IDA Security Experts Workshop Olivier LIBON Vice President – Global. Sign November 2000
Outlines 4 Interoperability at the EU side § § § Private Key Storage (software, hardware, etc) Certificate Management (expiration, renewal, revocation, etc) Products Limitations (web, mail, etc) 4 Interoperability at the CA side § § § Accreditation Schemes (EESSI vs. . . ) Products Compliance & Interoperability (RA, CA, etc) Common Trust Levels (Cross-certification, etc) 2
Interoperability at the EU side 4 Interoperability at the EU side § § § Private Key Storage (software, hardware, etc) Certificate Management (expiration, renewal, revocation, etc) Products Limitations (web, mail, etc) 4 Interoperability at the CA side § § § Accreditation Schemes (EESSI vs. . . ) Products Compliance & Interoperability (RA, CA, etc) Common Trust Levels (Cross-certification, etc) 3
Private Key Storage 4 Software (Disk) § § § Various Certificate Store (Microsoft, Netscape, Opera, etc. . . ) Key protection (pin code, token, etc. . . ) PC lost? / upgraded? (backup, import/export, etc. . . ) 4 Hardware (Smart. Card) § § § Key-pair generation Reader Installation & Costs Compatibility (ship + OS + Data) 4
Certificate Management 4 Certificate Lifecycle (history) § § Certificate History (Expiration/Renewal) Certificate Revocation (Status Checking) 4 Key Usage (key protection) § § One certificate for every key usage Multiple certificates (Encryption, Authentication, Non. Repudiation, etc) 4 Certificate Usage (public vs private) § § One certificate (ID-card) for every application/domain Multiple certificates (one for each application/domain) 5
Products Limitations 4 Certificate Chaining § § Deliver the complete chain No cross-certification support 4 Certificate Extensions § § § Basic Constraints (the only one supported) Naming Constraints (not supported) Policy Constraints & Mappings (not supported) 4 Certificate Status § § CRLs (no check) OCSP (not yet available) 6
Interoperability at the CA side 4 Interoperability at the EU side § § § Private Key Storage (software, hardware, etc) Certificate Management (expiration, renewal, revocation, etc) Products Limitations (web, mail, etc) 4 Interoperability at the CA side § § § Accreditation Schemes (EESSI vs. . . ) Products Compliance & Interoperability (RA, CA, etc) Common Trust Levels (Cross-certification, etc) 7
Accreditation Schemes 4 Step 1: EC Directive adoption § A common framework for electronic signature defines: . . . • Electronic Signature • Qualified Certificate • TTP requirements 4 Step 2: Local Laws adaptation § § § Germany (BSI) UK (T-Scheme) France (MEFI) Netherlands (TTP. NL) Etc. . . 4 Step 3: EESSI § § Standards. . . but very complex (and not accepted yet) A lawyers and lobbying world 8
Products Interoperability 4 Component Interoperability § § Ability to mix and match PKI products Depends on messages exchanged between components to support: • Certificate request • Certificate renewal • Certificate revocation 4 Enterprise Interoperability § § § Ability to connect PKI s into a larger P functional PKI Cross-certification Repositories/Directories 9
Common Trust Levels 4 Hierarchical Model § § § Root Signing (a signle hierarchy of certificates) Proprietary accreditation rules Not flexible and irrealistic 4 Non-hierarchical Model § § § Cross-certification (multiple hierarchies of certificates) Opened cross-certification rules Very flexible but irrealistic 4 Meshed Model § § § CA bridge (multiple hierarchies per business domain) Opened bridging rules Very flexible but need for an independant organization (EC? ) 10
Скачать презентацию IDA Security Experts Workshop Olivier LIBON Vice President
443fb4997e4aedc522932ebcdbacfb2f.ppt