Alternative Governance Models for PKI


1 Alternative Governance Models for PKI
GGF8 BOF June 26/03

2 Agenda
- Overview and proposed scope (5 min)
- Governance Models (25 min)
- QIK as a possible mechanism (15 min)
- Discussion of proposed charter and milestones (30 min)

3 BOF Goals
- Agree on RG Charter
- Identify parties interested in working within a RG
- Identify overlap/interest with other groups
- Identify preliminary work items
- Rough out schedule

4 Overview
- X.509 does not dictate a particular governance model
- The conventional governance model of CP/CPS is best suited to the TTP business model
- There is room for a variety of governance models to address different business models
- The requirements of the GRID community may best be served by a different governance model

5 Definitions
- PKI governance model: Identifies the types of participants in a PKI and the relationships between them
- PKI governance instruments:
  - Contractual and supporting documents that define the warranties offered by, and the obligations imposed on, the participants in the PKI
  - Mechanisms for maintaining the trustworthiness of statements made by authorities
  - Gentlemen’s agreements
- Governance model: A representation of the entities and the mechanisms for maintaining the trustworthiness of statements made by authorities

6 Objectives of Governance models
- To achieve a proper understanding and equitable allocation of risk among the actors
- Make the risks commensurate with the benefits for all participants
- Expose risk
- Apportion liability
- Identify obligations

7 Trust/Expectations
To trust someone is to have a reasonable belief that they will behave as expected.
[Diagram: expectations between Issuer, Subscriber and Relying Party. Labels: notification of issuance; notification of revocation; conduct quality processes; publish the certificate and CRLs; query for revocation; rely within limits; protect private key; use appropriately; use within limits; trust this is from me]

8 Governance Models Taxonomy
- Governance models can be characterized by:
  - The nature of the information shared
  - On which party the risk assessment burden falls
- Trusted Third Party
- ‘Equivalent Safeguards’
- ‘Equivalent Conditions’

9 Trusted Third Party
- CA describes practices in CPS
- Subscriber & Relying party perform risk assessment to determine if practices are suitable for purposes
- Auditor’s report provides independent assessment of TTP’s adherence to published practices

10 Equivalent Safeguards
- CP lists statement of requirements for PKI safeguards
- CA describes its practices in CPS
- Subscriber & Relying party perform risk assessment to determine if practices are suitable for purposes
- Auditor’s report details CA adherence to published practices (at a very high level)

11 Equivalent Conditions
- CP lists conditions for certificates:
  - Approved uses
  - Obligations
  - Warranties
- CPS (if it exists) is an internal document
- Risk assessment performed by Operating authority
- Auditor’s report offers opinion with respect to suitability of practices to intended use

12 Comparison
Model | CP | CPS
TTP | NA | CA practices; Limited liability; Public
Equivalent Safeguards | CA practice requirements |
Equivalent Conditions | Approved uses; Commitments; Obligations | Private

13 [Diagrams: relationships among Policy Authority, Issuer, Subscriber and Relying Party]

14 Applications
[Diagram labels: Application Details; Certificate Policy (generic); Certificate Policy (app); Relying Party; Policy Authority; Y/N]

15 Possible mechanism - QIK
- Qualified Installation of Keys
- Key-owners publish their public verification key, appended with appropriate uses & associated commitments and obligations, in a QIK statement
- Relying parties parse QIK statement to determine if contained public key should be ‘trusted’
- If ‘yes’, key is ‘installed’, ‘qualified’ by appropriate conditions (e.g. uses and restrictions)

16 QIK statement
- A binding between a public key and the terms and conditions of its use, as specified by the key owner or issuer.
- Keys can be discovered based on these terms & conditions
- Keys characterized by:
  - The Commitments the key-owner/issuer makes with respect to their use
  - The Obligations attendant on those entities that use the key

17 Basic model
- The owner of a digital-signature key-pair creates a QIK instance, containing the public verification key and the conditions of use for that key.
- It publishes the QIK instance, either on the Web or by some other means, e.g. in WSDL or UDDI.
- It creates a validation string by digesting the QIK instance and makes the digest available by an authentic channel.
- The relying party retrieves and validates the QIK instance, using the digest, confirms the suitability of its conditions of use to the intended application and, if these checks pass, installs the key.
- The key owner sends signed transactions to the relying party.
- The relying party validates the transactions using the key from the QIK instance.
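
The relying party's side of the basic model, as an added example (not code from the presentation or from the QIK work): it validates a QIK instance against the digest received over the authentic channel, checks the conditions of use, and installs the key qualified by those conditions. The JSON layout, field names, function names and the choice of SHA-256 are assumptions, since the slides do not give QIK's serialization or digest algorithm; signature validation of transactions is left out.

```python
import hashlib
import hmac
import json

def validation_string(qik):
    # Key owner: digest of the QIK instance, handed out over an authentic channel.
    # Assumption: sorted-key JSON stands in for the real QIK serialization.
    blob = json.dumps(qik, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def install_key(store, qik, trusted_digest, application, accepted_obligations):
    """Relying party: validate the instance, check suitability, then install."""
    if not hmac.compare_digest(validation_string(qik), trusted_digest):
        return "rejected: digest mismatch"
    for app in qik["key_applications"]:
        if app["application"] != application:
            continue
        unmet = sorted(set(app["obligations"]) - set(accepted_obligations))
        if unmet:
            return "rejected: obligations not accepted: " + "; ".join(unmet)
        # The key is installed for this application only, never as blanket trust.
        store[(qik["public_key"], application)] = app["commitments"]
        return "installed"
    return "rejected: key not offered for " + application

def key_allowed(store, public_key, application):
    # Consulted before validating any transaction signed with the key.
    return (public_key, application) in store

# Constructed sample QIK instance; every value here is illustrative.
SAMPLE_QIK = {
    "public_key": "constructed-sample-public-key",
    "key_applications": [{
        "application": "grid-job-submission",
        "commitments": ["notify relying parties of revocation"],
        "obligations": ["query for revocation before relying"],
    }],
}

if __name__ == "__main__":
    store = {}
    digest = validation_string(SAMPLE_QIK)  # would arrive out of band
    print(install_key(store, SAMPLE_QIK, digest, "grid-job-submission",
                      ["query for revocation before relying"]))
    print(key_allowed(store, SAMPLE_QIK["public_key"], "code-signing"))
```

Because the digest covers the conditions of use as well as the key, an instance whose application list was altered in transit fails validation before any condition is evaluated.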

18 Variations
[Diagram labels: Key Owner; Relying Party; Bilateral trust; Subscriber; End-entity; Root import; CA; Cross-cert]

19 Cross-certification

20 Top-level Schema

21 Key Application Schema
- A key is listed along with the applications for which its use is appropriate
- Each KeyApplication has associated Commitments and Obligations

22 Charter
Purpose: The Alternative Governance Model Research Group will explore the potential for a simpler, less-expensive, semi-automated alternative to the CP/CPS model for PKI policy governance. It is hoped that such an alternative will simplify and enable the establishment of trust between Grid participants, both end-entities and Certificate Authorities.
Output: The output of this research group will be an informational or community practices GGF document and suggestions for future development work in GGF working groups.

23 Summary
- The requirements of the GRID community may best be served by a PKI governance model different than the conventional
- Work warrants the creation of a Research (Working?) Group to explore the pros/cons of different models and relevance to Grid scenarios

