OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [pki-tc] re:[pki-tc] NIST deprecates the Bridge CA Concept


Stephen,

I find it absolutely fascinating that we were both thinking along
the same lines last year (take a look at the attached paper I wrote
- called Identity Firewalls - in late 2004, but formalized in late
2005).

I think it is reflective of the maturing of the PKI industry and an
acknowledgement that we need to make structural changes to identity
management.  The "ROI Myopia" that many companies are beset with,
are creating too many cracks in the foundation.

All,

Given that Stephen is seeing this trend in Asia and "sector-related"
credentials are starting to show up in the US (SAFE-Biopharma and
Notary certificates, for example), perhaps it is time for the PKI-TC
to start rallying around a structural remedy to the security ills
that plague us, and to promote the concept.

Could I request that people read these two papers and we engage in
a debate over whether the industry needs to mature towards such
concepts?  There are many of us that are saying the same things,
but I think we need to make it into a single cohesive message that
is debated, and eventually agreed upon, so that we can convince
the industry that, despite the failures of the past, there is still
promise in this technology worth revisiting

Thank you.

Arshad Noor
StrongAuth, Inc.

Stephen Wilson wrote:
> Anders
> 
> Respectfully I submit that you are mixing together two quite separate
> issues: the questionable usefulness of Bridge CAs, and your abiding
> promotion of gateway PKI.  
> 
> Just to look at the Bridge CA question (and I must say I have not read Bill
> Burr's comments in detail, so I may or may not be at cross purposes with
> him) ... 
> 
> I have found recently in Asia that Bridge CA models are being put on hold.
>  Influential private sector PKI providers in China told the APKIF in
> November that they do not think a China BCA will be useful in the
> forseeable future; in September the Taiwanese government announced it was
> dropping its BCA proposal in favour of a Trust List approach.  
> 
> In my view there are fundamental reasons to question the utility of BCAs. 
> I think the really basic premise of BCAs is that most individuals will only
>  belong to one PKI and so have just the one certificate to be used in
> multiple domains.  Then the business question of a subject in one domain
> presenting their certificate to another domain has to do with whether or
> not that certificate is equivalent (mappable).  Personally, I hypotehise
> that there is some psychology involved in this model as well, based on the
> notion of security clearances in government hierarchies, and the (real)
> challenge of govt employees in one jurisdiction being at the same or higher
> or lower level of employees in other jurisdictions. 
> 
> The attached annotated cartoons try to compare that scenario with an
> alternative PKI model, one which is coming to dominate in Australia and I
> think in Asia -- "scheme based PKI", where there are many more or less
> closed PKIs.  People will have different certificates for different
> application domains.  This is fast becoming reality in the embedded PKIs of
> e-passports, national ID smartcards, PIV, EMV cards and so on.  
> 
> In this environment, equivalence (or questions of 'rank') of certificates
> in different domains is moot.  The real issue here is whether or not a
> given certificate is fit for purpose; i.e., is it "recognised" for the
> purpose to which it is being put?  I don't see how a Bridge CA helps here.
>  Instead, the Trust List model is natural; relying parties simply need a
> list of the Root CAs that underpin the domains they are transacting in. 
> 
> I hope my cartoons are understandable in this context!  I have been meaning
> to develop a more comprehensive white paper on this topic but haven't had
> time.  However, an overview of the scheme based PKI approach is contained
> in http://www.lockstep.com.au/library/pki/relationship_certificates. 
> 
> Having said all this, we should monitor developments in the various
> industry BCAs cosely, especially SAFE in pharma. 
> 
> Comments welcome!!! 
> 
> Cheers, 
> 
> Stephen.
> 
> 
> Stephen Wilson
> Lockstep Consulting Pty Ltd
> www.lockstep.com.au
> ABN 59 593 754 482
> 
> 11 Minnesota Ave
> Five Dock NSW 2046
> Australia
> 
> P +61 (0)414 488 851
> 
> --------------------
> 
> About Lockstep 
> Lockstep was established in early 2004 by noted authentication expert
> Stephen Wilson, to provide independent specialist advice and analysis on
> identity management, PKI and smartcards.  Lockstep is also developing
> unique new smartcard solutions to address privacy and identity theft. 
> 
> 
> 
> 
> 
> 
>>List,
>>
>>http://www.gcn.com/print/25_9/40506-1.html
>>
>><GCN.Quote>
>>
>>"It's much harder than we thought it would be," Burr said. "We've backed
> 
> the wrong horseany number of times." He said one of these wrong horses was
> the decision to use a bridgecertificate authority rather than a single
> central certificate authority to issue andmanage digital certificates
> 
>></GCN.Quote>
>>
>>
>>Although Mr. Burr indeed later endorsed the Bridge concept as a long-term
> 
> goal, theimmediate effect (if the US government proceeds as the article
> described), is thatvendors, allies, and consultants will back away from
> this solution.
> 
>>In the mean-time, simpler and cheaper approaches like "gateways", will
> 
> effectively removethe need to ever resurrect the Bridge.   A client-centric
> Bridge CA concept also does notsupport the design of integrated
> organization-to-organization workflow applications,something which ought to
> be the long term goal for the US government IT.  What securityprinciples
> they use (as long as they work), should be of secondary importance.
> 
>>Regarding analysis of processes, there is actually quite a collection of
> 
> papers to read,and very few of them show a need for a trust model where an
> employee/associate of oneorganization needs to be fully trusted/qualified
> by another organization.  A model wherethe "organization" becomes the
> primary entity (like in Shibboleth/SAML), scales better,allows arbitrary
> employee privacy protection, and probably works entirely satisfactory in99
> cases of 100.  Using a 2-layer credential and signature structure (gateway
> PKI + localPKI), you can easily take the last percent as well.
> 
>>
>>It should be like VeriSign's Phillip Hallam-Baker said on the PKI
> 
> Workshop 2006:
> 
>>"If I send a message from my company, I expect my company to secure it".
>>
>>If it had not been for the Bridge, we could actually have had secure
> 
> e-mail today.  Notonly within isolated islands, but for every Netizen.
> 
>>
>>Sincerely
>>Anders Rundgren
>>Principal Engineer
>>RSA Security
> 
> 
> --
> <Put email footer here>
> 
> 
> ------------------------------------------------------------------------
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

identityFirewalls1.1.pdf



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]