Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Standards to Facilitate Interoperability in Federated Environments Scott Rea DigiCert, Inc In collaboration with Derek Simmel (PSC).

Published byDarrell Baker Modified over 8 years ago

Similar presentations

Presentation on theme: "Identity Standards to Facilitate Interoperability in Federated Environments Scott Rea DigiCert, Inc In collaboration with Derek Simmel (PSC)."— Presentation transcript:

1 Identity Standards to Facilitate Interoperability in Federated Environments Scott Rea DigiCert, Inc In collaboration with Derek Simmel (PSC).

2 Agenda What is Trust? Establishing a Trust Framework through standards and accreditation PKI as a Trust Framework What is the IGTF? How does IGTF Accreditation work today? Towards a more flexible RA process The status of the Standard What are next steps? Summary

3 What is Trust? –Confidence or assurance that a person, system, thing will behave exactly as you expect, or alternatively, in your best interests Trust cannot be established by technology alone –A framework for trust requires the following attributes: Technology (secure and audited) Policy & Procedures (published and proven) Relationships & Liability (legal agreements and licenses)

4 Establishing a Trust Framework through standards and accreditation Why Standards? – To obtain consistent behavior, we first need to define what behavior is expected, and then measure observed behavior against this – Standards are published documents that establish specifications and procedures designed to ensure the reliability of services – Standards address a range of issues, including but not limited to various protocols that help ensure service functionality and compatibility, facilitate interoperability and support user/data safety and security protections – Standards form the fundamental building blocks for development of products and services by establishing consistent protocols that can be universally understood and adopted – Standards also make it easier to understand and compare competing services – It is only through the use of standards that the requirements of interconnectivity and interoperability can be assured – Standards fuel the development and implementation of technologies that influence and transform the way we work, research and communicate Above is Adopted from IEEE.org

5 Establishing a Trust Framework through standards and accreditation The Importance of Accreditation – Accreditation is both a status and a process As a status, accreditation provides public notification that an entity, organization, service or program meets standards of quality and security set forth by an accrediting agency As a process, accreditation reflects the fact that in achieving recognition by the accrediting agency, the entity, organization, service or program is committed to self-evaluation and external review by peers or third party auditors, in seeking not only to meet the desired standards but to continuously seek ways in which to enhance the quality of provided services – Accreditation provides assurance that the program or service is engaged in continuous review and improvement of its quality, that it meets internationally endorsed standards in the community of interest, and that it is accountable for achieving stated objectives – Accreditation provides a formal process for ongoing evaluation and improvement – Accreditation provides a forum in which participants can exchange ideas on future needs of the community of interest and ways in which to best address these – Accreditation ensures public accountability of the accredited -- that it has the required processes and policies in place, and demonstrates the desired security and interoperability outcomes consistent with its goals and objectives

6 What is PKI? Public Key Infrastructure (PKI) underpins the security and trust infrastructure of the Internet, Grids and High Performance Computing industry. While the implementation of the protocol has manifest chinks in its armor from time to time, the protocol itself has stood the test of time as an effective mechanism for establishing trust and ensuring confidentiality, integrity and authenticating potentially previously unknown participants to securely interact via trusted transactions.

7 PKI: Identity Binding with Certificates Identities are bound to cryptographic keys Certificate Policy and Key Usage listed in certificate represents procedures for issuance of certificate and asserts scope for which certificate can be used Certificate provides reliability and assurance of the verified identity

8 What is a Certificate Authority (CA) An organization that creates, publishes, and revokes certificates. Verifies the information in the certificate. Protects general security and policies of the system and its records. Allows you to check certificates so you can decide whether to use them in business/security transactions. Has one or more trusted Roots, called a trust anchor embedded in applications Agree to abide by a known Certificate Policy (CP) and publish a corresponding Certificate Practices Statement (CPS) for audit and independent verification of practices E.g. DigiCert Web PKI CPS can be found here http://www.digicert.com/ssl-cps-repository.htm

9 Certification Authority Responsibilities CA generates “roots” in secure environment – ceremony, video recorded, audited, keys on HSMs CA undergoes rigorous third party audit of operations and policy CA private keys are held under extreme protections and used to sign web site certificates and status information CA applies for corresponding root certificates to be included into trusted root stores CA policy and operations must be in compliance with root trust store rules in order to be trusted by default, and may be distributed by software updates

