Delivering Certificates or Trust Building Robust PKIs Alan T Liddle Msc BSc PgDip FBCS CEng CITP AMP MIMMM

Transcription

1 Delivering Certificates or Trust Building Robust PKIs Alan T Liddle Msc BSc PgDip FBCS CEng CITP AMP MIMMM Trustis Limited Building 273 Greenham Business Park RG19 6HN

2 Agenda Introduction PKI Standards Specific requirements General compliance Enforcement regimes Building Robust PKIs Topics for consideration Questions 2

3 PKI for a Typical Large Enterprise Corporate PKI for internal use: Discover Phase Design and Signoff Phase Offline Root CA Multiple Sub CA support - different Assurance requirements HSM Policy Pre-Production / Testing Phase Production Phase Transition process Setup of PMA Comprehensive and flexible Policy Documentation Set Controls and Procedures Audited KSC Based on Microsoft - tightly coupled to AD. Managed Service Support Wrapper 3

4 What is a PKI - Our View A Trust Model. A Policy (Legally or contractually enforceable). Assurance standard and mechanisms Entities that rely on and operate within the trust environment. Fulfilled by:- processes and procedures enforced to defined standards Assured equipment Certificate Authorities and Registration Authority(s). databases, trusted networks. Sets of client software. Otherwise it s a Certificate Pump 4

5 For Clarity a few words Subscriber Subject Relying Party Registration Validation Certification Authority Certificate Authority Certificate Policy Certification Practice Statement 5

6 PKI Standards There is no shortage CA/B Forum EU ETSI Qualified EU ETSI Normalised Federal Bridge SAFE Biofarma HIPPA BACSTel USA PIV ICAO EU ETSI Qualified India CCA Oz- Gatekeeper UK SMIP Mozilla Google Adobe Sun Java Microsoft ISO21188 ISO Apple The list goes on and on. 6

7 Specific Important Standards Trusted Roots EU Regulations 7

8 Enforcement Regimes An enforcement regime reflects prescribed controlling bodies defined audit regimes mechanisms and specific approved auditor. EU Directive - in the UK Controlled by BIS Audit regime tscheme Auditors controlled via UKAS EU Regulation - in the UK Controlled by Data Protection Commissioner Audit regime tscheme (TBC) Auditors - not known 8

9 Enforcement Regimes USA/ Global Controlled by CA/B Forum Audit regime Web trust for CA (ETSI) Auditors certified public accountants UK Government Controlled by local Risk Owner No specific regime for PKI managed via the normal mechanisms for accreditation & approval USA Government Controlled by FICAM (A federal program) Audit regime FICAM TFS (TFSAP) Auditors acceptable to FICAM TFS (flexible) 9

10 Building Robust PKIs 10

11 Its Not Rocket Science So why do people struggle? 11

12 Specific Requirements The variation of standards largely relates to:- Trust level Registration of users (vetting) Function, (keyusage in the certificate) Validation arrangements The exception that proves the rule Code Signing PKIs 12

13 Points for Consideration A common baseline ISO27001 Cryptography options Registration of users (central or local) Smart card/mobile integration Function, (keyusage in the certificate) Validation arrangements 13

14 OCSP Expensive Significant operational impact Profoundly misunderstood So why use it 14

15 Points for Consideration Hierarchy Assurance Documentation Certificate Policy Certification Practice Statement Directories and integration Demonstrable assurance 15

16 Make it easy for all concerned Use RFC 3647 Certificate Policy What has to be done Certification Practice Statement How it is done In general, the purpose of the certificate policy, referenced by a policy identifier in a certificate, states "what is to be adhered to", while a certification practice statement states "how it is adhered to", i.e. the processes it will use in creating and maintaining the certificate. 16

17 Policy Constraints Don t try to be clever Don t make it complex Use with caution if at all Consider compatibility Beware of unexpected consequences Consider the longevity of any decision 17

18 Contact us Alan Liddle Trustis Ltd Building 273 Greenham Business Park RG19 6HN Tel: web: 18