© 2003 The MITRE Corporation. All rights reservedFor Internal MITRE Use

Addressing ISO-RTOe-MARC Concerns: Clarifications and Ramifications

Response to ISO RTO Recommendations

2

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations

Recommendation 1– The e-MARC CP must require that all e-MARC certificates be fully

compliant with the X.509 standard.

Clarification:

e-MARC has always been X509 compliant

Believe this recommendations is targeted at the use of specific fields within the X509 format (e.g., OIDs)

Solution:

The e-MARC CP can be modified to list the OIDs of CAs which have completed e-MARC validation

CAs CPS must be validated against the e-MARC CP for e-MARC compliance

Ramification:

The PA will have the increased burden of publishing OIDs that meet the minimum requirements of e-MARC and re-issuing the e-MARC CP

3

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations

Recommendation 2

– Adopt a basic trust model that multiple providers and intended users can handle.

– Clarification: Remove the requirement for an e-MARC hierarchy

Based on past discussions, the desired option is a “Web of Trust”

Each approved CA will need to be populated to participating certificates stores (browsers, web servers, applications)

– Ramification: ‘Web of Trust’ architecture that leaves the onus on users and application owners to

maintain the appropriate security stance.

End users may not make the right decisions pertaining to acceptable vs unacceptable certificates.

Users may likely accept untrusted certificates rather then deny themselves access to particular servers and services.

Should a CA become untrusted in this model, there is no easy way of removing their certificate from all participating certificate stores

Requires users to be proactive

4

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations

Recommendation 2 (continued)– Let the CAs take care of the details required to comply with the

basic trust model rather than prescribing the details in the CP. – Clarification:

Interpreted as the e-MARC CP contains too much detail and should only provide general guidelines and not implementation details

– Ramification: The Certificate Policy followed the RFC 2527 template and is intended to

provide common policy to all CAs A Certificate Policy is "a named set of rules that indicates the applicability

of a certificate to a particular community and/or class of application with common security requirements."

Failure to hold ALL CAs to some common set of rules allows some to be less stringent in the enforcement of Policy

The Policy will be reviewed and unnecessary sections/conditions will be removed

Removal of CA hierarchy

Clean-up of Section 7 Certificate Profile

5

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations

Recommendation 2 (continued)

– Make the e-MARC CP a high-level policy document.

– The CP should limit itself to such things as how the trust is established (requirements for verifying user information and access needs) and certificate usage rules.

– Clarification: Requesting a trimmed down version of e-MARC that does not follow the outline as

specified under RFC 2527.

– Ramification: RFC 2527 is currently the industry standard for PKI CP and CPS documentation.

A Certificate Policy is "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements."

Failure to hold ALL CAs to some common set of rules allows some to be less stringent in the enforcement of Policy

Distributing a general guideline will not provide the level of security required to support the secure exchange of electronic data.

The Policy will be reviewed and unnecessary sections/conditions will be removed

Removal of CA hierarchy

Clean-up of Section 7 Certificate Profile

6

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations

Recommendation 2 (cont)– Do not require a trust chain with NERC or any other single

organization as the sole Root CA. Instead, encourage multiple qualified CAs, with the ability to cross-certify.

– Clarification: The recommendation is to eliminate the hierarchical architecture described

in the e-MARC CP. Suggest something simple like a ‘web of trust’ architecture be implemented

and not a true “cross-certification” of CAs.

– Ramification: A ‘web of trust’ requires users to import all e-MARC CA root certificates into

their certificate stores (web browsers, web servers, applications). In the event a CA is revoked, all users must be individually notified and the

revoked CA’s certificate must be manually removed from each certificate store.

Requires coordination of deployment of a new CA so that all users (browsers, servers, applications) are “aware” and “trust” the new CA

This can be an arduous task if the number of users is large.

7

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations

Recommendation 3– Allow the CAs to provide the flexibility of multiple levels of

assurance necessary according to risk (e.g. browser certificates for individuals and hardware tokens for shared or role-based systems).

– Clarification: Awaiting response for Kevin Perry

– Ramification:

8

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations Recommendation 3 (cont)

– Allow for two classes of certificates: SSL authentication Non-repudiable certificates

– Clarification: Recommendation is to support separate certificate profiles for SSL authentication and

non-repudiable transactions. SSL authentication would not require the non-repudiation bit

– Ramification: SSL provides mutual authentication from the client to the server and the server to the

client. Certificates used for SSL authentication would have only the digital signature bit set.

Implies that measure have not been taken to assure that the associated private key is in the sole control of the named individual

Little to no recourse on behalf of relying parties that the certificate is being used by named individual

NO additional assurance provided by using a PKI

Why incur cost and overhead of maintaining a PKI Community must be willing and ready to accept this risk

9

© 2003 The MITRE Corporation. All rights reserved

Response to ISO RTO e-MARC Recommendations Recommendation 4

– Revise the requirement for the prospective e-MARC CA to identify their assets.

For security reasons, it is unlikely that a commercial CA would be willing to identify the types and locations of their CA assets.

It is still appropriate for the e-MARC certification process to include a site visit to inspect the procedures and facilities.

– Clarification: Recommendation is to not require prospective e-MARC CAs to provide

information regarding network infrastructure and assets as part of the C&A process.

Recommendation supports an onsite visit to the CA facility as part of the C&A process.

– Ramification: To perform a thorough C&A procedure, an auditor must have a list of assets

that are used during the certificate issuance process. An onsite inspection of the CA facility will validate procedures specified in the

CPS are being implemented correctly. All information pertaining to the C&A procedure (s) is confidential and will not

be supplied to any external party, including the PA. The PA will only be notified if the prospective CA receives a ‘Passing’ or ‘Failing’

grade.