10 Certification Authority Responsibilities When issuing a SSL/TLS cert to a web site, the CA verifies certain information relating to ownership of the site with the respective domain and verifies control of keys being used. The strongest verification of site and domain ownership with multiple verification of direct contacts etc., allows issuance of the highest standard of assurance for SSL certificates –This highest tier of verification is called Extended Validation or EV –EV issued certs are recognized in browser GUI e.g. green bar

11 Policy Structure for PKIs RFC 3647 : Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework Published in 2003, as an update to 2527 CPs and CPSs play a central role in documenting the requirements and practices of a PKI This is how a CA conveys to a Relying Party what it does to bind identities to keys and how it protects the infrastructure that facilitates that process

12 Policy Structure for PKIs RFC 3647 : CP definition – "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements" RFC 3647 : CPS definition – "A statement of the practices which a certification authority employs in issuing certificates." – “A more detailed description of the practices followed by a CA in issuing and otherwise managing certificates may be contained in a certification practice statement (CPS) published by or referenced by the CA.”

13 CP vs CPS Relationship Between Certificate Policy and Certification Practice Statement –A CP and CPS address the same set of topics that are of interest to the relying party in terms of the degree to and purpose for which a public key certificate should be trusted. –Their primary difference is in the focus of their provisions. The purpose of the CP is to establish what participants must do The purpose of the CPS is to disclose how the participants perform their functions and implement controls

14 PKI: A Trust Framework A framework for trust requires the following attributes: – Technology (secure and audited) – Policy & Procedures (published and proven) – Relationships & Liability (legal agreements and licenses) PKI as a Trust Framework: – Technology: Public Key Cryptography – Policy & Procedures: RFC 3647 compliant documentation e.g. Certificate Policy (CP) & Certification Practices Statement (CPS), and sometimes Registration Practices Statement (RPS) – Relationships & Liability: Included in CP, community standards (authentication profiles) and accreditation program

15 Framework RFC 3647 defines a Framework of 9 areas that a CP/CPS should address: – 1. Introduction – 2. Publication and Repository – 3. Identification and Authentication – 4. Certificate Life-Cycle Operational Requirements – 5. Facilities, Management, and Operational Controls – 6. Technical Security Controls – 7. Certificate, CRL, and OCSP Profile – 8. Compliance audit – 9. Other Business and Legal Matters

16 Framework “PKIs can use this simple framework of nine primary components to write a simple CP or CPS. Moreover, a CA can use this same framework to write a subscriber agreement, relying party agreement, or agreement containing subscriber and relying party terms.” “This simple framework may also be useful for agreements other than subscriber agreements and relying party agreements. For instance, a CA wishing to outsource certain services to an RA or certificate manufacturing authority (CMA) may find it useful to use this framework as a checklist to write a registration authority agreement or outsourcing agreement.”

17 IGTF: A PKI-based Trust Framework Common criteria and model – globally unique and persistent identifier provisioning – not fully normative, but based on minimum requirements Trust is stratified by Authentication Profiles – technology and assurance ‘profiles’ in the same trust fabric – ‘Classic’traditional public key infrastructure – ‘MICS’dynamic ID provisioning leveraging federations – ‘SLCS’on-demand short-lived token generation a basis for ‘arbitrary token’ services – ‘IOTA’ adequate to ensure unique, non-re-assigned identities only with potentially lower assurance applications

18 IGTF: Interoperable Global Trust Federation supporting distributed IT infrastructures for research 3 regional coordination groups (AP, EMEA, Americas) ~80 authorities and ~10 cross-national infrastructure members ~100 000 subscribers Single integrated trust fabric with differentiated LoA May 2014

19 IGTF – Interoperable Global Trust Federation supporting distributed IT infrastructures for research IGTF brings together – e-Infrastructure resource providers, user communities and identity authorities to agree on – global, shared minimum requirements and assurance levels – inspired and coordinated by the needs of relying parties: EGI, HPCI, PRACE-RI, PRAGMA, OSG, XSEDE, … as well as most national e-infrastructure providers

