Presentation is loading. Please wait.

Presentation is loading. Please wait.

13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00."— Presentation transcript:

1 13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00

2 2 13 Sept 00Token Interoperability and Portability Project report Partial Solution PKCS#11 - with PKCS#15 (PKCS#11) Vendor 1 PKCS#15 Application Vendor 2 PKCS#15 Vendor 2 PKCS#15 Contain: key pairs trusted certs user certs Application But no good if no PKCS#11 or the Token needs PSE

3 3 13 Sept 00Token Interoperability and Portability Project report Topics Scope Why the need? Status

4 4 13 Sept 00Token Interoperability and Portability Project report Scope (abstract) The purpose of this white paper is to explore the problems with token interoperability and how the lack of token interoperability inhibits the deployment of PKI.In particular, the white paper should address: –a) The business requirements for Token Interoperability and Portability (hardware and virtual tokens) –b) The applicable environments (Windows, Java, etc), interface and driver technologies (CAPI, PKCS#11, PKCS#15, IETF sacred, OpenCard, etc) –c) The requirements for PKCS#11 conformance testing and potential groups to do this testing –d) The necessity to liase with the IETF and RSA/PKCS on the requirements for PKCS#11profiles, PKCS#15 and secure remote credentials –e) The requirement to produce a “Token Best Practises Guide” for CA, hardware token and client application vendors. This will detail what standards, profiles and testing they should meet to maximum token interoperability and portability

5 5 13 Sept 00Token Interoperability and Portability Project report Why the need? Two main problems –PKCS#11 –Token format Both of which are causing us “pain” - along with other suppliers and consumers

6 6 13 Sept 00Token Interoperability and Portability Project report PKCS#11 example - Entegrity situation We have/are testing 13 PKCS#11devices from 6 suppliers working on either Wintel or Solaris platforms Total of 20 implementations Statistics: –only 6 implementations have passed our tests –we are waiting for patches from 4 of the suppliers More on testing - Thursday afternoon!

7 7 13 Sept 00Token Interoperability and Portability Project report Tokens As a minimum a Token usually is required to store –one or more private/public key pairs –one or more trusted public keys/certificates Optionally –user certificates –a PSE a wide range of types: –Entegrity SDP Token,Entrust Token,Baltimore Token etc etc –Java 1.2 keystore –PKCS#15 (hardware and software) –Netscape keystore –MS CSP –PKCS#12

8 8 13 Sept 00Token Interoperability and Portability Project report Complexity Crypto API (CAPI)(NS)(PKCS#11)(JDK JCE)(Proprietary) MS CSPNS keystorePKCS#15JDK keystore MS Other NS Others Java appProprietary Vendor Specific Apps Other Token Vendor Specific

9 9 13 Sept 00Token Interoperability and Portability Project report What customers want... A single key store/token applications from different vendors being able to access the same token

10 10 10 13 Sept 00Token Interoperability and Portability Project report Why PSE? If you: –have totally centralized management with no automatic key update/rollover etc –totally client key generation and the RA/CA enrollment process is via a browser (and no automatic key update/rollover) Then a PSE is not required

11 11 11 13 Sept 00Token Interoperability and Portability Project report Why PSE - cont’d A PSE in the Token is a solution if you require “configuration” information in the Token - for example: –location and name of the parent CA –the protocol by which the communication with a CA is performed (e.g. PKCS#10/PKCS#7, PKIX(CMP) and transport) –key update period –PKIX CMP shared secret –CA policy e.g. min key size, token type –interdomain trust policy The PSE then permits a less intrusive PKI enrollment to take place (e.g. do not need to use browser to go to RA/CA site)

12 12 12 13 Sept 00Token Interoperability and Portability Project report Another Approach Entegrity - Universal Token Support PKCS#11 CSP NS keystore PKCS#15 Entegrity SDP Token Virtual PSE Higher level API Application

