X.509/PKI There is progress....

Page 1: X.509/PKI There is progress....

Page 2

Topics

Why PKI? Why not PKI?

The Four Stages of X.509/PKI

Other sectors

• Federal Activities - fBCA, NIH Pilot, ACES, other

• Healthcare - HIPAA

• State governments - E-Sign, Draft CP

• Corporate Deployments

The Industry

Higher Ed

TAG, PAG

Page 3

Why X.509/PKI?

Single infrastructure to provide all security services

Established technology standards, though little operational experience

Elegant technical underpinnings

Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption

Low cost in mass numbers

Page 4

Why Not X.509/PKI?

High legal barriers

Lack of mobility support

Challenging user interfaces, especially with regard to privacy and scaling

Persistent technical incompatibilities

Overall complexity

Page 5

D. Wasley’s PKI Puzzle

Page 6

The Four Planes of PKI

on the road to general purpose interrealm PKI

the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI

simplifications in policies, technologies, applications, scope

each plane provides experience and value

Page 7

The Four Planes are

Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues

Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services

PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities

PKI-ultralight - (Ultralights) - easiest to construct and a useful conveyance; ignores parts of PKI and is not for use external to the institution; learn how to fly, but not a plane...

Page 8

Examples of Areas of Simplification

Spectrum of Assurance Levels

Signature Algorithms Permitted

Range of Applications Enabled

Revocation Requirements and Approaches

Subject Naming Requirements

Treatment of Mobility

...

Page 9

PKI-Light example (HEPKI)

CP: Wasley et al. Draft HE CP stubbed to basic/rudimentary

CRL: ?

Applications: (Signed email)

Mobility: Password enabled

Signing: md5RSA

Thumbprint: sha1

Naming: dc

Directory Services needed: Inetorgperson

Page 10

PKI-Light example (Texas-Houston)

CP: Verisign

CRL: Verisign

Applications: authentication

Mobility: USB dongle

Signing: md5RSA

Thumbprint: sha1

Naming: X.500

Directory Services needed: I?

Deployment: 5,000 medical students

Page 11

PKI-Ultralight (MIT)

CP: none

CRL: limit lifetime

Applications: Internal web authentication

Mobility: one per system; also password enabled

Signing: md5RSA

Thumbprint: sha1

Naming: X.500

Directory Services needed: none

Deployment: approximately 350,000 over five years
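The three profile slides above compare deployments on the same attributes: signing algorithm, thumbprint hash, naming style (dc vs X.500), and revocation approach (a CRL, or simply limiting certificate lifetime). The following Python script is an added example, not from the slides or from any of the deployments they describe: it reads a DER certificate with a small hand-written DER reader and reports exactly those attributes, flagging md5RSA and sha1RSA signatures as weak (both hash functions have since been collision-broken, so a current review would reject the md5RSA signing that all three profiles list) and reporting both a CRL distribution point, if present, and the validity lifetime that a "limit lifetime" profile relies on instead. The certificate it inspects is constructed inside the script (hypothetical subject, zero-filled key and signature); the helper and field names are mine, not any library's API.

```python
import hashlib
from datetime import datetime

# Minimal DER helpers (assumption: well-formed DER, definite lengths, single-byte tags).
def tlv(tag, body):
    """Encode one DER tag-length-value triple."""
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def enc_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, then base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def dec_oid(body):
    """DER OBJECT IDENTIFIER body -> dotted OID."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def children(body):
    """Split the body of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low bits give the byte count
            k = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",      # PKCS#1 v1.5 OIDs
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK_SIG = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}  # collision-broken hashes
OID_DC, OID_CN, OID_CRL_DP = "0.9.2342.19200300.100.1.25", "2.5.4.3", "2.5.29.31"

def enc_name(rdns):
    """X.501 Name: SEQUENCE of single-attribute RDN SETs with UTF8String values."""
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, enc_oid(o) + tlv(0x0C, v.encode())))
                              for o, v in rdns))

def dec_name(body):
    """Inverse of enc_name: returns [(oid, value), ...] in certificate order."""
    return [(dec_oid(children(atv)[0][1]), children(atv)[1][1].decode("utf-8", "replace"))
            for _, rdn_set in children(body) for _, atv in children(rdn_set)]

def build_sample_cert(sig_oid="1.2.840.113549.1.1.4", rdns=None, crl_dp=True):
    """Constructed sample (hypothetical subject, zero-filled key and signature):
    structurally valid DER, cryptographically meaningless."""
    rdns = rdns or [(OID_DC, "edu"), (OID_DC, "example"), (OID_CN, "Jane Student")]
    alg = tlv(0x30, enc_oid(sig_oid) + b"\x05\x00")
    name = enc_name(rdns)
    validity = tlv(0x30, tlv(0x17, b"010701000000Z") + tlv(0x17, b"020701000000Z"))
    spki = tlv(0x30, tlv(0x30, enc_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + tlv(0x03, bytes(17)))
    exts = b""
    if crl_dp:  # cRLDistributionPoints with an empty SEQUENCE: only its presence is inspected
        exts = tlv(0xA3, tlv(0x30, tlv(0x30, enc_oid(OID_CRL_DP) + tlv(0x04, tlv(0x30, b"")))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name + validity + name + spki + exts)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))

def profile(der):
    """Report the attributes the profile slides compare, read from a DER certificate."""
    (_, cert), = children(der)
    (_, tbs), (_, sig_alg), _sig = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version (absent in v1 certificates)
        fields = fields[1:]
    # now: serial, signature, issuer, validity, subject, spki, optional UIDs / [3] extensions
    not_before, not_after = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in children(fields[3][1]))
    subject = dec_name(fields[4][1])
    ext_oids = [dec_oid(children(e)[0][1]) for tag, body in fields[6:] if tag == 0xA3
                for _, e in children(children(body)[0][1])]
    alg_oid = dec_oid(children(sig_alg)[0][1])
    alg = SIG_ALGS.get(alg_oid, alg_oid)
    return {"signing": alg, "weak_signature": alg in WEAK_SIG,
            "naming": "dc" if any(o == OID_DC for o, _ in subject) else "X.500",
            "subject": subject, "crl_distribution_point": OID_CRL_DP in ext_oids,
            "lifetime_days": (not_after - not_before).days,
            "thumbprint_sha1": hashlib.sha1(der).hexdigest(),
            "thumbprint_sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    for k, v in profile(build_sample_cert()).items():
        print(f"{k}: {v}")
```

Run against a real certificate by replacing `build_sample_cert()` with the DER bytes read from disk; the reader covers the certificate structure the check needs (explicit version tag, UTCTime validity, UTF8String name values, the [3] extensions wrapper) and nothing more, so a certificate using GeneralizedTime validity or other string types would need the two decode steps extended.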

Page 12

Federal Activities

fBCA became operational June 7; talking with several possible peers (States of Illinois and Washington)

NIH Pilot for grant submissions - Peter Alterman, NIH

ACES - not much visible activity; Dept of Ed backed out of using it for student loan administration

fPKI TWG - http://csrc.nist.gov/pki/twg

others

Internet2/NIH/NIST research conference

...

Page 13

Healthcare

HIPAA - Privacy specs issued

HIPAA - Security specs not yet done

Two year compliance phase-ins

Little progress in community trust agreements

Non-PKI HIPAA Compliance Options

Page 14

Other deployments

Success stories within many individual corporations for VPN, authentication

No current community-wide deployments

ABA guidelines

Others...

State Governments

• E-Sign FlowChart

• NECCC Draft State Certificate Policy

Other countries

• EuroPKI

• Extensive work in the Netherlands

• Inter-governmental discussions?

Page 15

The Industry

"What's the problem with PKI then? It all boils down to one thing: Complexity."

Wanted: PKI Experts, by Scot Petersen, July 18, 2001

Page 16

The Industry

Baltimore in peril

PKIforum slows down

OASIS-SAML work (XML to leaven PKI) gains buzz

RSA buys Securant

Page 17

The Industry

Browsers that don’t take community roots

Communications tools that want certs we don’t want to give them

Path math that sometimes doesn't compute

Technology that doesn’t interoperate...

Page 18

Higher Education

HEBCA

HEPKI-TAG

HEPKI-PAG

PKI-labs

Campus activities