TeleTrusT - Competence Association for Applied Cryptography and Biometrics

Arno Fiedler (Nimbus Network)

TeleTrusT Deutschland e. V.

E-Mail: arno.fiedler@teletrust.de

http://www.teletrust.de

PKI-Forum, Amsterdam, 20 June 2002

Short Presentation for Project:

“Unified ISIS-MTT-Specifications for Interoperability and Test Systems”

TeleTrusT - General

• Promoting the trustworthiness of information and communication technology

• Applied Cryptography & Biometrics

• founded in 1989

• 110 members: major user sectors, research organisations, developers and manufacturers of security products, government agencies, and test institutes.

• non-profit, politically independent

ISIS-MTT – The Foundation

European Bridge-CA

ISIS-MTT: Common ISIS-MTT Specification for Interoperability and Test Systems

"E-Business"

[Figure labels:]

• Authentication of users and servers

• Confidential communication (SSL)

• File encryption

• Encrypted e-mail (S/MIME)

• Data authenticity and integrity (electronic signature)

• Time-stamping service

• VPN

• Single Sign On

• Further PKI services

Objectives of the project:

• Synthesis of already available specifications towards a unified and open standard.

• This standard should take into account the current technical and legal requirements and should receive active support by the market players.

• Development of a test specification and a test bench, which allow application developers to prove their ISIS-MTT interoperability.

• Investment protection for users because of the exchangeability of individual components.

Involved partner organizations:

T7 e. V. i. G. (direct) (ISIS-Spec.)

• interest group of leading (German) providers of certification services.

TeleTrusT e. V. (direct) (MailTrusT-Spec.)

• competence association of major companies and organizations concerned with trusted digital communication.

Additional bodies comprise (selection):

• AG INDI (indirect)

• Bundesverband Deutscher Banken (indirect)

• Media@kom project partners (indirect)

• Arbeitsgemeinschaft Karten im Gesundheitswesen (indirect)

ISIS-MTT document structure:

● Part 1: Certificate and CRL Profiles,

● Part 2: PKI Management,

● Part 3: Message Formats,

● Part 4: Operational Protocols,

● Part 5: Certificate Path Validation,

● Part 6: Cryptographic Algorithms,

● Part 7: Cryptographic Token Interface,

● Profile: SigG-conforming Systems and Applications and

● Profile: Optional Enhancements to the SigG-Profile.

CORE-SPEC

OPTIONAL

ISIS-MTT - behind the cover

| # | Object | Content of the ISIS-MTT-Core-Profile |
|---|--------|--------------------------------------|
| 1 | Certificate Profile | Standard X.509 V3; Qualified Certs according to ETSI QCP (RFC 3039); attributes allowed in key certificates |
| 1.3 | Attribute Certificate | Standard X.509 V2 |
| 1.4 | CRL | Standard CRL (including Delta CRL) |
| 2 | PKI Management | Simple PKI-Management as in CMC |
| 3 | S/MIME | Subset of S/MIME for mail |
| 4.2 | LDAP | Standard LDAP V.3, no restrictions to DIT |
| 4.3 | OCSP | Standard OCSP; optional extension for positive statement |
| 4.4 | TSP | Standard TSP, no profiling yet |
| 5 | Certificate Path Validation | Standard PKIX procedures |
| 6 | Algorithms etc | look to: www.teletrust.de |
| 7 | PKCS#11 | Profile |

ISIS-MTT and the Infrastructure:

[Diagram: interoperability aspects covered by the ISIS-MTT Specification]

Components shown:

• Client Application, Mail Client Application, File Security Application

• Cryptographic Library, Signature & Cert. Path Verification Module, Signature Creation Module, Key and Certificate Management

• Cryptographic Token (chipcard or software PSE)

• Certification Service Provider (CSP), CA, LDAP server, OCSP server, Depository, Time Stamp Service

Interfaces and the specification part covering each:

• certificates, CRLs, cross-certs (Part 1)

• certification request (Part 2)

• management protocols (Part 2)

• signed, encrypted emails (Part 3)

• signed, encrypted files (Part 3)

• LDAP (Part 4)

• OCSP (Part 4)

• TSP (Part 4)

• signatures (Part 5)

• verification (Part 5)

• algorithms (Part 6)

• API calls (Part 7)

Other labels in the diagram: CA, S, X, Sender, Recipient

Actions planned for 2002

• Development of a usable test bench for realistic testing of applications and services.

• Awarding of a “Quality Seal” for applications with proven interoperability.

• Further development of the ISIS-MTT specification.

• Further contribution from the specification to international standardization.

• Strengthening of public relations and project management.

• Development of an XML profile.

Core theses for ISIS-MTT:

• ISIS-MTT is a free-of-charge offering for PKI integration, available to all application developers.

• ISIS-MTT is internationally aligned; existing standards are used and extended.

• ISIS-MTT defines a complete security architecture: encryption, authentication and signing.

• ISIS-MTT provides for different security levels; legal binding according to German signature law is just an option.

• ISIS-MTT interoperability criteria are publicly defined and provable through a test bench.

Testbed Prototype Platform

[Diagram labels:]

• CUT: EE Component; CUT: CA Component

• Tester, Test Tools, Test Data

• Web-Browser, Web-Client, Web-Server, CGI scripts

• LDAP-Client, LDAP-Server, Mail-Server, DNS-Server

• Connections: http, pop3, ldap, smtp, ocsp, dns, File Transfer

ISIS-MTT service providers:

DATEV e. G. D-TRUST GmbH

ITSG Deutsche Telekom AG Telesec

TC Trustcenter CCI Sema Group

Fraunhofer IBT Addtrust AB

Medizon AG WV Deutscher Apotheker

ISIS-MTT application providers:

Applied Security GmbH BGS Systemplanung GmbH

Curiavant GmbH CV Cryptovision GmbH

DATEV e. G. DE-CODA GmbH

Microsoft Inc. Secartis GmbH

Secrypt GmbH SECUDE GmbH

Signcard GmbH TÜV Süddeutschland

Utimaco AG Faktum GmbH

ISIS-MTT actual and potential users:

Deutsche Bank AG Dresdner Bank AG

Daimler-Chrysler BSI

Kassenärztliche BV Siemens AG

Siemens BMW

Sparkassen Informatik Bank 24

Cable & Wireless SAP

Giesecke & Devrient Arthur Andersen

ISIS-MTT-Lessons learned:

• Don't discuss the legal aspects too much, you can't find a 100 percent solution! (not even 80 %)

• To get a commitment for a profile like ISIS-MTT is hard work, lobbying doesn't work via e-mail.

• Try to understand the needs of the different markets, but take care about "specific requirements" which are proprietary.

• Keep the project interesting, the work is never done. (Testbench, XML ...)

Contacts for the project

• TeleTrusT: www.teletrust.de

Mr. Prof. Helmut Reimer, TeleTrusT e.V. [email protected]

Mr. Schneider and Mr. Giessler (Editor), Fraunhofer SIT

Mr. Bauspiess, Secorvo

• T7 e. V. i. G.: www.t7-isis.de

Mr. Bernd Kowalski, DT AG, telesec; [email protected]

Lindemann, TC Trustcenter

Mr. Pfeuffer, Datev

Mr. Horvath (Editor), Secunet

Ms. Ulrike Korte, Sparkassen Informatik Kooperation

• Project management and public relations:

Mr. Fiedler, Nimbus Network; [email protected]