TeleTrusT European Bridge CA Status and Outlook



Similar documents
encryption with business partners

Siemens PKI Certificate Authority (CA) Hierarchy

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

RSA Digital Certificate Solution

- X.509 PKI SECURITY GATEWAY. Certificate Policy (CP) & Certification Practice Statement (CPS) Edition 1.1

-Encryption with business partners

Conclusion and Future Directions

Certification Practice Statement

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

Exostar LDAP Proxy / Secure Setup Guide. This document provides information on the following topics:

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

encryption keys, signing keys are not archived, reducing exposure to unauthorized access to the private key.

Djigzo encryption. Djigzo white paper

PrivaSphere Gateway Certificate Authority (GW CA)

Technical Description

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Symantec Managed PKI Service Deployment Options

DJIGZO ENCRYPTION. Djigzo white paper

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Deploying and Managing a Public Key Infrastructure

How To Understand And Understand The Security Of A Key Infrastructure

CIPHERMAIL ENCRYPTION. CipherMail white paper

Visa Public Key Infrastructure Certificate Policy (CP)

Carillon eshop User s Guide

PKI Contacts PKI for Fraunhofer Contacts

Certificate Policies and Certification Practice Statements

StartCom Certification Authority

White Paper. Installation and Configuration of Fabasoft Folio IMAP Service. Fabasoft Folio 2015 Update Rollup 3

Smart Meter PKI - Make or Buy?

Version 2.4 of April 25, 2008

NIST Test Personal Identity Verification (PIV) Cards

epki Root Certification Authority Certification Practice Statement Version 1.2

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

TELSTRA RSS CA Subscriber Agreement (SA)

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Published By: RSA Security Inc.

Public Key Infrastructure for a Higher Education Environment

Security certificate management

phicert Direct Certificate Policy and Certification Practices Statement

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Department of Defense External Interoperability Plan Version 1.0

Ciphermail S/MIME Setup Guide

Equens Certificate Policy

Certificates for computers, Web servers, and Web browser users

An Introduction to Entrust PKI. Last updated: September 14, 2004

RSA Security RSA Keon Certificate Authority PKI Product

Making Digital Signatures Work across National Borders

Designing a Windows Server 2008 Active Directory Infrastructure and Services

Microsoft vs. Red Hat. A Comparison of PKI Vendors

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Cyclope Internet Filtering Proxy. - Installation Guide -

The Security Framework 4.1 Programming and Design

DoD Root Certificate Chaining Problem

Key Management and Distribution

Technical notes for HIGHSEC eid App Middleware

Entrust Managed Services PKI

Deploying Microsoft Windows Rights Management Services

Public Key Infrastructure

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Guidance for the verification of qualified digital signatures following Swiss signature law

How to Configure Certificate Based Authentication for WorxMail and XenMobile 10

Configuring Advanced Windows Server 2012 Services

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

Certificate Authority Product Overview Technology White Paper

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

GlobalSign Enterprise Solutions

MOC ACTIVE DIRECTORY SERVICES WITH WINDOWS SERVER

Swiss Government Root CA II. Document OID:

CMS Illinois Department of Central Management Services

Course Active Directory Services with Windows Server

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server

Introduction to Network Security Key Management and Distribution

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. July 2011 Version 2.0. Copyright , The Walt Disney Company

Marriott Enrollment Server for Web User Guide V1.4

Key Management and Distribution

Secure Messaging Challenge Technical Demonstration

Comodo Certification Practice Statement

Access to Front Office services

SAP Web Application Server Security

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory Course 6426C: Three days

Security Digital Certificate Manager

Security Digital Certificate Manager

Role Based Identity and Access Management Basic Infrastructure for New Citizen Services and Lean Internal Administration

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Title: How to set up SSL between CA SiteMinder Web Access Manager - SiteMinder Policy Server and Active Directory (AD)

PKI : state of the art and future trends

Multipurpsoe Business Partner Certificates Guideline for the Business Partner

Trusting the ECA Certificate Authority in Microsoft Internet Explorer

Transcription:

TeleTrusT European Bridge CA Status and Outlook TeleTrusT Workshop, Saarbrücken, 2010-06-11 Dr. Guido von der Heidt, Siemens AG Copyright Siemens AG 2010. All rights reserved.

Secure (E-Mail) Communication across Organizations The Obstacles Existence and Use of Public Key Infrastructures (PKI) Disposability and/or provision of digital certificates Interoperability Interoperability of secure communication systems and PKI solutions Trust Acceptance of security policies and operational practices Infrastructure Access to and validation of digital certificates Know-How Know-how and support to establish secure communications between partners Page 2

Secure (E-Mail) Communication across Organizations Where the European Bridge CA comes in Existence and Use of Public Key Infrastructures (PKI) Private PKIs of large enterprises and organizations, public PKIs and certificate services of Trust Centers Interoperability Secure e-mail (S/MIME) and PKI standards (PKIX) Trust Often no trust between organizations established; still no simple standard processes available Infrastructure Public infrastructures for accessing and validating digital certificates still not developed Know-How (Small and medium) Organizations often lack know-how in setting up secure communication with partners!!! Page 3

Members of the European Bridge CA (EBCA) Member PKIs Deutsche Bank German PKI-1 der Verwaltung represented by BSI Microsoft Deutschland Siemens Deutsche Bundesbank Landesbetrieb für Statistik und Kommunikationstechnologie Niedersachsen Signaturbündnis Niedersachsen Regulierungsbehörde Österreich (RTR) Trust Centers TC Trust Center D-Trust Associated Partners Deutsche Telekom Daimler SAP Page 4

