PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Similar documents
CERTIFICATE POLICY CIGNA PKI Certificates

Issues in Assessing Commercial Certification Service Trust

SSL Certificates Certificate Policy (CP)

Digi-Sign Certification Services Limited Certification Practice Statement (OID: )

ASEAN e-authentication Workshop Balwinder Sahota

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

ING Corporate PKI G3 Internal Certificate Policy

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Apple Inc. Certification Authority Certification Practice Statement

ING Public Key Infrastructure Technical Certificate Policy

Apple Inc. Certification Authority Certification Practice Statement

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

GovernmentOnline Gatekeeper The Government s Public Key Infrastructure

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

Organic Standards & Certification

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

X.509 Certificate Policy for the New Zealand Government PKI RSA Individual - Software Certificates (Medium Assurance)

Electronic Signature Policy

Digi-CPS. Certificate Practice Statement v3.6. Certificate Practice Statement from Digi-Sign Limited.

Development of smart authentication and identification in Asia

CERTIFICATION PRACTICE STATEMENT OF KIR for TRUSTED NON-QUALIFIED CERTIFICATES

QUICKSIGN Registration Policy

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

DECISION OF THE EUROPEAN CENTRAL BANK

Technical Trust Policy

EU Policy Management Authority for Grid Authentication in e-science Charter Version 1.1. EU Grid PMA Charter

Taiwan-CA Inc Global Certification Authority Certification Practices Statement (CPS) (Version1.3) Effective Date:2017/09/26

Certification Practice Statement

eid Applications Cross Border Authentication

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary. Version 3.3.

SAFE-BioPharma RAS Privacy Policy

OpenADR Alliance Certificate Policy. OpenADR-CP-I

LAWtrust AeSign CA Certification Practice Statement (LAWtrust AeSign CA CPS)

SSL/TSL EV Certificates

ISO/IEC TR Information technology Security techniques Guidelines for the use and management of Trusted Third Party services

Mutual Recognition Agreement/Arrangement: General Introduction, Framework and Benefits

WISeKey SA ADVANCED SERVICES ISSUING CERTIFICATION AUTHORITY CERTIFICATION PRACTICE STATEMENT

MODEL CERTIFICATE FOR FISH AND FISHERY PRODUCTS CAC/GL

Smart Meters Programme Schedule 2.1

TeliaSonera Gateway Certificate Policy and Certification Practice Statement

APPROVAL PROCESS TO BE FOLLOWED FOR PROVISIONAL ACCREDITATION OF CBs UNDER FM CERTIFICATION SCHEME

United States Department of Defense External Certification Authority X.509 Certificate Policy

FPKIPA CPWG Antecedent, In-Person Task Group

TELIA MOBILE ID CERTIFICATE

PRODUCT CERTIFICATION SCHEME FOR ENERGY DRINKS

Certification Practice Statement certsign SSL EV CA Class 3. for SSL EV Certificates. Version 1.0. Date: 31 January 2018

Singapore s National Digital Identity (NDI):

Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

Certification Authority

PRODUCT CERTIFICATION SCHEME FOR MECHANICAL-CUSTOMIZED VEHICLES

PRODUCT CERTIFICATION SCHEME FOR ORGANIC PRODUCTS

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

CORPME TRUST SERVICE PROVIDER

South African Forestry Assurance Scheme SAFAS 6:2018. Certification and Accreditation Procedures. Issue SAFAS Council SAFAS

Web Services, ebxml and XML Security

Higher Education PKI Initiatives

VeriSign Trust Network European Directive Supplemental Policies

thawte Certification Practice Statement Version 3.4

CertDigital Certification Services Policy

CIVIL AVIATION REQUIREMENT SECTION 2 - AIRWORTHINESS SERIES E PART XII EFFECTIVE : FORTHWITH

7 The Protection of Certification Marks under the Trademark Act (*)

BT Managed Secure Messaging. Non-Repudiation Policy

SONERA MOBILE ID CERTIFICATE

Belgian Certificate Policy & Practice Statement for eid PKI infrastructure Foreigner CA

ECA Trusted Agent Handbook

Development Authority of the North Country Governance Policies

AlphaSSL Certification Practice Statement

THE TRUSTED NETWORK POWERING GLOBAL SUPPLY CHAINS AND THEIR COMMUNITIES APPROVED EDUCATION PROVIDER INFORMATION PACK

Certification Practice Statement

OISTE-WISeKey Global Trust Model

X.509 Certificate Policy. For The Federal Bridge Certification Authority (FBCA)

(1) Jisc (Company Registration Number ) whose registered office is at One Castlepark, Tower Hill, Bristol, BS2 0JA ( JISC ); and

ETSI ESI and Signature Validation Services

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

September OID: Public Document

Accreditation of Product Certification Scheme for Construction Materials By Ir C K Cheung Hong Kong Accreditation Service

CHAPTER 13 ELECTRONIC COMMERCE

Certificate Policy for Deployment and Operation of European Cooperative Intelligent Transport Systems (C-ITS)

VeriSign External Certification Authority Certification Practice Statement

Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)

