Direct Project Direct + Policy Enablement
Dec 29, 2015
12/06/10
Overview
• Policy Role In Direct
• Policy Enablement
• Security and Trust Support
• Architecture
• Tool Demo
Policy Role In Direct
• Scalable Trust
• Philosophy for enabling Direct exchange between a large number of endpoints
• Policy first class citizen in scalable trust
• Mitigates policy variance
• Proposed Policy Requirements
• Federal Community Requirements
• Governance
• Trust Bundles
• Technical solution to scalable trust
• Bundle profiles define policy requirements
• Only define and attest policy compliance
• Can not assert and enforce policy
• Bundles alone are not enough
Policy Enablement
• Facilitate Policy Decisions at Runtime
• Systemic assertion of policy profile compliance
• Direct 2.0 vs Policy Enablement
• 2.0 may imply specification changes
• Potential compatibility issues
• Policy enablement requires no specification changes
• Optional module
• Backward compatible at transport
Security and Trust Support
• Modular Components
• Encryption
• Signature
• Cert Discovery
• Trust Chaining
• Current Policy Ability
• Simple binary trust decision based on certificate chain validation
Security and Trust Support
Current State – Outgoing Message
• Certificate Store
• Dual Use Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Public Resolver
• All non-expired
• All non-revoked
• Trust
• Chain to trust anchor
Security and Trust Support
Current State – Incoming Message
• Certificate Store
• Dual Use Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Verification
• Message integrity
• Trust
• Chain to trust anchor
Security and Trust Support
• Optional Policy Enablement Module
• Policy implemented as filters
• Injected into security and trust process
• Private Certificate Resolution
• Public Certificate Resolution
• Trust Chain Validation
• Configurable Granularity
• Message Direction
• Message Source
• Message Destination
• Circles of Trust
• Can be applied to DNS or LDAP hosting
• Defined Policy Best Practices
Security and Trust Support
Policy Enabled State – Outgoing Message
• Certificate Store
• Dual Use or Single Use Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Public Resolver
• All non-expired
• All non-revoked
• Trust
• Chain to trust anchor
• Policy Filter
• Filter certs that meet configured criteria
Security and Trust Support
Policy Enabled State – Incoming Message
• Certificate Store
• Dual Use or Single Use Certificates
• Private Resolver
• All non-expired
• All non-revoked
• Public Resolver
• All non-expired
• All non-revoked
• Verification
• Message integrity
• Policy Filter
• Filter certs that meet configured criteria
Policy Engine
• Policy Engine (direct-policy.jar)
• Policy defined in lexicon specific language
• Definition + X509 Certificate processed by engine
• Engine evaluates boolean value to indicate certificate compliance with policy
• Policy filter equates to policy engine process in security and trust agent
Architecture
[Diagram labels: Policy Definition, Lexicon Parser, Intermediate State, Compiler, Opcodes, Executor, X509 Cert, Boolean Decision]
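
The stages named on the Architecture slide (lexicon parser, compiler, opcodes, executor, boolean decision), as an added Python sketch that is not code from direct-policy.jar. The S-expression lexicon, the operator names, the `$field` syntax and the pre-extracted certificate dictionaries are all assumptions made for illustration; the sample policy keeps only single-use encryption certificates, and a certificate missing a referenced field is treated as non-compliant.

```python
import re

# Hypothetical lexicon for illustration: operator name -> (arity, function).
OPS = {"not": (1, lambda a: not a), "and": (2, lambda a, b: a and b),
       "or": (2, lambda a, b: a or b), "has": (2, lambda a, b: b in a)}

def parse(tokens):
    """Lexicon parser: token list -> nested lists (the intermediate state)."""
    tok = tokens.pop(0)
    if tok != "(":
        return tok
    node = []
    while tokens[0] != ")":
        node.append(parse(tokens))
    tokens.pop(0)  # consume ")"
    return node

def emit(node):
    """Compiler: tree -> postfix opcodes, operands before their operator."""
    if isinstance(node, str):
        return [("FIELD", node[1:]) if node.startswith("$") else ("LIT", node)]
    name, *args = node
    if not isinstance(name, str) or name not in OPS or len(args) != OPS[name][0]:
        raise ValueError(f"bad expression: {node}")
    return [op for arg in args for op in emit(arg)] + [(name, None)]

def compile_policy(text):
    return emit(parse(re.findall(r"[()]|[^\s()]+", text)))

def complies(ops, cert):
    """Executor: run opcodes on one certificate; a missing field fails closed."""
    if any(op == "FIELD" and arg not in cert for op, arg in ops):
        return False
    stack = []
    for op, arg in ops:
        if op in ("FIELD", "LIT"):
            stack.append(cert[arg] if op == "FIELD" else arg)
        else:
            arity, fn = OPS[op]
            stack.append(fn(*reversed([stack.pop() for _ in range(arity)])))
    return bool(stack.pop())

# Constructed sample data: fields pre-extracted, no real X.509 parsing.
POLICY = "(and (has $keyUsage keyEncipherment) (not (has $keyUsage digitalSignature)))"
CERTS = {"dual-use": {"keyUsage": {"digitalSignature", "keyEncipherment"}},
         "enc-only": {"keyUsage": {"keyEncipherment"}}, "no-key-usage": {}}

def policy_filter(ops, certs):
    return [name for name, cert in certs.items() if complies(ops, cert)]
```

Compiling once and running the same opcode list against every candidate certificate mirrors the slide's split between compiler and executor.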
Policy Engine Use Cases
• Build Policy Definitions
• Tooling to build definition file
• Policy filters in security and trust agent
• Out of band policy validation
• Trust bundle profile validation for anchors
• End entity certificate validation to CP or CPS
Release Schedule
• Q2 2013
• Policy Engine
• Security and Trust Agent
• Configuration Service
• Command Line Import and Configuration of Definitions
• Gateway
• Policy Validator
• Summer/Early Fall 2013
• Visual Policy Builders
• Config-UI integration
• Java RI 3.0 to include Q2 2013 release components
For More Information
• Direct + Policy Proposal: http://wiki.directproject.org/file/detail/Direct+%2B+Policy+Enablement.docx
• Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum
• Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forum-summary-of-findings-report.pdf
• Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group
• Scalable Trust Story: https://secure.bluebuttontrust.org
Policy Validation Tool Demo
DEMO!!