160 likes | 304 Views
The ABA PAG. Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information Technology University of Maryland. Background. American Bar Association Section of Science and Technology Law Electronic Commerce Division Information Security Committee
E N D
The ABA PAG Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information TechnologyUniversity of Maryland
Background • American Bar Association • Section of Science and Technology Law • Electronic Commerce Division • Information Security Committee • 1996 Digital Signature Guidelines • DRAFT PKI Assessment Guidelines (PAG) • DRAFT developed over a period of 5 years • Developed As An Educational Resource • Comments are due by October 18, 2001
ABA Information Security Committee A group of lawyers and non-lawyers who are practicing attorneys in corporate, private, and government practice, information technologists, auditors, notaries from various legal regimes, trade experts, academics, and others dedicated to exploring and advancing the legal and information security aspects of e-commerce and information technology.
Digital Signature Guidelines Provided basic technical and legal guidelines regarding the rights and responsibilities of certification authorities, certificate subscribers, and relying parties for digital signature applications of PKI. http://www.abanet.org/scitech/ec/isc/digital_signature.html
PKI Assessment GuidelinesDRAFT The draft PAG provides an overview of PKI, discusses specific technical, legal, business, and policy issues related to PKI operations, and provides guidelines for the assessment of particular PKIs and their components. http://www.abanet.org/scitech/ec/isc/pag/pag.html
Goals of the PAG • Provide a tool by which people can assess a PKI and its trustworthiness • Explain basic PKI assessment models, PKI assessment terminology, and the interface among, and implications of business, legal, and technical issues in PKI • Provide guidance for the selection of policies, standards, and legal agreements, including certificate policies (CPs), certification practice statements (CPSs), relying party agreements, and subscriber agreements
Goals (cont’d) • Promote smooth interoperation among different PKIs and their components; and • Provide an intellectual framework and educational resource for understanding PKI services, products, technologies, and emerging legal concepts
PAG is not intended: • dictate policies, processes, or legal doctrines • Mandate any particular models for assessment • Remain static • Be self-contained
Overview of Contents • PKI Overview • Glossary of Definitions and Acronyms • Tutorial on Public Key Technology • Legal Preface • PAG Provisions • Appendices • Bibliography with Online URLs
Legal Issues • Sources of Law • Agency Principles • Evidence and Expert Witnesses • Foundations and Presumptions • Consumer and Privacy Issues • Risk Management and Insurance
PAG Provisions • General, Legal, and Business Provisions • Initial Validation of Identity, Authority, and/or Other Attributes • Certificate Life Cycle Operational Requirements • Management, Operational and Physical security Controls • Technical Security Controls • Certificate, CRL, And OCSP Profiles • Specific Administration
General, Legal, and Business Provisions • Apportioning Legal Responsibilities and Potential Liability • Issue Summary • Relevant Considerations • Appropriate Requirements and Practices • Risk Management and Insurance • Financial Responsibility
Provisions (cont’d) • Interpretation and Enforcement • Fees • Publication and Repositories • Compliance Audit and Other Assessments • Consumer Issues, Information Practices, Privacy • Intellectual Property Rights
PKI Documentation • Policy Documents • Convey at a high level the requirements to which a PKI adheres and the practices the PKI employs to meet these requirements • “Certificate Policy” • “Certification Practice Statement” • Agreements • Bind participants to the requirements of the PKI • “Subscriber Agreement” • “Relying Party Agreement” • Security, Operational, and Auditing Practices • Detailed policies, guidelines, and procedures
Implications for Higher Ed • Policies and Procedures • NET@EDU PKI Working Group • EDUCAUSE Security Task Force • Policy and Legal Issues Committee • Contracts and Agreements • Academic Culture and Traditions • Practical Uses and Simplification • Coordination Across Communities
For more information, contact: Rodney PetersenPhone: 301.405.7349Email: rp72@umail.umd.edu URL: www.oit.umd.edu/ppURL: www.umd.edu/NEThics