Strategies for the implementation of a Public Key Authentication Framework (PKAF) in Australia
SAA MP 75-1996
PUBLISHED BY STANDARDS AUSTRALIA (STANDARDS ASSOCIATION OF AUSTRALIA) 1 THE CRESCENT, HOMEBUSH, NSW 2140
ISBN 0 7337 0802 1
Standards Australia
ABSTRACT
As electronic commerce becomes commonplace, there is a growing need for users to ensure that electronic transactions can be validated. Compatible national and international systems of digital signatures are necessary for the introduction of secure electronic commerce. Standards Australia formed the Public Key Authentication Framework (PKAF) Task Group to examine all options for operating a national system for the creation and management of digital signatures as well as being compatible with systems in other countries. This strategy report describes issues and recommendations relevant to Australia's businesses and government operations, and also addresses compatibility issues between organizations and private citizens (both locally and internationally). Policy and legal issues are also canvassed.
This is a free 14 page sample. Access the full version at http://infostore.saiglobal.com.
Copyright
STANDARDS AUSTRALIA
Users of Standards are reminded that copyright subsists in all Standards Australia publications and software. Except where the Copyright Act allows and except where provided for below no publications or software produced by Standards Australia may be reproduced, stored in a retrieval system in any form or transmitted by any means without prior permission in writing from Standards Australia. Permission may be conditional on an appropriate royalty payment. Requests for permission and information on commercial software royalties should be directed to the head office of Standards Australia. Standards Australia will permit up to 10 percent of the technical content pages of a Standard to be copied for use exclusively in-house by purchasers of the Standard without payment of a royalty or advice to Standards Australia. Standards Australia will also permit the inclusion of its copyright material in computer software programs for no royalty payment provided such programs are used exclusively in-house by the creators of the programs. Care should be taken to ensure that material used is from the current edition of the Standard and that it is updated whenever the Standard is amended or revised. The number and date of the Standard should therefore be clearly identified. The use of material in print form or in computer software programs to be used commercially, with or without payment, or in commercial contracts is subject to the payment of a royalty. This policy may be varied by Standards Australia at any time.
TABLE OF CONTENTS
1 INTRODUCTION
  1.1 Background
  1.2 Purpose of a Public Key Authentication Framework
  1.3 Scope of the Public Key Authentication Framework (PKAF)
  1.4 Standards
2 TERMINOLOGY
  2.1 Certificate
  2.2 Certification Authority (CA)
  2.3 Certification Block
  2.4 Digital Signature
  2.5 Digitized Signature
  2.6 Distinguished Name
  2.7 Intermediate Certification Authority (ICA)
  2.8 Organizational Registration Authority (ORA)
  2.9 Policy and Root Registration Authority (PARRA)
  2.10 Public Key Authentication Framework (PKAF)
  2.11 PKAF Infrastructure
  2.12 Revocation of Certificate
  2.13 Trusted
  2.14 Trustedness
  2.15 Valid Certificate
3 PKAF REQUIREMENTS
  3.1 Summary of Key PKAF Requirements
    3.1.1 User Authentication
    3.1.2 Certification Policies
    3.1.3 Certification Practice Statements
    3.1.4 Trusted Certification Authority
    3.1.5 Multiple Certificates
    3.1.6 Certificate Revocation Lists
    3.1.7 Services of CA
  3.2 General Infrastructure Requirements
    3.2.1 Trust
    3.2.2 Interoperability
    3.2.3 Naming Convention
    3.2.4 Scalability
    3.2.5 Flexibility
    3.2.6 Archiving
  3.3 Key Generation and Management
    3.3.1 Certified Key Generation
    3.3.2 Secure Key Generation and Key Management
    3.3.3 Key Backup
    3.3.4 Initiating Revocation
    3.3.5 Notice of Revocation
    3.3.6 Presumptions in Adjudications
  3.4 Certification Authority (CA) Requirements (applicable to PARRA, ICA, ORA)
    3.4.1 Level of Trust
    3.4.2 Availability
    3.4.3 Services and Functions
