ABA PKI Evaluation Guidelines:
The Law and Digital Signatures
Information Security Committee
American Bar Association (ABA)
Section of Science and Technology
Presentation to The Open Group Conference
Copenhagen, Denmark
27 April 1999
27-Apr-99 The Open Group Conference, Copenhagen, Denmark 2
Introduction
• Information Security Committee, Section of Science and Technology, Electronic Commerce Division
• Over 300 technologists and lawyers from more than 15 countries
• Digital Signature Guidelines, 1996 (see http://www.abanet.org/scitech/ec/isc/dsgfree.html)
Introduction (cont’d)
• Michael Baum - VeriSign (U.S.)
• Joe Alhadeff - Oracle (U.S.)
• Janjaap Bos - DSEMCO B.V. (Netherlands)
• Emily Frye - VeriCorp (U.S.)
• Bill Kennair - CyberNotary Association UK (U.K.)
• Charlie Merrill - McCarter & English (U.S.)
• Randy V. Sabett - SPYRUS, Inc. (U.S.)
• J. F. Sauriol - Labcal Technologies (Canada)
Goals today
• Introduce PKI Evaluation Guidelines (PEG)
• Interactive dialog regarding diverse requirements and initiatives
• Collaboration/harmonization/assimilation
• Discuss need for recognized global standard
• Formalized baseline for global interoperability of PKI
Challenges in PKI
• Trust, confidence, certainty
• Risk management
• Interoperation
• Self-regulation
• Quality assurance
PKI Evaluation Guidelines (PEG)
• Project begun in late 1996
• Extends beyond digital signatures to support diverse applications and entities in a PKI
• Intended to bridge legal, business, and technical aspects
• Guidelines, not criteria
• Work-in-progress
The PEG Audience
• Anyone involved in PKI deployment, including:
– Criteria (policy) adopting or defining bodies
– Accrediting body
– Evaluators
– Authors of CPs
– Adopters of CPs
– Those involved in dispute resolution
PEG Terminology
• “Accreditation” of evaluators of PKI
• “Evaluation”: broad term, encompassing
– “Assessment” of PKI for purposes of building legal and technical interoperability
– “Auditing” of PKI components after deployment to determine whether the PKI conforms to the applicable CP
One example of process…
[Figure: Accreditation Process. Participants shown: Subscriber (1), Relying Party (2), Certification Authority (3), Policy Authority (4), Evaluator/Lab (5), Accreditation Body (6), Recognition Authority (7); objects shown: Certificate Policy, CPS. Relationship labels on the arrows: influences, recognizes the validity of, evaluates, accredits, adopts. Key: Subject, Object. A boxed region marks the scope of the Digital Signature Guidelines (ABA ISC 1996).]
PEG Structure
• Main topics:
– Understanding PKI
– Process for PKI Evaluation/Accreditation
– Elements of PKI Evaluation/Accreditation
– Legal Preface
– PEG Methodology for Evaluation/Accreditation
– PKI Evaluation Guidelines
– Appendices
PEG Structure (cont’d)
• Address diverse PKI models
– “One size does not fit all”
• Matrix concept
– RFC 2527 (also known as PKIX Part 4) provides the rows
– Different vertical markets comprise the columns (e.g. the financial services industry)
PEG Structure (cont’d)
• Introduction
• General Provisions Covering Legal/Business Issues
• Initial Validation of Identity and Authority
• Certificate Life Cycle Operational Requirements
• CA Facility and Management Controls
• Technical Security Controls
• Certificate and CRL Profiles
• Specification Administration
• Some differences from RFC 2527
Selected Legal and Policy Issues
• Legal regimes
• Consumer and privacy issues
• Distinction between CP and CPS
• Liability of parties in PKI
Selected Legal and Policy Issues (cont’d)
• Legal presumptions
• Evidentiary issues
• Separation of roles in certificate lifecycle
• Incorporation by reference
Current state of international law
• UNCITRAL
– Model Law on Electronic Commerce
– Electronic Signature Rules
• OECD: Cryptography Guidelines
• ICC: GUIDEC
• European Union
– Directives on Electronic Signatures
– Directives on Electronic Commerce
• UINL: Ongoing educational process
Civil law and common law
• Codification versus precedent through litigation
• Possible differences
– Binding nature of judicial decisions
– Legal presumptions
– Incorporation by reference
– Form requirements
• Base all future actions on legislation in either type of jurisdiction, or leave it to the open market?
Consumer and privacy issues
• Does the concept of “consumer” map to specific parties in a PKI?
• Need for minimum requirements between parties?
– obligation to protect private key
– obligation to verify certificate status
– liability allocation
– notice and disclosure
• Collection & use of personal information
• Applicability of various guidelines & initiatives
Distinction between CP and CPS
• CP specifies the requirements (the “what’s”)
• CPS specifies how the CA complies with those requirements (the “how’s”)
• Which governs the rights between the parties when the CP and the CPS differ?
• Model independent...
Separation of roles in the certificate lifecycle
[Figure: four configurations, numbered 1 to 4, showing different groupings of the CA, CMA, RA and Repository functions in relation to users (subscribers and/or relying parties). Legend: CA = Certification Authority; CMA = Certificate Management Authority; RA = Registration Authority.]
Liability of parties in PKI
• CA liability to relying party for wrongful issuance of a certificate
• Liability of subscriber to relying party upon compromise of the private key
Legal Presumptions
• Traditionally the relying party has the burden of authenticating the signer’s identity.
• “Electronic signature,” “digital signature,” other types of enhanced signatures
• Understanding burdens and presumptions
• Digital Signature Guidelines proposed a new rebuttable presumption that the digital signature was signed by the subscriber named in the certificate issued by a CA
Legal Presumptions (cont.)
• Rebuttable presumption by legislation:
– EU Mar 98 Draft Directive, Utah (95), 5 other U.S. States (1996-99), Germany (97), Italy (98), Spain (99)
• Rebuttable presumption allowed by regulation:
– Canada Electronic Signatures Bill C-54
• Little or no effective presumption:
– UNCITRAL Draft Model, NCCUSL Uniform Electronic Transactions Act, U.S. S.761 Millennium Digital Commerce Bill
Legal Presumptions (cont.)
• Arguments FOR a legal presumption
• Arguments AGAINST a legal presumption
• Broad commercial use of PKI will not wait for the legislative outcome
• Absence of a legislative presumption will simply mean more business for trial lawyers until a judicial presumption emerges.
Evidentiary coverage
• What is a signature?
• Elements? (e.g. public key, signature, CRL, time and date stamp)
• Extrinsic evidence involving the facts and circumstances of the transaction?
• Expert testimony as foundation
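The elements listed on this slide (public key, signature, CRL, time and date stamp) are exactly what a relying party has to put in evidence, and each can be checked mechanically against the others. The Go program below is an added example, not part of the presentation or the ABA ISC's work: it constructs a CA, a subscriber certificate, a signed message and a CRL as constructed fixtures, then tests each element separately: that the public key is certified by the CA and the certificate was valid at the asserted signing time, that the signature verifies under that key, and that the CRL in force covered that time and did not list the subscriber's certificate as revoked on or before it. The names Evidence, CheckEvidence and BuildFixture are this example's own; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Evidence bundles the elements the slide lists for a contested signature: the public
// key (in the subscriber certificate, chained to the CA), the signature, the CRL in
// force, and the asserted time and date stamp of signing.
type Evidence struct {
	Message, Signature []byte            // Signature: ASN.1 ECDSA over SHA-256(Message)
	SignedAt           time.Time         // asserted time and date stamp
	SubCert, CACert    *x509.Certificate // subscriber certificate, issuing CA
	CRL                *x509.RevocationList
}

// CheckEvidence tests each element separately and returns every finding, so a
// reviewer sees all gaps at once; an empty result means every element holds.
func CheckEvidence(ev Evidence) []string {
	var findings []string
	// Public key element: chains to the CA and is valid at the signing time.
	roots := x509.NewCertPool()
	roots.AddCert(ev.CACert)
	if _, err := ev.SubCert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: ev.SignedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		findings = append(findings, "certificate: "+err.Error())
	}
	// Signature element: verifies under the certified key.
	digest := sha256.Sum256(ev.Message)
	if pub, ok := ev.SubCert.PublicKey.(*ecdsa.PublicKey); !ok {
		findings = append(findings, "signature: certificate key is not ECDSA")
	} else if !ecdsa.VerifyASN1(pub, digest[:], ev.Signature) {
		findings = append(findings, "signature: does not verify under the certified key")
	}
	// CRL element: signed by the CA, covering the signing time, and not listing
	// the subscriber's serial as revoked on or before that time.
	if err := ev.CRL.CheckSignatureFrom(ev.CACert); err != nil {
		return append(findings, "crl: "+err.Error())
	}
	if ev.SignedAt.Before(ev.CRL.ThisUpdate) || ev.SignedAt.After(ev.CRL.NextUpdate) {
		findings = append(findings, "crl: does not cover the signing time")
	}
	for _, rc := range ev.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(ev.SubCert.SerialNumber) == 0 && !rc.RevocationTime.After(ev.SignedAt) {
			findings = append(findings, "crl: certificate was revoked before the signing time")
		}
	}
	return findings
}

// BuildFixture constructs the scenario (constructed data, not from the presentation):
// a CA, one subscriber, a signed message, and a CRL that revokes the subscriber's
// certificate at revokeAt.
func BuildFixture(signedAt, revokeAt time.Time) Evidence {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Policy CA"},
		NotBefore: signedAt.Add(-24 * time.Hour), NotAfter: signedAt.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "Constructed Subscriber"},
		NotBefore: signedAt.Add(-time.Hour), NotAfter: signedAt.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	subDER, err := x509.CreateCertificate(rand.Reader, subTmpl, caCert, &subKey.PublicKey, caKey)
	must(err)
	subCert, err := x509.ParseCertificate(subDER)
	must(err)
	msg := []byte("constructed message: transfer 100 units to account 42")
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, subKey, digest[:])
	must(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: signedAt.Add(-time.Hour), NextUpdate: signedAt.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: subTmpl.SerialNumber, RevocationTime: revokeAt}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	return Evidence{Message: msg, Signature: sig, SignedAt: signedAt, SubCert: subCert, CACert: caCert, CRL: crl}
}

func must(err error) { if err != nil { panic(err) } }

func main() {
	at := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	fmt.Println("revoked after signing: ", CheckEvidence(BuildFixture(at, at.Add(2*time.Hour))))
	fmt.Println("revoked before signing:", CheckEvidence(BuildFixture(at, at.Add(-30*time.Minute))))
}
```

The check is deliberately anchored to the asserted signing time rather than to the time of dispute: a revocation recorded after the signature was made does not undo it, which is the point behind the slide's "obligation to verify certificate status" and the limit it puts on a subscriber's exposure after a key compromise. The CRL's ThisUpdate/NextUpdate window is treated as evidence too, so a CRL that was not current at the signing time produces its own finding instead of silently passing.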
Incorporation by reference
• Technical limitations of size of certificate
• Publication of terms (ETERMS repository)
• Incorporation of legal terms (CP)
• Notification (end user software)
• Legal limitations (civil/common law)
Related Activities
• ETERMS Project
• Certification Services Agreements and Model Clauses
• PKI Industry Association
ETERMS Notices/Disclosures
• Practice variations becoming obstacle to the growth of global electronic commerce
• ETERMS provide market-based solution to inconsistent notice/disclosure terminology
• Initial application will be between commercial entities
• Result: harmonize the implementation of notices/disclosures in end-user applications
Relationship Models
• Open/Unbounded Models
– CA ↔ Business →
– CA ↔ Consumer/Individual →
• EDI / Existing Relationships to PKI (Addendum)
– Business ↔ Business over a PKI
Relationship Models (cont’d)
• Privity Models
– [CA ↔ Bus] ↔ Consumer
– CA ↔ Business ↔ [Business or Consumer]
• Non-transactional / communication model
– Individual ↔ Individual over a PKI
Global PKI Industry Association
• General education
• Promotion of self-regulation
• Policy development and advocacy
• Develop and advance industry practices
Wrap up
• Liaisons (who else?)
• Harmonization or unification?
• Collaboration: next steps