Trust Trust Models Trust Acceptance of Certificate Policies (CPs) and Certificate Practice Statements (CPS) of PKIs Ensuring root certificate validation across different IT infrastructures Bilateral Trust Mutual agreements; manual exchange of root certificates Becomes quickly unwieldy with the number of partners Bridge CA Models Trust community with Bridge CA as trust hub which establishes indirect trust between member PKIs Bridge CA defines policy requirements for member PKIs Managing Certificate Trust Lists of member root certificates Cross-certification of member PKIs with Bridge-CA Hierarchical PKIs Members PKIs sub-ordinated to a common Root CA or Members have to comply with CP of the Root Simple certificate validation through distribution of only one Root CA Page 5

Trust Trust Model of the European Bridge CA (1) Policy Conformance Seal of Quality Member PKIs must comply with the EBCA Certificate Policy Based on the standard RFC 3647 Defines a minimum security standard which must be met by the PKIs of the EBCA members, i.e. for PKI operations, PKI processes and the security of the underlying system infrastructure. Thus, members and other organizations can trust EBCA members and rely on the security of their PKI systems. Root Certificate Validation a) Certificate Trust List Distribution of a Certificate Trust List (CTL) containing the root certificates of the member PKIs Digitally signed PKCS#7 file Members and/or partner organizations need to validate the CTL and to distribute the root certificates within their IT infrastructure. Solution is not suitable for end-users Page 6 EBCA Certificate Trust List in PKCS#7 format

Trust Trust Model of the European Bridge CA (2) b) Certificate Download Service (CDS) Currently being released Provision of the EBCA CTL integrated with client SW tools which manage the validation of the CTL and the import of the root certificates in the respective client systems. Addon for Mozilla Firefox / Thunderbird Plugin for Microsoft Outlook Joint development of BSI, EBCA and FH Gelsenkirchen Simple solution for end-users as update service Not suitable for large organizations since automated updates from Internet are usually not allowed c) Cross-Certification For future discussion The EBCA does not provide cross-certification services as other Bridge-CAs (e.g. US 4 Bridges Forum) In bilateral scenarios all end-entity chain up to each member root. This causes chain validation problems due to multiple validation paths and path lengths. EBCA investigated a root-signing model in which member CAs are unilaterally crosssigned by common EBCA root integrated in current browsers and operating systems. However, this model was currently not realizable due to cost and legal reasons. Page 7 Certificate Download Service Addon for Mozilla

Infrastructure A public Infrastructure for Access and Validation of Certificates provided by the EBCA Internet Member X Clients / Servers LDAP Proxy Automated download via LDAP *) or manual download via HTTP LDAP Proxy Member Y Clients / Servers PKI System Certificate Repository PKI System EBCA Certificate Repository EBCA members can store end-entity certificate directly on the EBCA Repository (instead managing an own repository service PKI System Member Z Certificate Repository E-Mail Gateway Automated download via LDAP (or HTTP) Manual download via HTTP or automated download via LDAP / HTTP LDAP Proxy Partners (other organizations, individual end-users, ) Clients / E-Mail Gateways Page 8 Certificate download from EBCA Repository Certificate provisioning via EBCA Repository *) Lightweight Directory Access Protocol.

Infrastructure Offerings of the EBCA and Issues EBCA Offerings Public Certificate Directory service providing access to end-entity certificates of member PKIs via LDAP or HTTP. Partners need only to configure the EBCA Certificate Directory as single certificate source. EBCA members can connect own external Certificate Repositories to the EBCA Repository or store their end-entity certificates directly on the EBCA Certificate Repository. The Certificate Store function of the EBCA Certificates Repository provides a simple and affordable solution for organizations not having an own external directory service. (Technical) Issues In many cases organizations do not allow LDAP access to the Internet form their Intranets. Thus, LDAP proxy solutions are to be set-up in order to allow automated certificate download from client or server systems. Validation of external Certificate Revocation Lists (CRLs) from partners might also require proxy solutions. Not all EBCA members publish their end-entity certificates externally (by policy reasons). Page 9

Infrastructure The EBCA Certificate Repository Web-Interface for manual Certificate Download Page 10

Know-How Offerings of the EBCA Organizations often lack of know-how in setting up secure communication with partners Meaning and establishing of trust Management of root certificates Provision of own certificates and access to the partner s certificates Set-up and configuration of the IT infrastructure to support secure communication with partners Insufficient know-how on solutions provided by he European Bridge CA (and other Trust Communities) The EBCA Board and the EBCA Technical Work Group provide platforms for information exchange and best practice sharing The Board consists of the full members of the EBCA The Technical Work Group is open for all Teletrust members and guests EBCA documentation currently being updated Web-site Flyer Process documentation Page 11

Outlook and Objectives Start operation of Certificate Download Service Update of EBCA documentation Update of web-site and flyer Development of user guide(s) Increase usage of EBCA offerings Motivate members to publish their end-entity certificates (in EBCA Certificate Repository) Increase of marketing activities Gain new members for the EBCA Prerequisite for widening of activities Identify further needs and fields of activity (e.g. authentication, digital signature schemes, Trust in federation scenarios, ) Continue discussion on cross-signing services Page 12

Outlook New/Potential Members New Member in 2010: E.ON IS GmbH Potential Members: Siemens Enterprise Communications GmbH & Co. KG Page 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information