Working Group Reports Munich June 19-21, 2001 Meeting Wrap-up

Dec 27, 2015


Georgiana Allen
Page 1: Working Group Reports Munich June 19-21, 2001 Meeting Wrap-up.

Working Group Reports

Munich June 19-21, 2001

Meeting Wrap-up

Page 2

Applications Summary

Lisa Pretty (on behalf of Sandra Salvatori)

Page 3

Recap

• Confirmed members desire to have case studies/success stories delivered by the Forum
• Reviewed/revised “applications reference form”
• Developed “information capture list” for case studies/success stories
• Notary application presented by ACARNVS and discussed by the group
• Reviewed “information capture list” with group and received volunteers to provide success stories input

Page 4

Actions

• Send “applications reference form” and “information capture list” to BWG and Applications mailing lists for additional comments/revisions
• Follow-up with individuals indicating they would provide data for success stories
• Goal: draft 5 success stories prior to September
• Re-initiate “industry overview” PKI Note series working with Liaison partners and interested members

Page 5

Best Practices Summary

Blair Canavan: Working Group Chair

Page 6

Recap

• AICPA & Webtrust completed pending board approval

• Mission statement reviewed and revised pending board approval

“To define and promote a practical framework of internationally recognized standards, policies and procedures for the successful implementation and operation of PKI enabled solutions.”

• Advanced “whitebook” content

Page 7

Context: Why Best Practices

• So as not to reinvent or repeat missteps as it pertains to PKI implementation
  – So you’ve been told you need PKI?
  – So you’ve decided to “pilot” and/or deploy PKI?
  – Are you really ready for PKI?
• BPBWG may pre-empt or run contrary-to …
• Is the PKI community mature enough to advocate best practices?

Page 8

Actions

• Topics (by email) to be submitted to BPBWG by July 30th
• Checklist/framework (what are existing rules of readiness)
  – Personnel, legal issues, environmental, operational,
• Recommended and best practices
• Liaison with Applications group for case studies

Page 9

Marketing & Education Summary

Bryta Schulz: Working Group Chair

Page 10

Logistics

• BWG alias for Ed & Mktg established
  – Please subscribe
• ConCalls every second Wed of each month at 8:00 am Pacific Time (works for AP, Europe, North America); agenda will be emailed 1 week prior
  USA Toll Number: +1-712-271-0329
  PASSCODE: ED AND MKTG
  LEADER: Bryta Schulz
  – JUL-11-2001, 08:00 AM (PT)
  – AUG-08-2001, 08:00 AM (PT)
  – SEP-12-2001, 08:00 AM (PT)

Page 11

Project Update: PKI Tutorial

• “How PKI Addresses e-Business Risks” white paper
  – Reviewed and signed off by BWG
  – Pending Board Approval
• Next Step: Production by Virtual Mgmt
  – To be distributed at Sept 2001 Meeting
  – Companion PPT to be revised to synch with white paper

Page 12

Project Update: PKI Technical Tutorial

• Project Lead: Walter Fumy
• Coauthors: Bill Franklin & Nancy Bianco, Michele Rubenstein
• Outline draft circulated to group
• Draft to BWG July 10, 2001
• Draft to TWG August 8, 2001
• Goal publish for Sept 2001 Meeting

Page 13

Project Update: How PKI fits in E-Business

Purpose of the paper is to show where PKI fits in the overall security schema for e-business.

• New Project Leader: Dan Morrison
• Coauthors: Mike Jeffries, Bill Franklin, Andy Churley
• Target audience: Business Managers
• Outline draft for comment by: August 6, 2001
• Comments due by: August 14, 2001
• 1st Doc Draft: Sept 10, 2001
• 2nd Draft for BWG comment Oct 1st, 2001
• Goal to publish at Dec 2001 meeting

Page 14

Project Update: PKI note on Biometrics

• Project Leader: Jeff Stapleton
  – 2nd draft date: March 15th, 2001
  – Published!!
  – Press Release
  – Distributed at CardTechSecureTech in Las Vegas in May 2001!

Page 15

New Project: Digital Signatures

• Project Lead: Bryta Schulz
• Coauthors: Daniel Murton, Patrick Kanaishi, Dan Morrison, Andy Churley
• 1st Draft Outline July 9th, 2001
• 1st Doc Draft for Ed & Mktg review Sept 10, 2001
• Goal Publish Dec 2001.

Page 16

Policy & Privacy Summary

Jan Lovorn, Working Group Chair

Page 17

Project – White Paper

Write a white paper describing how PKI, currently and in the future, can enable e-business beyond providing authentication and data integrity security services. The white paper will focus on three business areas: law enforcement, health care, and financial services. It will address privacy and data protection mandates in these sectors, as well as issues such as archive, business continuity, and off-line retention and management of business information. This will also serve as input to the Technical Working Groups on what business requires in order to make the emerging PKI confusion into a (hopefully) seamless and transparent experience for the end user.

Action: Business areas assigned and draft due for September meeting

Page 18

Project – White Paper

Write a white paper to understand, compare and differentiate audit requirements used by bodies such as AICPA, APEC, Australia's Gatekeeper, Italy's AIPA, Identrus, etc. Working with these bodies, the paper will identify where requirements are identical and where they differ and address the interoperability of audit requirements.

Action: Assigned, Arthur Andersen lead project

Page 19

Research Information Project

Develop a guide (toolkit?) for planning policy and procedure development in support of PKI implementation. It is a tool to define process of implementing PKI and provide scoping to help PKI implementers in the development of their organization’s policy. This will also help organizations through the maze of documentation required for PKI. Possible components include:

• PKI Policy Questionnaire
• Selected PKI Policy Elements and Documents
• Templates, Guidelines and Support Resources
• Entities which must be engaged.

Action: Two interim meetings, worked on in meetings

Page 20

Implementing PKI Policy Guide

[Diagram labels: Input from PKI; Decision Process; Application(s); Workflows; Players; Implementing PKI Policy Guide]

Page 21

Implementing Policy Guide

[Diagram labels: Implementing Policy Guide; Issuer; Relying Party]

Page 22

Issuer

[Diagram labels: Issuer; Internal (for internal use); External (Hosting)]

Page 23

Technical Working Group Summary

Andrew Nash: Co-chair (missing Mark Davis)

Page 24

TWG Success – Again!

Participants     December (Sydney)   March (San Jose)   June (Munich)
Vendor           13   45%            14   35%           21   75%
ISV/Exploiter    12   41%            19   48%            2    7%
Customer**        4    9%             7   17%            5   18%
Total            29                  40                 28

** Customers include consultants

In Progress:

3 Major Interoperability Projects

4 White Papers

3 Implementation Guidelines

Complete:

3 Major Interoperability Projects

2 White Papers

But no Mark Davis – sniff!

Page 25

Fine Tuning

• Implementation guidelines
  – Represent agreements amongst vendors at PKI Forum
  – Need definition of purpose & form
• Meetings are well run, but participation between meetings is lacking
  – Not enough comment on drafts distributed on mailing lists
  – Intervening virtual meetings could be held
• Record meetings for later webcast
• Customer BOF to air issues

Page 26

Path Construction White Paper

Steve Lloyd

• Stephen Farrell of Baltimore & Steve Lloyd of Entrust are project leaders
• Steve Lloyd focusing on LDAP/repository
• David Cross (Microsoft) focusing on web based access
• Some problem areas now resolved by standards bodies:
  – LDAP
  – Forward/backward link terminology
• Discussed abstract
• Paper will not dictate path construction algorithm to vendors
• White paper followed by implementation guideline
• LDAP requirements to be communicated to LDAP white paper authors

Page 27

CESG

Richard Lampard

• 10 vendors demonstrated S/MIMEv3 signed email communication in Feb 2001
• Multilateral demo with heterogeneous CA hierarchy
• PKI Issues
  – Directory schema usage
  – Revocation based on CRLs – 50% of email clients did not handle revocation checking
  – OID usage

Page 28

CESG Phase II

• Kickoff meeting held on 14 Jun 2001
• Balancing UK Govt standards & market realities
  – S/MIMEv3, as per UK Govt standard
  – Both DSA & RSA algorithms
  – Open source reference implementation being sought
• More focus on cert profiles in this phase
• Plan to showcase demo at Information Security show in Apr 2002
• Plan to integrate with the EEMA PKI Challenge
• New participants still welcome

Page 29

Application Certificate Usage

David Crowe

• Results submission procedure proposal was approved
• Open issues:
  – Should results be published publicly or for members only?
  – Should results be printed (or published on web site only)?
• David Crowe assumes a background role
• Microsoft is planning to submit some results soon
• Tony Rogers (of CA) is setting up cert repository
  – Reside on PKI Forum web site
• Received certs from Microsoft & CA

Page 30

SKID Implementation Guideline

Steve Lloyd

• First implementation guideline reviewed
• AKIDs & SKIDs can be calculated in multiple ways
• Recommendation is that requesting CA provide its SKID to the foreign CA in the cross-certificate request
• Unanimous agreement!!!
• But, are we getting too close to setting standards?
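Why the SKID recommendation above matters, as an added example that is not part of the original slides: RFC 2459 section 4.2.1.2 describes two common ways to derive a key identifier, and a cross-certificate whose SKID was recomputed by the foreign CA with the other method no longer matches the AKID in certificates the requesting CA has already issued. The key bytes, certificate dictionaries and the foreign CA's default behaviour are constructed assumptions.

```python
import hashlib
from typing import Optional

# Constructed sample: stands in for the contents of the requesting CA's
# subjectPublicKey BIT STRING (tag, length and unused-bits octet excluded).
REQUESTER_KEY = bytes(range(1, 65))

def skid_method1(subject_public_key: bytes) -> bytes:
    """RFC 2459 4.2.1.2 method (1): the 160-bit SHA-1 hash of the key bits."""
    return hashlib.sha1(subject_public_key).digest()

def skid_method2(subject_public_key: bytes) -> bytes:
    """RFC 2459 4.2.1.2 method (2): 4-bit type field 0100 followed by the
    least significant 60 bits of the SHA-1 hash (8 octets in total)."""
    tail = bytearray(hashlib.sha1(subject_public_key).digest()[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)
    return bytes(tail)

def issue_cross_cert(key: bytes, requested_skid: Optional[bytes] = None) -> dict:
    """Hypothetical foreign CA that derives SKIDs with method (2) unless the
    cross-certificate request carries the requester's own SKID."""
    skid = requested_skid if requested_skid is not None else skid_method2(key)
    return {"subject": "CN=Requesting CA", "skid": skid}

def links_by_key_id(issuer_cert: dict, child_cert: dict) -> bool:
    """Key-identifier matching as used in path building: the child's AKID
    must equal the issuer certificate's SKID."""
    return child_cert["akid"] == issuer_cert["skid"]

def demo() -> tuple:
    # The requesting CA stamps method (1) values into the AKID of every
    # certificate it issues (constructed end-entity certificate).
    own_skid = skid_method1(REQUESTER_KEY)
    end_entity = {"subject": "CN=alice", "akid": own_skid}
    recomputed = issue_cross_cert(REQUESTER_KEY)          # foreign CA guesses
    supplied = issue_cross_cert(REQUESTER_KEY, own_skid)  # guideline followed
    return (links_by_key_id(recomputed, end_entity),
            links_by_key_id(supplied, end_entity))

if __name__ == "__main__":
    print(demo())
```
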

Page 31

User & CA Cert Implementation Guidelines

Richard Lampard

• Draft papers issued on 30 May 2001
• The guidelines focus mainly on cert profiles
• Action plan:
  – Issue revisions reflecting comments already received
  – Vendors to get Engineering concurrence 6 weeks later
• CRL implementation guidelines planned

Page 32

CMP Project Update

Steve Lloyd

• Steve provided a synopsis on the project, for Bob Moskowitz’s, for the benefit of new attendees

• The project has completed its 1st phase, & is planning 2nd phase

• Lessons learned (from 1st phase) being written up

Page 33

TeleTrust European Bridge CA

Holger Reif

• Hub architecture defined
• Trusted root CAs are maintained in a trust list
• Three means of implementing inter-domain trust were discussed
• Publication & retrieval of revocation status were discussed
  – Revocation information maintained by members rather than Bridge
• Used PKI Forum CA-CA Interoperability paper as basis for trust model
• Focused on e-mail apps initially
• Multiple CA and 3rd party product vendors
• Interoperability testing taking place

Page 34

PKI Challenge (pkiC) Update

Frank Jorissen

• MOU between EEMA & PKI Forum now in force
  – Liaison also exists between EEMA & CESG
• ECAF Model part 2 initiated, will focus on PKA (public key applications)
• pkiC is vendor led
• Mission is to achieve “PKI as an open operating system” for various PKAs
• Focusing on stable & commercially stable standards
• Two groups involved in project:
  – Project Consortium: companies planning & running pkiC
  – Testing participants: companies involved in testing

Page 35

pkiC WP2 Update

• Although directories will be involved, directory interoperability is not the focus of pkiC
• Testing against reference implementation (in development)
• PKA Interoperability
  – S/MIME signed & encrypted email (essential)
  – Secure documents, signed web objects, secure time stamping, applications using qualified certificates (under consideration)

Page 36

pkiC WP2 Update

• PKI interoperability
  – CA certification with 3-level hierarchy (essential)
  – Certification by file exchange (essential)
  – Remote enrollment (under consideration)
  – Smart cards (under consideration)
  – IETF/EESSI qualified certificates (under consideration)
  – CA/RA interoperability (under consideration)
• Directory & validation services
  – LDAP (essential)
  – Directory schema & naming conventions (essential)
  – (others under consideration)

Page 37

Token Interoperability/Portability

Andrew Nash

• Draft white paper distributed
• TWG review
• Structural suggestions and review comments provided
• WP approval targeted at September meeting

Page 38

Wireless Certificates

Oliver Pfaff

• 2 approaches to delivery of Internet to wireless devices:
  – NTT DoCoMo (HTML proxy-based)
  – WAP (WAP gateway-based)
• Wireless PKI (WPKI) developed through WAP Security Group (WSG), has specs:
  – WTLS cert
  – WAPCert
  – WPKI definition
• Very large consumer PKI domains anticipated for wireless devices
• Deployment could be held back if multiple infrastructures
• WAP on current generation GSM devices unpopular, due to high cost & low bandwidth

Page 39

Technical Working Group

Technically Innovative Leadership

Page 40

Meeting Wrap-up

• 83 people attended meeting over 3 day period
  – 5 non-members
  – 11 countries represented
  – 6 customers/end users of PKI
• Series of European presentation re: PKI Deployment
• Strengthened liaison relationship with TeleTrusT
• Advanced/re-initiated activities in all working groups
• Lots of networking -- fun evening out with Siemens

Page 41

Informal Survey

• How many people committed to contribute to at least one project prior to the next meeting?

• How many people plan to attend the Q3 meeting September 18-20 at the Eaton Centre Marriott in Toronto?

• How many people will attend Q4 meeting December 4-6 in Singapore?
  – APAC meeting travel issue?
  – Would other location result in higher attendance?
  – Is four meetings a year too many?

Page 42

PKI Forum’s Unique Role

ADVOCATING industry cooperation

ADVANCING market awareness

ACCELERATING PKI adoption