X.509/PKI There is progress...
Topics
Why PKI? Why not PKI?
The Four Stages of X.509/PKI
Other sectors
• Federal Activities - fBCA, NIH Pilot, ACES, other
• Healthcare - HIPAA
• State governments - E-Sign, Draft CP
• Corporate Deployments
The Industry
Higher Ed
TAG, PAG
Why X.509/PKI?
Single infrastructure to provide all security services
Established technology standards, though little operational experience
Elegant technical underpinnings
Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption
Low cost in mass numbers
Why Not X.509/PKI?
High legal barriers
Lack of mobility support
Challenging user interfaces, especially with regard to privacy and scaling
Persistent technical incompatibilities
Overall complexity
D. Wasley’s PKI Puzzle
The Four Planes of PKI
on the road to general purpose interrealm PKI
the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI
simplifications in policies, technologies, applications, scope
each plane provides experience and value
The Four Planes are
Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues
Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services
PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities
PKI-ultralight (Ultralights) - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...
Examples of Areas of Simplification
Spectrum of Assurance Levels
Signature Algorithms Permitted
Range of Applications Enabled
Revocation Requirements and Approaches
Subject Naming Requirements
Treatment of Mobility
...
PKI-Light example (HEPKI)
CP: Wasley, et al. Draft HE CP stubbed to basic/rudimentary
CRL: ?
Applications: (Signed email)
Mobility: Password enabled
Signing: md5RSA
Thumbprint: sha1
Naming: dc
Directory Services needed: Inetorgperson
PKI-Light example (Texas-Houston)
CP: Verisign
CRL: Verisign
Applications: authentication
Mobility: USB dongle
Signing: md5RSA
Thumbprint: sha1
Naming: X.500
Directory Services needed: I?
Deployment: 5,000 medical students
PKI-Ultralight (MIT)
CP: none
CRL: limit lifetime
Applications: Internal web authentication
Mobility: one per system; also password enabled
Signing: md5RSA
Thumbprint: sha1
Naming: X.500
Directory Services needed: none
Deployment: approximately 350,000 over five years
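The three example rows above (Signing, Thumbprint, Naming, CRL) can be read straight off a certificate. The following is an added example, not code from the slides or from any of the campuses named; it builds a constructed self-signed certificate with dc-style naming and a placeholder CRL URL (both assumptions, not real campus values) and reports its profile, flagging md5RSA/sha1RSA signing as weak.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"math/big"
	"time"
)

// Profile holds the rows the PKI-Light slides use to describe a deployment:
// signing algorithm, thumbprint, naming form, and whether a CRL is pointed to.
type Profile struct {
	Signing, Thumbprint, Naming string // Naming is "dc" or "X.500"
	WeakSigning, HasCRL         bool
}

// oidDC is the domainComponent attribute type (RFC 4519), the "dc" naming on the slides.
var oidDC = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}

// Classify reports a parsed certificate's profile; md5RSA (and sha1RSA) are flagged weak.
func Classify(c *x509.Certificate) Profile {
	p := Profile{Signing: c.SignatureAlgorithm.String(), Naming: "X.500"}
	p.WeakSigning = c.SignatureAlgorithm == x509.MD5WithRSA || c.SignatureAlgorithm == x509.SHA1WithRSA
	sum := sha1.Sum(c.Raw) // the "Thumbprint: sha1" row: SHA-1 over the DER encoding
	p.Thumbprint = hex.EncodeToString(sum[:])
	for _, n := range c.Subject.Names { // any domainComponent attribute means dc-style naming
		if n.Type.Equal(oidDC) {
			p.Naming = "dc"
		}
	}
	p.HasCRL = len(c.CRLDistributionPoints) > 0
	return p
}

// SelfSignedDC builds a constructed test certificate (not a real campus CA certificate)
// with dc-style naming and a placeholder CRL distribution point.
func SelfSignedDC() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Jane Student", ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidDC, Value: "example"}, {Type: oidDC, Value: "edu"}}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.edu/placeholder.crl"}, // placeholder URL
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // defaults to SHA256-RSA
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Run Classify over a real certificate parsed with x509.ParseCertificate to fill in the same rows for an existing deployment.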
Federal Activities
fBCA became operational June 7; talking with several possible peers (States of Illinois and Washington)
NIH Pilot for grant submissions - Peter Alterman, NIH
ACES - not much visible activity; Dept of Ed backed out of using it for student loan administration
fPKI TWG - http://csrc.nist.gov/pki/twg
others
Internet2/NIH/NIST research conference
...
Healthcare
HIPAA - Privacy specs issued
HIPAA - Security specs not yet done
Two year compliance phase-ins
Little progress in community trust agreements
Non-PKI HIPAA Compliance Options
Other deployments
Success stories within many individual corporations for VPN, authentication
No current community-wide deployments
ABA guidelines
Others...
State Governments
• E-Sign FlowChart
• NECCC Draft State Certificate Policy
Other countries
• EuroPKI
• Extensive work in the Netherlands
• Inter-governmental discussions?
The Industry
What's the problem with PKI then? It all boils down to one thing: Complexity.
"Wanted: PKI Experts", by Scot Petersen, July 18, 2001
The Industry
Baltimore in peril
PKIforum slows down
OASIS-SAML work (XML to leaven PKI) gains buzz
RSA buys Securant
The Industry
Browsers that don’t take community roots
Communications tools that want certs we don’t want to give them
Path math that sometimes doesn't compute
Technology that doesn’t interoperate...
Higher Education
HEBCA
HEPKI-TAG
HEPKI-PAG
PKI-labs
Campus activities