Presentation is loading. Please wait.

Presentation is loading. Please wait.

SWIM Common PKI and policies & procedures for establishing a Trust Framework                           Kick-off meeting Patrick MANA Project lead 29 November.

Published byDamian Gaines Modified over 5 years ago

Similar presentations

Presentation on theme: "SWIM Common PKI and policies & procedures for establishing a Trust Framework                           Kick-off meeting Patrick MANA Project lead 29 November."— Presentation transcript:

1 SWIM Common PKI and policies & procedures for establishing a Trust Framework                          
Kick-off meeting Patrick MANA Project lead 29 November 2017

2 Agenda Welcome - Introduction Tour de table Project scope/objective
Technical content Tasks/deliverables Contribution Next steps AOB SWIM Common PKI and policies & procedures for establishing a Trust framework

3 Why this initiative? The local deployment of a Public Key Infrastructure (PKI) at a stakeholder is a well-established technical undertaking that can rely on proven technology and best practices. Even the basic processes and policies required to operate the PKI locally are a local issue in the first place. However to establish the required trust in the other parties on a European scale, a commonly agreed set of processes and policies is required especially with the aim to ensure the interoperability of digital certificates. SWIM Common PKI and policies & procedures for establishing a Trust framework

4 The SESAR Deployment Programme and 2017 CEF Transport Calls Project objectives to cover Family Common PKI and Cyber Security Information to be exchanged and business impact if compromised Properties of information to be exchanged International data exchange (e.g. FAA) Trustworthiness on business level Identify business objectives Define trust models/structure supporting the identified business objectives Identify minimum requirements for the technical tools and how to use the tools Define content of certificates Develop overall architecture Match business objectives and policies with technical solutions Define legal and organizational framework Develop policies / standards / legal framework Define minimum cyber security objectives and requirements for Common PKI service(s) Define minimum cyber security objectives and requirements for PKI clients PKI implementation supported by cyber security defenses Develop guidance material to support SWIM Service Provider Develop guidance material to support SWIM Service Consumers Develop guidance material

5 SWIM Common PKI (Family 5.1.4)
Common Bridge PKI

6 Description/Scope/Objective
The project aims at developing and deploying a common framework for both integrating local PKI deployments in an interoperable manner as well as providing interoperable digital certificates to the users of SWIM. The resulting PKI and its associated trust framework, which will be part of the cyber security infrastructure of aviation systems, are required to sign, emit and maintain digital certificates and revocation lists as required in the family The digital certificates will allow user authentication and encryption/decryption when and where needed in order to ensure that information can be securely transferred. All aviation Stakeholders (ANSPs, Airspace users, MIL, Airport, etc …) will benefit from the project. The scope of the project includes the definition and development of a dedicated common PKI and its associated trust framework for Europe, its integration and validation with some Stakeholders. It will ensure the interoperability of digital certificates within Europe and with other regions. The project also aims at preparing the development of the systems needed to operate a PKI and its associated trust framework in order to produce and manage digital certificates, e.g. Certification Authorities, validation services such as OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List), user interfaces, systems supporting the Registration Authority and Policy Management Authority roles. These systems will be developed through procurement, for which the project will prepare the Call For Tenders (CFT). SWIM Common PKI and policies & procedures for establishing a Trust framework

7 Tasks for (1/2) Develop the Trust Framework policies and procedures Define the Policy Management Authority (PMA) (Terms Of Reference (ToR), procedures) Develop/approve the initial Certificate Policy/Certification Practices Statement(s) Develop the Membership Agreement Ensure interoperability with others PKIs, e.g. US Federal Bridge Etc. Develop Common PKI specifications (for both development and operations) Develop high-level architecture Functional Technical Specifications (including certificates specs) Define the (SWIM) interfaces to the Common PKI Define Users interface Define validation interfaces (e.g. OCSP interface (Online Certificate Status Protocol), CRL interface (Certification Revocation List)) etc. SWIM Common PKI and policies & procedures for establishing a Trust framework

8 Tasks for 5.1.4 (2/2) Interface with SWIM Governance Project
Interaction with SWIM governance project deliverables Prepare the material for the potential launch of a CFT (scope still to be defined) Develop the draft of technical and contractual specifications Prepare all necessary material for operations Develop guidance for SWIM service providers Develop guidance for SWIM service consumers Project Management SWIM Common PKI and policies & procedures for establishing a Trust framework

