SAFE BioPharma Association CONFIDENTIAL1

SAFE Public Key Infrastructure (PKI)

SAFE Public Key Infrastructure (PKI)2005 EDUCAUSE/Dartmouth PKI Deployment Summit

SAFE BioPharma Association CONFIDENTIAL2

Topics

SAFE– What is SAFE?

– History?

– Framework

– Architecture

SAFE Bridge Authority – Architecture

– Timeline

Current Test environment for the SBCA – Architecture

– Services

– Test Package

SAFE BioPharma Association CONFIDENTIAL3

SAFE is a Bio-pharmaceutical Industry Standard that specifies

technical, legal, and regulatory compliance standards

SAFE delivers

unique electronic identity credentials

for legally enforceable & regulatory compliant

digital signatures

across the global biopharmaceutical environment

for

Business-to-Business and Business-to-Regulator transactions

SAFE – Secure Access For EveryoneSAFE – Secure Access For Everyone

SAFE BioPharma Association CONFIDENTIAL4

SAFE & Bio-Pharmaceutical Community

CONCEPTTrusted e-identity credentialsClosed contractual systemAccreditedBusiness focus

DRIVERSRegulatory complianceBusiness efficiencyCost savings

MAY 2003SAFE strategic PhRMA initiative

DEC 2003Seed investment 12 bio-pharmaceuticals

JUN 2004SAFE Standard v1.0

DEC 2004SAFE-Biopharma 8

bio-pharmaceutials

JUL & AUG

2005SAFE Bridge IOC & SAFE Standard v2.0

SAFE BioPharma Association CONFIDENTIAL5

SAFE-Biopharma

Member Issuer

Agreement

Agreement

Agreement

SAFE Community Framework

SAFE Standard• Business/Legal• Governance• Specifications

Services• SAFE Bridge CA• Directory• Issuer Services for

Medical Practitioners/Others

Full• For-Profit Entities• Not-For-Profit Entities• Government Orgs

Associate• Medical Practitioners• Other Entities/Individuals

designated by SAFE

Services• CA / RA / CSA• Credentials for Members• Identity Proofing

SAFE BioPharma Association CONFIDENTIAL6

Subscriber

SAFEMember

SAFEIssuer

SAFE-Biopharma

SAFE Architecture

Registration and Certificate Management Systems

SAFE Enabled Applications

SAFE BridgeCA

CentralSystems

End-UserSystems

MachineSystems

SAFECertificate

OCSPResponse

OCSPRequest

SAFE Cert.Authentication

C P

Details contained in SAFE CPC P Details contained in associatedTechnical Specification

SAFECertificate

CrossCertificates

C P

OCSPResponse

OCSPRequest

OCSPResponse

OCSPRequest

ValidationRequest &Response

Signing & ValidationRequest &Response

Signing & ValidationRequest &Response

SAFE BioPharma Association CONFIDENTIAL7

SAFE Bridge Authority (SBCA) Physical Layout

SAFE BioPharma Association CONFIDENTIAL8

SBCA Operational Authority – Cybertrust

2004

Sep SAFE SBCA RFP

2005

Jan Cybertrust chosen as operational authority for SBCA

Jan - Mar Contract negotiations

Mar - Jul Development of CPS, policies & procedures, test environment, and production environment

Jun 30 SBCA Root Key generation ceremony

Jul 26-27 SBCA acceptance testing [in progress]

Jul 29 Acceptance for Initial SBCA operations [planned]

Aug - Dec Initial Cross certification with initial SAFE Issuers [planned]

SAFE BioPharma Association CONFIDENTIAL9

SBCA Test Environment

Provides emulation of SBCA:– SBCA pre-production testing– SAFE Issuers cross-certifying with the SAFE Bridge CA– SAFE Application Testing – Accredited SAFE Product Certification Labs

Availability:– Operational NOW – Download package at http://safe-biopharma.org – No guaranteed service level– No support available

SAFE BioPharma Association CONFIDENTIAL10

SBCA Test EnvironmentSBCA Test Environment

SAFE BioPharma Association CONFIDENTIAL11

SBCA Test Environment Package

SAFE_CROSS-CERT_TEST_PKG– Version: 1.3– Released: 7/12/2005– TEST Readme file

Test package components:– 2 Test Issuers

• Emulates 2 test-only SAFE Issuers, cross-certified by test-only SBCA• Valid and revoked digital signature certificates - PKCS#12 format• Certificates provide all OCSP, CRL and directory URIs

– Cross-Certificates are available via URL– OCSP

• Accepting both signed & unsigned OCSP requests– Only tested unsigned request

• Only URL to access OCSP Responders– CRL

• For each test CA • Certificate is available via URL

– Cross Certificate Request• PKCS#10 certificate request from the test SBCA• The request is provided in both Binary and Base 64 formats

SAFE BioPharma Association CONFIDENTIAL12

SAFE Bridge Certificates - Test

Every CA has also issued an OCSP Responder certificate– The responder certificate is not explicitly trusted, but can be verified using the CA

cert

Except for the self signed roots, all certificates have the Authority Information Access (AIA) extension

– OCSP entry points to an internet accessible OCSP server– caIssuers entry points to an internet accessible URL for the issuing CA’s

certificate(s) contained in PKCS#7 files

Except for the self signed roots, all certificates have the CRL Distribution Point (CRLDP) extension

– HTTP URL points to an internet accessible location

The above properties allow certificate paths to be built and validated from any user certificate to either trusted root certificate

– Even without prior “knowledge” of the existence of the bridge!

SAFE BioPharma Association CONFIDENTIAL13

SAFE Bridge CA Test StructureSAFE Bridge CA Test Structure

MagiCure WaterTEST CA

SAFE Bridge CA TEST

Cybertrust SAFE IssuerTEST Root CA

Cybertrust From Bridge

MagiCure WaterFrom Bridge

Cybertrust SAFE Issuer Test Sub CA

End Entities

End Entities

SAFE BioPharma Association CONFIDENTIAL14

SAFE Bridge CA - TestSAFE Bridge CA - Test

MagiCure Water

SBCA Test

Cybertrust

Sub CA

OCSP

OCSPOCSP

OCSP

SAFE BioPharma Association CONFIDENTIAL15

Questions

Contact information: Russel F Weiser

PKI SME

Cybertrust Inc.

Russ.Weiser@cybertrust.com

Cell 801-631-1685

SAFE contact information:Terry Zagar

SAFE Core Team

SAFE-BioPharma Association

terry.zagar@ngc.com

Phone 301-527-6780