
Public Key Superstructure It’s PKI Jim, but not as we know it!

Public Key Superstructure: It’s PKI Jim, but not as we know it! 7th Annual “IDtrust” Symposium, 5 March 2008, Gaithersburg MD, USA. Stephen Wilson, Lockstep Consulting Pty Ltd. About Lockstep: consultants specialised in PKI, smartcards & privacy.


Presentation Transcript


  1. Public Key Superstructure: It’s PKI Jim, but not as we know it!
     7th Annual “IDtrust” Symposium, 5 March 2008, Gaithersburg MD, USA
     Stephen Wilson, Lockstep Consulting Pty Ltd

  2. About Lockstep
     • Consultants specialised in PKI, smartcards & privacy
     • Developing novel de-identification and online safety solutions

  3. About Lockstep
     • Asia PKI Forum
     • Gatekeeper Policy Committee
     • Aust. Law Reform Commission

  4. Historical PKI experience

  5. The passport metaphor
     • Non-descript applications
     • Impossible for CAs to manage risk
     • Stranger-to-stranger e-business
     • “It’s good to trust but it’s better not to”
     • Novel TTP business models
     • Imposed incredible CPSs upon users
     • Notion of a single identity
     • “Interoperability” = cross certification

  6. “Cross-certification and policy mapping has been a rat hole that has sucked up vast amounts of energy better spent elsewhere”
     Anonymous, Feb 2008

  7. [Timeline figure, axis 1999, 2002, 2005, 2008. Labels: Verisign IPO; Identrus; “PKI thickets”, 1999 RSA Conference; “Fading PKI Market”, June 2003]

  8. PKI in practice
     • Works best in closed communities
     • Automates transactions in context
     • This is a Good Thing
     • Embedded keys & certificates
     • Fits with identity plurality

  9. PK Superstructure

  10. CA as Security Printer [diagram]
     • Labels: Security Printer; Distribute bar code labels; Listed Company; Achieve Listing; Affix bar code; Announcement; Fax; OCR; Announcements; Stock Exchange; Listing Rules; Listings Department; Officer

  11. CA as Security Printer [diagram]
     • Labels: CA; Distribute certificates, keys; Listed Company; Message App; Digitally sign; Announcement; Announcements; Stock Exchange; Listing Rules; Listings Department

  12. Security printer implications
     • Decouples registration from production
     • Manages risks associated with registration & production separately
     • No contract between Subscriber & CA
     • No exposure of CPS to Subscriber
     • Easier to novate CA service providers
     • Accreditation not affected by new Policies

  13. Context Credentials: “Relationship Certificates” [diagram]
     • User Certificate: Subject: - - -; Ext: Lic No. xyz; Issuer: Health Org; Policy OID: - - -; Public Key: - - -; Signed: Health Org CA
     • CA Certificate (Health Org CA): Subject: - - -; Validity: - - -; Issuer: Root CA; Policy OID: - - -; Public Key: - - -; Signed: Health Root CA
     • Transaction (e-Prescription): Patient name - -; Med - - -; Dose - - -; Repeats - - -; Signed: Dr Lic. xyz
     • Other label: Health Organisation

  14. “Relationship Certificates”
     • Form of “Authorization PKI”
     • Kill the holy cow of authentication being primary over authorization
     • Preserves X.509 formats, software
     • Not SPKI: no ‘primary’ ID certificate
     • Not Attribute Certs: we can sign with cert

  15. Lockstep anonymous e-voting [diagram in three phases: A. Background, B. Register, C. Vote]
     • Labels: Smartcard distribution process; Register smartcard; Generate key pair; Install anon. certificate; Enrol to vote; Identify voter; Roll; CA; Certificate (Serial No., Poll, Key); Dig Sign; Candidate 1; Candidate 2; Signed ballot

  16. Lockstep clinical study privacy [diagram]
     • (1) Distribute investigator packs
     • (2) Enrol patient into study
     • (3) Load pt smartcard with Stepwise anonymous ID
     • Labels: Certificate (Patient ID, Study ID, Key); Dig Sign; Study sponsor; Logistics; Certificate Server; Randomisation; Collection

  17. Lockstep clinical study privacy [diagram]
     • (4) Patient presents for follow-up
     • (5) Investigations as per protocol
     • (6) De-identified secure follow up data, “sealed” with Stepwise ID
     • Labels: Certificate (Patient ID, Study ID, Key); Tests; Study sponsor; Logistics; Certificate Server; Randomisation; Collection

  18. Discussion
     • See also www.lockstep.com.au/technologies
     • swilson@lockstep.com.au
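An added example, not part of the presentation: slides 13 and 14 expressed with Go's standard crypto/x509, where a Health Org CA issues an ordinary X.509 certificate whose extension carries the licence number and a relying party authorises a signed e-prescription from that certificate alone. The OID 2.999.1, the names Setup and Authorise, the Ed25519 keys and the sample values are assumptions; the Root CA tier, validity-period checks and revocation checks are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidLicence = asn1.ObjectIdentifier{2, 999, 1} // constructed OID; 2.999 is the example arc

// Setup is a constructed fixture (errors dropped): a Health Org CA certifies a key for licence, which signs msg.
func Setup(licence string, msg []byte) (ca, cert *x509.Certificate, m, sig []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	val, _ := asn1.Marshal(licence)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Health Org CA"},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	drT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Prescriber"},
		NotAfter: time.Now().Add(time.Hour), ExtraExtensions: []pkix.Extension{{Id: oidLicence, Value: val}}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	der, _ := x509.CreateCertificate(rand.Reader, drT, ca, pub, caKey)
	cert, _ = x509.ParseCertificate(der)
	return ca, cert, msg, ed25519.Sign(key, msg)
}

// Authorise checks the CA's signature on cert and cert's signature on msg, then returns the licence.
func Authorise(ca, cert *x509.Certificate, msg, sig []byte) (string, error) {
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return "", err
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, msg, sig) {
		return "", fmt.Errorf("transaction signature invalid")
	}
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidLicence) {
			var lic string
			_, err := asn1.Unmarshal(e.Value, &lic)
			return lic, err
		}
	}
	return "", fmt.Errorf("no licence extension")
}

func main() { fmt.Println(Authorise(Setup("xyz", []byte("Med, Dose, Repeats")))) }
```

The same key that the certificate binds to the licence number signs the transaction, which is the difference from an attribute certificate that slide 14 points to.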