13 13 13 13 Sept 00Token Interoperability and Portability Project report Status White Paper: –Storyboard - issued on 3rd August on e-mail list –Request for Chapter Authors –Only 1 response - Laszlo Elteto (Rainbow Technologies) –Although many offers to review and “help”!! –Paper not very well progressed - lack of help + vacations PKCS#11 –attending PKCS workshop –Discussions underway to look at having PKCS#11 compliance test for profiles (more on this Thursday)

14 14 14 13 Sept 00Token Interoperability and Portability Project report Storyboard CHAPTER 1 - Business requirements –1.1 - outline purpose of the document –1.2 - Introduce and state business needs for Token Interoperability and Portability. CHAPTER 2 - PKCS#11 and Device level APIs –2.1 - Overview of PKCS#11 –2.2 - Why there are problems –2.3 - Ongoing work with PKCS#11 conformance profiles –2.4 - PKCS#11 testing - summary of what exists –2.5 - detail and explain other relevant "stds"

15 15 15 13 Sept 00Token Interoperability and Portability Project report Storyboard - cont’d CHAPTER 3 - Token Formats –3.1 - overview of Token formats - e.g. PKCS#12, PKCS#15, NS token, MS/CSP Tokens, Java Key Stores, proprietary ones etc –3.2 - detail minimum reqs of what should be in token -and refer off to Chapter 4 for remote credentials case –3.2 - Provide scenarios of why this causes problems in user registration/enrolment - in both browser registration and more integrated cases CHAPTER 4 - Mobile Users and Remote Credentials –4.1 - define requirements –4.2 - summarise current state of IETF sacred work

16 16 16 13 Sept 00Token Interoperability and Portability Project report Storyboard - cont’d CHAPTER 5 - Recommendations –5.1 - Detail “Token Best Practises Guide” for CA, hardware token and client application vendors. This will detail what standards, profiles and testing they should meet to maximum token interoperability and portability –5.2 - Detail further work in the area required to be performed and any liaison work necessary

17 17 17 13 Sept 00Token Interoperability and Portability Project report Conclusion New more volunteers - any? If none - then paper will take longer to produce

Download ppt "13 Sept 00 Token Interoperability and Portability Project status report John Hughes Montreal - 14 September 00."

Similar presentations

PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,

PKIX BASED CERTIFICATION INFRASTRUCTURE IMPLEMENTATION ADAPTED TO NON PERSONAL END ENTITIES Jacob E., Liberal F., Unzilla J. {jtpjatae, jtplimaf,
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
McAfee One Time Password

McAfee One Time Password
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
IHE Profile Proposal: Dynamic Configuration Management October, 2013.

IHE Profile Proposal: Dynamic Configuration Management October, 2013.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.

SPEKE S imple Password-authenticated Exponential Key Exchange Robert Mol Phoenix Technologies.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al.

PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al.
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI
Network Identity Kai Kang 27 th October 2004. Outline Introduction –Definition –Five drivers –Basic services –Roadmap Network Identity management approaches.

Network Identity Kai Kang 27 th October Outline Introduction –Definition –Five drivers –Basic services –Roadmap Network Identity management approaches.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.

Windows Vista And Longhorn Server PKI Enhancements Avi Ben-Menahem Lead Program Manager Windows Security Microsoft Corporation.
14 Sept 00 PKCS#11 Interoperability/Conformance Testing John Hughes PKIForum meeting Montreal - 14 September 00.

14 Sept 00 PKCS#11 Interoperability/Conformance Testing John Hughes PKIForum meeting Montreal - 14 September 00.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
Verification & Validation.  Validation  are we building the right product?  Verification  are we building the product right?

Verification & Validation.  Validation  are we building the right product?  Verification  are we building the product right?
About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.

About PKI Key Stores Dartmouth College PKI Lab. Key Store Defined Protected “vault” to hold user’s private key with their copy of their x.509 certificate.
Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.

Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)

Similar presentations

Ads by Google