Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

Published byKenzie Tatham Modified over 9 years ago

Similar presentations

Presentation on theme: "1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise."— Presentation transcript:

1 1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise Security Expo 2001 June 5, 2001

2 2 © Cooley Godward 2001 Introduction l Dichotomy l Challenges l Models l Mechanisms and criteria l Path forward

3 3 © Cooley Godward 2001 Dichotomy l “UBIQUITOUS PKI!!!!!” l …but many barriers è Need: common recognition mechanism

4 4 © Cooley Godward 2001 Challenges - traditional technology vs. PKI l Traditional technology

5 5 © Cooley Godward 2001 Challenges - traditional technology vs. PKI l Public key infrastructure l CP and CPS l Complicated by varied requirements of particular sectors (verticals)

6 6 © Cooley Godward 2001 Challenges - recognition l No universally acceptable mechanism for recognizing the sufficiency of a PKI deployment l Uncharted legal waters l Several efforts and proposals - most focus on technical and business l General model

7 7 © Cooley Godward 2001 Models - Simple assessment model Assessment Criteria Assessor PKI System or Component assesses develops influences Key Subject Object

8 8 © Cooley Godward 2001 Mechanisms and criteria l PAG l RFC 2527 l WebTrust l Common Criteria l BS7799 l FIPS 140-2 l Gatekeeper l Others

9 9 © Cooley Godward 2001 PKI Assessment Guidelines (PAG) l Five year project of the Information Security Committee of the American Bar Association l Follow up work to the Digital Signature Guidelines (1996) l Participation by over 400 legal, technical, and business people

10 10 © Cooley Godward 2001 PAG (cont’d) l D.2.1.4.1The Effect of Contractual Privity Upon Relying Party’s Responsibilities Expressed as Covenants or Imposed by Law l Issue Summary. This section discusses the issue of whether the relying party is in privity of contract with the other PKI participants… l Relevant Considerations. Threshold question is whether the PKI attempts to create contractual privity between the CA and the relying party… l Appropriate Requirements and Practices. It is necessary for the PKI to decide how to present relying party covenants; unlike other participants, however, relying party covenants tend to be small enough in number to make it feasible to list in this section, or perhaps cross reference.

11 11 © Cooley Godward 2001 Detailed model Note Vanguard advice: “avoid complicated charts…”

12 12 © Cooley Godward 2001 RFC 2527 l Framework for PKI policy documents l Certificate Policies l Certification Practice Statements

13 13 © Cooley Godward 2001 RFC 2527 (cont’d) l 1. INTRODUCTION l 2. GENERAL PROVISIONS l 3. IDENTIFICATION AND AUTHENTICATION l 4. OPERATIONAL REQUIREMENTS l 5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS l 6. TECHNICAL SECURITY CONTROLS l 7. CERTIFICATE AND CRL PROFILES l 8. SPECIFICATION ADMINISTRATION

14 14 © Cooley Godward 2001 WebTrust l Framework to assess adequacy and effectiveness of controls employed by CAs l Designed specifically for the examinations of CA business activities l Builds on X9.79 work of the American Banker’s Association

15 15 © Cooley Godward 2001 WebTrust (cont’d)

16 16 © Cooley Godward 2001 X9.79 - CA Control Objectives l National standard - approved by ABA (the other ABA - American Banker’s Association) and ANSI l Being proposed to ISO TC68 as an international work item

17 17 © Cooley Godward 2001 X9.79 (cont’d)

18 18 © Cooley Godward 2001 Common Criteria l Some view as replacement for the Orange Book, ITSEC, etc. l International acceptance l Focus on protection profile

19 19 © Cooley Godward 2001 BS7799 - Code of Practice for Information Security Management l British Standard being used in several other European countries l General Information Security standard, not focussed on PKI l Certification scheme called c:cure similar to ISO 9000 l Now ISO/IEC 17799:2000

20 20 © Cooley Godward 2001 FIPS 140-2 l Security requirements of a cryptographic module utilized for protecting sensitive information l Four increasing levels of security è Covers areas such as roles and authentication; physical security; OS security; cryptographic key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks

21 21 © Cooley Godward 2001 FIPS 140-2 (cont’d) 4.5.2 Single-Chip Cryptographic Modules SECURITY LEVEL 2 - All Level 1 requirements plus:  chip covered with tamper-evident coating or contained in a tamper-evident enclosure  coating or enclosure shall be opaque within the visible spectrum. SECURITY LEVEL 3 - All Level 2 requirements plus:  Either: chip covered with hard opaque tamper-evident coating, or  the chip shall be contained within a strong enclosure.  The enclosure shall be such that attempts at removal or penetration shall have a high probability of causing serious damage to the cryptographic module (i.e., the module will not function).

22 22 © Cooley Godward 2001 Gatekeeper l Australian PKI strategy and enabler for the delivery of Government online l Accreditation Criteria published l Covers procurement, security policy/planning, physical security, technology evaluation, personnel vetting, legal issues, and privacy considerations

23 23 © Cooley Godward 2001 Path forward l Development of internationally acceptable suite of criteria, NOT development of an international approach to PKI l Common Criteria, WebTrust, & PAG promising l Common Criteria è Industry specific protection profiles è Global recognition l WebTrust è PKI-specific set of criteria

24 24 © Cooley Godward 2001 On going activities l Update to RFC 2527 l Industry specific protection profiles l Other industry and governmental activities è PAG out for public comment è X9.79 into ISO

25 25 © Cooley Godward 2001 Resources for more info l ABA - http://www.abanet.org/scitech/ec/isc/ l RFC 2527 - http://www.ietf.org/rfc.html l WebTrust - http://www.aicpa.org/webtrust/princrit.htm l X9.79 - http://webstore.ansi.org/ansidocstore/ l Common Criteria - http://www.commoncriteria.org/ l FIPS 140 - http://csrc.nist.gov/cryptval/140-1.htm l Gatekeeper - http://www.govonline.gov.au/projects/publickey/

26 26 © Cooley Godward 2001 Questions?

27 27 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Cooley Godward LLP 703.456.8137 (phone) - 703.456.8100 (fax) rsabett@cooley.com www.cooley.com

Download ppt "1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise."

Similar presentations

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
A Joint Code of Practice Objectives and Summary Presentation

A Joint Code of Practice Objectives and Summary Presentation
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
IT Security Evaluation By Sandeep Joshi

IT Security Evaluation By Sandeep Joshi
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
FIPS 140-3 Section 5 – Physical Security Randall J. Easter Director, NIST CMVP Ken Lu CSE CMVP September 28, 2005.

FIPS Section 5 – Physical Security Randall J. Easter Director, NIST CMVP Ken Lu CSE CMVP September 28, 2005.
Auditing of a Certification Authority Patrick Cain, CISA, CISM The Cooper-Cain Group, Inc.

Auditing of a Certification Authority Patrick Cain, CISA, CISM The Cooper-Cain Group, Inc.
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,

Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
2002 10 21 Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.

Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
Electronic Authentication for Flexible Learning Workshop Presentation (5 August 2003) Chris Connolly, CEO, Galexia Consulting.

Electronic Authentication for Flexible Learning Workshop Presentation (5 August 2003) Chris Connolly, CEO, Galexia Consulting.

Similar presentations

Ads by Google