IDA Security Experts Workshop Olivier LIBON Vice President – GlobalSign November 2000.


Transcript of IDA Security Experts Workshop Olivier LIBON Vice President – GlobalSign November 2000.

  • Slide 1: Title
    • IDA Security Experts Workshop
    • Olivier LIBON, Vice President, GlobalSign
    • November 2000
  • Slide 2: Outlines
    • Interoperability at the EU side
      • Private Key Storage (software, hardware, etc.)
      • Certificate Management (expiration, renewal, revocation, etc.)
      • Products Limitations (web, mail, etc.)
    • Interoperability at the CA side
      • Accreditation Schemes (EESSI vs...)
      • Products Compliance & Interoperability (RA, CA, etc.)
      • Common Trust Levels (Cross-certification, etc.)
  • Slide 3: Interoperability at the EU side (section divider; repeats the outline of Slide 2, with this section highlighted)
    • Private Key Storage (software, hardware, etc.)
    • Certificate Management (expiration, renewal, revocation, etc.)
    • Products Limitations (web, mail, etc.)
  • Slide 4: Private Key Storage
    • Software (disk)
      • Various certificate stores (Microsoft, Netscape, Opera, etc.)
      • Key protection (PIN code, token, etc.)
      • PC lost? / upgraded? (backup, import/export, etc.)
    • Hardware (smart card)
      • Key-pair generation
      • Reader installation & costs
      • Compatibility (chip + OS + data)
  • Slide 5: Certificate Management
    • Certificate Lifecycle (history)
      • Certificate history (expiration/renewal)
      • Certificate revocation (status checking)
    • Key Usage (key protection)
      • One certificate for every key usage
      • Multiple certificates (encryption, authentication, non-repudiation, etc.)
    • Certificate Usage (public vs private)
      • One certificate (ID card) for every application/domain
      • Multiple certificates (one for each application/domain)
  • Slide 6: Products Limitations
    • Certificate Chaining
      • Deliver the complete chain
      • No cross-certification support
    • Certificate Extensions
      • Basic Constraints (the only one supported)
      • Naming Constraints (not supported)
      • Policy Constraints & Mappings (not supported)
    • Certificate Status
      • CRLs (no check)
      • OCSP (not yet available)
  • Slide 7: Interoperability at the CA side (section divider; repeats the outline of Slide 2, with this section highlighted)
    • Accreditation Schemes (EESSI vs...)
    • Products Compliance & Interoperability (RA, CA, etc.)
    • Common Trust Levels (Cross-certification, etc.)
  • Slide 8: Accreditation Schemes
    • Step 1: EC Directive adoption
      • A common framework for electronic signatures... defines: Electronic Signature, Qualified Certificate, TTP requirements
    • Step 2: Local laws adaptation
      • Germany (BSI), UK (T-Scheme), France (MEFI), Netherlands (TTP.NL), etc.
    • Step 3: EESSI standards
      • ... but very complex (and not accepted yet)
      • A lawyers' and lobbying world
  • Slide 9: Products Interoperability
    • Component Interoperability
      • Ability to mix and match PKI products
      • Depends on the messages exchanged between components to support: certificate request, certificate renewal, certificate revocation
    • Enterprise Interoperability
      • Ability to connect PKIs into a larger functional PKI
      • Cross-certification
      • Repositories/Directories
  • Slide 10: Common Trust Levels
    • Hierarchical Model
      • Root signing (a single hierarchy of certificates)
      • Proprietary accreditation rules
      • Not flexible and unrealistic
    • Non-hierarchical Model
      • Cross-certification (multiple hierarchies of certificates)
      • Open cross-certification rules
      • Very flexible but unrealistic
    • Meshed Model
      • CA bridge (multiple hierarchies per business domain)
      • Open bridging rules
      • Very flexible but needs an independent organization (EC?)