Slide 1 (© Cooley Godward 2001)
PKI ASSESSMENT
The process of evaluating, verifying, and certifying your PKI
Presented by: Randy V. Sabett
Vanguard Enterprise Security Expo 2001, June 5, 2001

Slide 2: Introduction
- Dichotomy
- Challenges
- Models
- Mechanisms and criteria
- Path forward

Slide 3: Dichotomy
- "UBIQUITOUS PKI!!!!!"
- ...but many barriers
  -> Need: common recognition mechanism

Slide 4: Challenges - traditional technology vs. PKI
- Traditional technology

Slide 5: Challenges - traditional technology vs. PKI
- Public key infrastructure
- CP and CPS
- Complicated by varied requirements of particular sectors (verticals)

Slide 6: Challenges - recognition
- No universally acceptable mechanism for recognizing the sufficiency of a PKI deployment
- Uncharted legal waters
- Several efforts and proposals - most focus on technical and business
- General model

Slide 7: Models - Simple assessment model
(Diagram: boxes for Assessor, Assessment Criteria, and PKI System or Component, connected by arrows labelled "develops", "assesses", and "influences"; key: Subject, Object)

Slide 8: Mechanisms and criteria
- PAG
- RFC 2527
- WebTrust
- Common Criteria
- BS7799
- FIPS
- Gatekeeper
- Others

Slide 9: PKI Assessment Guidelines (PAG)
- Five-year project of the Information Security Committee of the American Bar Association
- Follow-up work to the Digital Signature Guidelines (1996)
- Participation by over 400 legal, technical, and business people
Slide 10: PAG (cont'd)
- D. The Effect of Contractual Privity Upon Relying Party's Responsibilities Expressed as Covenants or Imposed by Law
- Issue Summary. This section discusses the issue of whether the relying party is in privity of contract with the other PKI participants...
- Relevant Considerations. Threshold question is whether the PKI attempts to create contractual privity between the CA and the relying party...
- Appropriate Requirements and Practices. It is necessary for the PKI to decide how to present relying party covenants; unlike other participants, however, relying party covenants tend to be small enough in number to make it feasible to list in this section, or perhaps cross reference.

Slide 11: Detailed model
Note Vanguard advice: "avoid complicated charts..."

Slide 12: RFC 2527
- Framework for PKI policy documents
- Certificate Policies
- Certification Practice Statements

Slide 13: RFC 2527 (cont'd)
1. INTRODUCTION
2. GENERAL PROVISIONS
3. IDENTIFICATION AND AUTHENTICATION
4. OPERATIONAL REQUIREMENTS
5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
6. TECHNICAL SECURITY CONTROLS
7. CERTIFICATE AND CRL PROFILES
8. SPECIFICATION ADMINISTRATION

Slide 14: WebTrust
- Framework to assess adequacy and effectiveness of controls employed by CAs
- Designed specifically for the examinations of CA business activities
- Builds on X9.79 work of the American Bankers Association

Slide 15: WebTrust (cont'd)
Slide 16: X9.79 CA Control Objectives
- National standard - approved by ABA (the other ABA - American Bankers Association) and ANSI
- Being proposed to ISO TC68 as an international work item

Slide 17: X9.79 (cont'd)

Slide 18: Common Criteria
- Some view as replacement for the Orange Book, ITSEC, etc.
- International acceptance
- Focus on protection profiles

Slide 19: BS7799 Code of Practice for Information Security Management
- British Standard being used in several other European countries
- General information security standard, not focussed on PKI
- Certification scheme called c:cure, similar to ISO 9000
- Now ISO/IEC 17799:2000
Slide 20: FIPS
- Security requirements of a cryptographic module utilized for protecting sensitive information
- Four increasing levels of security
  -> Covers areas such as roles and authentication; physical security; OS security; cryptographic key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks

Slide 21: FIPS (cont'd) - Single-Chip Cryptographic Modules
SECURITY LEVEL 2 - All Level 1 requirements plus:
- chip covered with tamper-evident coating or contained in a tamper-evident enclosure
- coating or enclosure shall be opaque within the visible spectrum
SECURITY LEVEL 3 - All Level 2 requirements plus:
- Either: chip covered with hard opaque tamper-evident coating, or the chip shall be contained within a strong enclosure
- The enclosure shall be such that attempts at removal or penetration shall have a high probability of causing serious damage to the cryptographic module (i.e., the module will not function)

Slide 22: Gatekeeper
- Australian PKI strategy and enabler for the delivery of Government online
- Accreditation Criteria published
- Covers procurement, security policy/planning, physical security, technology evaluation, personnel vetting, legal issues, and privacy considerations

Slide 23: Path forward
- Development of an internationally acceptable suite of criteria, NOT development of an international approach to PKI
- Common Criteria, WebTrust, & PAG promising
- Common Criteria
  -> Industry-specific protection profiles
  -> Global recognition
- WebTrust
  -> PKI-specific set of criteria

Slide 24: Ongoing activities
- Update to RFC 2527
- Industry-specific protection profiles
- Other industry and governmental activities
  -> PAG out for public comment
  -> X9.79 into ISO
Slide 25: Resources for more info
- ABA -
- RFC 2527 -
- WebTrust -
- X9.79 -
- Common Criteria -
- FIPS -
- Gatekeeper -

Slide 26: Questions?

Slide 27: PKI ASSESSMENT
The process of evaluating, verifying, and certifying your PKI
Presented by: Randy V. Sabett, Cooley Godward LLP (phone) (fax)