Building trust on the internet
Extending Attribute Protocols for Status Management and “Other Things”
Patrick Richard, Xcert International
Company Background
• Size: 80+ employees
• Incorporated: 1996 (Vancouver, BC)
• HQ: Walnut Creek, CA
• Funding: Private, backed by the founder of RSA & Verisign
• Key partners & customers:
Extending Attribute Protocols for Status Management and “Other Things”
• Agenda (40 minutes)
– Conceptual History
– Products in Action
– Application Potential
PKI Enables Risk Management
• PKI provides a means to reduce the risk of business-to-business and business-to-consumer internet transactions
• PKI enables institutions to define trust relationships that can be:
– Published
– Audited
– Insured
Digital Certificates' Role in Risk Management
Digital certificates are the ONLY technology to satisfy the requirements for secure transactions among trusted parties.
Certificate Formats and Risk Management
• Digital Certificates, as they are commonly used:
– contain generalized end-entity information
– this information is used as part of the risk mitigation process
– Examples: name, email address, where you work, etc.
Certificate Attributes and Risk Management
• The collection of information carried in a Certificate is the lowest common denominator for risk-managing transactions
– Sometimes too little information
– Sometimes too much
• Normally no one cares who you are… they care about your ability to transact.
What is important
• What matters are the transaction-specific bindings between the participants and their relevant attributes
• Example:
– Joe Customer is the owner of the card
– The card is still valid
– The card has enough credit space for the transaction
The key concept
• PKI is really the practice of end-entity attribute assertion and management
• That is:
– The CA (certification authority) asserts and distributes your name attribute
– The VA (validation authority) asserts and distributes your status attribute
– The AA (attribute authority) asserts and distributes your credit attribute
Attribute Management Protocols
• A good, generalized and scalable attribute management protocol can be the basis for a highly efficient and effective PKI
• Eliminates re-inventing the wheel, solves scalability problems
• Only the elements of the transaction that are relevant are transmitted, nothing else
Effective Attribute Management Protocol Characteristics
• Ability to serve signed attributes
• Ability to generate static collections of signed attributes
• Ability to serve dynamic collections of signed attributes
• Ability to deal with caching and freshness (a relying party must know how long a signed attribute may be reused and when it must be refreshed)
Real World Example: Certificate Status Management
• Most OCSP implementations rely upon CRLs (i.e. they proxy CRLs)
– A responder built this way can be no fresher than the CRL behind it
• Certificate Status is really just an attribute of the certificate being queried
Status Management in an Attribute-driven model
• Relating the current semantics to the model:
– CRL: a static collection of status attributes
– Online query: a signed response carrying one status attribute
– OCSP: a standard protocol front-end on a CRL or an online query
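The protocol characteristics and the status model described on the slides above, in working code. This is an added example, not code from the original deck or from Xcert's products: a Go program against the standard library only. The CA asserts the name attribute and publishes the static collection as a real X.509 CRL; a VA or AA answers an online query with a single signed attribute, for which a JSON payload signed with Ed25519 stands in for an OCSP response (the JSON wire format is constructed here and is not a standard). The CA name "Example Attribute CA", the serial numbers and the "credit" value are constructed for the example. The relying-party checks are the point: issuer signature, binding to the certificate and attribute that was asked for, and a thisUpdate..nextUpdate freshness window that decides how long a cached answer may be reused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewCA builds a self-signed Ed25519 CA, the party asserting the name attribute.
// The crlSign key usage is required by x509.CreateRevocationList. Name is constructed.
func NewCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Attribute CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	ca, err := x509.ParseCertificate(der)
	must(err)
	return ca, priv
}

// BuildCRL is the static collection of status attributes: one signed list whose
// thisUpdate..nextUpdate window is what makes caching it safe.
func BuildCRL(ca *x509.Certificate, key ed25519.PrivateKey, revoked []int64, now time.Time, ttl time.Duration) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(ttl)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	must(err)
	return der
}

// StatusFromCRL is the relying party's side of the static model: issuer signature,
// then freshness (a stale list is an error, never "good"), then the lookup.
func StatusFromCRL(crlDER []byte, ca *x509.Certificate, serial int64, now time.Time) (string, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return "", err
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return "", errors.New("CRL outside its validity window")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Int64() == serial {
			return "revoked", nil
		}
	}
	return "good", nil
}

// Assertion is one signed attribute of one certificate, the dynamic online answer: "status"
// from a VA or "credit" from an AA. The certificate it is about and its freshness window
// sit inside the signed payload. The JSON wire format is constructed for this example.
type Assertion struct {
	Issuer     string    `json:"issuer"`
	Serial     int64     `json:"serial"`
	Attribute  string    `json:"attribute"`
	Value      string    `json:"value"`
	ThisUpdate time.Time `json:"this_update"`
	NextUpdate time.Time `json:"next_update"`
}

// Sign is the asserting party's side: serialize, then sign with that party's own key.
func (as Assertion) Sign(key ed25519.PrivateKey) (payload, sig []byte) {
	payload, err := json.Marshal(as)
	must(err)
	return payload, ed25519.Sign(key, payload)
}

// VerifyAssertion is the relying party's side of the dynamic model: signature first, then
// "is this about the certificate and attribute I asked for", then freshness.
func VerifyAssertion(pub ed25519.PublicKey, payload, sig []byte, issuer, attribute string, serial int64, now time.Time) (string, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("bad signature on assertion")
	}
	var as Assertion
	if err := json.Unmarshal(payload, &as); err != nil {
		return "", err
	}
	if as.Issuer != issuer || as.Serial != serial || as.Attribute != attribute {
		return "", errors.New("assertion is about a different certificate or attribute")
	}
	if now.Before(as.ThisUpdate) || now.After(as.NextUpdate) {
		return "", errors.New("assertion outside its freshness window")
	}
	return as.Value, nil
}

func main() {
	ca, caKey := NewCA()
	now := time.Now()
	fmt.Println(StatusFromCRL(BuildCRL(ca, caKey, []int64{42}, now, time.Hour), ca, 42, now)) // revoked <nil>
	vaPub, vaKey, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	p, s := Assertion{Issuer: ca.Subject.CommonName, Serial: 7, Attribute: "status", Value: "good",
		ThisUpdate: now, NextUpdate: now.Add(5 * time.Minute)}.Sign(vaKey)
	fmt.Println(VerifyAssertion(vaPub, p, s, ca.Subject.CommonName, "status", 7, now)) // good <nil>
}
```

Run it with go run. With serial 42 on the list the CRL lookup returns revoked, and the same CRL consulted after its nextUpdate returns an error rather than good, which is the behaviour a cache must have. The same Assertion type serves an AA asserting credit for the same certificate, which is the "multiple attributes, not just status" case; a relying party's cache keys on the payload's nextUpdate, and VerifyAssertion is what refuses a cached answer once that window has passed or when the answer turns out to be about a different certificate or attribute.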
Technical Benefits
• A single protocol and method for resolving identity and attribute bindings
• Works online and off-line
• Can be applied to multiple attributes, not just status
• Is 100% backwards compatible
• Provides infinite design flexibility
Business Benefits
• Most implementations hit a “Chinese Wall” when they attempt to scale
• The only cost-effective way to scale
• Customers with 100,000+ users on 1.x products (circa 1997); also powers public CAs
• Provides business opportunities for Attribute Assertion Providers
Current Real World Applications
• Pseudo-anonymous certificates
• High-assurance web transactions
• Value-based dynamic assertions
• Rollover and revocation simplified
• Single certificate, many models (i.e. GUC)
Future Implications
• The natural evolution is to index attribute databases from certificates
• Truly Internet-wide certificates should ideally have minimized content
• Businesses are arising that focus exclusively on attribute management
Conclusion
• A comprehensive attribute management system can provide the backbone for a global deployment of PKI
• Common PKI problems can be easily resolved through the use of attribute management
• Primary obstacles today are not technical, but rather philosophical