
  • Number of slides: 26

EEMA’s pki Challenge (pki.C)
PKI Forum European Meeting, Munich, June 2001
by Frank Jorissen, Vice Chairman EEMA & pki.C Co-ordinator

About EEMA
• Europe’s largest, not-for-profit E-business Forum
• founded in 1987 by the largest European PTO’s
• Currently close to 250 member organisations & growing, many new members with a strong ICT Security interest!:
  – “Vendors”, including: Microsoft, IBM, Compaq, Alcatel, Siemens, Lotus, SAP, Ericsson, SmartTrust, Entrust, RSA, GlobalSign, VeriSign, Baltimore, Bull, Identrus, BT, Cylink, Entegrity, Roccade, Utimaco Safeware, ...
  – “Users”, including: Barclays, Unilever, Reuters, Shell, Volvo, BP, Exxon, ING, Glaxo Wellcome, Hoffmann la Roche, AstraZeneca, ICC, UK Post, TI, SWIFT, ...
  – “Consultants”: KPMG, PWC/beTRUSTed, Cap Gemini, Ovum, ...
  – + many PTO’s & Service Providers
• “WEMA” liaisons globally: in the US (TOG ‘EMA Forum’), in Australia/SEA (AOEMA), in Brazil (BRISA), in Japan (E-Japan Forum), in Russia (RANS)
• EEMA & PKI Forum are Liaison members, with a specific pki.C MoU

EEMA “Interest Groups”
“ECAF” & its ICT Security initiatives:
--> “ECAF Model”: basic PKI implementation guidance for novice PKI implementers. NEW!: ECAF Model part 2 initiated, will focus on “PKA”
--> ISSE Conference (Berlin ‘99, Barcelona ‘00, London ‘01, Paris ‘02)
--> pki Challenge
--> liaisons (being) established with other major global players
+ Other EEMA E-business-related Interest Groups: Directories, Unified Messaging, Users, EDI / E-Commerce, Events & Marcom, Standards Watch, NEW: e-Government…

“Challenges” (interoperability events)
• Since the early 90’s
• On evolving technologies: X.400, X.500, SMTP, LDAP, S/MIME, X.509, …; now X.509 v3, IETF/PKIX, PKCS, EESSI, … (standards must be stable & successful, i.e. commonly implemented – not too new! This generates issues with, among others, PKIX/CMC and EESSI)
• By a number of WEMA organisations worldwide, e.g. “Challenge ’97”
• EEMA & EMA: pki “Challenge showcases” during the period 1999-2002
• EMA’s Challenge showcase was demonstrated at the EMA Annual Conference in Boston, April 2000

EMA “Challenge 99/2000” = “FBCA”
• “Federal Bridge CA” = US Federal Gov’t effort to solve the ad hoc interoperability problems between a range of existing PKI’s within a large number of Federal Gov’t agencies (BTW: this project & concept is not to be confused with TeleTrusT’s “Bridge CA”, a major German PKI users-led initiative, distributing a signed “trusted CA’s list”)
• The US Federal Bridge CA concept has strong merits for PKI-domain-to-PKI-domain interoperability in large (groups of) organisations
• For more information, see EMA’s report at: http://csrc.nist.gov/pki/documents/emareport_20001015.pdf
• However, the FBCA scope is quite different from what most vendors & users also want: client<->RA<->CA interoperability (intra & inter-domain)

EMA “Challenge 99/2000” (diagram slide)

pki.C’s Mission
• Core Mission & Main Differentiator with all other similar initiatives: To provide a low-threshold, well-managed & well-funded test infrastructure, not dependent on volunteering efforts, for PKI interoperability testing between many, global PKI/PKA vendors --> “PKI as an open ‘operating system’ for various PKA’s”
• Vendor-led & focusing on technology interoperability, hence fully complementary to e.g. US FBCA and to TeleTrusT’s Bridge CA, which are user-led and focusing on the ‘ad hoc’ solving of all basic interoperability issues --> opportunities for collaboration!!
• Based on stable & commercially successful standards, e.g. X.509 v3, PKCS#10, PKIX/CMP, S/MIME v?, … Also: no CMC (yet), no DSA/DH, …
• Also considering EU-specific requirements to the extent possible & reasonable in the period 2001-2002: e.g. the EU Electronic Signature Directive & accompanying “EESSI standards” by ETSI and CEN/ISSS
• To disseminate, demonstrate & promote ‘open’ results; currently 3 strong pki.C liaisons: PKI Forum, UK CESG, EESSI. Also discussions with, among others, TeleTrusT, ICSA and TOG initiated

Scope of Interoperability in pki.C Context (see further for more details)

Phase 1: Project Infrastructure & Management

· WP 1: Project Co-ordination, management & QA
· WP 2: produce scope and definition of the criteria for interoperability of PKI products and services
· WP 3: performing awareness activity & identifying participants, negotiating and contracting with them
· WP 4: producing the detailed plan and specifications for the interoperability tests
· WP 5: building the “reference” test infrastructure

Phase 2: Interoperability Testing

· WP 3 (part) - identifying potential participants, negotiating and contracting with them
· WP 6 - performing the interoperability tests
· WP 7 - demonstrating and disseminating the results of the testing (WP 6) at the “EEMA 2002” and “ISSE 2002” Conferences
· WP 8 - writing the final project report

