Direct Project Direct + Policy Enablement

12/06/10 Overview Policy Role In Direct Policy Enablement Security and Trust Support Architecture Tool Demo

12/06/10 Policy Role In Direct Scalable Trust Philosophy for enabling Direct exchange between a large number of endpoints Policy first class citizen in scalable trust Mitigates policy variance Proposed Policy Requirements Federal Community Requirements Governance Trust Bundles Technical solution to scalable trust Bundle profiles define policy requirements Only define and attest policy compliance Can not assert and enforce policy Bundles alone are not enough

12/06/10 Policy Enablement Facilitate Policy Decisions at Runtime Systemic assertion of policy profile compliance Direct 2.0 vs Policy Enablement 2.0 may imply specification changes Potential compatibility issues Policy enablement requires no specification changes Optional module Backward compatible at transport

12/06/10 Security and Trust Support Modular Components Encryption Signature Cert Discovery Trust Chaining Current Policy Ability Simple binary trust decision based on certificate chain validation

12/06/10 Security and Trust Support Current State – Outgoing Message Certificate Store Dual Use Certificates Private Resolver All non-expired All non-revoked Public Resolver All non-expired All non-revoked Trust Chain to trust anchor

12/06/10 Security and Trust Support Current State – Incoming Message Certificate Store Dual Use Certificates Private Resolver All non-expired All non-revoked Verification Message integrity Trust Chain to trust anchor

12/06/10 Security and Trust Support Optional Policy Enablement Module Policy implemented as filters Injected into security and trust process Private Certificate Resolution Public Certificate Resolution Trust Chain Validation Configurable Granularity Message Direction Message Source Message Destination Circles of Trust Can be applied to DNS or LDAP hosting Defined Policy Best Practices

12/06/10 Security and Trust Support Policy Enabled State – Outgoing Message Certificate Store Dual Use or Single Use Certificates Private Resolver All non-expired All non-revoked Public Resolver All non-expired All non-revoked Trust Chain to trust anchor Policy Filter Filter certs that meet configured criteria

12/06/10 Security and Trust Support Policy Enabled State – Incoming Message Certificate Store Dual Use or Single Use Certificates Private Resolver All non-expired All non-revoked Public Resolver All non-expired All non-revoked Verification Message integrity Policy Filter Filter certs that meet configured criteria

Policy Engine Policy Engine (direct-policy.jar) Policy defined in lexicon specific language Definition + X509 Certificate processed by engine Engine evaluates boolean value to indicate certificate compliance with policy Policy filter equates to policy engine process in security and trust agent 12/06/10 Architecture Intermediate State Policy Definition Lexicon Parser Compiler Opcodes Executor Boolean Decision X509 Cert

12/06/10 Policy Engine Use Cases Build Policy Definitions Tooling to build definition file Policy filters in security and trust agent Out of band policy validation Trust bundle profile validation for anchors End entity certificate validation to CP or CPS

12/06/10 Release Schedule Q Policy Engine Security and Trust Agent Configuration Service Command Line Import and Configuration of Definitions Gateway Policy Validator Summer/Early Fall 2013 Visual Policy Builders Config-UI integration Java RI 3.0 to include Q release components

12/06/10 For More Information Direct + Policy Proposal: Scalable Trust Forum: Scalable Trust Summary: summary-of-findings-report.pdfhttp:// summary-of-findings-report.pdf Direct Trust Bundle Workgroup: Scalable Trust Story:

12/06/10 Policy Validation Tool Demo DEMO!!