- Количество слайдов: 26
EEMA’s pki Challenge (pki. C) PKI Forum European Meeting Munich, June 2001 by Frank Jorissen Vice Chairman EEMA & pki. C Co-ordinator
About EEMA • Europe’s largest, not-for-profit E-business Forum • founded in 1987 by the largest European PTO’s • Currently close to 250 member organisations & growing, many new members with a strong ICT Security interest ! : – “Vendors”, including: Microsoft, IBM, Compaq, Alcatel, Siemens, Lotus, SAP, Ericsson, Smart. Trust, Entrust, RSA, Global. Sign, Veri. Sign, Baltimore, Bull, Identrus, BT, Cylink, Entegrity, Roccade, Utimaco Safeware, . . . – “Users”, including: Barclays, Unilever, Reuters, Shell, Volvo, BP, Exxon, ING, Glaxo Wellcome, Hoffmann la Roche, Astra. Zeneca, ICC, UK Post, TI, SWIFT, . . . – “Consultants”: KPMG, PWC/be. TRUSTed, Cap Gemini, Ovum, . . . – + many PTO’s & Service Providers • “WEMA” liaisons globally: • in the US (TOG ‘EMA Forum’), in Australia/SEA (AOEMA), in Brazil (BRISA), in Japan (E-Japan Forum), in Russia (RANS) EEMA & PKI Forum are Liaison members, with a specific pki. C Mo. U
EEMA “Interest Groups” “ECAF” & its ICT Security initiatives: --> “ECAF Model”: basic PKI implementation guidance for novice PKI implementers. NEW!: ECAF Model part 2 initiated, will focus on “PKA” --> ISSE Conference (Berlin ‘ 99, Barcelona ‘ 00, London ‘ 01, Paris ‘ 02) --> pki Challenge --> liaisons (being) established with other major global players + Other EEMA E-business-related Interest Groups: Directories, Unified Messaging, Users, EDI / E-Commerce, Events & Marcom, Standards Watch, NEW: e-Government…
“Challenges” (interoperability events) • Since the early 90’s • On evolving technologies: X. 400, X. 500, SMTP, LDAP, S/MIME, X. 509, …; now X. 509 v 3, IETF/PKIX, PKCS, EESSI, … (standards must be stable & succesful , ie commonly implemented – not too new ! Generates issues with ao PKICX/CMC and EESSI) • By # WEMA organizations worldwide, eg “Challenge’ 97” • EEMA & EMA: pki “Challenge showcases” during the period 1999 -2002 • EMA’s Challenge showcase was demonstrated at the EMA Annual Conference in Boston, April 2000
EMA “Challenge 99/2000” = “FBCA” • “Federal Bridge CA” = US Federal Gov’t effort to solve the ad hoc interoperability problems between a range of existing PKI’s within a large number of Federal Gov’t agencies (BTW: this project&concept not to be confused with Tele. Trus. T’s “Bridge CA”, a major German PKI users-led initiative, distributing a signed “trusted CA’s list”) • The US Federal Bridge CA concept has strong merits for PKI-domain -to- PKI-domain interoperability in large (groups of) organisations • For more information, see EMA’s report at: http: //csrc. nist. gov/pki/documents/emareport_20001015. pdf • However, the FBCA scope is quite different from what most vendors & users also want: client<->RA<->CA interoperability (intra&inter-domain)
EMA “Challenge 99/2000”
pki. C’s Mission • • • Core Mission & Main Differentiator with all other similar initiatives: To provide a low-threshold, well-managed & well-funded test infrastructure, not dependent of volunteering efforts, for PKI interoperability testing between many, global PKI/PKA vendors --> “PKI as an open ‘operating system’ for various PKA’s” Vendor-led & focusing on technology interoperability, hence fully complementary to eg US FBCA and to Tele. Trus. T’s Bridge CA , which are user-led ad focusing on the ‘ad hoc’ solving of all basic interoperability issues opportunities for collaboration !! Based on stable & commercially succesful standards, eg X. 509 v 3, PKCS#10, PKIX/CMP, S/MIMEv? , … Also: no CMC (yet), no DSA/DH, … Also considering EU-specific requirements to the extent possible & reasonable in the period 2001 -2002. . . : eg the EU Electronic Signature Directive & accompanying “EESSI standards” by ETSI and CEN/ISSS To disseminate, demonstrate & promote ‘open’ results; currently 3 strong pki. C liaisons: PKI Forum, UK CESG, EESSI. Also discussions with ao Tele. Trus. T, ICSA and TOG initiated
Scope of Interoperability in pki. C Context (see further for more details)
Phase 1: Project Infrastructure & Management
· WP 1: Project Co-ordination, management & QA · WP 2: produce scope and definition of the criteria for interoperability of PKI products and services · WP 3: performing awareness activity & identifying participants, negotiating and contracting with them. · WP 4: producing the detailed plan and specifications for the interoperability tests · WP 5: building the “reference” test infrastructure
Phase 2: Interoperability Testing
