Post on 15-Jan-2016
PKI Records Management and Archive Issues
October 10, 2002
Phoenix, AZ
Charles Dollar
Dollar Consulting
ECURE 2002
Agenda
1. Introduction/Orientation
2. Digital Communication
3. What is PKI?
4. PKI Administrative Records Functions
5. PKI Operational Records v. PKI Electronic Recordkeeping Requirements
6. Recommendations
PKI Case Study: Overview
Not a PKI tutorial
Work for the National Archives and Records Administration
Opportunity for records managers/archivists
Digital communication
Closed and secure (national defense, VPN)
Open and secure (SSL)
Open and non-secure (PKI)
PKI a “hot technology”
E-Commerce
E-Governance
State of Illinois
What Is PKI?
A PKI is an asymmetric cryptography security environment that supports the transmission, delivery, and receipt of digital communications over a non-secure communications channel.
What Does PKI Do?
Authenticates sender of digital communications
Protects integrity of digital communications
Key Pair: Private, Public
Trusted third party
How PKI Works in Digital Communications
Hash Digest Values
337.60 KB
AaAEAACoAQAKAGjhX84+VC1d3)NgDiPHvG+/R8hKCAUCACOvWKATFOYIz3XS5gAAgI1wrAKO1geAAAAAAAAAAAAAAAA=
337.60 KB
AaAEAACoAQAKAGy2YV8gORjFeuf3yfnn7V)QMKBCgKywNfTD+avB8UVEYKAAAoUB2gKo1gEAALgAAAAAAAAAAAA=
Key PKI management concepts
PKI standard: X.509
Certificate Policy (CP): What
Certificate Practice Statement (CPS): How
PKI administrative records v. PKI transaction records
Little or no good practice guidance
Certificate Policy (CP) for Access Certificates for Electronic Services
General Provisions
Identification and Authentication
Operational Requirements
Physical, Procedural, and Personnel Security Controls
Technical Security Controls
Certificate and CRL Profiles
Policy Administration
CP Operational Requirements
Certificate Issuance & Acceptance
Certificate Suspension & Revocation
Computer Security Audit Procedures
Records “Archival”
Compromise & Disaster Recovery
Certificate Practice Statement (CPS)
To Be Discussed Later Under PKI Operational and Electronic Recordkeeping Requirements
PKI Records
ALL PKI RECORDS
  ADMINISTRATIVE RECORDS
    Unique Administrative Records
    Supporting Administrative Records
  TRANSACTION RECORDS
    Subscriber Use of Digital Signature
PKI Administrative Records
PKI Administrative Records Guidance Constraints
PKI records are not unique
PKI operational system v. PKI recordkeeping system
Some PKI records are paper-based
PKI functions
Plan/define PKI
Establish, startup, install
Operate
Audit/monitor
Reorganize/dismantle
PKI Functions, Activities, and EXAMPLE Records
Function: Plan/Define
Activities: Develop business plan; Authorize project; Develop project plan; Personnel requirements; In/out source analysis; Develop Certificate Policy; Develop Certificate Practice Statement; Develop Certificate Profile
Example Records: Project authorization; Project plan; In/out source analysis decision; Certificate Policy; Certificate Practice Statement

Function: Establish
Activities: Select Certificate Authority and Registration Authority; Select/establish Certificate Repository; Establish Certificate Archive; Create CA signature; Internal: install and test HW/SW; Test security
Example Records: Analysis/selection records for CA and RA; 3rd party validation records; CA key; Installation records; Test records; Security procedures

Function: Operate
Activities: Identity proof and register users; Issue digital certificates; Establish CRL; Maintain CRL; Suspend/revoke certificates; Renew certificates; Hire, train staff; Install HW/SW updates
Example Records: Identity proofing records; Subscriber agreement; Issuance/rejection of certificates; Certificates; CRL; Audit trail of CRL changes; Job applications and training records

Function: Audit/Monitor
Activities: Monitor external security; Investigate internal fraud; Internal audit of HW/SW security; External audit of HW/SW security; Create audit trail of PKI events; CA/RA renewal approval
Example Records: Investigative reports and disciplinary reports; Internal audit reports; External audit reports; Audit trail of PKI events; CA/RA renewal, approval documents

Function: Reorganize
Activities: Create plan to reorganize, consolidate, or terminate; Approve termination; Notify subscribers; Transfer inactive keys and CRLs to storage; Transfer consenting subscribers to new CA
Example Records: Decision documents; Plan to reorganize or terminate CA; List of subscriber notification; Subscriber transfer documentation; Approval of termination
Example Operate Functions and Related Records
Functions: Identity proof and register users; Issue digital certificates; Establish CRL; Maintain CRL; Suspend/revoke certificates; Renew certificates; Hire, train staff; Install HW/SW updates
Records: Identity proofing records; Subscriber agreement; Issuance/rejection of certificates; Certificates; CRL; Audit trail of CRL changes; Job applications and training records
PKI Requirements Overview
PKI Record capture
Operational
1. Accurate and complete at or near the time of the event
2. Event log that tracks all activities associated with capture
3. Automatic population of record series title, disposition, and vital records status
Recordkeeping
1. As database tables or as “rendered for viewing”
2. Technology neutral formats
3. Paper-based records
4. Document transfer of records to ERS
5. Confirm integrity of transferred records
6. Complete and accurate transfer of metadata
PKI records metadata
Operational
1. Augment event log data with series title, retention period, vital record status
2. For each unique event: common name, certificate number, date of event, distinguished name
3. Restrict changes in metadata to authorized persons
Recordkeeping
1. Minimum attributes specified in operational requirements
2. For CP and CPS use registered Object ID
3. View/print complete metadata
4. Computer generated unique id for each record
5. Record location of electronic and paper records
6. Human readable bar code for all paper records
7. Restrict changes to authorized persons
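The capture, metadata and transfer requirements on the two slides above can be exercised together. The following is an added illustration, not part of the original presentation: the function names, the records schedule with its retention values, and the sample events are all assumptions constructed for the example.

```python
import hashlib
import json

# The four per-event attributes listed on the "PKI records metadata" slide.
REQUIRED = ("common_name", "certificate_number", "date_of_event", "distinguished_name")
# Hypothetical records schedule (constructed values): event type ->
# (series title, retention period, vital record status).
SCHEDULE = {"issue": ("Certificates", "P10Y", True),
            "revoke": ("Audit trail of CRL changes", "P10Y", True)}
# Constructed sample events, not taken from any real CA log.
EVENTS = [
    {"event_type": "issue", "common_name": "Pat Example", "certificate_number": "1001",
     "date_of_event": "2002-10-10", "distinguished_name": "CN=Pat Example,O=Example Agency"},
    {"event_type": "revoke", "common_name": "Pat Example", "certificate_number": "1001",
     "date_of_event": "2002-11-01", "distinguished_name": "CN=Pat Example,O=Example Agency"},
]

def _digest(record):
    """SHA-256 over a canonical JSON form of the record, excluding its own id."""
    body = {k: v for k, v in record.items() if k != "record_id"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

def capture(event):
    """Augment one operational event-log entry with recordkeeping metadata."""
    missing = [k for k in REQUIRED if not event.get(k)]
    if missing:
        raise ValueError("incomplete event, missing: " + ", ".join(missing))
    series, retention, vital = SCHEDULE[event["event_type"]]
    record = dict(event, series_title=series, retention_period=retention,
                  vital_record=vital)
    record["record_id"] = _digest(record)  # computer-generated id, unique per content
    return record

def build_manifest(records):
    """Document the transfer to the ERS: the ids of every record sent."""
    return {"record_ids": sorted(r["record_id"] for r in records)}

def verify_transfer(manifest, received):
    """Return the problems found on the receiving (ERS) side; empty means intact."""
    problems, seen = [], set()
    for rec in received:
        rid = rec.get("record_id")
        seen.add(rid)
        if rid not in manifest["record_ids"]:
            problems.append(f"unexpected record {rid}")
        elif _digest(rec) != rid:
            problems.append(f"content or metadata altered in {rid}")
    problems += [f"missing record {r}" for r in manifest["record_ids"] if r not in seen]
    return problems
```

An unkeyed digest only detects change if the manifest reaches the ERS by a separate, trusted path; signing the manifest removes that dependency.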
Recommendations
Become knowledgeable about X.509
Get involved in PKI discussions NOW
Understand the differences between operational PKI systems and PKI recordkeeping requirements
Adopt/implement federal government guidance
Don’t accept “we can’t do that” from IT and PKI vendors
Make the risk management argument
Summary
Topics covered
Seize the opportunity
Questions?