Direct Project
Direct + Policy Enablement
12/06/10
Overview
• Policy Role In Direct
• Policy Enablement
• Security and Trust Support
• Architecture
• Tool Demo
Policy Role In Direct
• Scalable Trust
  • Philosophy for enabling Direct exchange between a large number of endpoints
  • Policy is a first-class citizen in scalable trust
    • Mitigates policy variance
  • Proposed Policy Requirements
    • Federal Community Requirements
    • Governance
• Trust Bundles
  • Technical solution to scalable trust
  • Bundle profiles define policy requirements
    • Only define and attest policy compliance
    • Cannot assert and enforce policy
  • Bundles alone are not enough
Policy Enablement
• Facilitate Policy Decisions at Runtime
  • Systemic assertion of policy profile compliance
• Direct 2.0 vs. Policy Enablement
  • 2.0 may imply specification changes
    • Potential compatibility issues
  • Policy enablement requires no specification changes
    • Optional module
    • Backward compatible at transport
Security and Trust Support
• Modular Components
  • Encryption
  • Signature
  • Cert Discovery
  • Trust Chaining
• Current Policy Ability
  • Simple binary trust decision based on certificate chain validation
Security and Trust Support
Current State – Outgoing Message
• Certificate Store
  • Dual Use Certificates
• Private Resolver
  • All non-expired
  • All non-revoked
• Public Resolver
  • All non-expired
  • All non-revoked
• Trust
  • Chain to trust anchor
Security and Trust Support
Current State – Incoming Message
• Certificate Store
  • Dual Use Certificates
• Private Resolver
  • All non-expired
  • All non-revoked
• Verification
  • Message integrity
• Trust
  • Chain to trust anchor
Security and Trust Support
• Optional Policy Enablement Module
  • Policy implemented as filters
  • Injected into the security and trust process
    • Private Certificate Resolution
    • Public Certificate Resolution
    • Trust Chain Validation
• Configurable Granularity
  • Message Direction
  • Message Source
  • Message Destination
  • Circles of Trust
• Can be applied to DNS or LDAP hosting
• Defined Policy Best Practices
Security and Trust Support
Policy Enabled State – Outgoing Message
• Certificate Store
  • Dual Use or Single Use Certificates
• Private Resolver
  • All non-expired
  • All non-revoked
• Public Resolver
  • All non-expired
  • All non-revoked
• Trust
  • Chain to trust anchor
• Policy Filter
  • Filter certs that meet configured criteria
Security and Trust Support
Policy Enabled State – Incoming Message
• Certificate Store
  • Dual Use or Single Use Certificates
• Private Resolver
  • All non-expired
  • All non-revoked
• Public Resolver
  • All non-expired
  • All non-revoked
• Verification
  • Message integrity
• Policy Filter
  • Filter certs that meet configured criteria
Policy Engine
• Policy Engine (direct-policy.jar)
  • Policy defined in a lexicon-specific language
  • Definition + X509 certificate processed by the engine
  • Engine evaluates a boolean value to indicate certificate compliance with the policy
• Policy filter equates to the policy engine process in the security and trust agent

Architecture

Architecture diagram (reconstructed from the slide's labels):
Policy Definition → Lexicon Parser → Compiler → Opcodes (intermediate state) → Executor → Boolean Decision
X509 Cert → Executor
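The pipeline on this slide, and the Policy Filter stage from the outgoing/incoming message slides, as an added toy engine in Python that is not the Direct Project's direct-policy.jar or its lexicon. The mini-lexicon, the field names in the certificate dicts, and the sample certificates are assumptions constructed for illustration.

```python
import re
# Added example (not the project's direct-policy.jar): a toy engine following the slide's
# pipeline definition -> lexicon parser -> compiler -> opcodes -> executor -> boolean.
# The mini-lexicon and the dict shape of a "certificate" are assumptions for illustration.
TOKEN = re.compile(r"\(|\)|==|!=|[A-Za-z0-9_.]+")
OPCODE = {"==": "EQ", "!=": "NE", "contains": "HAS"}
BINARY = {"EQ": lambda a, b: str(a) == b, "NE": lambda a, b: str(a) != b,
          "HAS": lambda a, b: b in (a or ()), "AND": lambda a, b: bool(a and b),
          "OR": lambda a, b: bool(a or b)}

def compile_policy(definition):           # lexicon parser + compiler -> opcode list
    toks, ops = TOKEN.findall(definition), []
    def factor():                         # not X | ( expr ) | field op value
        tok = toks.pop(0)
        if tok == "not": factor(); ops.append(("NOT",))
        elif tok == "(": expr(); toks.pop(0)          # drop the closing ')'
        else:
            op, val = toks.pop(0), toks.pop(0)
            ops.extend([("LOAD", tok), ("CONST", val), (OPCODE[op],)])
    def term():                           # factor (and factor)*
        factor()
        while toks and toks[0] == "and": toks.pop(0); factor(); ops.append(("AND",))
    def expr():                           # term (or term)*
        term()
        while toks and toks[0] == "or": toks.pop(0); term(); ops.append(("OR",))
    expr()
    return ops

def execute(ops, cert):                   # executor: opcodes vs one pre-parsed cert dict
    st = []
    for op in ops:
        if op[0] == "LOAD": st.append(cert.get(op[1]))    # None when the field is absent
        elif op[0] == "CONST": st.append(op[1])
        elif op[0] == "NOT": st.append(not st.pop())
        else:                                             # binary op: right operand on top
            b, a = st.pop(), st.pop()
            st.append(BINARY[op[0]](a, b))
    return bool(st.pop())

def policy_filter(definition, certs):     # the slide's Policy Filter stage
    ops = compile_policy(definition)
    return [c for c in certs if execute(ops, c)]

# Constructed sample certs (not real X.509 data): what the resolver stages would hand over.
SAMPLE_CERTS = [
    {"cn": "dr.smith", "eku": {"emailProtection"}, "policy_oids": {"1.2.3.4.5"}, "loa": "3"},
    {"cn": "clinic-gw", "eku": {"emailProtection", "serverAuth"}, "policy_oids": set(), "loa": "1"},
    {"cn": "lab-sys", "eku": {"serverAuth"}, "policy_oids": {"1.2.3.4.5"}, "loa": "3"},
]
DEFINITION = "eku contains emailProtection and (policy_oids contains 1.2.3.4.5 or loa == 3)"
```

Running `policy_filter(DEFINITION, SAMPLE_CERTS)` keeps only the `dr.smith` certificate; in a real agent the dicts would be populated from the parsed X.509 structure of certificates that already passed the expiry, revocation and chain checks on the preceding slides.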
Policy Engine Use Cases
• Build Policy Definitions
  • Tooling to build the definition file
• Policy filters in the security and trust agent
• Out-of-band policy validation
  • Trust bundle profile validation for anchors
  • End entity certificate validation against the CP or CPS
Release Schedule
• Q2 2013
  • Policy Engine
  • Security and Trust Agent
  • Configuration Service
  • Command Line Import and Configuration of Definitions
  • Gateway
  • Policy Validator
• Summer/Early Fall 2013
  • Visual Policy Builders
  • Config-UI integration
• Java RI 3.0 to include the Q2 2013 release components
For More Information
• Direct + Policy Proposal: http://wiki.directproject.org/file/detail/Direct+%2B+Policy+Enablement.docx
• Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum
• Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forum-summary-of-findings-report.pdf
• Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group
• Scalable Trust Story: https://secure.bluebuttontrust.org
Policy Validation Tool Demo
DEMO!!