TRANSCRIPT
Global eMRP PKI: Status
Craig Delmage, CISSP
Director, Entrust Ltd.
© Copyright Entrust, Inc. 2010
Entrust - World leader in Identity Solutions
• Global security solutions provider, 15 years
• HQ (US), R&D (Canada), offices (lots)
• Pioneer: 1st commercial PKI – 1995
• 1000+ global PKI deployments
• 15 eMRP projects (US, Canada, UK…)
• PKI software & identity card solutions
• PKI SaaS: PKI & credentialing services
Outline
1. Historical Timeline
2. BAC PKI Progression
3. EAC PKI Progression
4. Related PKI Advancements
The March of ePassports
Major Milestones (1998 – 2015)
[Timeline figure; milestones recoverable from the slide:]
• 1998: Malaysia issues the 1st biometric passport
• October 2005: U.S. requires a digital photo for VWP entry
• August 2006: EU BAC deadline
• September 2006: ICAO 9303 Pt. 1, Vol. 2
• October 2006: U.S. requires an eMRP for VWP entry
• Singapore: 1st EAC eMRP
• 2007: PKD deployed
• November 2007: Germany issues the 1st EU EAC eMRP
• 2008: U.S. VWP expansion to 34 countries
• June 2009: EU EAC deadline
• April 2010: all states must issue only MRPs
• 2011 (projected): 100th state to issue eMRPs
• 2015: only MRPs in circulation
[Chart, # countries deploying ePassports: 2004: 3; 2005: 10; 2006: 36; 2007: 49; 2008: 60; 2009: 75; 2010: 90; 2011: 100; 2012+: 115?]
BAC PKI Progression
• 2006: ICAO 9303 standards
• 2007: PKD deployment
• 2008: PKD Master List Signing (MLS)
• 2010: Validation channels
• Future: Supplemental Access Control (SAC)
1st Generation (BAC) ePassport Adoption (2010)
[World map, ~90 projects; legend: Pilot or Production / Considering or In Progress]
EAC PKI Progression
• 2006: EU EAC specification
• 2009: EU SPOC specification
• 2010: Validation channels
• 2010: Emergence of other 'communities of interest'
• 2011: Other applications (national ID smart cards)
• Future: LDS 2.0, border control optimization
2nd Generation (EAC) ePassport Adoption (2010)
[World map; legend: Pilot or Production / Considering or In Progress]
BAC and EAC Validation Channel
• From CA down to Inspection Station Client
  – CA > DS/DV > MLS/SPOC > Concentrator > Client
• For ongoing, automated distribution of PKI material
  – Certificates (DS, Link), Master Lists, CRLs, etc.
• Secure: authenticated, encrypted channel
• Certificate path validation
The March of eMRP PKI (1995 – 2012+)
[Timeline figure on a 2004 – 2012+ axis, with a PKI evolution row: "BAC", PKD, MLS, EAC, SPOC, SAC, ICAO BAC?; milestones recoverable from the slide:]
• 1995: World's 1st commercial PKI solution
• September 2006: ICAO 9303 PKI standards
• 1st ICAO-compliant BAC eMRP PKI
• 1st EAC eMRP
• 1st EU EAC eMRP
• 1st commercial 5-tier EAC architecture
• 1st BAC/EAC 'dual-rooted' eMRP PKI
• 1st EAC SPOC demonstrator
• 2010: 1st ICAO-compliant identity card (INTERPOL)
• Master List Signing (MLS) introduced
• PKD deployed
• EU BIG dissolves
• EU EAC refocus?
• SAC mandatory?
PKI: 5-Tier Architecture

Tier                 BAC PKI components                EAC PKI components
#1  Issuance         CSCA                              CVCA
#2  Issuance         Master List Signing (MLS)         Single Point of Contact (SPOC)
#3  Issuance         Document Signer                   Document Verifier
#4  Border Control   Inspection Station Concentrator   Inspection Station Concentrator
#5  Border Control   Inspection Station Client         Inspection Station Client

(The validation channel of the previous slide runs down from tier #2 to tier #5 in both columns.)
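Added example (not code from the slides or from Entrust): the validation chain of the "BAC and EAC Validation Channel" slide, taken down the BAC column of the table above, with a tier-1 CSCA, tier-3 Document Signers, a CRL distributed over the channel, and a tier-5 inspection client that performs certificate path validation against its Master List, checks the CRL, and only then verifies the document signature. It is written in Go against the standard library (Go 1.19 or later) and uses ECDSA P-256 keys, standing in for the ECC mentioned later in the deck. Country codes, serial numbers, validity periods, the LDS bytes and every function name are assumptions made for the example, and the SOD is reduced to a plain ECDSA signature over a hash of the LDS rather than the CMS structure a real passport carries.

```go
// Hypothetical model (not Entrust's or ICAO's code): a tier-1 CSCA issues tier-3
// Document Signers and a CRL; the tier-5 client trusts only Master List CSCAs.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue certifies a fresh P-256 key (ECC, per the later slide): with no parent
// it is a self-signed tier-1 CSCA, otherwise a tier-3 Document Signer under it.
func issue(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 3, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, // DS: short-lived, signature-only
	}
	if ca == nil { // CSCA: long-lived, may sign certificates and CRLs
		ca, caKey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.NotAfter = time.Now().AddDate(10, 0, 0)
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return key, must(x509.ParseCertificate(der))
}

// issueCRL builds the CRL that the validation channel pushes down to stations.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// checkPassport is the tier-5 client: path validation against the Master List,
// then the issuing CSCA's CRL (correctly signed and not expired), then passive
// authentication of the SOD signature (reduced here to ECDSA over the LDS hash).
func checkPassport(masterList *x509.CertPool, crls []*x509.RevocationList, ds *x509.Certificate, lds, sig []byte) error {
	chains, err := ds.Verify(x509.VerifyOptions{Roots: masterList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	issuer := chains[0][len(chains[0])-1]
	var crl *x509.RevocationList
	for _, c := range crls { // only a CRL signed by this CSCA and still current counts
		if c.CheckSignatureFrom(issuer) == nil && time.Now().Before(c.NextUpdate) {
			crl = c
		}
	}
	if crl == nil { // fail closed: no revocation information, no acceptance
		return errors.New("no current CRL for the issuing CSCA")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(ds.SerialNumber) == 0 {
			return errors.New("document signer is revoked")
		}
	}
	if h := sha256.Sum256(lds); !ecdsa.VerifyASN1(ds.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return errors.New("SOD signature invalid")
	}
	return nil
}

// runScenario checks a genuine document, one from a revoked DS, and one whose
// CSCA never reached the Master List; the three verdicts are returned.
func runScenario() (genuine, revoked, foreign error) {
	homeKey, home := issue("CSCA CA", 1, nil, nil)
	otherKey, other := issue("CSCA ZZ", 1, nil, nil) // constructed state, absent from the Master List
	dsKey, dsCert := issue("DS 100", 100, home, homeKey)
	badKey, badCert := issue("DS 101", 101, home, homeKey)
	fKey, fCert := issue("DS 200", 200, other, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(home)
	crls := []*x509.RevocationList{issueCRL(home, homeKey, badCert)}
	lds := []byte("constructed LDS content: DG1 and DG2 hashes")
	h := sha256.Sum256(lds)
	sign := func(k *ecdsa.PrivateKey) []byte { return must(ecdsa.SignASN1(rand.Reader, k, h[:])) }
	return checkPassport(pool, crls, dsCert, lds, sign(dsKey)),
		checkPassport(pool, crls, badCert, lds, sign(badKey)),
		checkPassport(pool, crls, fCert, lds, sign(fKey))
}

func main() { fmt.Println(runScenario()) }
```

Running it prints three verdicts: the genuine document passes, the document signed by the revoked DS is rejected at the CRL check, and the document from the CSCA that never reached the Master List fails path validation before any signature is examined. The client also fails closed when it holds no current CRL from the issuing CSCA, which is the operational reason the channel has to keep pushing CRLs and not only certificates.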
2010: World's First ICAO 9303 Compliant Identity Card (with BAC/EAC)
[Card images: front and back]
Employee ID – Physical Access – Logical Access
Other Related Advancements
• Automated Border Control (ABC) integration
• Elliptic curve cryptography (ECC)
• Hosted BAC/EAC PKI (cloud services)
• Hosted validation services
• LDS 2.0
• Emergence of 'virtual borders'
Hosted PKI
[Diagram: cloud PKI services with hosted validation]
LDS 2.0
• Potential for additional applications
• Potential for additional biometrics
• Storage and retrieval of visa info
• Recording and retrieval of entry/exit
• Implications for PKI
  – Additional support for CV PKI
  – Which objects to digitally sign?
Portable, Virtual Border Solutions
Summary
• BAC and EAC evolution continues
  – More advancements coming, e.g. SAC, LDS 2.0
  – Starting to be used for other applications
• EU EAC deadline missed
  – SPOC will ease deployment
• eMRP architecture will continue to evolve
  – Additional applications
  – Migration toward smart card formats
• PKI has kept up!
PKI is ready for future challenges!
Want to learn more?
Craig Delmage, CISSP
Director, Entrust Ltd.
[email protected]+1 (613) 270-3489