
Slide 1: © Cooley Godward 2001
PKI ASSESSMENT
The process of evaluating, verifying, and certifying your PKI
Presented by: Randy V. Sabett
Vanguard Enterprise Security Expo 2001
June 5, 2001

Slide 2: Introduction
- Dichotomy
- Challenges
- Models
- Mechanisms and criteria
- Path forward

Slide 3: Dichotomy
- “UBIQUITOUS PKI!!!!!”
- …but many barriers
  → Need: common recognition mechanism

Slide 4: Challenges - traditional technology vs. PKI
- Traditional technology

Slide 5: Challenges - traditional technology vs. PKI
- Public key infrastructure
- CP and CPS
- Complicated by varied requirements of particular sectors (verticals)

Slide 6: Challenges - recognition
- No universally acceptable mechanism for recognizing the sufficiency of a PKI deployment
- Uncharted legal waters
- Several efforts and proposals - most focus on technical and business
- General model

Slide 7: Models - Simple assessment model
[Diagram: Assessment Criteria, Assessor, and PKI System or Component, connected by the relations "assesses", "develops", and "influences". Key: Subject, Object]

Slide 8: Mechanisms and criteria
- PAG
- RFC 2527
- WebTrust
- Common Criteria
- BS7799
- FIPS 140-2
- Gatekeeper
- Others

Slide 9: PKI Assessment Guidelines (PAG)
- Five year project of the Information Security Committee of the American Bar Association
- Follow up work to the Digital Signature Guidelines (1996)
- Participation by over 400 legal, technical, and business people

Slide 10: PAG (cont’d)
- D.2.1.4.1 The Effect of Contractual Privity Upon Relying Party’s Responsibilities Expressed as Covenants or Imposed by Law
- Issue Summary. This section discusses the issue of whether the relying party is in privity of contract with the other PKI participants…
- Relevant Considerations. Threshold question is whether the PKI attempts to create contractual privity between the CA and the relying party…
- Appropriate Requirements and Practices. It is necessary for the PKI to decide how to present relying party covenants; unlike other participants, however, relying party covenants tend to be small enough in number to make it feasible to list in this section, or perhaps cross reference.

Slide 11: Detailed model
Note Vanguard advice: “avoid complicated charts…”

Slide 12: RFC 2527
- Framework for PKI policy documents
- Certificate Policies
- Certification Practice Statements

Slide 13: RFC 2527 (cont’d)
- 1. INTRODUCTION
- 2. GENERAL PROVISIONS
- 3. IDENTIFICATION AND AUTHENTICATION
- 4. OPERATIONAL REQUIREMENTS
- 5. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
- 6. TECHNICAL SECURITY CONTROLS
- 7. CERTIFICATE AND CRL PROFILES
- 8. SPECIFICATION ADMINISTRATION

Slide 14: WebTrust
- Framework to assess adequacy and effectiveness of controls employed by CAs
- Designed specifically for the examinations of CA business activities
- Builds on X9.79 work of the American Bankers Association

Slide 15: WebTrust (cont’d)

Slide 16: X9.79 - CA Control Objectives
- National standard - approved by ABA (the other ABA - American Bankers Association) and ANSI
- Being proposed to ISO TC68 as an international work item

Slide 17: X9.79 (cont’d)

Slide 18: Common Criteria
- Some view as replacement for the Orange Book, ITSEC, etc.
- International acceptance
- Focus on protection profile

Slide 19: BS7799 - Code of Practice for Information Security Management
- British Standard being used in several other European countries
- General Information Security standard, not focussed on PKI
- Certification scheme called c:cure similar to ISO 9000
- Now ISO/IEC 17799:2000

Slide 20: FIPS 140-2
- Security requirements of a cryptographic module utilized for protecting sensitive information
- Four increasing levels of security
  → Covers areas such as roles and authentication; physical security; OS security; cryptographic key management; EMI/EMC; self-tests; design assurance; and mitigation of other attacks

Slide 21: FIPS 140-2 (cont’d)
4.5.2 Single-Chip Cryptographic Modules
SECURITY LEVEL 2 - All Level 1 requirements plus:
- chip covered with tamper-evident coating or contained in a tamper-evident enclosure
- coating or enclosure shall be opaque within the visible spectrum.
SECURITY LEVEL 3 - All Level 2 requirements plus:
- Either: chip covered with hard opaque tamper-evident coating, or
- the chip shall be contained within a strong enclosure.
- The enclosure shall be such that attempts at removal or penetration shall have a high probability of causing serious damage to the cryptographic module (i.e., the module will not function).

Slide 22: Gatekeeper
- Australian PKI strategy and enabler for the delivery of Government online
- Accreditation Criteria published
- Covers procurement, security policy/planning, physical security, technology evaluation, personnel vetting, legal issues, and privacy considerations

Slide 23: Path forward
- Development of internationally acceptable suite of criteria, NOT development of an international approach to PKI
- Common Criteria, WebTrust, & PAG promising
- Common Criteria
  → Industry specific protection profiles
  → Global recognition
- WebTrust
  → PKI-specific set of criteria

Slide 24: Ongoing activities
- Update to RFC 2527
- Industry specific protection profiles
- Other industry and governmental activities
  → PAG out for public comment
  → X9.79 into ISO

Slide 25: Resources for more info
- ABA - http://www.abanet.org/scitech/ec/isc/
- RFC 2527 - http://www.ietf.org/rfc.html
- WebTrust - http://www.aicpa.org/webtrust/princrit.htm
- X9.79 - http://webstore.ansi.org/ansidocstore/
- Common Criteria - http://www.commoncriteria.org/
- FIPS 140 - http://csrc.nist.gov/cryptval/140-1.htm
- Gatekeeper - http://www.govonline.gov.au/projects/publickey/

Slide 26: Questions?

Slide 27: PKI ASSESSMENT
The process of evaluating, verifying, and certifying your PKI
Presented by: Randy V. Sabett
Cooley Godward LLP
703.456.8137 (phone) - 703.456.8100 (fax)
rsabett@cooley.com
www.cooley.com