Trusted Identities That Drive Global Commerce

IT Security Evaluation and Certification Scheme Document

WP doc5 - Test Programme

R. Sabett Cooley Godward LLP C. Merrill McCarter & English, LLP S. Wu Infoliance, Inc. November 2003

EXBO e-signing Automated for scanned invoices

PRODUCT CERTIFICATION SCHEME FOR WATER PRODUCTS

e-security Task Group Hong Kong Post e-cert: Enabling Secure Electronic Transactions

MUTUAL RECOGNITION MECHANISMS. Tahseen Ahmad Khan

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Signe Certification Authority. Certification Policy Degree Certificates

GlobalSign Certification Practice Statement

Dark Matter L.L.C. DarkMatter Certification Authority

ZETES TSP QUALIFIED CA

Certificate Policy for the Chunghwa Telecom ecommerce Public Key Infrastructure. Version 1.5

Transcription:

PAA PKI Mutual Recognition Framework Copyright PAA, 2009. All Rights Reserved 1

Agenda Overview of the Framework Components of the Framework How It Works Other Considerations Questions and Answers Copyright PAA, 2009. All Rights Reserved 2

Legal Structure Overview Region A Region B PKI Mutual Recognition Certificate Policy PAA Policy Authority Recognition Agreement CPS-A Certification Authority A Certification Authority B CPS-B CA Service Trader A Club Agreement Trader B Secure Cross Border Transaction Services Subscriber Agreement-A Service Provider A Interconnection Agreement Service Provider B Subscriber Agreement-B Copyright PAA, 2009. All Rights Reserved 3

PAA Legal Framework for Cross-border Transaction Service Signed Agreement Copyright PAA, 2009. All Rights Reserved 4

PAA Transaction Service Operation PAA Transaction Services Operation enquiries / responses Repository (document, audit trail) Trader A (Customer Software) Create doc Sign doc using A s private key Initiate dispatch of doc SP A s own system Service Provider A (Backend System) Verify doc, signature & certificate of A Reformat doc into PAA format Create ebxml envelope Sign & dispatch message Return delivery notification (from SP B) Keep audit trail, original & reformatted doc Central Subscriber Registry Registration / Termination of Subscribers ebxml Service Provider B (Backend System) Verify doc, signature & certificate of SP A Reformat doc into B s required format Sign doc with SP B private key Return delivery notification (to SP A) Keep audit trail, original & reformatted doc SP B s own system Repository (document, audit trail) enquiries / responses Trader B (Customer Software) Accept doc Optionally to verify signature of SP B Certification Authority A 15 minutes 15 minutes PAA Policy Authority Issue recognised certificate CA A Public Trusted to Trader A Key Directory Certificates Maintain public key directory Maintain trusted Copyright PAA, 2009. All Rights Reserved list of certificates 5

PAA Mutual PKI Recognition - Approach Pragmatic approach to drive cross border trade Establish comparative level of trustworthiness Establish Pan Asian Certificate Policy Authority to set criteria for PAA CA/CPS recognition Authentication of identity of individuals/ organizations so as to establishing nonrepudiation for cross border trade Adherence to good practice while being flexible to allow for local requirements/variations Copyright PAA, 2009. All Rights Reserved 6

Components of the Framework A. PAA Policy Authority Established in Jan 2001 The Authority s Terms Of Reference define the scope of responsibilities Define a common PAA Certificate Policy (CP) Define a procedure for the recognition of CPS of CA against this CP Define a procedure for the change management for the CP and the recognition procedure Administer the recognition and change management procedure Copyright PAA, 2009. All Rights Reserved 7

Components of the Framework B. PAA Certificate Policy Define a set of rules as minimum and common criteria for recognition For use within the PAA domain and trusted by the PAA members CPS of a CA seeking recognition is assessed against this CP Sit on top of a CPS that cover different aspects (policy, legal, operational, technical) Copyright PAA, 2009. All Rights Reserved 8

Components of the Framework C. Recognition Procedure 1. Initial recognition Submit supporting documents (e.g. sponsor letter from PAA member being the user/relying party of the certificate, CPS, external assessment report, test report, etc) to the Authority Review the documents by the Authority s PKI experts Produce recommendation report by the experts If recommendation is accepted, the Authority will sign recognition agreement with the CA publish the CA s information to the Authority s official web site add the CA to the Certificate Trust List (CTL) to be distributed to PAA members Copyright PAA, 2009. All Rights Reserved 9

Components of the Framework C. Recognition Procedure 2. Renewal of recognition Similar to initial recognition Every two years Some supporting documents are not required unless there are changes The Authority s official web site will be updated to indicate renewal Latest assessment report will also be published Copyright PAA, 2009. All Rights Reserved 10

Components of the Framework C. Recognition Procedure 3. Revocation of recognition The Authority s official web site will be updated to indicate revocation CTL will be updated to remove the revoked CA Copyright PAA, 2009. All Rights Reserved 11

How It Works Let s see how it works by examining the following: Establish the trustworthy framework by the PAA Certificate Authority Trust the framework by the members of PAA How the trust is established in PAA transactions Copyright PAA, 2009. All Rights Reserved 12