· WP 3 (part) - identifying potential participants, negotiating and contracting with them. · WP 6 - performing the interoperability tests · WP 7 - demonstrating and disseminating the results of the testing (WP 6) at “EEMA 2002” and “ISSE 2002” Conferences · WP 8 - writing the final project report
Time Plan & Work Packages
Today’s Status • Contract with the Commission for total funding of 8 m/y was signed end of 2000; • Project kick-off : end of jan. 2001 WP 1 (Project Management) - initiated WP 2 (Scope) --> almost finished WP 3 (Marketing) --> leading to enormous interest (see further) • Total Project Duration: 2001&2002
Who will Participate in “Phase 1” ? pki. C “Consortium members”: Baltimore, Belgacom, EEMA, Entegrity, Entrust, Global. Sign, KPMG, Makra, Security&Standards, Smart. Trust, Consignia (ex “Royal Mail”), Univ. of Leuven (COSIC”(AES!) & “ICRI” Labs), Univ. of Salford, Utimaco Safeware
Who will be Involved in “Phase 2” ? ? 1. “Active” Participants: Baltimore, Biodata, Certicom, Cisco, Compaq, Conclusive, Consignia (Royal Mail), CRYPTOMATh. IC, Cylink, Datum, Diginotar, Entrust, Gemplus, Isabel, i. T_Security, Net. Set, Privador, Royal Mail, RSA, Safelayer, Secure. Port, Shym, Smart. Trust, Spyrus, SSE, SSH, Tarmin, Uti Systems, Utimaco Safeware, Vali. Cert, Veri. Sign (preliminary list - subject to change !) --> OPEN PARTICIPATION, BUT LIMITED NUMBERS 2. “General Interest” Participants: currently >300 people from almost 250 organisations in >30 countries: eg Alcatel, Barclays, Belgacom, BT, Bull, Cable&Wireless, Cap Gemini, Crédit Suisse, Delarue, Dell, Deloitte&Touche, Deutsche Bank, Deutsche Post, DTI, Ernst&Young, Euroclear, Global. Sign, HP, IBM, ICL, Identrus, ING, KPMG, NESTEC, NHS, Nortel, Okobank, PWC, Shell, Siemens, Statoil, SWIFT, Unilever, directory vendors, insurances, … how about YOU ?
pki. C & PKIF interoperability. . . ? • Main Goal: Avoid “islands of interoperability”! • Collaboration was discussed at PKIF’s San Jose meeting (3/01) & described in an Mo. U, which is now signed & being executed • Includes active collaboration on pki. C marketing initiatives between EEMA & PKI Forum • Similar relationship with the UK Gov’t’s CESG: again: avoid the “islands of interoperability” !!!
pki. C & PKIF interoperability. . . ? --> Mo. U elements: – where possible share terminology, structures, ‘modules/scripts’, … – establish rules for recognition of copyrighted work – publish “consensus documents”, possibly with options as required by the different organisations members and the different regions on which they focus - thereby achieving even more global consensus – mutual review of work in progress – avoid waste of effort by minimising overlap and maximising complementarity – PKIF members can engage into the pki. C project (listservs, …) , and use the pki. C test facilities – common promotion of pki. C –. . .
pki. C WP 2 Deliverables • Product/Service Interoperability Test Criteria • Update of EEMA’s “Secure Messaging Framework” (by Bob Willmott, Makra Consultancy) Acknowledgements to pki. C’s WP 2 Leader, Martin Getliffe (Entegrity), for doing an excellent job !
pki. C Interoperability Interfaces: the “helicopter view” PKA PKI
I. PKA Interoperability • Essential – Secure Email (S/MIME) – both e-signatures & encryption • Under Consideration: – – Secure Documents Signed Web Objects (XML, HTTP) Secure Time Stamping Applications Utilising “Qualified Certificates” (IETF/EESSI) (However, most likely pki. C will only address S/MIME, since the pki. C focus is on PKI rather than PKA interoperability)
II. PKI Interoperability • Essential – CA Certification (3 Level Hierarchy) – Certification by File Exchange • Under Consideration – Remote Enrolment (CMP very likely, CMC not likely (yet)) – Smart Cards (likely, but will be optional) – IETF/EESSI “Qualified Certificates” (very likely) – CA/RA Interoperability (not likely; under discussion)
III. Directory & Validation Services • Essential – LDAP, to both active participant directories” & to “one virtual directory” of the “reference impl. ” – Directory ‘Schema’ & ‘Naming’ conventions • Under Consideration – – CDP’s & delta CRL’s (unlikely) OCSP (very likely) X 500 DAP (unlikely) Notarisation (unlikely)
Detailed overview of pki. C’s Test Interoperability Interfaces: Generic Participant Test System PKIC Reference System Smart Card 1 b 1 b 1 a 1 a Root CA RA 2 3 a Sub CA RA Root CA RA Sub CA 3 b Sub CA RA Sub CA Directory 5 b 4 VA VA 5 a 6 a Virtual Directory 6 b PKI I/F PKA PKI I/F 7 PKA
Example Test Scenario Secure Email System PKIC Reference System Root CA RA Sub Sub CA Directory 4 a Virtual Directory 6 b PKI I/F Secure Email PKI I/F 7 Secure Email