
Subject: re:[pki-tc] NIST deprecates the Bridge CA Concept

The following should be read with the *enterprise* in mind:

A minor "snag" in some of these descriptions is that commercial root signing
costs a minor fortune [*].  S.c. "managed PKI" (semi-outsourced) is a step in
between, but I think even this one is out of question for many companies.

It is also good to keep in mind that a Windows 2K3 Server already
contains a *free* full-blown CA that integrates with the desktop systems
and Active Directory.  Naturally such things affect enterprises' "lust"
for additional expenses.  One might say that such companies are
short-sighted and narrow-minded but what's the point?  It is their money.

Since root-signing (PKI root canal?) of an enterprise PKI does not make
internal operations more secure (which was the primary reason for getting the
PKI in the first place), there are quite a lot of obstacles outside of a strictly
managed government environment.  Not only of a psychological nature.


*] Unlike GW-PKI which only costs some $500/Y and does not make enterprise
PKI deployment a prerequisite for carrying out sophisticated org-to-org tasks
like fully integrated e-purchasing (something the enterprise PKI does not support).

----- Original Message ----- 
From: "Stephen Wilson" <swilson@lockstep.com.au>
To: "Dee Schur" <dee.schur@oasis-open.org>
Cc: <pki-tc@lists.oasis-open.org>
Sent: Thursday, April 27, 2006 16:31
Subject: [pki-tc] re:[pki-tc] NIST deprecates the Bridge CA Concept

I mentioned before in passing a psychological angle on the way historical
PKI has been conceived.  Peter then cited the problem of "subordination" to
a root CA, and this reminds me of another really powerful psychological
issue from the past.  

IMHO if we had originally conceived of root CAs as having a compliance
accreditation role -- simply conferring to CAs an assertion that they were
in compliance with relevant standards -- then the abhorrent notion of
"subordination" would never have even arisen.  

Outside PKI land, I think most businesses are comfortable with being
audited; they don't see themselves as being "subordinate" to their
auditors, much less to the auditor accreditation boards.  This is a much
better model/metaphor for Root CAs. 

See also http://www.lockstep.com.au/library/pki/audit_based_public_key_infras


Stephen Wilson.

> Sent on behalf of Peter Alterman.
> -----Original Message-----
> From: Alterman, Peter (NIH/CIT) [E] [mailto:altermap@mail.nih.gov] 
> Sent: Thursday, April 27, 2006 8:51 AM
> To: dee.schur@oasis-open.org
> Subject: Re: [pki-tc] re:[pki-tc] NIST deprecates the Bridge CA Concept
> Will be soon. 
> And Bill didn't slam the Bridge, he did say that in retrospect we should
> have built a fed root first, then built the bridge. 
> What needs to be remembered is that at the time there was no leadership for
> such a root and the agencies in PKI refused to subordinate to anyone else's
> root. 
> --------------------------
> Sent from my BlackBerry Wireless Handheld
> -----Original Message-----
> From: swilson@galexia.com.au [mailto:swilson@galexia.com.au] On Behalf Of
> Stephen Wilson
> Sent: Thursday, April 27, 2006 7:57 AM
> To: Anders Rundgren
> Cc: PKI TC
> Subject: [pki-tc] re:[pki-tc] NIST deprecates the Bridge CA Concept
> Anders
> Respectfully I submit that you are mixing together two quite separate
> issues: the questionable usefulness of Bridge CAs, and your abiding
> promotion of gateway PKI.  
> Just to look at the Bridge CA question (and I must say I have not read Bill
> Burr's comments in detail, so I may or may not be at cross purposes with
> him) ... 
> I have found recently in Asia that Bridge CA models are being put on hold.
>  Influential private sector PKI providers in China told the APKIF in
> November that they do not think a China BCA will be useful in the
> foreseeable future; in September the Taiwanese government announced it was
> dropping its BCA proposal in favour of a Trust List approach.  
> In my view there are fundamental reasons to question the utility of BCAs. 
> I think the really basic premise of BCAs is that most individuals will only
>  belong to one PKI and so have just the one certificate to be used in
> multiple domains.  Then the business question of a subject in one domain
> presenting their certificate to another domain has to do with whether or
> not that certificate is equivalent (mappable).  Personally, I hypothesise
> that there is some psychology involved in this model as well, based on the
> notion of security clearances in government hierarchies, and the (real)
> challenge of govt employees in one jurisdiction being at the same or higher
> or lower level of employees in other jurisdictions. 
> The attached annotated cartoons try to compare that scenario with an
> alternative PKI model, one which is coming to dominate in Australia and I
> think in Asia -- "scheme based PKI", where there are many more or less
> closed PKIs.  People will have different certificates for different
> application domains.  This is fast becoming reality in the embedded PKIs of
> e-passports, national ID smartcards, PIV, EMV cards and so on.  
> In this environment, equivalence (or questions of 'rank') of certificates
> in different domains is moot.  The real issue here is whether or not a
> given certificate is fit for purpose; i.e., is it "recognised" for the
> purpose to which it is being put?  I don't see how a Bridge CA helps here.
>  Instead, the Trust List model is natural; relying parties simply need a
> list of the Root CAs that underpin the domains they are transacting in. 
> I hope my cartoons are understandable in this context!  I have been meaning
> to develop a more comprehensive white paper on this topic but haven't had
> time.  However, an overview of the scheme based PKI approach is contained
> in http://www.lockstep.com.au/library/pki/relationship_certificates. 
> Having said all this, we should monitor developments in the various
> industry BCAs closely, especially SAFE in pharma. 
> Comments welcome!!! 
> Cheers, 
> Stephen.
> Stephen Wilson
> Lockstep Consulting Pty Ltd
> www.lockstep.com.au
> ABN 59 593 754 482
> 11 Minnesota Ave
> Five Dock NSW 2046
> Australia
> P +61 (0)414 488 851
> --------------------
> About Lockstep 
> Lockstep was established in early 2004 by noted authentication expert
> Stephen Wilson, to provide independent specialist advice and analysis on
> identity management, PKI and smartcards.  Lockstep is also developing
> unique new smartcard solutions to address privacy and identity theft. 
> > List,
> > 
> > http://www.gcn.com/print/25_9/40506-1.html
> > 
> > <GCN.Quote>
> > 
> > "It's much harder than we thought it would be," Burr said. "We've backed
> > the wrong horse any number of times." He said one of these wrong horses was
> > the decision to use a bridge certificate authority rather than a single
> > central certificate authority to issue and manage digital certificates
> > 
> > </GCN.Quote>
> > 
> > 
> > Although Mr. Burr indeed later endorsed the Bridge concept as a long-term
> > goal, the immediate effect (if the US government proceeds as the article
> > described), is that vendors, allies, and consultants will back away from
> > this solution.
> > 
> > In the mean-time, simpler and cheaper approaches like "gateways", will
> > effectively remove the need to ever resurrect the Bridge.   A client-centric
> > Bridge CA concept also does not support the design of integrated
> > organization-to-organization workflow applications, something which ought to
> > be the long term goal for the US government IT.  What security principles
> > they use (as long as they work), should be of secondary importance.
> > 
> > Regarding analysis of processes, there is actually quite a collection of
> > papers to read, and very few of them show a need for a trust model where an
> > employee/associate of one organization needs to be fully trusted/qualified
> > by another organization.  A model where the "organization" becomes the
> > primary entity (like in Shibboleth/SAML), scales better, allows arbitrary
> > employee privacy protection, and probably works entirely satisfactorily in 99
> > cases of 100.  Using a 2-layer credential and signature structure (gateway
> > PKI + local PKI), you can easily take the last percent as well.
> > 
> > 
> > It should be like VeriSign's Phillip Hallam-Baker said on the PKI
> > Workshop 2006:
> > 
> > "If I send a message from my company, I expect my company to secure it".
> > 
> > If it had not been for the Bridge, we could actually have had secure
> > e-mail today.  Not only within isolated islands, but for every Netizen.
> > 
> > 
> > Sincerely
> > Anders Rundgren
> > Principal Engineer
> > RSA Security
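As an added illustration that is not part of this thread or of any poster's material, the constructed Python toy below contrasts the two trust models argued over above: a Bridge CA that cross-certifies domain roots (so a relying party that trusts only its own root reaches a foreign certificate through a multi-hop path) versus a Trust List, where the relying party simply holds the foreign root as an anchor, plus the scheme-based "fit for purpose" check where a certificate is only accepted under the policy it was issued for. Every CA name, certificate edge and policy identifier is invented; the code models only certification-path discovery and a single-policy filter, not signature verification, validity periods or the full RFC 5280 validation algorithm.

```python
from collections import deque

# Constructed toy data (not from the thread). A certificate is modelled as
# (issuer, subject, policies): the set of certificate policies the issuer
# asserts for the subject. A cross-certificate is just a CA certifying a CA.
DOMAIN_CERTS = [
    ("RootA", "SubA", {"gov-medium"}),
    ("SubA", "alice", {"gov-medium"}),
    ("RootB", "SubB", {"gov-medium"}),
    ("SubB", "bob", {"gov-medium"}),
]

# Bridge model: each domain root certifies the Bridge and the Bridge certifies
# each root, which creates cycles that path discovery has to cope with.
BRIDGE_CROSS_CERTS = [
    ("RootA", "Bridge", {"gov-medium"}),
    ("Bridge", "RootA", {"gov-medium"}),
    ("RootB", "Bridge", {"gov-medium"}),
    ("Bridge", "RootB", {"gov-medium"}),
]

# Scheme-based model: separate closed PKIs, each issuing under its own policy.
SCHEME_CERTS = [
    ("PassportRoot", "PassportDS", {"epassport"}),
    ("PassportDS", "carol-passport", {"epassport"}),
    ("BankRoot", "BankCA", {"emv-payment"}),
    ("BankCA", "carol-card", {"emv-payment"}),
]


def index_issuers(certs):
    """Map each subject name to the (issuer, policies) pairs certifying it."""
    by_subject = {}
    for issuer, subject, policies in certs:
        by_subject.setdefault(subject, []).append((issuer, frozenset(policies)))
    return by_subject


def build_path(certs, trust_anchors, target, required_policy, max_len=6):
    """Breadth-first search from the end-entity upward to a trust anchor.

    Only certificates carrying required_policy are followed (a simplified
    stand-in for X.509 policy processing). Returns the path as a list of
    names anchor..target, or None when no acceptable path exists.
    """
    by_subject = index_issuers(certs)
    queue = deque([(target, [target])])
    seen = {target}  # guards against the cycles cross-certification creates
    while queue:
        subject, path = queue.popleft()
        if len(path) >= max_len:
            continue
        for issuer, policies in by_subject.get(subject, []):
            if required_policy not in policies:
                continue  # certificate not issued for this purpose
            new_path = [issuer] + path
            if issuer in trust_anchors:
                return new_path
            if issuer not in seen:
                seen.add(issuer)
                queue.append((issuer, new_path))
    return None


if __name__ == "__main__":
    # Relying party in domain A trusting only RootA: bob is unreachable without
    # the Bridge, reachable via a 5-name path with it, and directly reachable
    # when RootB is simply added to the trust list.
    print(build_path(DOMAIN_CERTS, {"RootA"}, "bob", "gov-medium"))
    print(build_path(DOMAIN_CERTS + BRIDGE_CROSS_CERTS, {"RootA"}, "bob", "gov-medium"))
    print(build_path(DOMAIN_CERTS, {"RootA", "RootB"}, "bob", "gov-medium"))
    # Scheme-based: the passport certificate is recognised for e-passport use
    # only; asking whether it is "equivalent" to a payment credential is moot.
    print(build_path(SCHEME_CERTS, {"PassportRoot", "BankRoot"}, "carol-passport", "epassport"))
    print(build_path(SCHEME_CERTS, {"PassportRoot", "BankRoot"}, "carol-passport", "emv-payment"))
```

Two things the toy makes visible: the bridge path is longer and passes through CAs the relying party never chose directly (which is where policy mapping and name constraints do the real work in a production bridge), whereas the trust list keeps the path short and the trust decision explicit; and with per-scheme policies, "is this certificate fit for this purpose" is answered by the issuing chain itself rather than by any cross-domain equivalence.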
