Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEQ-012 PKI Overview March 19, 2019

Published byMurat Akbulut Modified over 5 years ago

Similar presentations

Presentation on theme: "WEQ-012 PKI Overview March 19, 2019"— Presentation transcript:

1 WEQ-012 PKI Overview March 19, 2019
NAESB WEQ-012 PKI Overview March 19, 2019

2 North American Energy Standards Board OpenFMB PKI Presentation
Background & Introduction 2

3 History of WEQ PKI Standards
2006: NAESB WEQ-012 Public Key Infrastructure Business Practice Standards Developed – NAESB WEQ Version 001 2008: FERC Adopts NAESB WEQ Version 001 Business Practice Standards However, a process for the authorization for certificate authorities was required for implementation 2011: NAESB Board of Directors approves the Authorized Certification Authority (ACA) Process 2014: FERC Adopts NAESB WEQ Version 003 Business Practice Standards 2016: FERC NOPR NAESB WEQ Version Business Practice Standards

4 NAESB PKI Program Standards WEQ-012 Public Key Infrastructure TRUST
Specifications NAESB Accreditation Requirements for ACAs Process NAESB Board Certification Committee ACA Process TRUST

5 A Standard for Verifiable Trust
Three pillars to ensure trust ACA Certification Process A recurring NAESB process to ensure that Certificate Authorities are qualified to issue NAESB Digital Certificates ACA Accreditation / Obligation Specifications A detailed document describing requirements of a Certificate Authority in order to issue NAESB digital certificates. Reviewed annually at minimum – changes as needed to address vulnerabilities WEQ-012 Standard: End Entity Obligations FERC regulated entities must comply with the standards contained in WEQ-012, as specified within each NAESB standard that employs WEQ-012. Reviewed annually at minimum – changes as needed to address vulnerabilities

6 Trust is a Continuum Is not binary – have/do not have trust
Ranges from no trustworthiness to high trustworthiness NAESB’s PKI Program contains a series of documents that establish a trust framework for other NAESB standards to adopt Each NAESB standard specifies the level of trust required to establish trust for End Entity identification.

7 Foundational Trust Model
The WEQ-012 standard is designed for use by any/all NAESB standards that require PKI functionality, i.e. OASIS WEQ-012 is flexible, defines lowest to highest trust levels allowable in NAESB standards No trust, i.e. self-signed certs are prohibited NAESB standards that adopt WEQ-012 must specify the required Assurance Level, along with any other X.509 certificate fields that are required for that standard i.e. Common Name specifications

8 Demands of WEQ-012 WEQ-012 demands very little from any NAESB standard that wishes to adopt PKI Specify the requirements for Name fields in a digital Certificate, i.e. Subject Common Name (CN) O and OU fields MUST match EIR registration The required assurance level Additional X.509 field usage requirements, i.e. subject alternative name, key usage, etc.

9 Assurance Levels What is an assurance level
Four Levels: Rudimentary, Basic, Medium, High Each level indicates the depth of investigation into a parties identity before issuing a certificate Why do we need assurance levels Common frame of reference using standard identifiers owned by NAESB Some applications require certain level of assurance, i.e. OASIS requires Basic level Each NAESB standard that adopts WEQ-012 MUST specify it’s required assurance level

10 Assurance Level Descriptions
Rudimentary This level provides the lowest degree of assurance concerning the identity of the end entity. One of the primary functions of this level is to provide data integrity to the information being signed. This level is relevant to environments in which the risk of malicious activity is considered to be low. Basic This level provides a basic level of assurance relevant to environment where there are risks and consequences of data compromise, but they are not considered to be of major significance. This may include access to private information where the likelihood of malicious access is not high. Medium This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or risk of fraud, or involving access to private information where the likelihood of malicious access is substantial. High This level is reserved for those environments where the threats to data are high, or the consequences of the failure of security services are high. This may include very high value transactions or high levels of fraud risk.

