We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKenzie Tatham
Modified about 1 year ago
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise Security Expo 2001 June 5, 2001
2 © Cooley Godward 2001 Introduction l Dichotomy l Challenges l Models l Mechanisms and criteria l Path forward
3 © Cooley Godward 2001 Dichotomy l “UBIQUITOUS PKI!!!!!” l …but many barriers è Need: common recognition mechanism
4 © Cooley Godward 2001 Challenges - traditional technology vs. PKI l Traditional technology
5 © Cooley Godward 2001 Challenges - traditional technology vs. PKI l Public key infrastructure l CP and CPS l Complicated by varied requirements of particular sectors (verticals)
6 © Cooley Godward 2001 Challenges - recognition l No universally acceptable mechanism for recognizing the sufficiency of a PKI deployment l Uncharted legal waters l Several efforts and proposals - most focus on technical and business l General model
7 © Cooley Godward 2001 Models - Simple assessment model Assessment Criteria Assessor PKI System or Component assesses develops influences Key Subject Object
8 © Cooley Godward 2001 Mechanisms and criteria l PAG l RFC 2527 l WebTrust l Common Criteria l BS7799 l FIPS 140-2 l Gatekeeper l Others
9 © Cooley Godward 2001 PKI Assessment Guidelines (PAG) l Five year project of the Information Security Committee of the American Bar Association l Follow up work to the Digital Signature Guidelines (1996) l Participation by over 400 legal, technical, and business people
10 © Cooley Godward 2001 PAG (cont’d) l D.126.96.36.199The Effect of Contractual Privity Upon Relying Party’s Responsibilities Expressed as Covenants or Imposed by Law l Issue Summary. This section discusses the issue of whether the relying party is in privity of contract with the other PKI participants… l Relevant Considerations. Threshold question is whether the PKI attempts to create contractual privity between the CA and the relying party… l Appropriate Requirements and Practices. It is necessary for the PKI to decide how to present relying party covenants; unlike other participants, however, relying party covenants tend to be small enough in number to make it feasible to list in this section, or perhaps cross reference.
11 © Cooley Godward 2001 Detailed model Note Vanguard advice: “avoid complicated charts…”
12 © Cooley Godward 2001 RFC 2527 l Framework for PKI policy documents l Certificate Policies l Certification Practice Statements
13 © Cooley Godward 2001 RFC 2527 (cont’d) l 1. INTRODUCTION l 2. GENERAL PROVISIONS l 3. IDENTIFICATION AND AUTHENTICATION l 4. OPERATIONAL REQUIREMENTS l 5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS l 6. TECHNICAL SECURITY CONTROLS l 7. CERTIFICATE AND CRL PROFILES l 8. SPECIFICATION ADMINISTRATION
14 © Cooley Godward 2001 WebTrust l Framework to assess adequacy and effectiveness of controls employed by CAs l Designed specifically for the examinations of CA business activities l Builds on X9.79 work of the American Banker’s Association
15 © Cooley Godward 2001 WebTrust (cont’d)
16 © Cooley Godward 2001 X9.79 - CA Control Objectives l National standard - approved by ABA (the other ABA - American Banker’s Association) and ANSI l Being proposed to ISO TC68 as an international work item
17 © Cooley Godward 2001 X9.79 (cont’d)
18 © Cooley Godward 2001 Common Criteria l Some view as replacement for the Orange Book, ITSEC, etc. l International acceptance l Focus on protection profile
19 © Cooley Godward 2001 BS7799 - Code of Practice for Information Security Management l British Standard being used in several other European countries l General Information Security standard, not focussed on PKI l Certification scheme called c:cure similar to ISO 9000 l Now ISO/IEC 17799:2000
20 © Cooley Godward 2001 FIPS 140-2 l Security requirements of a cryptographic module utilized for protecting sensitive information l Four increasing levels of security è Covers areas such as roles and authentication; physical security; OS security; cryptographic key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks
21 © Cooley Godward 2001 FIPS 140-2 (cont’d) 4.5.2 Single-Chip Cryptographic Modules SECURITY LEVEL 2 - All Level 1 requirements plus: chip covered with tamper-evident coating or contained in a tamper-evident enclosure coating or enclosure shall be opaque within the visible spectrum. SECURITY LEVEL 3 - All Level 2 requirements plus: Either: chip covered with hard opaque tamper-evident coating, or the chip shall be contained within a strong enclosure. The enclosure shall be such that attempts at removal or penetration shall have a high probability of causing serious damage to the cryptographic module (i.e., the module will not function).