20 IGTF Structure Interoperable Global Trust Federation (IGTF) www.igtf.net www.igtf.net The Americas Grid Policy Management Authority (TAGPMA) www.tagpma.org North America, www.tagpma.org Central America, South America, Caribbean European Grid Policy Management Authority (EUGridPMA) www.eugridpma.org Europe, Middle East, Africa www.eugridpma.org Asia Pacific Grid Policy Management Authority (APGridPMA) www.apgridpma.org Asia, Pacific, Australia, New Zealand www.apgridpma.org

21 IGTF Community High Performance Computing (HPC) – primarily with the HPC computational science communities – National and international HPC cyberinfrastructures, e.g., European Grid Infrastructure (EGI) U.S. National Science Foundation (NSF) XSEDE Partnership for Advanced Computing in Europe (PRACE) U.S. NSF & DoE Open Science Grid Worldwide Large Hadron Collider (LHC) Grid (WLCG) High Throughput Computing (HTC) – cloud computing and high-scaling computing on collections of distributed nodes Grid/Cloud Distributed Computing & Storage National, Institutional and Commercial CAs

22 IGTF Community Grid / Cloud computing & Web Services – Distributed computing with standards-based interfaces for secure authentication and secure communications Open Grid Forum (OGF) www.ogf.orgwww.ogf.org Organization for the Advancement of Structured Information Standards (OASIS) www.oasis-open.orgwww.oasis-open.org World Wide Web Consortium www.w3.orgwww.w3.org Certificate Authority/Browser Forum www.cabforum.orgwww.cabforum.org Internet Engineering Task Force www.ietf.orgwww.ietf.org

23 IGTF Community Public Key Infrastructure (PKI) – X.509 digital certificates data signed using a secure, cryptographic checksum typically used for identity credentials – hosts, services, people – Certificate Authorities (CAs) securely issue digital certificates – Registration Authorities (RAs) verify identity of end entities requesting certificates – Relying Parties (RPs) any person or organization that trusts a CA and depends (relies) upon the CA to issue certificates – Internet Protocols, e.g., SSL, TLS

24 Accreditation – an exercise in building Trust Accreditation process – Extensively documented public practices (CP/CPS, RFC3647) – Interviewing and scrutiny by peer group (the PMA) – Assessment against the Authentication Profiles – Technical compliance checks (RFC5280 and GFD.125) Periodic, peer-reviewed, self-audits – Based on Authentication Profiles, standard reference: GFD.169 – OGF & IGTF, inspired by NIST SP800-53/ISO:IEC 27002 Federated assessment methodology by region (IGTF) 2011-06-10 International Grid Trust Federation 2005 - 2011 https://www.eugridpma.org/guidelines/accreditation

25 IGTF Accreditation Process Today Membership Application – Organization applies for membership as an Identity Provider – PMA members vote to accept/decline membership Member requests accreditation of a CA – Member describes CA and desired Authentication Profile to be accredited against – A PMA Mentor is assigned – Two PMA peer member reviewers are assigned Reviewers examine CA Certificate Policy and Certification Practice Statement (CP/CPS) – Reviewers work with applicant to verify compatibility of services to Authentication profiles and resolve issues – PMA members vote to accept/decline CA based on report/recommendation of Reviewers Operational Review – Reviewers test operational aspects of CA – Upon successful completion of operational tests, CA is considered “Accredited” CA operators prepare and submit CA certificate and data for IGTF distribution – A designated PMA “trusted introducer” verifies CA certificate and related data, digitally signs file containing the CA certificate and data, and submits it to IGTF – IGTF adds the new CA certificate and data to a pre-release collection for testing, and upon successful testing adds it to the next scheduled public IGTF distribution – (optional) The CA operator applies to the TERENA Academic Certification Authority Repository (TACAR) to have their CA certificate added to the TACAR distribution. A designated PMA “trusted introducer” verifies CA certificate and related data, digitally signs file containing the CA certificate and data, and submits it to TACAR for inclusion in the TACAR distribution.

