1 / 10

Secure Identity Services Accreditation Corporation

Secure Identity Services Accreditation Corporation. NIST PKI R&D Workshop April 17, 2007. Overview of SISAC. Wholly-owned subsidiary of the Mortgage Bankers Association (MBA)

phallon
Download Presentation

Secure Identity Services Accreditation Corporation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Identity Services Accreditation Corporation NIST PKI R&D Workshop April 17, 2007

  2. Overview of SISAC • Wholly-owned subsidiary of the Mortgage Bankers Association (MBA) • Responsible for defining and maintaining interoperable policy, technical and accreditation requirements for issuing and managing digital certificates to be used in support of electronic mortgage processes and applications • More information can be found at www.sisac.org

  3. SISAC Model – Accreditation SISAC 6. Audit Letter 7. Accredit 3. Accredit 2. Apply 4. Apply 1. Requirements Accredited Auditors Accredited Issuing Authorities (AIAs) 5. Audit 8. Credential Reliance Relying Parties Relying Parties

  4. SISAC Model – Operations SISAC Accreditation, Policy and Technical Requirements AIA1 (Approved CPS, Root Key and Policy IDs) AIA2 (Approved CPS, Root Key and Policy IDs) AIAn (Approved CPS, Root Key and Policy IDs) Issuance, Management & Validation Services Issuance, Management & Validation Services Issuance, Management & Validation Services Certs Certs Certs Validation Services Validation Services Validation Services Subscribers Relying Parties Subscribers Relying Parties Subscribers Relying Parties

  5. Assurance Levels

  6. SISAC Subscriber Certificate Taxonomy

  7. CA Certificate Profile • Non-critical authorityKeyIdentifier • Non-critical subjectKeyIdentifier • Critical basicConstraints with cA=TRUE • Non-critical keyUsage with keyCertSign and cRLSign asserted • Non-critical certificatePolicies with SISAC approved policy OID asserted • Non-critical cRLDistributionPoints containing location of CRL information • Non-critical authorityInfoAccess containing location of OCSP Responder

  8. User Certificate Profile • Non-critical authorityKeyIdentifier (must be same as subjectKeyIdentifier defined in CA Certificate for CA that issued this Device Certificate) • Non-critical subjectKeyIdentifier • Non-critical keyUsage with appropriate key usage bits asserted (except for keyCertSign and cRLSign, which are reserved for CA Certificates only) • Non-critical certificatePolicies with SISAC approved policy OID asserted • Non-critical cRLDistributionPoints containing location of CRL information • Non-critical authorityInfoAccess containing location of OCSP Responder

  9. Device Certificate Profile • Non-critical authorityKeyIdentifier (must be same as subjectKeyIdentifier defined in CA Certificate for CA that issued this Device Certificate) • Non-critical subjectKeyIdentifier • Non-critical keyUsage with appropriate usage asserted (except for keyCertSign and cRLSign, which are reserved for CA Certificates only) • Non-critical extendedKeyUsage with appropriate usage asserted based on device application (e.g., SSL); must adhere to extendedKeyUsage OIDs defined in RFC 3280 • Non-critical certificatePolicies with SISAC approved policy OID asserted • Non-critical cRLDistributionPoints containing location of CRL information • Non-critical authorityInfoAccess containing location of OCSP Responder

  10. Issues and Lessons Learned • Key generation tags need to match with certificate profile keyUsage extension • Interest in carrying static attribute information • Considering optional, non-critical private extensions that are application specific (e.g., notary) • Certificate renewal notices need to go out before certificates expire • Interest in defining software vs. hardware token at the Medium Assurance level • Will probably follow what FPKI did • Staying consistent with the FPKI/FPBCA policies has helped greatly • Parts of the mortgage industry exist in Government • Applications driving use of certificates • Electronic notary services • MERS Registry • Electronic closing and recording (coming…)

More Related