The OASIS PKI Adoption TC: Objectives and Case Studies. Burton Group Catalyst Meeting, Barcelona, Spain, 22 October 2007. June Leung, OASIS PKI Adoption TC. www.oasis-open.org



The OASIS PKI Adoption TC: Objectives and Case Studies

Burton Group Catalyst Meeting, Barcelona, Spain, 22 October 2007

June Leung, OASIS PKI Adoption TC

www.oasis-open.org

The PKI environment c. 2006

PKI is resurgent
Embedded PKI is commonplace
We’re all in the midst of a paradigm shift to identity plurality
Digital certificates can be about relationships as well as (or instead of) personal identity
Successful PKI has always been application specific, not general purpose

Resurgent, embedded PKI

Closed (vertical) schemes: US PIV, Identrus, ICAO e-passports, CableLabs, Skype, BankID (Sweden)
Health smartcards: France, Germany, Taiwan, Italy, Austria, Australia …
Digital credentials: US Patent Office, France, Taiwan, Australia …

Identity plurality

“Identity 2.0” (archetype: Cardspace)
Too soon to tell precise outcomes
But it’s a progressive re-think of identity, context, privacy, control etc.
Fundamental concept is plurality of identities.

Stephen Kent’s critique: “For big CAs, there is an implicit assumption that a single certificate is all that a user should need. This assumes that one identity is sufficient for all applications, which contradicts experience”

The top five obstacles

According to OASIS Surveys 1 & 2:

1. Software applications don’t support PKI

2. Costs too high

3. PKI poorly understood

4. Too much focus on technology (not need)

5. Poor interoperability

PKIA TC: Fresh objectives

Continue to overcome obstacles with targeted practical initiatives that improve understanding of PKI
Disseminate case studies
Develop position papers that de-mystify legal, governance and interoperability issues and modernise the PKI message so it reflects real needs
Liaise more closely with other OASIS efforts, esp. under the umbrella of the new IDtrust Member Section

Case studies & TC deliverables

Embedded PKI application: Device authentication schemes

Some of the oldest, most successful PKIs are for device authentication:
GSM cell phone SIM cards
SSL server certificates
IPsec VPN devices
CableLabs PKI for Cable TV set-top boxes (www.cablelabs.com/certqual/security)

Embedded PKI application: Skype

Each Skype subscriber receives a digital certificate embedded in the Skype install
“Zero User Interface” (ZUI) principle, i.e. the subscriber is unaware of their certificate!

http://share.skype.com/sites/security

Embedded PKI application: Medicos’ smartcards

France (500,000 doctors)
Rolling out 40 million PKI smartcards for patients, for secure e-health
Taiwan (300,000 doctors)
Australia (10,000 doctors)
Wide range of PKI-enabled govt lodgments
Electronic prescribing in development
Certificates represent doctor’s qualifications
Planning “wholesale” supply of certs to hospitals etc.
See www.hesa.gov.au

Vertical PKI application: University sector national PKI “Australian Access Federation”

“an infrastructure to facilitate trusted communications and collaboration within and between higher education and research institutions both locally and internationally … in line with the objective of providing researchers with access to an environment necessary to support world-class research”

Working with Shibboleth (single sign-on) and international grid computing

See www.hesa.gov.au

PKIA TC Policy Initiative: New legal viewpoints in PKI

Objective to de-mystify traditionally complex or confusing aspects of PKI, e.g. the “Security Printer Model”
Conceptualizes the backend CA as ‘minting’ certificates on order from the RA, like printing cheques
Decouples the CA from policy and from user liability
When someone writes a bad cheque, nobody sues the cheque printer!
See http://tinyurl.com/2g4q4d

Aim to complete one or more papers late CY07

www.oasis-open.org

OASIS PKI Technical Committee: www.oasis-open.org/committees/pki

Stephen Wilson, [email protected], 0414 488851