Subject: re:[pki-tc] NIST deprecates the Bridge CA Concept
I mentioned before in passing a psychological angle on the way historical PKI has been conceived. Peter then cited the problem of "subordination" to a root CA, and this reminds me of another really powerful psychological issue from the past. IMHO if we had originally conceived of root CAs as having a compliance accreditation role -- simply conferring to CAs an assertion that they were in compliance with relevant standards -- then the abhorrent notion of "subordination" would never have even arisen. Outside PKI land, I think most businesses are comfortable with being audited; they don't see themselves as being "subordinate" to their auditors, much less to the auditor accreditation boards. This is a much better model/metaphor for Root CAs.

See also http://www.lockstep.com.au/library/pki/audit_based_public_key_infras

Cheers,

Stephen Wilson.

> Sent on behalf of Peter Alterman.
>
> -----Original Message-----
> From: Alterman, Peter (NIH/CIT) [E] [mailto:altermap@mail.nih.gov]
> Sent: Thursday, April 27, 2006 8:51 AM
> To: dee.schur@oasis-open.org
> Subject: Re: [pki-tc] re:[pki-tc] NIST deprecates the Bridge CA Concept
>
> Will be soon.
> And Bill didn't slam the Bridge, he did say that in retrospect we should
> have built a fed root first, then built the bridge.
> What needs to be remembered is that at the time there was no leadership for
> such a root and the agencies in PKI refused to subordinate to anyone else's
> root.
> --------------------------
> Sent from my BlackBerry Wireless Handheld
>
>
> -----Original Message-----
> From: swilson@galexia.com.au [mailto:swilson@galexia.com.au] On Behalf Of
> Stephen Wilson
> Sent: Thursday, April 27, 2006 7:57 AM
> To: Anders Rundgren
> Cc: PKI TC
> Subject: [pki-tc] re:[pki-tc] NIST deprecates the Bridge CA Concept
>
> Anders
>
> Respectfully I submit that you are mixing together two quite separate
> issues: the questionable usefulness of Bridge CAs, and your abiding
> promotion of gateway PKI.
>
> Just to look at the Bridge CA question (and I must say I have not read Bill
> Burr's comments in detail, so I may or may not be at cross purposes with
> him) ...
>
> I have found recently in Asia that Bridge CA models are being put on hold.
> Influential private sector PKI providers in China told the APKIF in
> November that they do not think a China BCA will be useful in the
> foreseeable future; in September the Taiwanese government announced it was
> dropping its BCA proposal in favour of a Trust List approach.
>
> In my view there are fundamental reasons to question the utility of BCAs.
> I think the really basic premise of BCAs is that most individuals will only
> belong to one PKI and so have just the one certificate to be used in
> multiple domains. Then the business question of a subject in one domain
> presenting their certificate to another domain has to do with whether or
> not that certificate is equivalent (mappable). Personally, I hypothesise
> that there is some psychology involved in this model as well, based on the
> notion of security clearances in government hierarchies, and the (real)
> challenge of govt employees in one jurisdiction being at the same or higher
> or lower level of employees in other jurisdictions.
>
> The attached annotated cartoons try to compare that scenario with an
> alternative PKI model, one which is coming to dominate in Australia and I
> think in Asia -- "scheme based PKI", where there are many more or less
> closed PKIs. People will have different certificates for different
> application domains. This is fast becoming reality in the embedded PKIs of
> e-passports, national ID smartcards, PIV, EMV cards and so on.
>
> In this environment, equivalence (or questions of 'rank') of certificates
> in different domains is moot. The real issue here is whether or not a
> given certificate is fit for purpose; i.e., is it "recognised" for the
> purpose to which it is being put? I don't see how a Bridge CA helps here.
> Instead, the Trust List model is natural; relying parties simply need a
> list of the Root CAs that underpin the domains they are transacting in.
>
> I hope my cartoons are understandable in this context! I have been meaning
> to develop a more comprehensive white paper on this topic but haven't had
> time. However, an overview of the scheme based PKI approach is contained
> in http://www.lockstep.com.au/library/pki/relationship_certificates.
>
> Having said all this, we should monitor developments in the various
> industry BCAs closely, especially SAFE in pharma.
>
> Comments welcome!!!
>
> Cheers,
>
> Stephen.
>
>
> Stephen Wilson
> Lockstep Consulting Pty Ltd
> www.lockstep.com.au
> ABN 59 593 754 482
>
> 11 Minnesota Ave
> Five Dock NSW 2046
> Australia
>
> P +61 (0)414 488 851
>
> --------------------
>
> About Lockstep
> Lockstep was established in early 2004 by noted authentication expert
> Stephen Wilson, to provide independent specialist advice and analysis on
> identity management, PKI and smartcards. Lockstep is also developing
> unique new smartcard solutions to address privacy and identity theft.
>
> >
> >
> > List,
> >
> > http://www.gcn.com/print/25_9/40506-1.html
> >
> > <GCN.Quote>
> >
> > "It's much harder than we thought it would be," Burr said. "We've backed
> > the wrong horse any number of times." He said one of these wrong horses was
> > the decision to use a bridge certificate authority rather than a single
> > central certificate authority to issue and manage digital certificates
> >
> > </GCN.Quote>
> >
> >
> > Although Mr. Burr indeed later endorsed the Bridge concept as a long-term
> > goal, the immediate effect (if the US government proceeds as the article
> > described), is that vendors, allies, and consultants will back away from
> > this solution.
> >
> > In the mean-time, simpler and cheaper approaches like "gateways", will
> > effectively remove the need to ever resurrect the Bridge.
> > A client-centric Bridge CA concept also does not support the design of
> > integrated organization-to-organization workflow applications, something
> > which ought to be the long term goal for the US government IT. What
> > security principles they use (as long as they work), should be of
> > secondary importance.
> >
> > Regarding analysis of processes, there is actually quite a collection of
> > papers to read, and very few of them show a need for a trust model where an
> > employee/associate of one organization needs to be fully trusted/qualified
> > by another organization. A model where the "organization" becomes the
> > primary entity (like in Shibboleth/SAML), scales better, allows arbitrary
> > employee privacy protection, and probably works entirely satisfactory in 99
> > cases of 100. Using a 2-layer credential and signature structure (gateway
> > PKI + local PKI), you can easily take the last percent as well.
> >
> >
> > It should be like VeriSign's Phillip Hallam-Baker said on the PKI
> > Workshop 2006:
> >
> > "If I send a message from my company, I expect my company to secure it".
> >
> > If it had not been for the Bridge, we could actually have had secure
> > e-mail today. Not only within isolated islands, but for every Netizen.
> >
> >
> > Sincerely
> > Anders Rundgren
> > Principal Engineer
> > RSA Security
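
Added example, not part of the thread or of any participant's message: the Trust List model from Stephen Wilson's quoted message, sketched with the `openssl` command line. Two closed schemes each get their own root CA, and each relying party holds only a list of the roots it recognises. The scheme names (`passport`, `health`), relying-party names and subject names are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed names): two closed schemes, each with its own
# root CA, and relying parties that each hold a trust list of root certs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root SCHEME: self-signed root CA for one scheme
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1-root" \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
}

# issue SCHEME SUBJECT: end-entity certificate signed by that scheme's root
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# recognised RELYING_PARTY SUBJECT: true if the certificate chains to a root
# on that relying party's trust list. openssl verify also consults the system
# default store; the roots constructed here are not in it.
recognised() {
  openssl verify -CAfile "$WORK/$1.trustlist" "$WORK/$2.pem" >/dev/null 2>&1
}

make_root passport
make_root health
issue passport alice-passport
issue health alice-health

# Each relying party lists only the roots of the schemes it transacts in.
cat "$WORK/passport-root.pem" > "$WORK/border.trustlist"
cat "$WORK/health-root.pem" > "$WORK/pharmacy.trustlist"
cat "$WORK/passport-root.pem" "$WORK/health-root.pem" > "$WORK/insurer.trustlist"

for rp in border pharmacy insurer; do
  for cert in alice-passport alice-health; do
    if recognised "$rp" "$cert"; then r=recognised; else r="not recognised"; fi
    echo "$rp: $cert is $r"
  done
done
```

No cross-certificate or policy mapping between the two roots is involved: each relying party's decision depends only on whether the issuing root is on its own list.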