1 / 14

COEN 351: E-Commerce Security

COEN 351: E-Commerce Security. Public Key Infrastructure Assessment and Accreditation. Assessment for PKI. Assessment: Prescribed procedure for determining whether a system or one of its components satisfies defined criteria for trustworthiness and quality. . Assessment for PKI. Assessment:

marly
Télécharger la présentation

COEN 351: E-Commerce Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation

  2. Assessment for PKI • Assessment: • Prescribed procedure for determining whether a system or one of its components satisfies defined criteria for trustworthiness and quality.

  3. Assessment for PKI • Assessment: • Creates favorable legal presumptions. • Legal status. • Stronger presumptions for non-repudiation. • Necessary for licensing and accreditation. • Potential formal requirement for PKI interoperation. • This is the motivating example. • Creates public relations bonus and generates acceptance. • Helps in risk assessment and management. • Might be required for insurance purposes.

  4. Assessment for PKI • Assessment is used by: • Service subscribers. • Relying parties. • Policy management authorities. • Certification and registration authorities. • Licensing and regulatory authorities.

  5. Assessment for PKI • Formal qualification of Assessors • Some laws require assessors to be Certified Public Accountants. • Others specify required years of work in the security profession. • Material qualifications of Assessors • Independence. • Quality assurance for assessment work. • Educational and training qualifications.

  6. Assessment for PKI • Assessment targets: • (System-level) • The overall PKI environment. • Systems and Subsystems. • Discrete Components. • PKI cryptomodules. • (Entity) • Primary certification authority controls. • Key and device management console. • Certificate life-cycle controls.

  7. Assessment for PKI • Attributes of successful assessment criteria • Appropriateness. • Develop threat model first. • Objectivity. • Clarity. • Ubiquity. • general acceptance. • Extensibility. • Criteria can be updated for future developments.)

  8. Assessment for PKI • Self-assessment. • Internal audit. • External audit.

  9. System Assessment Criteria • Formal criteria have evolved: • U.S. Trusted Computer System Evaluation Criteria (TCSEC) 1985. • Orange Book. • Focused on confidentiality to protect national security secrets. • European Information Technology Security Evaluation Criteria (ITSEC) 1991.

  10. System Assessment Criteria

  11. Assessment & Accreditation Schemes • Australia, Gatekeeper: • Australian government effort to enhance secure service delivery, streamline secure intragovernmental transactions, establish a “rational voluntary mechanism for the implementation of PKI by government agencies.” • Gatekeeper is also used to provide interoperationality among PKI providers. • Mandatory for vendors of PKI services for government. • Gatekeeper has two levels of authentication: • Entry-level • Full accreditation

  12. System Assessment Criteria • Canada: Government of Canada PKI • Allows links via cross-certification. • Expert teams establish tables of concordance between requester’s Certificate Policy (CP) and GoC PKI.

  13. System Assessment Criteria • US: Light Touch • State legislation influenced by Utah and Washington. • Reciprocity agreements (e.g. Minnesota, Utah, Washington)

  14. System Assessment Criteria • HIPAA • Requires security controls to ensure the integrity and confidentiality of Internet communications.

More Related