Time Plan & Work Packages (diagram slide)

Today’s Status
• Contract with the Commission for total funding of 8 m/y was signed end of 2000
• Project kick-off: end of Jan. 2001
  WP 1 (Project Management) - initiated
  WP 2 (Scope) --> almost finished
  WP 3 (Marketing) --> leading to enormous interest (see further)
• Total Project Duration: 2001 & 2002

Who will Participate in “Phase 1”?
pki.C “Consortium members”: Baltimore, Belgacom, EEMA, Entegrity, Entrust, GlobalSign, KPMG, Makra, Security&Standards, SmartTrust, Consignia (ex “Royal Mail”), Univ. of Leuven (“COSIC” (AES!) & “ICRI” Labs), Univ. of Salford, Utimaco Safeware

Who will be Involved in “Phase 2”??
1. “Active” Participants: Baltimore, Biodata, Certicom, Cisco, Compaq, Conclusive, Consignia (Royal Mail), CRYPTOMAThIC, Cylink, Datum, Diginotar, Entrust, Gemplus, Isabel, iT_Security, NetSet, Privador, Royal Mail, RSA, Safelayer, SecurePort, Shym, SmartTrust, Spyrus, SSE, SSH, Tarmin, Uti Systems, Utimaco Safeware, ValiCert, VeriSign (preliminary list - subject to change!) --> OPEN PARTICIPATION, BUT LIMITED NUMBERS
2. “General Interest” Participants: currently >300 people from almost 250 organisations in >30 countries: e.g. Alcatel, Barclays, Belgacom, BT, Bull, Cable&Wireless, Cap Gemini, Crédit Suisse, Delarue, Dell, Deloitte&Touche, Deutsche Bank, Deutsche Post, DTI, Ernst&Young, Euroclear, GlobalSign, HP, IBM, ICL, Identrus, ING, KPMG, NESTEC, NHS, Nortel, Okobank, PWC, Shell, Siemens, Statoil, SWIFT, Unilever, directory vendors, insurances, … how about YOU?

pki.C & PKIF interoperability...?
• Main Goal: Avoid “islands of interoperability”!
• Collaboration was discussed at PKIF’s San Jose meeting (3/01) & described in an MoU, which is now signed & being executed
• Includes active collaboration on pki.C marketing initiatives between EEMA & PKI Forum
• Similar relationship with the UK Gov’t’s CESG: again: avoid the “islands of interoperability”!!!

pki.C & PKIF interoperability...?
--> MoU elements:
– where possible share terminology, structures, ‘modules/scripts’, …
– establish rules for recognition of copyrighted work
– publish “consensus documents”, possibly with options as required by the different organisations’ members and the different regions on which they focus - thereby achieving even more global consensus
– mutual review of work in progress
– avoid waste of effort by minimising overlap and maximising complementarity
– PKIF members can engage in the pki.C project (listservs, …), and use the pki.C test facilities
– common promotion of pki.C
– ...

pki.C WP 2 Deliverables
• Product/Service Interoperability Test Criteria
• Update of EEMA’s “Secure Messaging Framework” (by Bob Willmott, Makra Consultancy)
Acknowledgements to pki.C’s WP 2 Leader, Martin Getliffe (Entegrity), for doing an excellent job!

pki.C Interoperability Interfaces: the “helicopter view” (diagram slide with the two layers PKA and PKI)

I. PKA Interoperability
• Essential
  – Secure Email (S/MIME) – both e-signatures & encryption
• Under Consideration:
  – Secure Documents
  – Signed Web Objects (XML, HTTP)
  – Secure Time Stamping
  – Applications Utilising “Qualified Certificates” (IETF/EESSI)
(However, most likely pki.C will only address S/MIME, since the pki.C focus is on PKI rather than PKA interoperability)

II. PKI Interoperability
• Essential
  – CA Certification (3 Level Hierarchy)
  – Certification by File Exchange
• Under Consideration
  – Remote Enrolment (CMP very likely, CMC not likely (yet))
  – Smart Cards (likely, but will be optional)
  – IETF/EESSI “Qualified Certificates” (very likely)
  – CA/RA Interoperability (not likely; under discussion)

III. Directory & Validation Services
• Essential
  – LDAP, to both “active participant directories” & to “one virtual directory” of the “reference impl.”
  – Directory ‘Schema’ & ‘Naming’ conventions
• Under Consideration
  – CDP’s & delta CRL’s (unlikely)
  – OCSP (very likely)
  – X.500 DAP (unlikely)
  – Notarisation (unlikely)

Detailed overview of pki.C’s Test Interoperability Interfaces (diagram slide: a Generic Participant Test System beside the PKIC Reference System, each with Smart Card, Root CA, RA, Sub CA, Directory, VA, PKI I/F and PKA; the Reference System also holds the Virtual Directory. Numbered interfaces 1a/1b, 2, 3a/3b, 4, 5a/5b, 6a/6b and 7 mark the test interfaces between the components)

Example Test Scenario: Secure Email (diagram slide: a Secure Email System beside the PKIC Reference System, each with Root CA, RA, Sub CA, Directory or Virtual Directory and PKI I/F, with the Secure Email applications exchanging messages over interfaces 4a, 6b and 7)