burton group catalyst meeting barcelona, spain 22 october 2007 june leung oasis pki adoption tc the...
Post on 19-Dec-2015
216 views
TRANSCRIPT
The OASIS PKI Adoption TC Objectives and Case Studies
Burton Group Catalyst Meeting Burton Group Catalyst Meeting Barcelona, Spain 22 October 2007Barcelona, Spain 22 October 2007
June Leung June Leung OASIS PKI Adoption TCOASIS PKI Adoption TC
www.oasis-open.org
The PKI environment c. 2006 PKI is resurgent Embedded PKI is commonplace We’re all in the midst of a paradigm shift to
identity plurality Digital Certificates can be about relationships as
well as (or instead of) personal identity Successful PKI has always been application
specific, not general purpose
Resurgent, embedded PKI Closed (vertical) schemes
US PIV, Identrus, ICAO e-passports, CableLabs, Skype, BankID (Sweden)
Health smartcards France, Germany, Taiwan, Italy, Austria,
Australia … Digital Credentials
US Patent Office, France, Taiwan, Australia …
Identity plurality “Identity 2.0” (archetype: Cardspace)
Too soon to tell precise outcomes But it’s a progressive re-think of identity, context,
privacy, control etc. Fundamental concept is plurality of identities.
Stephen Kent’s critique:“For big CAs, there is an implicit assumption that a single
certificate is all that a user should need. This assumes that one identity is sufficient for all applications, which
contradicts experience”
The top five obstacles
According to OASIS Surveys 1 & 2:
1. Software applications don’t support PKI
2. Costs too high
3. PKI poorly understood
4. Too much focus on technology (not need)
5. Poor interoperability
PKIA TC: Fresh objectives Continue to overcome obstacles with targeted practical
initiatives that improve understanding of PKI Disseminate case studies Develop position papers that de-mystify legal,
governance and interoperability issues and modernise the PKI message so it reflects real needs
Liaise more closely with other OASIS efforts, esp. under the umbrella of the new IDtrust Member Section
Embedded PKI application: Device authentication schemesSome of the oldest, most successful PKIs are for
device authentication: GSM cell phone SIM cards SSL server certificates IPsec VPN devices CableLabs PKI for Cable TV set-top boxes
www.cablelabs.com/certqual/security
Embedded PKI application: Skype
Each Skype subscriber receives a digital certificate embedded in Skype install
“Zero User Interface” (ZUI) principle; i.e. Subscriber unaware of their certificate!
http://share.skype.com/sites/security
Embedded PKI application: Medicos’ smartcards France (500,000 doctors)
Rolling out 40 million PKI smartcardsfor patients, for secure e-health
Taiwan (300,000 doctors) Australia (10,000 doctors)
wide range of PKI enabled govt lodgments electronic prescribing in development certificates represent doctor’s qualifications planning “wholesale” supply of certs to hospitals etc. see www.hesa.gov.au
Vertical PKI application: University sector national PKI “Australian Access Federation”
an infrastructure to facilitate trusted communications and collaboration within and between higher education and research institutions both locally and internationally … in line with the objective of providing researchers with access to an environment necessary to support world-class research
Working with Shibboleth (single sign on) and inter-national grid computing
See www.hesa.gov.au
PKIA TC Policy Initiative: New legal view points in PKI Objective to de-mystify traditionally complex or
confusing aspects of PKI e.g. “Security Printer Model”
Conceptualizes backend CA as ‘minting’ certificates on order from RA, like printing cheques
Decouples CA from policy and from user liability When someone writes a bad cheque, nobody sues
the cheque printer! See http://tinyurl.com/2g4q4d
Aim to complete one or more papers late CY07
www.oasis-open.org
OASIS PKI Technical CommitteeOASIS PKI Technical Committeewww.oasis-open.org/committees/pkiwww.oasis-open.org/committees/pki
Stephen Wilson Stephen Wilson [email protected]@lockstep.com.au0414 4888510414 488851