Web Trust SM TM Principles and Criteria for Certification

Зарегистрируйтесь, чтобы просмотреть полный документ!

Web. Trust SM/TM Principles and Criteria for Certification Authorities CA Trust June 2000 Jeff Stapleton PKI Forum jstapleton@kpmg. com 617 -988 -6312

Agenda • Overview of Organizations & Standards • Overview of CA Trust • Question & Answer June 2000 PKI Forum 1

AICPA / CICA AICPA: American Institute of Certified Public Accounts (CPA) CICA: Canadian Institute of Chartered Accountants -------------------------------Electronic Commerce Assurance Service Task Force • Web. Trust family: – Web. Trust, ISP Trust, CA Trust, & Sys. Trust (no seal) – NOT a SAS 70, adaptation of the Statement on Standards for Attestation Engagements (SSAE) No. 1 June 2000 PKI Forum 2

X 9. 79 / CA Trust X 9 F 5 working group (established 1998) • X 9. 79 PKI Practices and Policy Framework – Annex B: Certification Authority Control Objectives – currently in X 9 ballot -------------------------------Electronic Commerce Assurance Service Task Force • Web. Trust Principles and Criteria for Certification Authorities (CA Trust) – completed public exposure, final in July 200 June 2000 PKI Forum 3

CA Control Objectives ANSI standards FIPS 140 -1 CA Trust ISO standards ABA-ISC PAG IETF PKIX-4 BS 7799 NACHA CARAT X 9. 79 “audit language” June 2000 PKI Forum 4

CA Trust Organization and statistics: • 3 principles Business Practices Disclosure – 45 required disclosures Service Integrity – 33 criteria and 182 illustrative controls CA Environmental Controls – 28 criteria and 165 illustrative controls • 30 topics (5 optional), 392 disclosures and controls June 2000 PKI Forum 5

CA Trust • PRINCIPLE 1: CA Business Practices Disclosure - The Certification Authority discloses its key and certificate life cycle management business and information privacy practices and provides its services in accordance with its disclosed practices. • 45 required disclosures June 2000 PKI Forum 6

CA Trust • PRINCIPLE 1: CA Business Practices Disclosure – General Disclosures – Key Life Cycle Management – Certificate Life Cycle Management – CA Environmental Controls June 2000 PKI Forum 7

CA Trust • PRINCIPLE 2: Service Integrity - The Certification Authority maintains effective controls to provide reasonable assurance that: – Subscriber information was properly authenticated (for the registration activities performed by CA). – The integrity of keys and certificates it manages is established and protected throughout their life cycles. • Key Life Cycle Management Controls • Certificate Life Cycle Controls • 33 criteria and 182 illustrative controls June 2000 PKI Forum 8

CA Trust • PRINCIPLE 2: Service Integrity Key Life Cycle Management Controls: – – – – – June 2000 CA Key Generation CA Key Storage, Backup and Recovery CA Public Key Distribution CA Key Escrow (optional) CA Key Usage CA Key Destruction CA Key Archival CA Cryptographic Hardware Subscriber Key Management Services (optional) PKI Forum 9

CA Trust • PRINCIPLE 2: Service Integrity Certificate Life Cycle Controls: – – – – – June 2000 Subscriber Registration Certificate Renewal (optional) Certificate Rekey Certificate Issuance Certificate Distribution Certificate Revocation Certificate Suspension (optional) CRL Processing (negative & positive validation) Smart Card (optional) PKI Forum 10

CA Trust • PRINCIPLE 3: CA Environmental Controls The Certification Authority maintains effective controls to provide reasonable assurance that: – Subscriber and relying party information is restricted to authorized individuals and protected from uses not specified in the CA's business practices disclosure. – The continuity of key and certificate life cycle management operations is maintained. – CA systems development, maintenance, and operation are properly authorized and performed to maintain CA systems integrity. • 28 criteria and 165 illustrative controls June 2000 PKI Forum 11

CA Trust • PRINCIPLE 3: CA Environmental Controls – – – June 2000 CPS and CP Management Security Management Asset Classification and Management Personnel Security Physical and Environmental Security Operations Management System Access Management Systems Development and Maintenance Business Continuity Management Monitoring and Compliance Event Journaling PKI Forum 12

CA Trust Other sections of CA Trust: • PKI Overview • Web. Trust Overview • Example reports - Annexes • Cross reference with X 9. 79 June 2000 PKI Forum 13

CA Trust Effort 400 300 250 100 June 2000 PKI Forum 14

CA Trust Questions? June 2000 PKI Forum 15

Скачать презентацию Web Trust SM TM Principles and Criteria for Certification

af02e12f928c1016725638e5d13cb0ff.ppt

Количество слайдов: 16