1. SAFE BioPharma Association CONFIDENTIAL1 SAFE Public Key Infrastructure (PKI) 2005 EDUCAUSE/Dartmouth PKI Deployment Summit

2. SAFE BioPharma Association CONFIDENTIAL2 Topics SAFE –What is SAFE? –History? –Framework –Architecture SAFE Bridge Authority –Architecture –Timeline Current Test environment for the SBCA –Architecture –Services –Test Package

3. SAFE BioPharma Association CONFIDENTIAL3 SAFE is a Bio-pharmaceutical Industry Standard that specifies technical, legal, and regulatory compliance standards SAFE delivers unique electronic identity credentials for legally enforceable & regulatory compliant digital signatures across the global biopharmaceutical environment for Business-to-Business and Business-to-Regulator transactions SAFE – Secure Access For Everyone

4. SAFE BioPharma Association CONFIDENTIAL4 SAFE & Bio-Pharmaceutical Community CONCEPT Trusted e-identity credentials Closed contractual system Accredited Business focus DRIVERS Regulatory compliance Business efficiency Cost savings MAY 2003 SAFE  strategic PhRMA initiative DEC 2003 Seed investment  12 bio-pharmaceuticals JUN 2004 SAFE Standard v1.0 DEC 2004 SAFE-Biopharma  8 bio-pharmaceutials JUL & AUG 2005 SAFE Bridge IOC & SAFE Standard v2.0

5. SAFE BioPharma Association CONFIDENTIAL5 SAFE-Biopharma Member Issuer Agreement SAFE Community Framework SAFE Standard Business/Legal Governance Specifications Services SAFE Bridge CA Directory Issuer Services for Medical Practitioners/Others Full For-Profit Entities Not-For-Profit Entities Government Orgs Associate Medical Practitioners Other Entities/Individuals designated by SAFE Services CA / RA / CSA Credentials for Members Identity Proofing

6. SAFE BioPharma Association CONFIDENTIAL6 Subscriber SAFE Member SAFE Issuer SAFE- Biopharma SAFE Architecture Registration and Certificate Management Systems SAFE Enabled Applications SAFE Bridge CA Central Systems End-User Systems Machine Systems SAFE Certificate OCSP Response OCSP Request SAFE Cert. Authentication C P Details contained in SAFE CP C P Details contained in associated Technical Specification SAFE Certificate Cross Certificates C P OCSP Response OCSP Request OCSP Response OCSP Request Validation Request & Response Signing & Validation Request & Response Signing & Validation Request & Response

7. SAFE BioPharma Association CONFIDENTIAL7 SAFE Bridge Authority (SBCA) Physical Layout

8. SAFE BioPharma Association CONFIDENTIAL8 SBCA Operational Authority – Cybertrust 2004 SepSAFE SBCA RFP 2005 JanCybertrust chosen as operational authority for SBCA Jan - MarContract negotiations Mar - JulDevelopment of CPS, policies & procedures, test environment, and production environment Jun 30SBCA Root Key generation ceremony Jul 26-27SBCA acceptance testing [in progress] Jul 29Acceptance for Initial SBCA operations [planned] Aug - DecInitial Cross certification with initial SAFE Issuers [planned]

9. SAFE BioPharma Association CONFIDENTIAL9 SBCA Test Environment Provides emulation of SBCA: –SBCA pre-production testing –SAFE Issuers cross-certifying with the SAFE Bridge CA –SAFE Application Testing –Accredited SAFE Product Certification Labs Availability: –Operational NOW –Download package at http://safe-biopharma.orghttp://safe-biopharma.org –No guaranteed service level –No support available

10. SAFE BioPharma Association CONFIDENTIAL10 SBCA Test Environment

11. SAFE BioPharma Association CONFIDENTIAL11 SBCA Test Environment Package SAFE_CROSS-CERT_TEST_PKG –Version: 1.3 –Released: 7/12/2005 –TEST Readme file Test package components: – 2 Test Issuers Emulates 2 test-only SAFE Issuers, cross-certified by test-only SBCA Valid and revoked digital signature certificates - PKCS#12 format Certificates provide all OCSP, CRL and directory URIs –Cross-Certificates are available via URL –OCSP Accepting both signed & unsigned OCSP requests –Only tested unsigned request Only URL to access OCSP Responders –CRL For each test CA Certificate is available via URL –Cross Certificate Request PKCS#10 certificate request from the test SBCA The request is provided in both Binary and Base 64 formats

12. SAFE BioPharma Association CONFIDENTIAL12 SAFE Bridge Certificates - Test Every CA has also issued an OCSP Responder certificate –The responder certificate is not explicitly trusted, but can be verified using the CA cert Except for the self signed roots, all certificates have the Authority Information Access (AIA) extension –OCSP entry points to an internet accessible OCSP server –caIssuers entry points to an internet accessible URL for the issuing CA’s certificate(s) contained in PKCS#7 files Except for the self signed roots, all certificates have the CRL Distribution Point (CRLDP) extension –HTTP URL points to an internet accessible location The above properties allow certificate paths to be built and validated from any user certificate to either trusted root certificate –Even without prior “knowledge” of the existence of the bridge!

13. SAFE BioPharma Association CONFIDENTIAL13 SAFE Bridge CA Test Structure MagiCure Water TEST CA SAFE Bridge CA TEST Cybertrust SAFE Issuer TEST Root CA Cybertrust From Bridge MagiCure Water From Bridge Cybertrust SAFE Issuer Test Sub CA End Entities

14. SAFE BioPharma Association CONFIDENTIAL14 SAFE Bridge CA - Test MagiCure Water SBCA Test Cybertrust Sub CA OCSP

15. SAFE BioPharma Association CONFIDENTIAL15 Questions Contact information: Russel F Weiser PKI SME Cybertrust Inc. Russ.Weiser@cybertrust.com Cell 801-631-1685 SAFE contact information: Terry Zagar SAFE Core Team SAFE-BioPharma Association terry.zagar@ngc.com Phone 301-527-6780