Subject: re:[pki-tc] NIST deprecates the Bridge CA Concept
Anders,

Respectfully I submit that you are mixing together two quite separate issues: the questionable usefulness of Bridge CAs, and your abiding promotion of gateway PKI.

Just to look at the Bridge CA question (and I must say I have not read Bill Burr's comments in detail, so I may or may not be at cross purposes with him) ... I have found recently in Asia that Bridge CA models are being put on hold. Influential private sector PKI providers in China told the APKIF in November that they do not think a China BCA will be useful in the foreseeable future; in September the Taiwanese government announced it was dropping its BCA proposal in favour of a Trust List approach.

In my view there are fundamental reasons to question the utility of BCAs. I think the really basic premise of BCAs is that most individuals will only belong to one PKI and so have just the one certificate to be used in multiple domains. Then the business question of a subject in one domain presenting their certificate to another domain has to do with whether or not that certificate is equivalent (mappable). Personally, I hypothesise that there is some psychology involved in this model as well, based on the notion of security clearances in government hierarchies, and the (real) challenge of govt employees in one jurisdiction being at the same or higher or lower level than employees in other jurisdictions.

The attached annotated cartoons try to compare that scenario with an alternative PKI model, one which is coming to dominate in Australia and I think in Asia -- "scheme based PKI", where there are many more or less closed PKIs. People will have different certificates for different application domains. This is fast becoming reality in the embedded PKIs of e-passports, national ID smartcards, PIV, EMV cards and so on. In this environment, equivalence (or questions of 'rank') of certificates in different domains is moot.
The real issue here is whether or not a given certificate is fit for purpose; i.e., is it "recognised" for the purpose to which it is being put? I don't see how a Bridge CA helps here. Instead, the Trust List model is natural; relying parties simply need a list of the Root CAs that underpin the domains they are transacting in.

I hope my cartoons are understandable in this context! I have been meaning to develop a more comprehensive white paper on this topic but haven't had time. However, an overview of the scheme based PKI approach is contained in http://www.lockstep.com.au/library/pki/relationship_certificates.

Having said all this, we should monitor developments in the various industry BCAs closely, especially SAFE in pharma.

Comments welcome!!!

Cheers,

Stephen.

Stephen Wilson
Lockstep Consulting Pty Ltd
www.lockstep.com.au
ABN 59 593 754 482
11 Minnesota Ave
Five Dock NSW 2046
Australia
P +61 (0)414 488 851
--------------------
About Lockstep
Lockstep was established in early 2004 by noted authentication expert Stephen Wilson, to provide independent specialist advice and analysis on identity management, PKI and smartcards. Lockstep is also developing unique new smartcard solutions to address privacy and identity theft.

> List,
>
> http://www.gcn.com/print/25_9/40506-1.html
>
> <GCN.Quote>
>
> "It's much harder than we thought it would be," Burr said. "We've backed the wrong horse any number of times." He said one of these wrong horses was the decision to use a bridge certificate authority rather than a single central certificate authority to issue and manage digital certificates
>
> </GCN.Quote>
>
> Although Mr. Burr indeed later endorsed the Bridge concept as a long-term goal, the immediate effect (if the US government proceeds as the article described) is that vendors, allies, and consultants will back away from this solution.
>
> In the mean-time, simpler and cheaper approaches like "gateways" will effectively remove the need to ever resurrect the Bridge.
> A client-centric Bridge CA concept also does not support the design of integrated organization-to-organization workflow applications, something which ought to be the long term goal for the US government IT. What security principles they use (as long as they work) should be of secondary importance.
>
> Regarding analysis of processes, there is actually quite a collection of papers to read, and very few of them show a need for a trust model where an employee/associate of one organization needs to be fully trusted/qualified by another organization. A model where the "organization" becomes the primary entity (like in Shibboleth/SAML) scales better, allows arbitrary employee privacy protection, and probably works entirely satisfactorily in 99 cases of 100. Using a 2-layer credential and signature structure (gateway PKI + local PKI), you can easily take the last percent as well.
>
> It should be like VeriSign's Phillip Hallam-Baker said at the PKI Workshop 2006:
>
> "If I send a message from my company, I expect my company to secure it".
>
> If it had not been for the Bridge, we could actually have had secure e-mail today. Not only within isolated islands, but for every Netizen.
>
> Sincerely
> Anders Rundgren
> Principal Engineer
> RSA Security
Attachment: bridge CA comparison SGW (0.2a).ppt
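The two models contrasted in the post above, as an added example that is not code from the original message, its author, Lockstep, or the quoted reply: a small Python model of certificate path discovery and recognition under a Bridge CA with cross-certificates and policy mapping, beside a per-purpose Trust List. Certificates are plain records without keys or signatures, so nothing cryptographic is verified; the agency, bridge and scheme names, the policy labels, the sample certificates and the function names (build_path, validate_bridge, validate_trust_list, demo) are all constructed for this illustration, and the policy processing is a deliberate simplification of RFC 5280 section 6.1 (no inhibit-mapping, any-policy or explicit-policy handling).

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Structural stand-in for an X.509 certificate: names, the certificatePolicies the
    issuer asserts for the subject, and any policyMappings (issuer-domain policy ->
    subject-domain policy). No keys or signatures: the model covers trust topology only."""
    subject: str
    issuer: str
    policies: frozenset
    mappings: dict = field(default_factory=dict)


def build_path(leaf, certs, anchors):
    """Depth-first discovery upward from the leaf by issuer name until a certificate
    issued directly by a trust anchor is reached. Returns the path ordered from the
    certificate under the anchor down to the leaf, or None. Cross-certificates are
    ordinary entries in `certs`; `seen` stops the A -> bridge -> A loops they create."""
    def walk(cert, seen):
        if cert.issuer in anchors:
            return [cert]
        for c in certs:
            if c.subject == cert.issuer and c.subject not in seen:
                rest = walk(c, seen | {c.subject})
                if rest:
                    return rest + [cert]
        return None
    return walk(leaf, frozenset({leaf.subject}))


def validate_bridge(leaf, certs, local_anchor, required_policy):
    """Bridge CA model: the relying party trusts only its own root and asks whether the
    foreign certificate is 'mappable' onto its own assurance level. Simplified RFC 5280
    policy processing: walk the path from the top, keep the policies still valid in the
    current issuer's domain, then translate them through that certificate's mappings."""
    path = build_path(leaf, certs, {local_anchor})
    if path is None:
        return ("no path", frozenset())
    valid = frozenset({required_policy})
    for cert in path:
        valid = valid & cert.policies
        if not valid:
            return ("path found but policy not equivalent", frozenset())
        valid = frozenset(cert.mappings.get(p, p) for p in valid)
    return ("accepted", valid)


def validate_trust_list(leaf, certs, purpose, trust_list):
    """Trust List model: one list of root names per application domain. A certificate is
    recognised for a purpose iff it chains to a root on that purpose's list; equivalence
    across domains never comes up."""
    path = build_path(leaf, certs, trust_list.get(purpose, set()))
    return "recognised" if path is not None else "not recognised"


def cert(certs, subject):
    return next(c for c in certs if c.subject == subject)


# Constructed sample for the bridge model (all names hypothetical). Agency A is the
# relying party; B and C are cross-certified through a bridge in both directions, and
# C's cross-certificate from the bridge is issued at a lower assurance level.
BRIDGE_CERTS = [
    Cert("FBCA", "Agency B Root", frozenset({"B-medium"}), {"B-medium": "FBCA-medium"}),
    Cert("FBCA", "Agency A Root", frozenset({"A-medium"}), {"A-medium": "FBCA-medium"}),
    Cert("Agency B Root", "FBCA", frozenset({"FBCA-medium"}), {"FBCA-medium": "B-medium"}),
    Cert("Agency C Root", "FBCA", frozenset({"FBCA-basic"}), {"FBCA-basic": "C-basic"}),
    Cert("alice@agency-a", "Agency A Root", frozenset({"A-medium"})),
    Cert("bob@agency-b", "Agency B Root", frozenset({"B-medium"})),
    Cert("carol@agency-c", "Agency C Root", frozenset({"C-basic"})),
]

# Constructed sample for the scheme-based model: two closed PKIs, one root list per purpose.
SCHEME_CERTS = [
    Cert("passport:P1234567", "Passport CSCA", frozenset({"icao-mrtd"})),
    Cert("card:4000-0000", "Card Scheme Root", frozenset({"emv-issuer"})),
]
TRUST_LIST = {"border-control": {"Passport CSCA"}, "payment": {"Card Scheme Root"}}


def demo():
    """Run both models over the samples; returns the outcome of each scenario."""
    root, need = "Agency A Root", "A-medium"
    passport = cert(SCHEME_CERTS, "passport:P1234567")
    return {
        "bridge: own user": validate_bridge(cert(BRIDGE_CERTS, "alice@agency-a"), BRIDGE_CERTS, root, need),
        "bridge: mappable foreign user": validate_bridge(cert(BRIDGE_CERTS, "bob@agency-b"), BRIDGE_CERTS, root, need),
        "bridge: foreign user, lower level": validate_bridge(cert(BRIDGE_CERTS, "carol@agency-c"), BRIDGE_CERTS, root, need),
        "trust list: passport at border": validate_trust_list(passport, SCHEME_CERTS, "border-control", TRUST_LIST),
        "trust list: passport for payment": validate_trust_list(passport, SCHEME_CERTS, "payment", TRUST_LIST),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running it prints one outcome per scenario: Alice's own-domain certificate and Bob's bridge-mapped one are accepted (Bob's path runs through two cross-certificates, and the loop guard is what keeps the reverse B-to-bridge cross-certificate from sending path discovery in circles); Carol's certificate chains to Agency A's root through the bridge yet is refused, because her domain's cross-certificate was issued at basic rather than medium assurance; and the passport certificate is recognised at the border but not for payment, with no mapping question ever arising. That is the post's distinction between "equivalent" and "fit for purpose" in executable form.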