Direct Project Direct + Policy Enablement. 12/06/10 Overview Policy Role In Direct Policy Enablement Security and Trust Support Architecture Tool Demo.

Direct Project

Direct + Policy Enablement

12/06/10

Overview

• Policy Role In Direct• Policy Enablement• Security and Trust Support• Architecture• Tool Demo

12/06/10

Policy Role In Direct

• Scalable Trust• Philosophy for enabling Direct exchange between a large number

of endpoints• Policy first class citizen in scalable trust

• Mitigates policy variance• Proposed Policy Requirements

• Federal Community Requirements• Governance

• Trust Bundles• Technical solution to scalable trust• Bundle profiles define policy requirements

• Only define and attest policy compliance• Can not assert and enforce policy• Bundles alone are not enough

12/06/10

Policy Enablement

• Facilitate Policy Decisions at Runtime• Systemic assertion of policy profile compliance

• Direct 2.0 vs Policy Enablement• 2.0 may imply specification changes

• Potential compatibility issues• Policy enablement requires no specification changes

• Optional module• Backward compatible at transport

12/06/10

Security and Trust Support

• Modular Components• Encryption• Signature• Cert Discovery• Trust Chaining

• Current Policy Ability • Simple binary trust decision based on certificate chain validation

12/06/10

Security and Trust Support

Current State – Outgoing Message

• Certificate Store• Dual Use Certificates

• Private Resolver• All non-expired• All non-revoked

• Public Resolver• All non-expired• All non-revoked

• Trust• Chain to trust anchor

12/06/10

Security and Trust Support

Current State – Incoming Message

• Certificate Store• Dual Use Certificates

• Private Resolver• All non-expired• All non-revoked

• Verification• Message integrity

• Trust• Chain to trust anchor

12/06/10

Security and Trust Support

• Optional Policy Enablement Module• Policy implemented as filters• Injected into security and trust process

• Private Certificate Resolution• Public Certificate Resolution• Trust Chain Validation

• Configurable Granularity• Message Direction• Message Source• Message Destination• Circles of Trust

• Can be applied to DNS or LDAP hosting• Defined Policy Best Practices

12/06/10

Security and Trust Support

Policy Enabled State – Outgoing Message

• Certificate Store• Dual Use or Single Use

Certificates• Private Resolver

• All non-expired• All non-revoked

• Public Resolver• All non-expired• All non-revoked

• Trust• Chain to trust anchor

• Policy Filter• Filter certs that meet

configured criteria

12/06/10

Security and Trust Support

Policy Enabled State – Incoming Message

• Certificate Store• Dual Use or Single Use

Certificates• Private Resolver

• All non-expired• All non-revoked

• Public Resolver• All non-expired• All non-revoked

• Verification• Message integrity

• Policy Filter• Filter certs that meet

configured criteria

Policy Engine

• Policy Engine (direct-policy.jar)• Policy defined in lexicon specific

language• Definition + X509 Certificate

processed by engine• Engine evaluates boolean value to

indicate certificate compliance with policy

• Policy filter equates to policy engine process in security and trust agent

12/06/10

Architecture

Intermediate State

Policy Definition

Lexicon Parser

Compiler

Opcodes

Executor

Boolean Decision

X509 Cert

12/06/10

Policy Engine Use Cases

• Build Policy Definitions• Tooling to build definition file

• Policy filters in security and trust agent• Out of band policy validation

• Trust bundle profile validation for anchors• End entity certificate validation to CP or CPS

12/06/10

Release Schedule

• Q2 2013• Policy Engine• Security and Trust Agent• Configuration Service• Command Line Import and Configuration of Definitions• Gateway• Policy Validator

• Summer/Early Fall 2013• Visual Policy Builders• Config-UI integration

• Java RI 3.0 to include Q2 2013 release components

12/06/10

For More Information

• Direct + Policy Proposal: http://wiki.directproject.org/file/detail/Direct+%2B+Policy+Enablement.docx

• Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum

• Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forum-summary-of-findings-report.pdf

• Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group

• Scalable Trust Story: https://secure.bluebuttontrust.org

12/06/10

Policy Validation Tool Demo

DEMO!!