AN APEC PERSPECTIVE
Steve Orlowski, Chair, eSecurity Task Group, APEC Telecommunications and Information Working Group

BACKGROUND
• Established 1997 under the APEC Telecommunications and Information Working Group
• Two main areas:
  • electronic security (added 2000)
  • electronic authentication
• Sub group: PKI Interoperability Expert Group
• Liaison with other international bodies

CURRENT ACTIVITIES
• APEC Cybersecurity Strategy
• CERT capacity building
• Cybercrime legislation survey
• IT security training material
• Compendium of IT security standards
• IT security skills recognition
• Encryption policies
• Electronic authentication

ELECTRONIC AUTHENTICATION
• Issues paper published (hard copy and electronic)
  • covers all technologies
• PKI interoperability: mapping of accreditation schemes

ISSUES PAPER
• Business models
• Technology
• User requirements
• Trust
• Cultural differences
• Legal issues

PKI INTEROPERABILITY
• Differing approaches
• APEC mapping of accreditation schemes
  • legal
  • policy
  • technical
• APEC high level principles for schemes

APPROACHES
• Hierarchies
  • root CA
• Cross certification
  • CA to CA
• Cross recognition
  • scheme to scheme

CROSS RECOGNITION
• Developed by APEC
• Maps accreditation schemes rather than individual CAs
• Public or private sector
• Assurance and evidence of legal effect
• Accreditation certificate
  • unilateral cross certificate
  • similar to TSP data
• Certificate trust lists

CA MAPPING
• Based on RFC 2527
• Approx. 200 points of comparison
• Rough equivalence:
  • Australia: Gatekeeper grade 2 (mid level)
  • Canada: GoC PKI medium
  • EU: qualified
  • Singapore: advanced
  • United States: FBCA medium
  • Identrus (Australian implementation)
• Hong Kong to join
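The three approaches on the preceding slides (a root-CA hierarchy, CA-to-CA cross certification, and scheme-to-scheme cross recognition via a certificate trust list), as an added worked example; this is editor-written code, not APEC material or any scheme's software. A toy relying party decides whether to accept a foreign end-entity certificate under each model. Under the hierarchy and cross-certification models it builds a certification path to a configured root; under cross recognition it instead checks that the path ends at a CA on its trust list and then maps that CA's accreditation grade to a local grade using the rough equivalences from the CA MAPPING slide. All CA names, keys and the equivalence table are constructed for the example, and the equivalence table records only what the slide calls a rough equivalence, not a formal mapping. HMAC-SHA256 stands in for X.509 signatures so the block runs with the standard library alone; a real implementation would use asymmetric signatures and RFC 3280-style path validation.

```python
"""Toy relying party for the three approaches on the slides: root-CA hierarchy,
CA-to-CA cross certification, and cross recognition via a certificate trust list.
HMAC-SHA256 over a canonical body stands in for an X.509 signature, so a CA 'key'
plays the role of its public key (a modelling shortcut only; an HMAC key cannot be
published, and nothing here is real certificate validation)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def _body(cert: dict) -> bytes:
    """Canonical encoding of every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue(issuer: str, issuer_key: bytes, subject: str, subject_key: bytes, ca: bool) -> dict:
    """Issue a certificate to `subject`, 'signed' (HMAC) with the issuer's key."""
    cert = {"issuer": issuer, "subject": subject, "subject_key": subject_key.hex(), "ca": ca}
    cert["sig"] = hmac.new(issuer_key, _body(cert), hashlib.sha256).hexdigest()
    return cert


def verify(cert: dict, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, _body(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert["sig"], expected)


class RelyingParty:
    def __init__(self) -> None:
        self.anchors: Dict[str, bytes] = {}      # root CA -> key: hierarchy and cross certification
        self.trust_list: Dict[str, dict] = {}    # accredited CA -> {"key", "scheme", "level"}: cross recognition
        self.equivalence: Dict[tuple, str] = {}  # (foreign scheme, level) -> equivalent local level

    def build_path(self, cert: dict, repo: Dict[str, List[dict]], anchors: Dict[str, bytes],
                   depth: int = 0) -> Optional[List[dict]]:
        """Depth-first search from `cert` to any anchor along issuer names. `repo` maps a
        subject to every certificate issued to it, so a foreign root is reachable either
        through its self-signed certificate or through a cross certificate issued to it."""
        if depth > 6:                            # bound the search; issuer loops are possible
            return None
        issuer = cert["issuer"]
        if issuer in anchors:
            return [cert] if verify(cert, anchors[issuer]) else None
        for issuer_cert in repo.get(issuer, []):
            if (issuer_cert["ca"] and issuer_cert["subject"] != cert["subject"]
                    and verify(cert, bytes.fromhex(issuer_cert["subject_key"]))):
                rest = self.build_path(issuer_cert, repo, anchors, depth + 1)
                if rest is not None:
                    return [cert] + rest
        return None

    def accept_hierarchy(self, cert: dict, repo: Dict[str, List[dict]]) -> bool:
        """Hierarchy / cross certification: accept if some path ends at a configured root."""
        return self.build_path(cert, repo, self.anchors) is not None

    def accept_cross_recognition(self, cert: dict, repo: Dict[str, List[dict]]) -> Optional[str]:
        """Cross recognition: the path must end at a trust-listed CA, and that CA's
        accreditation grade must map to a local grade. Returns the local grade or None."""
        anchors = {name: entry["key"] for name, entry in self.trust_list.items()}
        path = self.build_path(cert, repo, anchors)
        if path is None:
            return None
        entry = self.trust_list[path[-1]["issuer"]]
        return self.equivalence.get((entry["scheme"], entry["level"]))


def demo() -> dict:
    """Constructed scenario: an Australian (Gatekeeper) relying party sees certificates
    from a US CA accredited under the FBCA and from a Singapore-accredited CA."""
    names = ("AU-Root", "US-Root", "US-CA1", "US-User", "US-Direct", "SG-CA", "SG-User")
    key = {n: hashlib.sha256(n.encode()).digest() for n in names}   # constructed, not real keys
    certs = [
        issue("AU-Root", key["AU-Root"], "AU-Root", key["AU-Root"], True),
        issue("US-Root", key["US-Root"], "US-Root", key["US-Root"], True),
        issue("US-Root", key["US-Root"], "US-CA1", key["US-CA1"], True),
        issue("US-CA1", key["US-CA1"], "US-User", key["US-User"], False),
        issue("US-Root", key["US-Root"], "US-Direct", key["US-Direct"], False),
        issue("SG-CA", key["SG-CA"], "SG-CA", key["SG-CA"], True),
        issue("SG-CA", key["SG-CA"], "SG-User", key["SG-User"], False),
    ]
    repo: Dict[str, List[dict]] = {}
    for c in certs:
        repo.setdefault(c["subject"], []).append(c)
    ee = {c["subject"]: c for c in certs if not c["ca"]}

    rp = RelyingParty()
    rp.anchors["AU-Root"] = key["AU-Root"]                       # hierarchy: only the home root
    out = {"hierarchy_only": rp.accept_hierarchy(ee["US-User"], repo)}

    # Cross certification: the home root issues a unilateral cross certificate to the foreign root.
    repo["US-Root"].append(issue("AU-Root", key["AU-Root"], "US-Root", key["US-Root"], True))
    out["cross_certified"] = rp.accept_hierarchy(ee["US-User"], repo)

    # Cross recognition: trust list of accredited CAs plus the slide's rough equivalences.
    rp.trust_list["US-CA1"] = {"key": key["US-CA1"], "scheme": "FBCA", "level": "medium"}
    rp.trust_list["SG-CA"] = {"key": key["SG-CA"], "scheme": "Singapore", "level": "advanced"}
    for foreign in (("FBCA", "medium"), ("Singapore", "advanced"), ("GoC PKI", "medium"), ("EU", "qualified")):
        rp.equivalence[foreign] = "Gatekeeper grade 2"
    out["cross_recognition_us"] = rp.accept_cross_recognition(ee["US-User"], repo)
    out["cross_recognition_sg"] = rp.accept_cross_recognition(ee["SG-User"], repo)
    out["cross_recognition_unlisted"] = rp.accept_cross_recognition(ee["US-Direct"], repo)  # issuer not listed
    tampered = dict(ee["US-User"], subject="US-Mallory")         # body altered, signature now stale
    out["tampered"] = rp.accept_cross_recognition(tampered, repo)
    return out
```

Running `demo()` shows the difference in where trust is anchored: the US end-entity certificate fails under a pure hierarchy, is accepted once the home root has cross-certified the foreign root, and under cross recognition is accepted at the equivalent local grade because its issuing CA is on the trust list. The certificate issued directly by the (cross-certified but unlisted) US root is rejected under cross recognition, since the trust list, not the cross certificate, is the authority in that model, and a certificate whose body has been altered after issue is rejected by the signature check.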
HIGH LEVEL GUIDELINES
• Based on a series of questionnaires
• High level principles developed
• Accepted by TEL 27

PRINCIPLES
• Legal
  • recognition of foreign schemes
  • technology not mandated
• Policy
  • based on internationally recognised standards
• Technical
  • identification and naming
  • FIPS, Common Criteria or equivalent technology
  • archives
  • directory access

STANDARDS REQUIREMENTS
• Cryptographic modules
  • FIPS 140-2 (to ISO, April 2003)
• Implementations
  • physical
  • personnel
  • administrative
  • overall technical
• CA protection profile for issue of qualified certificates, or equivalent?

REFERENCES
• eSTG website: http://www.apectelwg.org/apec/atwg/preatg.html
• Principles: http://www.apectel27.org.my/ESTG-8.doc
• Mappings (not EU): http://www.apectel27.org.my/ESTG-5.doc