Building trust on the internet Extending Attribute Protocols for Status Management and “Other Things” Patrick Richard, Xcert International


Building trust on the internet

Extending Attribute Protocols for Status Management and “Other Things”

Patrick Richard, Xcert International

Extending Attribute Protocols for Status Management and “Other Things”

Company Background

• Size: 80+ employees

• Incorporated: 1996 (Vancouver, BC)

• HQ: Walnut Creek, CA

• Funding: Private, backed by founder of RSA & Verisign

• Key partners & customers:


Extending Attribute Protocols for Status Management and “Other Things”

• Agenda (40 minutes)

– Conceptual History

– Products in Action

– Application Potential


PKI Enables Risk Management

• PKI provides a means to reduce the risk of business-to-business and business-to-consumer internet transactions

• PKI enables institutions to define trust relationships that can be:

– Published

– Audited

– Insured


Digital Certificates’ Role in Risk Management

Digital certificates are the ONLY technology to satisfy the requirements for secure transactions among trusted parties.


Certificate Formats and Risk Management

• Digital Certificates, as they are commonly used:

– contain generalized end-entity information

– this is used as part of the risk mitigation process

– Examples: name, email address, where you work, etc.


Certificate Attributes and Risk Management

• The collection of information carried in a Certificate is the lowest common denominator for risk-managing transactions

– Sometimes too little information

– Sometimes too much

• Normally no one cares who you are… they care about your ability to transact.


What is important

• Are the transaction-specific bindings between the participants and their relevant attributes

• Example:

– Joe Customer is the owner of the card

– The card is still valid

– The card has enough credit space for a transaction


The key concept

• PKI is really the practice of end-entity attribute assertion and management

• I.e.:

– CA asserts and distributes your name attribute

– VA asserts and distributes your status attribute

– AA asserts and distributes your credit attribute


Attribute Management Protocols

• A good, generalized and scalable attribute management protocol can be the basis for a highly efficient and effective PKI

• Eliminates re-inventing the wheel, solves scalability problems

• Relevant elements of the transaction are transmitted, nothing else


Effective Attribute Management Protocol Characteristics

• Ability to serve signed attributes

• Ability to generate static collections of signed attributes

• Ability to serve dynamic collections of signed attributes

• Ability to deal with caching and freshness


Real World Example: Certificate Status Management

• Most OCSP implementations rely upon CRLs (i.e. they proxy CRLs)

• Certificate Status is really just an attribute of the certificate being queried


Status Management in an Attribute-driven model

• Relating the current semantics against the model:

– CRL : static collection of status attributes

– Online query : signed response of status attribute

– OCSP : standard protocol front-end on CRL/online query
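The protocol characteristics listed earlier (signed attributes, static and dynamic collections, caching and freshness) and the mapping on this slide, as one added example that is not Xcert's code: a single resolver that treats the CRL as a signed static collection of status attributes and the online query as one signed status attribute, and trusts neither unless the signature verifies, the validity window is fresh, and the attribute actually binds to the queried serial. The HMAC key is a constructed stand-in for the VA's signing key, used only so the example runs offline.

```python
import hmac, hashlib, json

# Constructed stand-in for the VA's signing key. A deployed VA would sign with
# an asymmetric key pair; HMAC is used here only to keep the example offline.
VA_KEY = b"constructed-va-signing-key"

def sign(payload: dict) -> dict:
    """Attach a signature over the canonical JSON form of the attribute."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": payload, "sig": hmac.new(VA_KEY, body, hashlib.sha256).hexdigest()}

def verify(signed: dict) -> bool:
    """Constant-time check that the body is exactly what the VA signed."""
    body = json.dumps(signed["body"], sort_keys=True).encode()
    expected = hmac.new(VA_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def crl_collection(revoked, this_update, next_update):
    """Static collection of status attributes: the CRL in the slide's model."""
    return sign({"type": "status-collection", "revoked": sorted(revoked),
                 "thisUpdate": this_update, "nextUpdate": next_update})

def status_response(serial, revoked, now, lifetime):
    """One dynamically served status attribute: the online query."""
    return sign({"type": "status", "serial": serial,
                 "status": "revoked" if serial in revoked else "good",
                 "thisUpdate": now, "nextUpdate": now + lifetime})

def resolve_status(serial, signed, now):
    """Resolve a serial's status from either form with the same checks:
    signature first, then freshness (so a cached copy past nextUpdate is
    not reused), then that the attribute binds to the serial asked about."""
    if not verify(signed):
        return "untrusted"
    body = signed["body"]
    if not body["thisUpdate"] <= now < body["nextUpdate"]:
        return "stale"
    if body["type"] == "status-collection":
        return "revoked" if serial in body["revoked"] else "good"
    if body["type"] == "status" and body["serial"] == serial:
        return body["status"]
    return "untrusted"  # a valid answer about some other serial is no binding
```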


Technical Benefits

• A singular protocol and method for resolving identity and attribute bindings

• Works online and off-line

• Can be applied to multiple attributes, not just status

• Is 100% backwards compatible

• Provides infinite design flexibility


Business Benefits

• Most implementations hit a “Chinese Wall” when they attempt to scale

• Only cost effective way to scale

• Customers with 100,000+ users on 1.x products (circa 1997), also powers Public CAs

• Provides business opportunities for Attribute Assertion Providers


Current Real World Applications

• Pseudo-anonymous certificates

• High-assurance web transactions

• Value-based dynamic assertions

• Rollover and Revocation simplified

• Single certificate, many models (i.e. GUC)


PKI Elements


Future Implications

• Natural evolution is to Index attribute databases from certificates

• Truly Internet-wide certificates should ideally have minimized content

• Businesses are arising that focus exclusively on attribute management


Conclusion

• A comprehensive attribute management system can provide the backbone for a global deployment of PKI

• Common PKI problems can be easily resolved through the use of attribute management

• Primary obstacles today are not technical, but rather philosophical