150 likes | 296 Views
SAFE Public Key Infrastructure (PKI). 2005 EDUCAUSE/Dartmouth PKI Deployment Summit. Topics. SAFE What is SAFE? History? Framework Architecture SAFE Bridge Authority Architecture Timeline Current Test environment for the SBCA Architecture Services Test Package.
E N D
SAFE Public Key Infrastructure (PKI) 2005 EDUCAUSE/Dartmouth PKI Deployment Summit SAFE BioPharma Association CONFIDENTIAL
Topics • SAFE • What is SAFE? • History? • Framework • Architecture • SAFE Bridge Authority • Architecture • Timeline • Current Test environment for the SBCA • Architecture • Services • Test Package SAFE BioPharma Association CONFIDENTIAL
SAFE – Secure Access For Everyone SAFE is a Bio-pharmaceutical Industry Standard that specifies technical, legal, and regulatory compliance standards SAFE delivers unique electronic identity credentials for legally enforceable & regulatory compliant digital signatures across the global biopharmaceutical environment for Business-to-Business and Business-to-Regulator transactions SAFE BioPharma Association CONFIDENTIAL
SAFE & Bio-Pharmaceutical Community CONCEPT • Trusted e-identity credentials • Closed contractual system • Accredited • Business focus DRIVERS • Regulatory compliance • Business efficiency • Cost savings MAY 2003 SAFE strategic PhRMA initiative DEC 2003 Seed investment 12 bio-pharmaceuticals JUN 2004 SAFE Standard v1.0 DEC 2004 SAFE-Biopharma 8 bio-pharmaceutials JUL & AUG 2005 SAFE Bridge IOC & SAFE Standard v2.0 SAFE BioPharma Association CONFIDENTIAL
SAFE-Biopharma Agreement Agreement Member Issuer • SAFE Standard • Business/Legal • Governance • Specifications • Full • For-Profit Entities • Not-For-Profit Entities • Government Orgs • Services • SAFE Bridge CA • Directory • Issuer Services for Medical Practitioners/Others • Associate • Medical Practitioners • Other Entities/Individuals designated by SAFE Agreement SAFE Community Framework • Services • CA / RA / CSA • Credentials for Members • Identity Proofing SAFE BioPharma Association CONFIDENTIAL
C P C P C P SAFE Architecture SAFE Issuer Registration and Certificate Management Systems OCSP Request OCSP Response Cross Certificates SAFE Certificate SAFE Certificate OCSP SAFE Cert. Response Subscriber Authentication SAFE- Biopharma SAFE Bridge CA Central Systems End-User Systems Machine Systems OCSP Request Validation Request & Response Signing & Validation Request & Response Signing & Validation Request & Response OCSP Request OCSP Response SAFE Member SAFE Enabled Applications Details contained in associated SAFE BioPharma Association CONFIDENTIAL Details contained in SAFE CP Technical Specification
SAFE Bridge Authority (SBCA) Physical Layout SAFE BioPharma Association CONFIDENTIAL
SBCA Operational Authority – Cybertrust 2004 Sep SAFE SBCA RFP 2005 Jan Cybertrust chosen as operational authority for SBCA Jan - Mar Contract negotiations Mar - Jul Development of CPS, policies & procedures, test environment, and production environment Jun 30 SBCA Root Key generation ceremony Jul 26-27 SBCA acceptance testing [in progress] Jul 29 Acceptance for Initial SBCA operations [planned] Aug - Dec Initial Cross certification with initial SAFE Issuers [planned] SAFE BioPharma Association CONFIDENTIAL
SBCA Test Environment • Provides emulation of SBCA: • SBCA pre-production testing • SAFE Issuers cross-certifying with the SAFE Bridge CA • SAFE Application Testing • Accredited SAFE Product Certification Labs • Availability: • Operational NOW • Download package at http://safe-biopharma.org • No guaranteed service level • No support available SAFE BioPharma Association CONFIDENTIAL
SBCA Test Environment SAFE BioPharma Association CONFIDENTIAL
SBCA Test Environment Package • SAFE_CROSS-CERT_TEST_PKG • Version: 1.3 • Released: 7/12/2005 • TEST Readme file • Test package components: • 2 Test Issuers • Emulates 2 test-only SAFE Issuers, cross-certified by test-only SBCA • Valid and revoked digital signature certificates - PKCS#12 format • Certificates provide all OCSP, CRL and directory URIs • Cross-Certificates are available via URL • OCSP • Accepting both signed & unsigned OCSP requests • Only tested unsigned request • Only URL to access OCSP Responders • CRL • For each test CA • Certificate is available via URL • Cross Certificate Request • PKCS#10 certificate request from the test SBCA • The request is provided in both Binary and Base 64 formats SAFE BioPharma Association CONFIDENTIAL
SAFE Bridge Certificates - Test • Every CA has also issued an OCSP Responder certificate • The responder certificate is not explicitly trusted, but can be verified using the CA cert • Except for the self signed roots, all certificates have the Authority Information Access (AIA) extension • OCSP entry points to an internet accessible OCSP server • caIssuers entry points to an internet accessible URL for the issuing CA’s certificate(s) contained in PKCS#7 files • Except for the self signed roots, all certificates have the CRL Distribution Point (CRLDP) extension • HTTP URL points to an internet accessible location • The above properties allow certificate paths to be built and validated from any user certificate to either trusted root certificate • Even without prior “knowledge” of the existence of the bridge! SAFE BioPharma Association CONFIDENTIAL
SAFE Bridge CA Test Structure MagiCure Water TEST CA Cybertrust SAFE Issuer TEST Root CA Cybertrust From Bridge MagiCure Water From Bridge SAFE Bridge CA TEST Cybertrust SAFE Issuer Test Sub CA End Entities End Entities SAFE BioPharma Association CONFIDENTIAL
OCSP OCSP OCSP OCSP SAFE Bridge CA - Test MagiCure Water Cybertrust SBCA Test Sub CA SAFE BioPharma Association CONFIDENTIAL
Questions Contact information: Russel F Weiser PKI SME Cybertrust Inc. Russ.Weiser@cybertrust.com Cell 801-631-1685 SAFE contact information: Terry Zagar SAFE Core Team SAFE-BioPharma Association terry.zagar@ngc.com Phone 301-527-6780 SAFE BioPharma Association CONFIDENTIAL