Process for Mutual PKI Recognition Certificate Policy Authority Pan Asian Certificate Policy Accredit CA s Evaluate CPS against Certificate Policy Confirm CA s Operation is in accordance with CPS Community CA Certification Practice Statement (CPS) Assess CA s operations complies with CPS List of Accredited CA s Copyright PAA, 2009. All Rights Reserved 13

PAA Mutual PKI Recognition - Current Status Established Policy Authority (Jan 2001) Established Pan Asian Certificate Policy (Nov 2001) Recognized CAs Digi-Sign (Hong Kong) (Jan 2002) TWCA (Taiwan) (Jan 2002) Netrust (Singapore) (May 2002) TradeSign (Korea) (Aug 2002) GFACA (China) (Feb 2003) JETS (Japan) (Feb 2003) Certificate Trust List distributed among PAA members Copyright PAA, 2009. All Rights Reserved 14

Certificate Authority (CA) related documents PAA has Certificate Policy Authority Ltd. to authorize CA of each economy as Conforming CA that complies the common standard required as CA of PAA, leveling their Certification Practice Statement (CPS) etc. (1) Certificate Policy - Common Certificate Policy prepared by the Certificate Policy Authority that contains the set of rules that govern the issuance and use of digital certificates, and indicate the applicability of the certificates to the communities within PAA. - It specifies Audit procedure, Revocation, Records archival and Certificate & CRL (Certificate Revocation List) Profiles, etc. - This is the basis of the Mutual Recognition of Public Key Infrastructure that form a part of conditions for periodical assessment of CA, and each CA will need to ensure that their CPS complies with this Certificate Policy. (2) Certificate Policy Authority Terms of Reference This document is to facilitate the process of mutual recognition of the Public Key Infrastructures adopted by each PAA Service Provider under Certificate Policy. (3) CA Recognition Agreement - Agreement between Certificate Policy Authority Ltd. and each Certificate Authority contracted by PAA Service Provider in each economy. - Under this agreement Certificate Policy Authority recognize that the applicant CA is a conforming or accredited CA of PAA. - Frequency of assessment to have, fees and other details are defined in this Agreement. (4) CA / CPS (Certification Practice Statement) Recognition Procedure This document defines the procedure to be used by the Certificate Policy Authority to give recognition to the individual Certification Practice Statement (CPS) and Certificate. Copyright PAA, 2009. All Rights Reserved 15

Establish the trustworthy framework A. Defining the PAA Certificate Policy 1. Studies were carried out on the following: PAA members security requirements (authentication, non-repudiation, message integrity, confidentiality) The legal framework of different countries regulating CA practices (other ref: Report On Legal Issues in Cross Border E-Commerce Transactions by Asia PKI Forum Appendix 3A) Copyright PAA, 2009. All Rights Reserved 16

Establish the trustworthy framework A. Defining the PAA Certificate Policy 1. Studies were carried out on the following: The practices of CA of different countries Copyright PAA, 2009. All Rights Reserved 17

Establish the trustworthy framework A. Defining the PAA Certificate Policy 1. Studies were carried out on the following: International standards / guidelines on PKI (e.g. Guidelines for Schemes to Issue Certificates Capable of Being Used in Cross Jurisdiction ecommerce published by esecurity Task Group of APEC TEL Working Group) Copyright PAA, 2009. All Rights Reserved 18

Establish the trustworthy framework A. Defining the PAA Certificate Policy 2. The following aspects were explored and considered: CA has to be licensed / governed / recognized under its local jurisdiction Keys should only be used for digital signature but not for encryption (i.e. keys for encryption are out of scope, separate keys for signing and encryption is needed) Maintain a Certificate Trust List for approved CA (why? how?) Copyright PAA, 2009. All Rights Reserved 19

Establish the trustworthy framework A. Defining the PAA Certificate Policy 2. The following aspects were explored and considered: Face-to-face identity authentication of subscriber needed? Explore OCSP to provide certificate status information (timeliness, single point, simplify the retrieval) Limitation of liability and the reliance limit of certificates (trading vs financial) Copyright PAA, 2009. All Rights Reserved 20

Establish the trustworthy framework A. Defining the PAA Certificate Policy 2. The following aspects were explored and considered: The governing law to be agreed upon for interpretation and enforcement The compliance audit process (part of the requirement for recognition) Privacy and confidentiality policy (e.g. ID card numbers stored in the certificate should be encrypted) Copyright PAA, 2009. All Rights Reserved 21

Establish the trustworthy framework A. Defining the PAA Certificate Policy 2. The following aspects were explored and considered: Subject name (DN) on a certificate must not be blank Central key generation and end user key generation (secure delivery vs proof of possesion of private key) Maximum validity period of certificate (e.g. 3 years) Copyright PAA, 2009. All Rights Reserved 22

Trust the framework What next if we have the trustworthy framework in place? CA of different regions seek recognition from this framework The Authority publishes its list of recognized CAs in the CTL PAA members obtain and trust the CTL By the chain of trust, the digital signature generated by certificates issued by CAs under the CTL are trusted by the PAA members (both local and foreign to the CA) Copyright PAA, 2009. All Rights Reserved 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback