
Johnson & Johnson’s Public Key Infrastructure

Johnson & Johnson’s Public Key Infrastructure. Presented by Bob Stahl (rstahl@corus.jnj.com), Johnson & Johnson: the world’s largest and most comprehensive manufacturer of health care products, founded in 1886, headquartered in New Brunswick, New Jersey, with sales of $42 billion in 2003.


Presentation Transcript


  1. Johnson & Johnson’s Public Key Infrastructure. Bob Stahl, rstahl@corus.jnj.com

  2. Johnson & Johnson
     • The world’s largest and most comprehensive manufacturer of health care products
     • Founded in 1886
     • Headquartered in New Brunswick, New Jersey
     • Sales of $42 billion in 2003
     • 200+ operating companies in 50+ countries
     • 109,000+ employees worldwide
     • Customers in over 175 countries

  3. Baseline PKI Architecture (diagram components)
     • Authoritative Feeds: Employees, Partners, Servers, Email addresses, Windows IDs
     • JJEDS Enterprise Directory
     • JJEDS Offline Root CA (ORCA)
     • JJEDS Principal Online CA (POLCA)
     • CRL Distribution Website
     • PKI and Directory Enabled Applications

  4. JJEDS PKI Principles
     • Based on open standards
     • Directory-driven
     • Directory is the global identity master
     • Web-based, self service model
     • Strong identity proofing
     • Build and operate it ourselves
     • Separate signing and encryption keys
     • Hardware tokens preferred
     • Support operation in FDA-validated environments

  5. Standards Based
     • LDAP Directory
     • X.509v3 Certificates and CRLs
     • RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile
     • RFC 2527, Certificate Policy and Certificate Practice Statement
       • Rewrite underway based on RFC 3647

  6. Self-Service Registration (diagram: Enterprise Directory, CAC, IVC)
     1. New employee, Alice, is entered into HR Database
     2. Overnight, Alice has an entry in the Enterprise Directory
     3. When Alice is ready to get her Digital Identity, she visits the JJEDS web site
     4. One-time codes are generated and emailed to Alice and her supervisor
     4. Alice’s supervisor delivers her IVC to her person-to-person
     5. Alice returns to JJEDS and authenticates with her IVC and CAC
     6. Alice’s certificates are generated on her client, and provide only her ID, not her access privileges
     7. Alice’s certificates are published to the Enterprise Directory and from there to the Email directory
     8. Alice’s signature key is never duplicated -- her decryption key is escrowed for contingencies. If Alice ever needs to recover an old encryption key, she can do it herself.
     9. When Alice’s cert is about to expire or if her Name or Email changed, then she can revoke her old certificate and get a new one by herself.

  7. Security Vision (diagram components)
     • Directory-Centric Corporation (Global Identity Master)
     • Authoritative Sources
     • JJEDS Digital Identities
     • Unique identities for people (and machines)
     • Eliminate Passwords
     • Secure Electronic Transactions
     • Legal & Regulatory Compliance

  8. Applications
     • Directory took off on its own – 150,000+ active entries
     • WWID-based login
     • Workflow routing
     • Phonebook replacement
     • Online organization charts
     • Compliance tracking / training
     • Email lookups for applications

  9. PKI Applications
     • Remote Access – 60,000+ users
     • Secure Email
       • Research collaboration
       • Legal department
       • Marketing
       • Personnel discussions
     • Adverse event reporting
     • Skincare marketing intelligence web site
     • SOX compliance reporting
     • Ethics certification
     • Coming Soon – Enterprise Apps
       • e.g., SAP, Oracle, Windows Login

  10. Next Leap - SAFE
     • SAFE – Secure Access for Everyone
     • What is it?
       • Biopharma industry consortium aimed at facilitating e-transactions through SAFE-wide digital credentials
       • Participants include J&J, Pfizer, Merck, GSK, Aventis, Lilly, PG, Novartis, others
       • Technology selected for use: PKI
     • PKI perspective:
       • Additional emphasis on Digital Signatures

  11. SAFE Value Potential
