Issues in Assessing Commercial Certification Service Trust

Transcription

1 The Open Group Security Program Group Building Trust on the Net ---- San Diego -- April 30, 1998 Issues in Assessing Commercial Certification Service Trust Michael S. Baum, J.D., M.B.A. VP, Practices & External Affairs

2 Authentication Individuals Organizations Content Identity Privileges Identity Viability Origin Integrity

3 Securing E-Commerce 4 VeriSign 4 erisign 4 erisign 4 erisign Browsers SSL Firewall Firewall Web Servers SSL 4 erisign & EDI S/MIME Credit Card SET 4 erisign Router IPSEC Internet 4 erisign Router The Ubiquitous Trust Technology 4 erisign IPSEC 4 erisign 4 erisign 4eriSign Software Publishers 4 erisign Merchant SET 4 erisign 4 erisign

4 Some types of CAs Roll your own vs. TTP Private space vs. public space Lower vs. higher assurance Non-transactional vs. transactional

5 New Architectures Blur Traditional Classifications Back-end service provider Certification Authority 1. Certificate request 4. Certificate issued 3. Approval Customer premises 2. Subscriber Authentication Certificate subscriber Approving authority

6 Recognized Assurance Levels Class 1 Class 2 2 Class 3 Unambiguous name, address Verified in local repository Real name, address, locale, Verified with 3rd party proofing source Real name, address, locale, Verified with 3rd party proofing Personal presence requirement

7 CA Exposure in Commencing Operations Failure to secure the CA private key Failure to implement an appropriate key size Misuse of a private key Failure to train and oversee CA employees Failure to create and maintain proper records Failure to gate IA membership within a PKI Failure to maintain insurance Failure to comply with certification practices

8 CA Exposure in Issuing Certificates to Subscribers Failure to validate subscribers accurately Failure to ensure proper, unambiguous naming Misidentification; erroneous validation Failure to keep subscriber data confidential Issuing certificates for inherently dangerous activities (and causing personal injury) or illegal purposes

9 CA Exposure Following Issuance Failure to make available and maintain accurate revocation data Mistake / inaccurate information resulting in revocation Failure to properly promulgate CRLs and other cert. status data Failure to archive CA operations data

10 Duty to Use a Trustworthy System A certification authority must utilize trustworthy systems in performing its services. ABA Digital Signature Guidelines, Section 3.1

11 Mechanisms to Manage Liability Certification practice statements Policy statements Ancillary agreements Security policies and procedures Guidelines Accreditation / licensure Legislation and regulations

12 Certification Practice Statement A statement of the practices that a certification authority employs in issuing certificates.

13 Certificate Policy One or more discrete terms (e.g., of a CPS) in abbreviated form applied to a particular community and/or class of application(s) with common security requirements Incorporated by reference into a certificate via a unique Object Identifier Facilitates end-user comparison of policies Enables interdomain certification Disclosure enables an informed trust decision

14 Licensed vs. Accredited/Certified Certification Authorities Licensing Barrier to international trade Balkanization Accreditation/certification Advance a voluntary, industry-based process Reflect both PKI legal and technical standards in criteria

15 Accreditation and Certification Accreditation- Certification / Endorsement- Accreditation Body Testing/Calibration Laboratory Product Personnel Certification Body Service Public Key Infrastructure

16 Information Security Committee Section of Science and Technology, ABA ABA Digital Signature Guidelines Important contribution to CA infrastructure: enforceability, practices, terminology Digital Signature Guidelines Info. Sec. Committee Science & Technology American Bar Assn. Accreditation and Certification of CAs Major initiative to provide industry-based criteria and legal infrastructure to facilitate determination of CA quality and trustworthiness

17 Document Plan for ISC Accreditation and Certificate Policies Activity Certificate Policy and Practices Framework Certificate Policy Definition(s) Guidelines for Certificate Policies and Accreditation Criteria Certification Services Agreements and Model Clauses The Process for Accreditation & Evaluation of CAs Vertical Market/Industry Group (and other) Accreditation Profiles

18 A Global Structure is Needed To assure a consistent quality and liability regime To accept PKI across jurisdictions To enhance confidence in PKI To promote secure electronic commerce

19 Growth of Legislative Initiatives Jan-95 Mar-95 May-95 Jul-95 Sep-95 Nov-95 Jan-96 Mar-96 May-96 Jul-96 Sep-96 Nov-96 Jan-97 Mar-97 May-97 Jul-97 Sep-97 Nov-97 Jan-98 digital electronic

20 Dual Approach Government concerns Law enforcement Consumer protection Data protection Private enterprise concerns Risk allocation and limits Party autonomy (freedom of contract) Discrimination Recognizing usage of trade Fostering entrepreneurship and flexibility

21 Legislative Coverage: Electronic or Digital Signatures? PRO Electronic Signature: General enablement is sufficient Technology neutral is preferable More likely to get enacted quickly PRO Digital Signature: Enhances benefits of PKI / Internet Recognizes special status of secure signatures Responds to need for agreed-upon standards

22 Nondiscrimination Examples? The same authentication procedures can be followed by another CA operating on the bases of a license or of an authorisation released by another country member of the EC or of the European Economic Area, on the bases of equivalent requirements... Italian Draft Reg., Art. 8

23 UNCITRAL Model Law on Electronic Commerce Adopted in 1996 Facilitates the use of modern means of communications and information storage Based on establishing functional equivalents for paper-based concepts such as writing and signature Guide to Enactment of the UNCITRAL Model Law on Electronic Commerce.

24 UNCITRAL Working Party on Electronic Commerce Considering electronic (and digital) signatures and trusted third parties in international commerce Possible forms of work product include: A model statute (based on the Model Law on Electronic Commerce) A multilateral convention on E-commerce Guidelines

25 ETERMS Project A global E-commerce repository Leverages the ICC s role as the preeminent global business practices repository Terms can be reliably incorporated by reference Enhances disclosure and notice of certification practices and contract trade terms Support for diverse ICC E-commerce initiatives

26 Reference Sheet Baum, Federal Certification Authority Liability and Policy, Pub. No.: PB Tel (National Technical Information Service, 1994) Baum & Perritt, Electronic Contracting, Publishing and EDI Law, ISBN: (Wiley Law Publications, 1991) Ford and Baum, Secure Electronic Commerce (Prentice-Hall 1997) Info. Sec. Committee, Sect. of Sci. and Tech., Am. Bar Assn., Digital Signature Guidelines (1996) VeriSign Certification Practice Statement, <