11 Identification Requirements
Requests for Subscriber Certificates in the name of an affiliated organization shall include the organization name, address, and documentation of the existence of the organization in the EIR, applicable to all NAESB standards The Authorized Certification Authority or RA shall verify the information, in addition to the authenticity of the requesting representative and the representative’s authorization to act in the name of the organization. The higher the assurance level the more stringent the “investigation”

12 Identity proofing requirements
Assurance Level Identification Requirements (in person) Rudimentary/Level 1 The name associated with the subscriber is provided by the applicant and accepted without verification Basic/Level 2 Possession of a valid current primary Government Picture ID that contains applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport) Medium/Level 3 Possession of verified current primary Government Picture ID that contains applicant’s picture and either address of record or nationality (e.g. driver’s license or passport) High/Level 4 Verification of two independent ID documents or accounts, meeting the requirements of Level 3 (in-person and remote), one of which must be current primary Government Picture ID that contains applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport), and a new recording of a biometric of the applicant at the time of application NOTE: Committee leveraged best practices of established commercial practices such as CA/B Forum Baseline requirements, NIST guidelines, and industry specific requirements for these levels.

13 3.13 IDENTIFICATION AND AUTHENTICATION (SG.IA)
NISTIR 7628 REV 1compliant 3.13 IDENTIFICATION AND AUTHENTICATION (SG.IA) Identification and authentication is the process of verifying the identity of a user, process, or device, as a prerequisite for granting access to resources in a smart grid information system. NISTR Reference NAESB PKI Reference SG.IA-1 Identification and Authentication Policy and Procedures NAESB Accreditation Requirements for Authorized Certification Authorities WEQ-012 Standard End Entities WEQ-012 Standard End Entity Obligations SG.IA-4 User Identification and Authentication WEQ-012 Standard INITIAL REGISTRATION SG.IA-5 Device Identification and Authentication

14 ACA Audit Requirement

15 Certification Process

16 WEQ-012 ACA Responsibilities

17 Roles and Responsibilities
Registration Authority Responsible for validating the identity of a party seeking a digital certificate. Typically performed by an ACA or Local Registration Authority (LRA) Certificate Subscriber Employs a digital certificate for identification purposes (i.e. access to EIR, OASIS server ID) Certificate Authority Issues digital certificates to parties based on registration authority approval

18 List of Authorized Certificate Authorities on NAESB’s website
Where to find ACA’s List of Authorized Certificate Authorities on NAESB’s website As of February 2019, there were four: OATI Systrends GlobalSign SSL.com

19 Key Sizes and Life Expectancy
All Certificate Authority Certificates that expire after 12/31/2012, when they are replaced should be signed with keys of at least 4096 bits for RSA or DSA and at least 256 bits for ECDSA Subscriber Certificates issued after the effective date of these requirements (2/18/2014), shall contain public keys that are at least 2048 bits for RSA, DSA, or Diffie-Hellman, or 224 bits for elliptic curve algorithms. Limits an ACA “issuing key” to 4 years for certificate issuance and 6 years for CRL signing ACA Root certificate lifetime limited to 20 years Subscriber certificates still limited to two years max lifetime

20 North American Energy Standards Board OpenFMB PKI Presentation
Questions ?? Prepared by the North American Energy Standards Board 20

21 Reference Materials Rudimentary Current version of NIST SP A Digital Identity Guidelines: Enrollment and Identity Proofing, Section “Identity Assurance Level 1” Basic Current version of CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (CABF BRs) Section Authentication of Individual Identity. Medium Current version of CA-Browser Forum’s Guidelines For The Issuance And Management Of Extended Validation Certificates, Chapter “ Acceptable Method of Verification (4) Principal Individual High Current version of NIST SP A Digital Identity Guidelines: Enrollment and Identity Proofing, Section 4.5 “Identity Assurance Level 3”

Download ppt "WEQ-012 PKI Overview March 19, 2019"

Similar presentations

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Functional component terminology - thoughts C. Tilton.

Functional component terminology - thoughts C. Tilton.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.

Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.

In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
1 Exemption AdministrationTraining Related to Accepting Certificates Prepared by the Streamlined Sales Tax Governing Board Audit Committee Prepared January.

1 Exemption AdministrationTraining Related to Accepting Certificates Prepared by the Streamlined Sales Tax Governing Board Audit Committee Prepared January.
By Garland Land NAPHSIS Consultant. Importance of Birth Certificates Needed for: Social Security Card School Enrollment Driver’s License Passport.

By Garland Land NAPHSIS Consultant. Importance of Birth Certificates Needed for: Social Security Card School Enrollment Driver’s License Passport.

Similar presentations

Ads by Google