9 Technical content SWIM Common PKI and policies & procedures for establishing a Trust framework

10 Common PKI Designed for ATM and providing ATM specific services :
Compliant with SWIM PKI requirements as set in SESAR D (Families & 5.2.3) Can be the response to ICAO/AFSG need for a European PKI ATM specific services: support to safety case, DSU Able to comply with US (FAA) PKI Recommended to have a fully dedicated PKI (producing and managing only those aviation certificates, not shared with other domains) Governance : Liaise with SWIM governance SWIM Common PKI and policies & procedures for establishing a Trust framework

11 Common PKI and Trust Framework
Common PKI and Trust framework: … not only a PKI Means to ensure interoperability Policies and procedures to establish a Trust framework Cross-certification with at least US (FAA/FBCA) Dedicated Certification Authority platform Day-to-day operations by a contractor Aspects of Service Provision under governance liaising with SWIM governance: Policy Management Authority & Registration Authority Root Certification Authority “key” components Public Key Infrastructure for European ATM Stakeholders: ANSPs, AUs, AOs, … Digital security keys Identification & authentication Encryption if needed Common Bridge PKI

12 Common PKI & Trust Framework: Goals
Enhances the security of ATM information. It ensures that the users of services are those who have been authorised. It ensures the identity of services providers. It ensures the identity of information senders. It ensures the identity of information receivers. Ensures the interoperability of the certificates and the secured exchanges of information Supports the secure cooperation amongst ATM Stakeholders in the framework of an increasing inter-connection of systems (e.g. AMHS, SWIM) by: Providing a unique service and reference for European ATM identity and authentication management; Providing a mutual and trustworthy recognition of security certificates with other ICAO regions. Facilitates and extends the access and use of identity & authentication services to those ATM Stakeholders not yet using such services. SWIM Common PKI and policies & procedures for establishing a Trust framework

13 Why is a Cybersecurity Trust Framework Needed
Cyber-security can not be effectively developed at the lower levels, it needs to start at the top: Establishing these common and mutually agreed upon methods to protect the aviation community from its cybersecurity risk needs to be centrally established and manage. Managed aviation cybersecurity through a federated Framework to govern aviation community as a whole through that get integrated into The various workgroups and programs to ensure global interoperability reducing the overall burden and impacts to the community as a whole Provide a frame of established common governance documents e.g. business, technical, legal, privacy This project intends to develop a Trust framework related to Common Bridge PKI. SWIM Common PKI and policies & procedures for establishing a Trust framework

14 Specific objectives through the Cybersecurity Trust Framework
SPECIFICATIONS DEVELOPMENT. Develops common specifications for secure collaboration and information exchange through federation across the aviation community. Establish common methods and solutions that align and enable global interoperability. The specifications fall into these categories: Secure information exchange Identity credentials/digital identities and attributes Federated identity Information assurance GLOBAL GOVERNANCE. Establishes policy and governance for the aviation community . Interoperable Identity Federation Trust Framework Common Operating Rules Legal Framework & Allocation of Liabilities Accreditation & Trustmark COMMON BRIDGE. Hosts a Common Bridge for Aviation only Membership that enables secure collaboration between all aviation Stakeholders. SWIM Common PKI and policies & procedures for establishing a Trust framework

15 Elements of Trust Framework for Common PKI
Organization Membership Agreement Multilateral Trust & Operating Agreement Accreditation Certification & Audit Process Trust Framework Governance Body Operational Trust Framework Trust Framework Provider Identity Providers Common Bridge & Credential Exchange Operator Relying Parties Credential Service Providers Attribute Exchange Service Attribute Providers Service Agreement Trust Framework Organization Governance Certificate Policy Common Operating Rules Governance Trust Framework Criteria & Methodology for Cross-Certification Certificate Policy Certification Practice Statement Technical Specifications Membership/Participation Governance Documents Trust Framework Governance Documents Technical Documents

16 Cross-certification (1/2):
Cross-certification (1/2): What collaboration WITHOUT a cross-certification bridge looks like CA 5 CA 1 CA 4 CA 2 CA 3 SWIM Common PKI and policies & procedures for establishing a Trust framework

17 Common Bridge (Trust Anchor)
Cross-certification (2/2): What collaboration WITH a cross-certification bridge looks like Common Bridge (Trust Anchor) CA 1 CA 2 CA 3 CA 4 CA 5 SWIM Common PKI and policies & procedures for establishing a Trust framework

