Working Group Reports
Munich, June 19-21, 2001
Meeting Wrap-up
Applications Summary
Lisa Pretty (on behalf of Sandra Salvatori)
Recap
• Confirmed members' desire to have case studies/success stories delivered by the Forum
• Reviewed/revised “applications reference form”
• Developed “information capture list” for case studies/success stories
• Notary application presented by ACARNVS and discussed by the group
• Reviewed “information capture list” with group and received volunteers to provide success stories input
Actions
• Send “applications reference form” and “information capture list” to BWG and Applications mailing lists for additional comments/revisions
• Follow up with individuals indicating they would provide data for success stories
• Goal: draft 5 success stories prior to September
• Re-initiate “industry overview” PKI Note series, working with Liaison partners and interested members
Best Practices Summary
Blair Canavan: Working Group Chair
Recap
• AICPA & WebTrust completed, pending board approval
• Mission statement reviewed and revised, pending board approval:
  “To define and promote a practical framework of internationally recognized standards, policies and procedures for the successful implementation and operation of PKI enabled solutions.”
• Advanced “whitebook” content
Context: Why Best Practices
• So as not to reinvent or repeat missteps as they pertain to PKI implementation
  – So you’ve been told you need PKI?
  – So you’ve decided to “pilot” and/or deploy PKI?
  – Are you really ready for PKI?
• BPBWG may pre-empt or run contrary to …
• Is the PKI community mature enough to advocate best practices?
Actions
• Topics (by email) to be submitted to BPBWG by July 30th
• Checklist/framework (what are existing rules of readiness)
  – Personnel, legal issues, environmental, operational, …
• Recommended and best practices
• Liaison with Applications group for case studies
Marketing & Education Summary
Bryta Schulz: Working Group Chair
Logistics
• BWG alias for Ed & Mktg established
  – Please subscribe
• ConCalls every second Wednesday of each month at 8:00 am Pacific Time (works for AP, Europe, North America); agenda will be emailed 1 week prior
  USA Toll Number: +1-712-271-0329
  PASSCODE: ED AND MKTG
  LEADER: Bryta Schulz
  – JUL-11-2001, 08:00 AM (PT)
  – AUG-08-2001, 08:00 AM (PT)
  – SEP-12-2001, 08:00 AM (PT)
Project Update: PKI Tutorial
• “How PKI Addresses e-Business Risks” white paper
  – Reviewed and signed off by BWG
  – Pending Board Approval
• Next Step: Production by Virtual Mgmt
  – To be distributed at Sept 2001 Meeting
  – Companion PPT to be revised to synch with white paper
Project Update: PKI Technical Tutorial
• Project Lead: Walter Fumy
• Coauthors: Bill Franklin & Nancy Bianco, Michele Rubenstein
• Outline draft circulated to group
• Draft to BWG July 10, 2001
• Draft to TWG August 8, 2001
• Goal: publish for Sept 2001 Meeting
Project Update: How PKI fits in E-Business
Purpose of the paper is to show where PKI fits in the overall security schema for e-business.
• New Project Leader: Dan Morrison
• Coauthors: Mike Jeffries, Bill Franklin, Andy Churley
• Target audience: Business Managers
• Outline draft for comment by: August 6, 2001
• Comments due by: August 14, 2001
• 1st Doc Draft: Sept 10, 2001
• 2nd Draft for BWG comment: Oct 1st, 2001
• Goal: publish at Dec 2001 meeting
Project Update: PKI Note on Biometrics
• Project Leader: Jeff Stapleton
  – 2nd draft date: March 15th, 2001
  – Published!!
  – Press Release
  – Distributed at CardTechSecureTech in Las Vegas in May 2001!
New Project: Digital Signatures
• Project Lead: Bryta Schulz
• Coauthors: Daniel Murton, Patrick Kanaishi, Dan Morrison, Andy Churley
• 1st Draft Outline: July 9th, 2001
• 1st Doc Draft for Ed & Mktg review: Sept 10, 2001
• Goal: publish Dec 2001
Policy & Privacy Summary
Jan Lovorn, Working Group Chair
Project – White Paper
Write a white paper describing how PKI, currently and in the future, can enable e-business beyond providing authentication and data integrity security services. The white paper will focus on three business areas: law enforcement, health care, and financial services. It will address privacy and data protection mandates in these sectors, as well as issues such as archive, business continuity, and off-line retention and management of business information. This will also serve as input to the Technical Working Groups on what business requires in order to make the emerging PKI confusion into a (hopefully) seamless and transparent experience for the end user.
Action: Business areas assigned and draft due for September meeting
Project – White Paper
Write a white paper to understand, compare and differentiate audit requirements used by bodies such as AICPA, APEC, Australia's Gatekeeper, Italy's AIPA, Identrus, etc. Working with these bodies, the paper will identify where requirements are identical and where they differ and address the interoperability of audit requirements.
Action: Assigned, Arthur Andersen lead project
Research Information Project
Develop a guide (toolkit?) for planning policy and procedure development in support of PKI implementation. It is a tool to define the process of implementing PKI and to provide scoping that helps PKI implementers develop their organization’s policy. This will also help organizations through the maze of documentation required for PKI. Possible components include:
• PKI Policy Questionnaire
• Selected PKI Policy Elements and Documents
• Templates, Guidelines and Support Resources
• Entities which must be engaged
Action: Two interim meetings; worked on in meetings
Implementing PKI Policy Guide
[Diagram: input to the guide comes from the PKI decision process (application(s), workflows, players); the guide covers the Issuer and Relying Party roles, and Internal (for internal use) versus External (hosting) deployment.]
Technical Working Group Summary
Andrew Nash: Co-chair (missing Mark Davis)
TWG Success – Again!
Participants      December, Sydney   March, San Jose   June, Munich
Vendor            13 (45%)           14 (35%)          21 (75%)
ISV/Exploiter     12 (41%)           19 (48%)           2 (7%)
Customer**         4 (9%)             7 (17%)           5 (18%)
Total             29                 40                28
** Customers include consultants
In Progress:
3 Major Interoperability Projects
4 White Papers
3 Implementation Guidelines
Complete:
3 Major Interoperability Projects
2 White Papers
But no Mark Davis – sniff!
Fine Tuning
• Implementation guidelines
  – Represent agreements amongst vendors at PKI Forum
  – Need definition of purpose & form
• Meetings are well run, but participation between meetings is lacking
  – Not enough comment on drafts distributed on mailing lists
  – Intervening virtual meetings could be held
• Record meetings for later webcast
• Customer BOF to air issues
Path Construction White Paper
Steve Lloyd
• Stephen Farrell of Baltimore & Steve Lloyd of Entrust are project leaders
• Steve Lloyd focusing on LDAP/repository
• David Cross (Microsoft) focusing on web-based access
• Some problem areas now resolved by standards bodies:
  – LDAP
  – Forward/backward link terminology
• Discussed abstract
• Paper will not dictate path construction algorithm to vendors
• White paper followed by implementation guideline
• LDAP requirements to be communicated to LDAP white paper authors
CESG
Richard Lampard
• 10 vendors demonstrated S/MIMEv3 signed email communication in Feb 2001
• Multilateral demo with heterogeneous CA hierarchy
• PKI Issues
  – Directory schema usage
  – Revocation based on CRLs: 50% of email clients did not handle revocation checking
  – OID usage
CESG Phase II
• Kickoff meeting held on 14 Jun 2001
• Balancing UK Govt standards & market realities
  – S/MIMEv3, as per UK Govt standard
  – Both DSA & RSA algorithms
  – Open source reference implementation being sought
• More focus on cert profiles in this phase
• Plan to showcase demo at Information Security show in Apr 2002
• Plan to integrate with the EEMA PKI Challenge
• New participants still welcome
Application Certificate Usage
David Crowe
• Results submission procedure proposal was approved
• Open issues:
  – Should results be published publicly or for members only?
  – Should results be printed (or published on web site only)?
• David Crowe assumes a background role
• Microsoft is planning to submit some results soon
• Tony Rogers (of CA) is setting up cert repository
  – Reside on PKI Forum web site
• Received certs from Microsoft & CA
SKID Implementation Guideline
Steve Lloyd
• First implementation guideline reviewed
• AKIDs & SKIDs can be calculated in multiple ways
• Recommendation is that requesting CA provide its SKID to the foreign CA in the cross-certificate request
• Unanimous agreement!!!
• But, are we getting too close to setting standards?
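As an added illustration (not from the PKI Forum guideline or these slides), the Python below computes a subject key identifier with the two methods RFC 2459/5280 §4.2.1.2 define and shows why path construction fails when the foreign CA recomputes the cross-certificate's SKID with a different method than the requesting CA uses for the AKIDs in the certificates it issues. The public key bytes, the `build_cross_certificate` and `path_link_found` helpers are constructed for this example.

```python
import hashlib

# Constructed sample: DER RSAPublicKey bytes as they would appear inside a
# certificate's subjectPublicKey BIT STRING (toy 64-bit modulus, not a real key).
SAMPLE_PUBLIC_KEY_BITS = bytes.fromhex(
    "3010"                      # SEQUENCE, 16 bytes
    "020900c0ffee1234567890"    # INTEGER modulus (leading 00 keeps it positive)
    "0203010001"                # INTEGER exponent 65537
)


def skid_method1(public_key_bits: bytes) -> bytes:
    """RFC 2459/5280 method (1): the 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(public_key_bits).digest()


def skid_method2(public_key_bits: bytes) -> bytes:
    """Method (2): 4-bit type field 0100 followed by the low 60 bits of the SHA-1."""
    low64 = hashlib.sha1(public_key_bits).digest()[-8:]
    return bytes([0x40 | (low64[0] & 0x0F)]) + low64[1:]


def build_cross_certificate(subject_key_bits, supplied_skid=None, default=skid_method2):
    """Hypothetical foreign CA filling the subjectKeyIdentifier of the cross-cert
    it issues: a SKID sent in the request is copied verbatim; otherwise the
    foreign CA recomputes one with its own default method."""
    skid = supplied_skid if supplied_skid is not None else default(subject_key_bits)
    return {"subject_key_bits": subject_key_bits, "skid": skid}


def path_link_found(child_akid: bytes, candidate_issuer: dict) -> bool:
    """Path construction step: a candidate issuer certificate is accepted as the
    next link only when its SKID equals the AKID keyIdentifier in the child cert."""
    return child_akid == candidate_issuer["skid"]


def demo():
    """Requesting CA uses method (1) for itself and stamps that value as the AKID
    of every certificate it issues. Returns (link found when the SKID was left
    out of the request, link found when the SKID was supplied)."""
    key = SAMPLE_PUBLIC_KEY_BITS
    child_akid = skid_method1(key)
    guessed = build_cross_certificate(key)                # SKID left out of request
    supplied = build_cross_certificate(key, child_akid)   # SKID sent, as recommended
    return path_link_found(child_akid, guessed), path_link_found(child_akid, supplied)


if __name__ == "__main__":
    print(demo())  # (False, True)
```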
User & CA Cert Implementation Guidelines
Richard Lampard
• Draft papers issued on 30 May 2001
• The guidelines focus mainly on cert profiles
• Action plan:
  – Issue revisions reflecting comments already received
  – Vendors to get Engineering concurrence 6 weeks later
• CRL implementation guidelines planned
CMP Project Update
Steve Lloyd
• Steve provided a synopsis of the project, on behalf of Bob Moskowitz, for the benefit of new attendees
• The project has completed its 1st phase & is planning the 2nd phase
• Lessons learned (from 1st phase) being written up
TeleTrust European Bridge CA
Holger Reif
• Hub architecture defined
• Trusted root CAs are maintained in a trust list
• Three means of implementing inter-domain trust were discussed
• Publication & retrieval of revocation status were discussed
  – Revocation information maintained by members rather than Bridge
• Used PKI Forum CA-CA Interoperability paper as basis for trust model
• Focused on e-mail apps initially
• Multiple CA and 3rd party product vendors
• Interoperability testing taking place
PKI Challenge (pkiC) Update
Frank Jorissen
• MOU between EEMA & PKI Forum now in force
  – Liaison also exists between EEMA & CESG
• ECAF Model part 2 initiated, will focus on PKA (public key applications)
• pkiC is vendor led
• Mission is to achieve “PKI as an open operating system” for various PKAs
• Focusing on stable & commercially stable standards
• Two groups involved in project:
  – Project Consortium: companies planning & running pkiC
  – Testing participants: companies involved in testing
pkiC WP2 Update
• Although directories will be involved, directory interoperability is not the focus of pkiC
• Testing against reference implementation (in development)
• PKA Interoperability
  – S/MIME signed & encrypted email (essential)
  – Secure documents, signed web objects, secure time stamping, applications using qualified certificates (under consideration)
pkiC WP2 Update
• PKI interoperability
  – CA certification with 3-level hierarchy (essential)
  – Certification by file exchange (essential)
  – Remote enrollment (under consideration)
  – Smart cards (under consideration)
  – IETF/EESSI qualified certificates (under consideration)
  – CA/RA interoperability (under consideration)
• Directory & validation services
  – LDAP (essential)
  – Directory schema & naming conventions (essential)
  – (others under consideration)
Token Interoperability/Portability
Andrew Nash
• Draft white paper distributed
• TWG review
• Structural suggestions and review comments provided
• WP approval targeted at September meeting
Wireless Certificates
Oliver Pfaff
• 2 approaches to delivery of Internet to wireless devices:
  – NTT DoCoMo (HTML proxy-based)
  – WAP (WAP gateway-based)
• Wireless PKI (WPKI) developed through WAP Security Group (WSG), has specs:
  – WTLS cert
  – WAPCert
  – WPKI definition
• Very large consumer PKI domains anticipated for wireless devices
• Deployment could be held back if there are multiple infrastructures
• WAP on current generation GSM devices unpopular, due to high cost & low bandwidth
Technical Working Group
Technically Innovative Leadership
Meeting Wrap-up
• 83 people attended meeting over 3 day period
  – 5 non-members
  – 11 countries represented
  – 6 customers/end users of PKI
• Series of European presentations re: PKI Deployment
• Strengthened liaison relationship with TeleTrusT
• Advanced/re-initiated activities in all working groups
• Lots of networking -- fun evening out with Siemens
Informal Survey
• How many people committed to contribute to at least one project prior to the next meeting?
• How many people plan to attend the Q3 meeting September 18-20 at the Eaton Centre Marriott in Toronto?
• How many people will attend Q4 meeting December 4-6 in Singapore?
  – APAC meeting travel issue?
  – Would other location result in higher attendance?
  – Is four meetings a year too many?
PKI Forum’s Unique Role
ADVOCATING industry cooperation
ADVANCING market awareness
ACCELERATING PKI adoption