22 © Cooley Godward 2001 Gatekeeper l Australian PKI strategy and enabler for the delivery of Government online l Accreditation Criteria published l Covers procurement, security policy/planning, physical security, technology evaluation, personnel vetting, legal issues, and privacy considerations
23 © Cooley Godward 2001 Path forward l Development of internationally acceptable suite of criteria, NOT development of an international approach to PKI l Common Criteria, WebTrust, & PAG promising l Common Criteria è Industry specific protection profiles è Global recognition l WebTrust è PKI-specific set of criteria
24 © Cooley Godward 2001 On going activities l Update to RFC 2527 l Industry specific protection profiles l Other industry and governmental activities è PAG out for public comment è X9.79 into ISO
25 © Cooley Godward 2001 Resources for more info l ABA - http://www.abanet.org/scitech/ec/isc/ l RFC 2527 - http://www.ietf.org/rfc.html l WebTrust - http://www.aicpa.org/webtrust/princrit.htm l X9.79 - http://webstore.ansi.org/ansidocstore/ l Common Criteria - http://www.commoncriteria.org/ l FIPS 140 - http://csrc.nist.gov/cryptval/140-1.htm l Gatekeeper - http://www.govonline.gov.au/projects/publickey/
26 © Cooley Godward 2001 Questions?
27 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Cooley Godward LLP 703.456.8137 (phone) - 703.456.8100 (fax) email@example.com www.cooley.com
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Higher Education PKI Summit Meeting August 8, 2001 The ABA PAG Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information Technology.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Certification Authority. Overview Identifying CA Hierarchy Design Requirements Common CA Hierarchy Designs Documenting Legal Requirements Analyzing.
Security Standards and Threat Evaluation. Main Topic of Discussion Methodologies Standards Frameworks Measuring threats –Threat evaluation –Certification.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
SAM-101 Standards and Evaluation. SAM-102 On security evaluations Users of secure systems need assurance that products they use are secure Users can:
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Determining Equivalence between Certificate Policies for Purposes of Cross-Certification Jimmy C. Tseng Assistant Professor of Electronic Commerce Rotterdam.
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
WebTrust SM/TM Principles and Criteria for Certification Authorities CA Trust Jeff
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Sandeep JoshiSouthern Methodist University1 Common Criteria IT Security Evaluation By Sandeep Joshi.
+1 (801) Standards for Registration Practices Statements IGTF Considerations.
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
Best Practices Working Group June 19-21, 2001 Munich, Germany.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
TFTM Interim Trust Mark/Listing Approach Paper Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach Discussion Deck TFTM Committee.
TM8104 IT Security EvaluationAutumn CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
National Smartcard Project Work Package 8 – Security Issues Report.
HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Electronic Authentication for Flexible Learning Workshop Presentation (5 August 2003) Chris Connolly, CEO, Galexia Consulting.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
It was found in 1946 in Geneva, Switzerland. its main purpose is to promote the development of international standards to facilitate the exchange of goods.
Department of Computer Science Introduction to Information Security Chapter 8 ISO/IEC Semester 1.
OIML International Recognition Schemes for Legal Measuring Instruments Ian Dunmill Assistant Director Bureau International de Métrologie Légale.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Effective Design of Trusted Information Systems Luděk Novák,
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
FIPS Section 5 – Physical Security Randall J. Easter Director, NIST CMVP Ken Lu CSE CMVP September 28, 2005.
Auditing of a Certification Authority Patrick Cain, CISA, CISM The Cooper-Cain Group, Inc.
Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
1 Review of the Electronic Transactions Ordinance Information Infrastructure Advisory Committee 9 April 2002.
FOURTH EUROPEAN QUALITY ASSURANCE FORUM "CREATIVITY AND DIVERSITY: CHALLENGES FOR QUALITY ASSURANCE BEYOND 2010", COPENHAGEN, NOVEMBER IV FORUM-
NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
2008 New York - Member Forum Council for Responsible Jewellery Practices, Ltd. Overview of CRJP.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
© 2017 SlidePlayer.com Inc. All rights reserved.