks Measuring threats –Threat evaluation –Certification.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Jimmy C. Tseng Assistant Professor of Electronic Commerce
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
IT Security Evaluation By Sandeep Joshi
+1 (801) Standards for Registration Practices Statements IGTF Considerations.
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
Best Practices Working Group June 19-21, 2001 Munich, Germany.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
© 2017 SlidePlayer.com Inc. All rights reserved.