safe biopharma association confidential1 safe public key infrastructure (pki) 2005...
TRANSCRIPT
SAFE BioPharma Association CONFIDENTIAL1
SAFE Public Key Infrastructure (PKI)
SAFE Public Key Infrastructure (PKI)2005 EDUCAUSE/Dartmouth PKI Deployment Summit
SAFE BioPharma Association CONFIDENTIAL2
Topics
SAFE– What is SAFE?
– History?
– Framework
– Architecture
SAFE Bridge Authority – Architecture
– Timeline
Current Test environment for the SBCA – Architecture
– Services
– Test Package
SAFE BioPharma Association CONFIDENTIAL3
SAFE is a Bio-pharmaceutical Industry Standard that specifies
technical, legal, and regulatory compliance standards
SAFE delivers
unique electronic identity credentials
for legally enforceable & regulatory compliant
digital signatures
across the global biopharmaceutical environment
for
Business-to-Business and Business-to-Regulator transactions
SAFE – Secure Access For EveryoneSAFE – Secure Access For Everyone
SAFE BioPharma Association CONFIDENTIAL4
SAFE & Bio-Pharmaceutical Community
CONCEPTTrusted e-identity credentialsClosed contractual systemAccreditedBusiness focus
DRIVERSRegulatory complianceBusiness efficiencyCost savings
MAY 2003SAFE strategic PhRMA initiative
DEC 2003Seed investment 12 bio-pharmaceuticals
JUN 2004SAFE Standard v1.0
DEC 2004SAFE-Biopharma 8
bio-pharmaceutials
JUL & AUG
2005SAFE Bridge IOC & SAFE Standard v2.0
SAFE BioPharma Association CONFIDENTIAL5
SAFE-Biopharma
Member Issuer
Agreement
Agreement
Agreement
SAFE Community Framework
SAFE Standard• Business/Legal• Governance• Specifications
Services• SAFE Bridge CA• Directory• Issuer Services for
Medical Practitioners/Others
Full• For-Profit Entities• Not-For-Profit Entities• Government Orgs
Associate• Medical Practitioners• Other Entities/Individuals
designated by SAFE
Services• CA / RA / CSA• Credentials for Members• Identity Proofing
SAFE BioPharma Association CONFIDENTIAL6
Subscriber
SAFEMember
SAFEIssuer
SAFE-Biopharma
SAFE Architecture
Registration and Certificate Management Systems
SAFE Enabled Applications
SAFE BridgeCA
CentralSystems
End-UserSystems
MachineSystems
SAFECertificate
OCSPResponse
OCSPRequest
SAFE Cert.Authentication
C P
Details contained in SAFE CPC P Details contained in associatedTechnical Specification
SAFECertificate
CrossCertificates
C P
OCSPResponse
OCSPRequest
OCSPResponse
OCSPRequest
ValidationRequest &Response
Signing & ValidationRequest &Response
Signing & ValidationRequest &Response
SAFE BioPharma Association CONFIDENTIAL7
SAFE Bridge Authority (SBCA) Physical Layout
SAFE BioPharma Association CONFIDENTIAL8
SBCA Operational Authority – Cybertrust
2004
Sep SAFE SBCA RFP
2005
Jan Cybertrust chosen as operational authority for SBCA
Jan - Mar Contract negotiations
Mar - Jul Development of CPS, policies & procedures, test environment, and production environment
Jun 30 SBCA Root Key generation ceremony
Jul 26-27 SBCA acceptance testing [in progress]
Jul 29 Acceptance for Initial SBCA operations [planned]
Aug - Dec Initial Cross certification with initial SAFE Issuers [planned]
SAFE BioPharma Association CONFIDENTIAL9
SBCA Test Environment
Provides emulation of SBCA:– SBCA pre-production testing– SAFE Issuers cross-certifying with the SAFE Bridge CA– SAFE Application Testing – Accredited SAFE Product Certification Labs
Availability:– Operational NOW – Download package at http://safe-biopharma.org – No guaranteed service level– No support available
SAFE BioPharma Association CONFIDENTIAL10
SBCA Test EnvironmentSBCA Test Environment
SAFE BioPharma Association CONFIDENTIAL11
SBCA Test Environment Package
SAFE_CROSS-CERT_TEST_PKG– Version: 1.3– Released: 7/12/2005– TEST Readme file
Test package components:– 2 Test Issuers
• Emulates 2 test-only SAFE Issuers, cross-certified by test-only SBCA• Valid and revoked digital signature certificates - PKCS#12 format• Certificates provide all OCSP, CRL and directory URIs
– Cross-Certificates are available via URL– OCSP
• Accepting both signed & unsigned OCSP requests– Only tested unsigned request
• Only URL to access OCSP Responders– CRL
• For each test CA • Certificate is available via URL
– Cross Certificate Request• PKCS#10 certificate request from the test SBCA• The request is provided in both Binary and Base 64 formats
SAFE BioPharma Association CONFIDENTIAL12
SAFE Bridge Certificates - Test
Every CA has also issued an OCSP Responder certificate– The responder certificate is not explicitly trusted, but can be verified using the CA
cert
Except for the self signed roots, all certificates have the Authority Information Access (AIA) extension
– OCSP entry points to an internet accessible OCSP server– caIssuers entry points to an internet accessible URL for the issuing CA’s
certificate(s) contained in PKCS#7 files
Except for the self signed roots, all certificates have the CRL Distribution Point (CRLDP) extension
– HTTP URL points to an internet accessible location
The above properties allow certificate paths to be built and validated from any user certificate to either trusted root certificate
– Even without prior “knowledge” of the existence of the bridge!
SAFE BioPharma Association CONFIDENTIAL13
SAFE Bridge CA Test StructureSAFE Bridge CA Test Structure
MagiCure WaterTEST CA
SAFE Bridge CA TEST
Cybertrust SAFE IssuerTEST Root CA
Cybertrust From Bridge
MagiCure WaterFrom Bridge
Cybertrust SAFE Issuer Test Sub CA
End Entities
End Entities
SAFE BioPharma Association CONFIDENTIAL14
SAFE Bridge CA - TestSAFE Bridge CA - Test
MagiCure Water
SBCA Test
Cybertrust
Sub CA
OCSP
OCSPOCSP
OCSP
SAFE BioPharma Association CONFIDENTIAL15
Questions
Contact information: Russel F Weiser
PKI SME
Cybertrust Inc.
Cell 801-631-1685
SAFE contact information:Terry Zagar
SAFE Core Team
SAFE-BioPharma Association
Phone 301-527-6780