
X.509/PKI There is progress...



Presentation Transcript

  1. X.509/PKI There is progress...

  2. Topics • Why PKI? Why not PKI? • The Four Stages of X.509/PKI • Other sectors • Federal Activities - fBCA, NIH Pilot, ACES, other • Healthcare - HIPAA • State governments - E-Sign, Draft CP • Corporate Deployments • The Industry • Higher Ed - TAG, PAG

  3. Why X.509/PKI? • Single infrastructure to provide all security services • Established technology standards, though little operational experience • Elegant technical underpinnings • Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption • Low cost in mass numbers

  4. Why Not X.509/PKI? • High legal barriers • Lack of mobility support • Challenging user interfaces, especially with regard to privacy and scaling • Persistent technical incompatibilities • Overall complexity

  5. D. Wasley’s PKI Puzzle

  6. The Four Planes of PKI • on the road to general purpose interrealm PKI • the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI • simplifications in policies, technologies, applications, scope • each plane provides experience and value

  7. The Four Planes are • Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues • Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services • PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities • PKI-ultralight (Ultralights) - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...

  8. Examples of Areas of Simplification • Spectrum of Assurance Levels • Signature Algorithms Permitted • Range of Applications Enabled • Revocation Requirements and Approaches • Subject Naming Requirements • Treatment of Mobility • ...

  9. PKI-Light example (HEPKI) • CP: Wasley, et al. Draft HE CP stubbed to basic/rudimentary • CRL: ? • Applications: (Signed email) • Mobility: Password enabled • Signing: md5RSA • Thumbprint: sha1 • Naming: dc • Directory Services needed: Inetorgperson

  10. PKI-Light example (Texas-Houston) • CP: Verisign • CRL: Verisign • Applications: authentication • Mobility: USB dongle • Signing: md5RSA • Thumbprint: sha1 • Naming: X.500 • Directory Services needed: I? • Deployment: 5,000 medical students

  11. PKI-Ultralight (MIT) • CP: none • CRL: limit lifetime • Applications: Internal web authentication • Mobility: one per system; also password enabled • Signing: md5RSA • Thumbprint: sha1 • Naming: X.500 • Directory Services needed: none • Deployment: approximately 350,000 over five years

  12. Federal Activities • fBCA became operational June 7; talking with several possible peers (States of Illinois and Washington) • NIH Pilot for grant submissions - Peter Alterman, NIH • ACES - not much visible activity; Dept of Ed backed out of it for student loan administration • fPKI TWG - http://csrc.nist.gov/pki/twg • others • Internet2/NIH/NIST research conference • ...

  13. Healthcare • HIPAA - Privacy specs issued • HIPAA - Security specs not yet done • Two year compliance phase-ins • Little progress in community trust agreements • Non-PKI HIPAA Compliance Options

  14. Other deployments • Success stories within many individual corporations for VPN, authentication • No current community-wide deployments • ABA guidelines • Others... • State Governments • E-Sign FlowChart • NECCC Draft State Certificate Policy • Other countries • EuroPKI • Extensive work in the Netherlands • Inter-governmental discussions?

  15. The Industry • What's the problem with PKI then? It all boils down to one thing: Complexity. • Wanted: PKI Experts By Scot Petersen • July 18, 2001

  16. The Industry • Baltimore in peril • PKIforum slows down • OASIS-SAML work (XML to leaven PKI) gains buzz • RSA buys Securant

  17. The Industry • Browsers that don’t take community roots • Communications tools that want certs we don’t want to give them • Path math that sometimes doesn’t compute • Technology that doesn’t interoperate...

  18. Higher Education • HEBCA • HEPKI-TAG • HEPKI-PAG • PKI-labs • Campus activities
