Building trust on the internet Extending Attribute Protocols for Status Management and “Other Things” Patrick Richard, Xcert International

Extending Attribute Protocols for Status Management and “Other Things” Company Background Size: 80+ employees Incorporated:1996 (Vancouver, BC) HQ:Walnut Creek, CA Funding:Private, backed by founder of RSA & Verisign) Key partners & customers:

Extending Attribute Protocols for Status Management and “Other Things” Agenda (40 minutes) –Conceptual History –Products in Action –Application Potential

Extending Attribute Protocols for Status Management and “Other Things” PKI Enables Risk Management PKI provides a means to reduce the risk of business-to-business and business-to- consumer internet transactions PKI enables institutions to define trust relationships that can be: –Published –Audited –Insured

Extending Attribute Protocols for Status Management and “Other Things” Digital Certificates Role in Risk Management Digital certificates are the ONLY technology to satisfy the requirements for secure transactions among trusted parties.

Extending Attribute Protocols for Status Management and “Other Things” Certificate Formats and Risk Management Digital Certificates, as they are commonly used: –contain generalized end-entity information –this is used as part of the risk mitigation process –Examples: name, address, where you work, etc..

Extending Attribute Protocols for Status Management and “Other Things” Certificate Attributes and Risk Management The collection of information carried in a Certificate is the lowest common denominator for risk-managing transactions –Sometimes too little information –Sometimes too much Normally no one cares who you are… they care about your ability to transact.

Extending Attribute Protocols for Status Management and “Other Things” What is important Are the transaction-specific bindings between the participants and their relevant attributes Example: –Joe Customer is the owner of the card –The card is still valid –The card has enough credit space for a transaction

Extending Attribute Protocols for Status Management and “Other Things” The key concept PKI is really the practice of end-entity attribute assertion and management I.e.: –CA asserts and distributes your name attribute –VA asserts and distributes your status attribute –AA asserts and distributes your credit attribute

Extending Attribute Protocols for Status Management and “Other Things” Attribute Management Protocols A good, generalized and scaleable attribute management protocol can be the basis for a highly efficient and effective PKI Eliminates re-inventing the wheel, solves scaleability problems Relevant elements of the transaction are transmitted, nothing else

Extending Attribute Protocols for Status Management and “Other Things” Effective Attribute Management Protocol Characteristics Ability to serve signed attributes Ability to generate static collections of signed attributes Ability to serve dynamic collections of signed attributes Ability to deal with cacheing and freshness

Extending Attribute Protocols for Status Management and “Other Things” Real World Example: Certificate Status Management Most OCSP implementations rely upon CRLs (I.e. they proxy CRLs) Certificate Status is really just an attribute of the certificate being queried

Extending Attribute Protocols for Status Management and “Other Things” Status Management in an Attribute-driven model Relating the current semantics against the model: –CRL : static collection of status attributes –Online query : signed response of status attribute –OCSP : standard protocol front-end on CRL/online query

Extending Attribute Protocols for Status Management and “Other Things” Technical Benefits A singular protocol and method for resolving identity and attribute bindings Works online and off-line Can be applied to multiple attributes, not just status Is 100% backwards compatible Provides infinite design flexibility

Extending Attribute Protocols for Status Management and “Other Things” Business Benefits Most implementations hit a “Chinese Wall” when they attempt to scale Only cost effective way to scale Customers with 100,000 + users on 1.x products (circa 1997), also Powers Public CAs Provides business opportunities for Attribute Assertion Providers

Extending Attribute Protocols for Status Management and “Other Things” Current Real World Applications Pseudo-anonymous certificates High-assurance web transactions Value-based dynamic assertions Rollover and Revocation simplified Single certificate, many models (I.e. GUC)

Extending Attribute Protocols for Status Management and “Other Things” PKI Elements

Extending Attribute Protocols for Status Management and “Other Things” Future Implications Natural evolution is to Index attribute databases from certificates Truly Internet-wide certificates should ideally have minimized content Businesses are arising that focus exclusively on attribute management

Extending Attribute Protocols for Status Management and “Other Things” Conclusion A comprehensive attribute management system can provide the backbone for a global deployment of PKI Common PKI problems can be easily resolved through the use of attribute management Primary obstacles today are not technical, but rather philosophical