18 Common PKI/Bridge/Trust Anchor
SWIM Common PKI and policies & procedures for establishing a Trust framework

19 Common PKI: ICAO/AFSG - AMHS
SWIM Common PKI and policies & procedures for establishing a Trust framework

20 SWIM Common PKI and policies & procedures for establishing a Trust framework

21 Local Applications/users/systems
Other Bridges/CAs (e.g. FAA, ICAO in the future) Common Bridge & Root Certification Authority PMA SWIM Governance RA Issuing CA-1 (e.g. Non Safety Critical, Special Case) Issuing CA-2 (e.g. Safety Critical) Issuing CA-3 (e.g. Reserve (Safety Critical)) Issuing CA-X Root signing Others: Users/ apps/ systems Local RA Local RA Local RA Local Applications Local RA Local Applications Local RA Applications/users/systems Local CA Subscribers: States/ Stakeholders Local Applications EUROCONTROL Local Applications Local Applications Local Applications Local Applications/users/systems PMA: Policy Management Authority RA: Registration Authority

22 Deliverables See excel
SWIM Common PKI and policies & procedures for establishing a Trust framework

23 Contribution (see RACI table)
SWIM Common PKI and policies & procedures for establishing a Trust framework

24 THANK YOU patrick.mana@eurocontrol.int
SWIM Common PKI and policies & procedures for establishing a Trust framework

25 enter your presentation title
back-up slides enter your presentation title

26 X.509 Digital certificates
Can be used for: External exchanges: SWIM and non-SWIM Interoperability : no more need for cross-certification Strong authentication Internal exchanges: Internal Machine to Machine exchanges Can replace a Stakeholder “own” PKI SWIM Common PKI and policies & procedures for establishing a Trust framework

27 Public Key Infrastructure
SWIM Common PKI and policies & procedures for establishing a Trust framework

28 Cross-certification (1/2)
SWIM Common PKI and policies & procedures for establishing a Trust framework

29 Cross-certification (2/2)
SWIM Common PKI and policies & procedures for establishing a Trust framework

30 World wide PKI – ICAO trust bridge hierarchy … The dream
SWIM Common PKI and policies & procedures for establishing a Trust framework

31 Trust relations in a federated trust model
SWIM Common PKI and policies & procedures for establishing a Trust framework

32 World wide PKI - Regional CA's with Cross-certification … the reality to start with
SWIM Common PKI and policies & procedures for establishing a Trust framework

33 Regional cross-certificate trust model
SWIM Common PKI and policies & procedures for establishing a Trust framework

Download ppt "SWIM Common PKI and policies & procedures for establishing a Trust Framework                           Kick-off meeting Patrick MANA Project lead 29 November."

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
ESA Iris Programme workplan of activities

ESA Iris Programme workplan of activities
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.

Nigel Titley. RIPE 54, 9 May 2007, Tallinn, Estonia. 1 RIPE NCC Certification Task Force Update Presented by Nigel Titley RIPE NCC.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
August 2004 Providing Industry-wide Security and Identity Management Solutions.

August 2004 Providing Industry-wide Security and Identity Management Solutions.
1 Bridge/Gateway CA Project Status Gzim OCAKOGLU European Commission – DG ENTR / IDABC Reykjavik – 27 May 2005.

1 Bridge/Gateway CA Project Status Gzim OCAKOGLU European Commission – DG ENTR / IDABC Reykjavik – 27 May 2005.
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.

Controller of Certifying Authorities Public Key Infrastructure for Digital Signatures under the IT Act, 2000 : Framework & status Mrs Debjani Nag Deputy.
Ray Collins27th September 2005LGfL Project – workshop report1 LGfL Project Report Proof of Principle of the Shibboleth Authentication & Authorisation Infrastructure.

Ray Collins27th September 2005LGfL Project – workshop report1 LGfL Project Report Proof of Principle of the Shibboleth Authentication & Authorisation Infrastructure.
Active Directory ® Certificate Services Infrastructure Planning and Design Published: June 2010 Updated: November 2011.

Active Directory ® Certificate Services Infrastructure Planning and Design Published: June 2010 Updated: November 2011.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.

NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
Trusted Federated Identity and Access Management to provide the Cornerstone for Cyber Defense.

Trusted Federated Identity and Access Management to provide the Cornerstone for Cyber Defense.
TFTM 01-06 Interim Trust Mark/Listing Approach Paper Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach Discussion Deck TFTM Committee.

TFTM Interim Trust Mark/Listing Approach Paper Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach Discussion Deck TFTM Committee.

Similar presentations

Ads by Google