www.oasis-open.org

The OASIS PKI Adoption TC: Objectives and Case Studies
Burton Group Catalyst Meeting, Barcelona, Spain, 22 October 2007
June Leung, OASIS PKI Adoption TC

The PKI environment c. 2006
- PKI is resurgent
- Embedded PKI is commonplace
- We're all in the midst of a paradigm shift to identity plurality
- Digital Certificates can be about relationships as well as (or instead of) personal identity
- Successful PKI has always been application specific, not general purpose

Resurgent, embedded PKI
- Closed (vertical) schemes
  - US PIV, Identrus, ICAO e-passports, CableLabs, Skype, BankID (Sweden)
- Health smartcards
  - France, Germany, Taiwan, Italy, Austria, Australia …
- Digital Credentials
  - US Patent Office, France, Taiwan, Australia …

Identity plurality
- "Identity 2.0" (archetype: Cardspace)
  - Too soon to tell precise outcomes
  - But it's a progressive re-think of identity, context, privacy, control etc.
  - Fundamental concept is plurality of identities.
- Stephen Kent's critique: "For big CAs, there is an implicit assumption that a single certificate is all that a user should need. This assumes that one identity is sufficient for all applications, which contradicts experience"

The top five obstacles
According to OASIS Surveys 1 & 2:
1. Software applications don't support PKI
2. Costs too high
3. PKI poorly understood
4. Too much focus on technology (not need)
5. Poor interoperability

PKIA TC: Fresh objectives
- Continue to overcome obstacles with targeted practical initiatives that improve understanding of PKI
- Disseminate case studies
- Develop position papers that de-mystify legal, governance and interoperability issues and modernise the PKI message so it reflects real needs
- Liaise more closely with other OASIS efforts, esp. under the umbrella of the new IDtrust Member Section

Case studies & TC deliverables

Embedded PKI application: Device authentication schemes
Some of the oldest, most successful PKIs are for device authentication:
- GSM cell phone SIM cards
- SSL server certificates
- IPsec VPN devices
- CableLabs PKI for Cable TV set-top boxes: www.cablelabs.com/certqual/security

Embedded PKI application: Skype
- Each Skype subscriber receives a digital certificate embedded in Skype install
- "Zero User Interface" (ZUI) principle; i.e. Subscriber unaware of their certificate!
- http://share.skype.com/sites/security

Embedded PKI application: Medicos' smartcards
- France (500,000 doctors)
  - Rolling out 40 million PKI smartcards for patients, for secure e-health
- Taiwan (300,000 doctors)
- Australia (10,000 doctors)
  - wide range of PKI enabled govt lodgments
  - electronic prescribing in development
  - certificates represent doctor's qualifications
  - planning "wholesale" supply of certs to hospitals etc.
  - see www.hesa.gov.au

Vertical PKI application: University sector national PKI
- "Australian Access Federation"
  - an infrastructure to facilitate trusted communications and collaboration within and between higher education and research institutions both locally and internationally … in line with the objective of providing researchers with access to an environment necessary to support world-class research
- Working with Shibboleth (single sign on) and international grid computing
- See www.hesa.gov.au

PKIA TC Policy Initiative: New legal view points in PKI
- Objective to de-mystify traditionally complex or confusing aspects of PKI
- e.g. "Security Printer Model"
  - Conceptualizes backend CA as 'minting' certificates on order from RA, like printing cheques
  - Decouples CA from policy and from user liability
- When someone writes a bad cheque, nobody sues the cheque printer!
- See http://tinyurl.com/2g4q4d
- Aim to complete one or more papers late CY 07

OASIS PKI Technical Committee
www.oasis-open.org/committees/pki
Stephen Wilson
swilson@lockstep.com.au
0414 488851