190 likes | 320 Views
Extending Attribute Protocols for Status Management and “Other Things”. Building trust on the internet. Patrick Richard, Xcert International. Company Background. Size: 80+ employees Incorporated: 1996 (Vancouver, BC) HQ: Walnut Creek, CA
E N D
Extending Attribute Protocols for Status Management and “Other Things” Building trust on the internet Patrick Richard, Xcert International
Company Background • Size: 80+ employees • Incorporated: 1996 (Vancouver, BC) • HQ: Walnut Creek, CA • Funding: Private, backed by founder of RSA & Verisign) • Key partners & customers:
Extending Attribute Protocols for Status Management and “Other Things” • Agenda (40 minutes) • Conceptual History • Products in Action • Application Potential
PKI Enables Risk Management • PKI provides a means to reduce the risk of business-to-business and business-to-consumer internet transactions • PKI enables institutions to define trust relationships that can be: • Published • Audited • Insured
Digital Certificates Role in Risk Management Digital certificates are the ONLY technology to satisfy the requirements for secure transactions among trusted parties.
Certificate Formats and Risk Management • Digital Certificates, as they are commonly used: • contain generalized end-entity information • this is used as part of the risk mitigation process • Examples: name, email address, where you work, etc..
Certificate Attributes and Risk Management • The collection of information carried in a Certificate is the lowest common denominator for risk-managing transactions • Sometimes too little information • Sometimes too much • Normally no one cares who you are… they care about your ability to transact.
What is important • Are the transaction-specific bindings between the participants and their relevant attributes • Example: • Joe Customer is the owner of the card • The card is still valid • The card has enough credit space for a transaction
The key concept • PKI is really the practice of end-entity attribute assertion and management • I.e.: • CA asserts and distributes your name attribute • VA asserts and distributes your status attribute • AA asserts and distributes your credit attribute
Attribute Management Protocols • A good, generalized and scaleable attribute management protocol can be the basis for a highly efficient and effective PKI • Eliminates re-inventing the wheel, solves scaleability problems • Relevant elements of the transaction are transmitted, nothing else
Effective Attribute Management Protocol Characteristics • Ability to serve signed attributes • Ability to generate static collections of signed attributes • Ability to serve dynamic collections of signed attributes • Ability to deal with cacheing and freshness
Real World Example: Certificate Status Management • Most OCSP implementations rely upon CRLs (I.e. they proxy CRLs) • Certificate Status is really just an attribute of the certificate being queried
Status Management in an Attribute-driven model • Relating the current semantics against the model: • CRL : static collection of status attributes • Online query : signed response of status attribute • OCSP : standard protocol front-end on CRL/online query
Technical Benefits • A singular protocol and method for resolving identity and attribute bindings • Works online and off-line • Can be applied to multiple attributes, not just status • Is 100% backwards compatible • Provides infinite design flexibility
Business Benefits • Most implementations hit a “Chinese Wall” when they attempt to scale • Only cost effective way to scale • Customers with 100,000 + users on 1.x products (circa 1997), also Powers Public CAs • Provides business opportunities for Attribute Assertion Providers
Current Real World Applications • Pseudo-anonymous certificates • High-assurance web transactions • Value-based dynamic assertions • Rollover and Revocation simplified • Single certificate, many models (I.e. GUC)
Future Implications • Natural evolution is to Index attribute databases from certificates • Truly Internet-wide certificates should ideally have minimized content • Businesses are arising that focus exclusively on attribute management
Conclusion • A comprehensive attribute management system can provide the backbone for a global deployment of PKI • Common PKI problems can be easily resolved through the use of attribute management • Primary obstacles today are not technical, but rather philosophical