The ABA PAG


Presentation Transcript


  1. The ABA PAG. Rodney J. Petersen, J.D., Director, Policy and Planning, Office of Information Technology, University of Maryland

  2. Background
  • American Bar Association
  • Section of Science and Technology Law
  • Electronic Commerce Division
  • Information Security Committee
  • 1996 Digital Signature Guidelines
  • DRAFT PKI Assessment Guidelines (PAG)
    • Draft developed over a period of 5 years
    • Developed as an educational resource
    • Comments are due by October 18, 2001

  3. ABA Information Security Committee. A group of lawyers and non-lawyers: practicing attorneys in corporate, private, and government practice; information technologists; auditors; notaries from various legal regimes; trade experts; academics; and others dedicated to exploring and advancing the legal and information security aspects of e-commerce and information technology.

  4. Digital Signature Guidelines. Provided basic technical and legal guidelines regarding the rights and responsibilities of certification authorities, certificate subscribers, and relying parties for digital signature applications of PKI. http://www.abanet.org/scitech/ec/isc/digital_signature.html

  5. PKI Assessment Guidelines (DRAFT). The draft PAG provides an overview of PKI, discusses specific technical, legal, business, and policy issues related to PKI operations, and provides guidelines for the assessment of particular PKIs and their components. http://www.abanet.org/scitech/ec/isc/pag/pag.html

  6. Goals of the PAG
  • Provide a tool by which people can assess a PKI and its trustworthiness
  • Explain basic PKI assessment models, PKI assessment terminology, and the interface among, and implications of, business, legal, and technical issues in PKI
  • Provide guidance for the selection of policies, standards, and legal agreements, including certificate policies (CPs), certification practice statements (CPSs), relying party agreements, and subscriber agreements

  7. Goals (cont'd)
  • Promote smooth interoperation among different PKIs and their components
  • Provide an intellectual framework and educational resource for understanding PKI services, products, technologies, and emerging legal concepts

  8. The PAG is not intended to:
  • Dictate policies, processes, or legal doctrines
  • Mandate any particular model for assessment
  • Remain static
  • Be self-contained

  9. Overview of Contents
  • PKI Overview
  • Glossary of Definitions and Acronyms
  • Tutorial on Public Key Technology
  • Legal Preface
  • PAG Provisions
  • Appendices
  • Bibliography with Online URLs

  10. Legal Issues
  • Sources of Law
  • Agency Principles
  • Evidence and Expert Witnesses
  • Foundations and Presumptions
  • Consumer and Privacy Issues
  • Risk Management and Insurance

  11. PAG Provisions
  • General, Legal, and Business Provisions
  • Initial Validation of Identity, Authority, and/or Other Attributes
  • Certificate Life Cycle Operational Requirements
  • Management, Operational, and Physical Security Controls
  • Technical Security Controls
  • Certificate, CRL, and OCSP Profiles
  • Specification Administration

  12. General, Legal, and Business Provisions
  • Apportioning Legal Responsibilities and Potential Liability
    • Issue Summary
    • Relevant Considerations
    • Appropriate Requirements and Practices
  • Risk Management and Insurance
  • Financial Responsibility

  13. Provisions (cont'd)
  • Interpretation and Enforcement
  • Fees
  • Publication and Repositories
  • Compliance Audit and Other Assessments
  • Consumer Issues, Information Practices, Privacy
  • Intellectual Property Rights

  14. PKI Documentation
  • Policy Documents: convey at a high level the requirements to which a PKI adheres and the practices the PKI employs to meet these requirements
    • "Certificate Policy"
    • "Certification Practice Statement"
  • Agreements: bind participants to the requirements of the PKI
    • "Subscriber Agreement"
    • "Relying Party Agreement"
  • Security, Operational, and Auditing Practices: detailed policies, guidelines, and procedures

  15. Implications for Higher Ed
  • Policies and Procedures
  • NET@EDU PKI Working Group
  • EDUCAUSE Security Task Force
  • Policy and Legal Issues Committee
  • Contracts and Agreements
  • Academic Culture and Traditions
  • Practical Uses and Simplification
  • Coordination Across Communities

  16. For more information, contact:
  Rodney Petersen
  Phone: 301.405.7349
  Email: rp72@umail.umd.edu
  URL: www.oit.umd.edu/pp
  URL: www.umd.edu/NEThics
