OASIS Mailing List Archives

 



pki-tc message



Subject: Re: [pki-tc] Bridge CA update?


Actually, there are quite a few "sector specific" bridge activities. 
I suspect it's driven out of community need and the fact that there 
isn't a general use service out there.

There is a web site for the US FBCA at http://www.cio.gov/fbca/
They might have stats on usage.

The Feds also decided to run a traditional hierarchical PKI for 
agencies that don't want to deal with the bridge or run their own 
PKI.  The FPKI is cross certified with the FBCA, of course.

The US Higher Education BCA (HEBCA) is patterned after the FBCA and 
will be cross certified with it.  Fortunately there are (currently) 4 
levels of cross certification represented by different mapping OIDs 
so higher ed can come in at whatever level is appropriate.  "High" 
requires things that most universities don't really care about (yet).

One other factor is emerging "federated identity" models which 
complement PKI.  In this model the PKI cert need be recognized only 
within the domain that issued it.  Identity is then asserted to the 
relying party by a trusted authority within the subject's domain. 
Therefore a "bridge" per se isn't needed for this use of the cert. 
However, a bridge is still needed for S/MIME and the like but that is 
generally a lower assurance requirement.
-----
At 11:35 AM +1100 on 1/25/05, Stephen Wilson wrote:

>Dear All
>
>Does anyone have an independent and up-to-date view of how the US Federal
>Bridge CA is travelling?  I have been told that some agencies are choosing
>to not be involved with the FBCA, for reasons I think to do with
>complexity (although I may be wrong about that). 
>
>Is the take-up rate of the Bridge meeting expectations?  Or is there
>perhaps some caution still (as there is with PKI in general)?
>
>And is there a view of what the appearance of other sector-specific
>Bridges means, in pharma, aerospace etc?  Personally, I interpret sector
>specific Bridges as a sign that PKI itself is naturally sector specific.
>
>I am drafting a paper, separate from Oasis activities at this stage, on
>PKI interoperability models, and am trying to reach a critical,
>constructive view of the Bridge. 
>
>I note that a newer European Bridge CA Model appears to be less
>prescriptive with regards to CP/CPS than the US FBCA.  I don't know a lot
>about the European model yet, but I might hazard a guess that the US FBCA
>in effect implements cross-certification (with precise policy mapping of
>all member CAs) whereas the European Bridge might be attempting "cross
>recognition" where the certificates of members are not taken as mutually
>equivalent, but rather are recognised for more particular purposes.
>
>All feedback most welcome!
>
>Cheers,
>
>Stephen.
>
>
>
>Stephen Wilson
>Lockstep Consulting Pty Ltd
>ABN 59 593 754 482
>
>11 Minnesota Ave
>Five Dock NSW 2046
>Australia
>
>P +61 (0)414 488 851
>
>--------------------
>
>About Lockstep
>Lockstep was established in early 2004 by noted authentication expert
>Stephen Wilson, to provide independent advice and analysis on cyber
>security policy, strategy, risk management, and identity management. 
>Lockstep is also developing unique new smartcard solutions to address
>privacy and identity theft.
>Contact swilson@lockstep.com.au.


