EEMA & “pkiC” Frank Jorissen Deputy Vice President, Utimaco Safeware AG Vice Chair, EEMA ([email protected]) IDA - Meeting of National Security Experts on PKI Interoperability


EEMA & “pkiC”

Frank Jorissen
Deputy Vice President, Utimaco Safeware AG

Vice Chair, EEMA ([email protected])

IDA - Meeting of National Security Experts on PKI Interoperability

WHAT IS EEMA?

• A European, independent, non-profit forum
• Formed 1987
• Assisting Users, Vendors & Service Providers
• Close to 250 member organisations

- “Vendors” including: Microsoft, IBM, Compaq, Alcatel, Siemens, Lotus, SAP, iD2, Entrust, GlobalSign, VeriSign, Baltimore, Bull, Identrus, Utimaco Safeware, BT

- “Users” including Unilever, Reuters, Shell, Volvo, BP, Exxon, ING Bank, Glaxo Wellcome, Hoffmann la Roche, AstraZeneca, SWIFT, ICC, UK Post, etc.

+ Most PTO’s and Service Providers

--> A major force in the growth of EU E-Business

EEMA Interest Groups

ICT Security initiatives:
--> “PKI Challenge”
--> ECAF Model
--> ISSE2000 Conference
--> EESSI Steering Group liaison
--> PKI Forum liaison (NEW !)
...

+ Other E-business-related Interest Groups: Directories, Unified Messaging, Users, EDI / E-Commerce, Knowledge Management, Events & Marcom, Standards

WHAT IS “WEMA”?

• World Forum for electronic business
• Virtual Composition of all “EMA’s” worldwide:

US: ‘EMA’
Europe: ‘EEMA’
Australia: ‘ECA Tradegate’
Brazil: ‘BRISA’
Japan: ‘JEMA’
Asia/Oceania: ‘AOEMA’
Russia: ‘RANS’

PKI Challenge (pkiC)

“Challenges”: a rich WEMA Interoperability Tradition

• Since the early 90’s
• On evolving technologies: X400, X500, SMTP, LDAP, S/MIME, X.509,...
• By “WEMA” organisations worldwide
• EEMA + EMA (+... ?): PKI “Challenge showcases”, during the period 1999-2002
• EMA’s Challenge was demonstrated at last EMA Annual Conference, April 2000

EMA “Challenge99/2000” = FBCA

• “Federal Bridge CA” = a US Federal Gov’t effort to solve the practical interoperability problems between the PKI’s & PKA’s of various Federal agencies (GSA, NASA, NIST, DoD,…)

• This ad hoc solving of US Fed Gov’t PKI interoperability issues is narrower than what most vendors & users want: no “client-to-CA/RA” interoperability

• Nevertheless the “Bridge CA” concept has strong merits for CA/domain - CA/domain interoperability in general !

• See http://csrc.nist.gov/pki/documents/emareport_20001015.pdf

pkiC Objectives:

• Core Objective & Main Differentiator:
To provide a low-threshold, well-managed & funded test infrastructure, that will effectively enable PKI interoperability between many, global PKI & PKA vendors at the level of both PKI & PKA (= PKI-enabled apps)
--> PKI “as an (open) operating system” for various PKA’s
• Based on stable standards, e.g. PKIX, CMP, X.509v3, S/MIMEv3,…;
• Also considering EU-specific requirements (to the extent possible & reasonable in the period 2001-2002...): e.g. the European Electronic Signature Directive & the accompanying “EESSI standards” by ETSI and CEN/ISSS;
• To disseminate, demonstrate & promote ‘open’ results;
• currently 3 strong liaisons: EESSI, TeleTrusT, PKI Forum

Scope of interoperability in C2K context:

[Diagram: End Entity A and End Entity B, each with Applications and Crypto; Communications; Directory Services; PKI A and PKI B, each with a CA and RAs; a further CA; X.509 V3 labels; numbered labels I, II and III.]

Today’s Status

• Project accepted under the “Fifth Framework program” (FP5/IST) - all consortium members sign a contract with the Commission & get funding;

• Contract signature expected November/December

• ==> Project kick-off: NY 2001; Duration: 2 years

Time Plan & WP’s

Phase 1: Project Infrastructure & Management

WP1: Project Co-ordination, management & QA
WP2: produce scope and definition of the criteria for interoperability of PKI products and services
WP3: performing awareness activity & identifying participants, negotiating and contracting with them.
WP4: producing the detailed plan and specifications for the interoperability tests
WP5: building the test infrastructure

Phase 2: The Interoperability Testing

WP3 (part) - identifying potential participants, negotiating and contracting with them.
WP6 - performing the interoperability tests
WP7 - demonstrating and disseminating the results of WP6 at “ISSE2002” and “EBE2002” (= Annual EEMA) Conference. Perhaps also at liaison partner events.
WP8 - writing the final project report

Who participates in “phase 1”?

Consortium members:

Baltimore, Belgacom, EEMA, Entegrity, Entrust, GlobalSign, iD2, KPMG, Makra, Security&Standards, UK Post, University of Leuven (“COSIC” & “ICRI” Labs), University of Salford, Utimaco Safeware

Who will be involved in “phase 2” ?

• “Active” Participants
• “Passive” Participants

--> OPEN PARTICIPATION, BUT LIMITED NUMBERS !

Utimaco & PKI/PKA interoperability

• Project Co-ordination of pkiC, but also:
• Participant in TIE (Esprit),
• DTRUST interoperability,
• Entrust interoperability in Award winning BOLERO (SWIFT) project context,
• Award winner in SPHINX,
• …etc..: commitment to be an ‘open’ PKA/PKI vendor (via membership of EEMA, TTT, PKI Forum,...)

SPHINX

• Pilot project of German government
• Will lead to end-to-end security all over the German Gov’t Administration
• Sphinx is based on the MailTrusT specification, which is now a subset of internationally accepted standards (S/MIME, X.509, PKCS#10, etc.)
• Since 1998 several products of different vendors have been tested

SPHINX Step 2 - Features

S/MIMEv2

X.509v3 + extensions

CRLv2 + extensions

LDAPv3

Double key pair

Decentralised key generation

......

SPHINX & Utimaco

• Utimaco has played a major role in the SPHINX project since the beginning

• Utimaco’s ‘SafeGuard Sign&Crypt’ is SPHINX certified in each implemented step (currently step 2).