26 IGTF Common Criteria 2011-06-10 International Grid Trust Federation 2005 - 2011

27 IGTF Accreditation Challenges Current grid implementations require a reliable and trustworthy source of Identity certificates where key accountability of ID proofing rests with the local project administration. In order to obtain credentials that will be provisioned locally but recognized globally, previously a project typically had to invest significant resources into the establishment of an X.509 credential service and have their implementation validated by one of the area Policy Management Authorities (PMA's) of the IGTF. The set‐up and operation of an accredited Identity Provider (IDP) service (typically a CA) is often one of the major barriers facing new researchers trying to conduct new or collaborate on existing projects.

28 Efficient Federated identity Accreditation Provisioning of federated Identity credentials requires an IDP service aspect and an Identity Proofing aspect Typically the Identity Proofing aspect of the process is provisioned by local personnel associated with the project The IDP aspect requires significant resources in order to qualify for accreditation recognized globally Both aspects are required to be addressed as part of the current Accreditation process However, by decoupling the IDP aspect from the Identity Proofing (typically performed by a Registration Authority (RA)), there are a potential number of benefits that may be gained

29 Benefits of Decoupling IDP & RA Project start up is less onerous with more flexibility to focus on one aspect at a time Potential for smaller, lower cost projects should lead to an expanded participation rate Economies of scale for the most expensive aspect (IDP) by defraying operating costs over multiple projects Separation of control aligns with the different cost centers – IDP is typically a new capital cost – RA is mostly an existing submerged cost

30 Benefits of Decoupling IDP & RA Project start up is less onerous with more flexibility to focus on one aspect at a time Potential for smaller, lower cost projects should lead to an expanded participation rate Economies of scale for the most expensive aspect (IDP) by defraying operating costs over multiple projects Separation of control aligns with the different cost centers – IDP is typically a new capital cost – RA is mostly an existing submerged cost

31 Towards a more flexible RA process How can we effect this change? – Create separate standards for IDPs and RAs and allow for independent accreditation of each – CPS for IDP includes RA components – RPS as an RA-dedicated standard has become a common practice for commercial CAs – The RPS is a subordinate document of practices to the CPS, but allows direct correlation and comparison – Create an RPS template for IGTF RAs to be accredited against: NOTE: a template speeds adoption and promotes consistency

32 Status of the Standard 2012: – Proposed use of RPS as its own Standard – Draft RPS template created based on analysis of RFC 3647 sections pertinent to RAs – Agreement in IGTF to collectively work on creating a new standard RPS template 2013: – TAGPMA Face-to-Face meetings used to review drafts, edit and progress proposed standard – Trial use of proposed standard by some community members 2014: – TAGPMA and EUGridPMA Face-to-Face meetings used to review drafts, edit and progress proposed standard 2015: – Proposed Standard reviewed by TAGPMA, EUGridPMA, and presented for consideration at APGridPMA – Standard considered final draft ready

33 Next Steps Following the comment period, RPS Template standard to be published Checklists for audit against standard to be developed Validation of new standard against existing Grid implementations – Members from each PMA region are already using a version of the draft standard Evaluate whether to introduce a new class of membership for IGTF i.e. RA class

34 Summary Next chapter of IGTF is to allow more granular Registration Authority accreditation to occur independent of the current Authentication Provider accreditation process Separating IDP function from RA function within IGTF Accreditation process lends to a more efficient and potentially cost effective implementation The Development of a new RPS Standard proposed, and after 3 years of discussion, review and edit, is now in final draft for release The new Standard is expected stimulate more participation in research involving Grids and Clouds, by making projects easier to initiate and maintain, and thus lowering costs https://www.gridpma.org

Download ppt "Identity Standards to Facilitate Interoperability in Federated Environments Scott Rea DigiCert, Inc In collaboration with Derek Simmel (PSC)."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Health Ingenuity Exchange (HingX) Best Practices for User Groups and Resource Registration.

Health Ingenuity Exchange (HingX) Best Practices for User Groups and Resource Registration.
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.

RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Assuring e-Trust always www.certiver.com 1 Guaranteeing Electronic Trust at all times.

Assuring e-Trust always 1 Guaranteeing Electronic Trust at all times.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

Similar presentations

Ads by Google