      3.4.3.1 User Authentication
      3.4.3.2 Certificate Generation
      3.4.3.3 Certificate Distribution
      3.4.3.4 Certificate Storage and Retrieval
      3.4.3.5 Certificate Revocation Request
      3.4.3.6 CRL Generation and Maintenance
      3.4.3.7 CRL Distribution
      3.4.3.8 CRL Storage and Retrieval
    3.4.4 Auditing
    3.4.5 Archiving
  3.5 Organizational Registration Authority (ORA) Requirements
    3.5.1 Level of Trust
    3.5.2 Availability
    3.5.3 Services and Functions
      3.5.3.1 User Verification and Authentication
      3.5.3.2 Certification Request
      3.5.3.3 Certificate Receipt
      3.5.3.4 Delivery of New Certificate
      3.5.3.5 Certificate Revocation Request
      3.5.3.6 Auditing
      3.5.3.7 Archiving
  3.6 Information Services
    3.6.1 Information
    3.6.2 Revoked Certificates
    3.6.3 Current Certificates
  3.7 Certificates
    3.7.1 Personal Certificates
    3.7.2 Multiple Certificates
    3.7.3 Role-based Certificates
    3.7.4 Anonymous Certificates
    3.7.5 CA Certificates
    3.7.6 Certificate Format
  3.8 Certificate Revocation List
  3.9 Users
    3.9.1 Applications as Users
    3.9.2 Unlisted Entities
  Public Key Authentication Framework (PKAF)
  Presumptions in Adjudications
  Availability of the Certificate
  Certificate
  Valid Certificate
  Certificate Effective and Expiration Dates
  Certificate Revocation
  Initiating Revocation
  Notice of Revocation
  4.10 Revocation of Certificate
  4.11 Certification Authority's Representations in Certificate
  4.12 Certification Authority's Responsibilities
  4.13 Employees and Contractors
  4.14 Generating the Key Pair
  4.15 Security
  4.16 User Representations
  4.17 Records
  4.18 Safeguarding Private Keys
  4.19 User Responsibilities
  4.20 Integrity and Retention
  4.21 Liability
  4.22 Liability Policy
5 CONSIDERED STRUCTURES FOR PKAF ELEMENTS
  5.1 Architectural Options
    5.1.1 Architectural Option (a)
    5.1.2 Architectural Option (b)
    5.1.3 Architectural Option (c)
    5.1.4 Comparison of Architectural Options
  5.2
  5.3
6 COMPOSITION, ROLES AND FUNCTIONS OF THE PREFERRED STRUCTURE
  6.1 Policy and Root Registration Authority (PARRA)
    6.1.1 PARRA Composition
    6.1.2 PARRA Role
    6.1.3 PARRA Functions
    6.1.4 PARRA Process
  6.2 Intermediate Certification Authorities (ICA)
    6.2.1 ICA Composition
    6.2.2 ICA Examples
    6.2.3 ICA Role
    6.2.4 ICA Functions
    6.2.5 ICA Process
  6.3 Organizational Certification Authorities (OCA)
    6.3.1 OCA Composition
    6.3.2 OCA Examples
    6.3.3 OCA Role
    6.3.4 OCA Functions
    6.3.5 OCA Process
  6.4 Organizational Registration Authorities (ORA)
    6.4.1 ORA Composition
    6.4.2 ORA Examples
    6.4.3 ORA Role
    6.4.4 ORA Functions
    6.4.5 ORA Process
  6.5 Consolidated Proposed PKAF Structure
  A.2 Practices and Procedures
    A.2.1 Procedures for the Operation of a Policy and Root Registration Authority
    A.2.2 Procedures for the Operation of a Certification Author
  A.3 Additional PKAF Standards
    A.3.1 Guidelines for Key Management
    A.3.2 Guidelines for Identification of People and Entities
APPENDIX B: GUIDELINES FOR STANDARDS
  B.1 Procedures for the Operation of a Certification Authority
    B.1.1 Functions
    B.1.2 Operational Requirements
    B.1.3 Technical Requirements
      B.1.3.1 Certificate Management Services
      B.1.3.2 Alert Management Services
      B.1.3.3 Protection of Private Digital Signature Keys
  B.2 Guidelines for Certification Authorities
APPENDIX C: LEGAL ISSUES 70
  C.1 Introduction
  C.2 Giving Legal Effect
  C.3 The PKAF Framework
  C.4 Overseas Reciprocal Arrangements
  Theft
  Contract Negotiation and Signing
APPENDIX G: MEMBERSHIP OF THE PUBLIC KEY AUTHENTICATION FRAMEWORK TASK GROUP
EXECUTIVE SUMMARY
Today's corporate and government communications environment is rapidly changing. Solutions to problems must cover: the explosion of inter-corporate and inter-government networking; the tremendous growth of applications such as electronic messaging and electronic commerce; efforts under the banner of business process re-engineering to automate workflow and eliminate expensive paper transactions in an expanding and increasingly competitive global market place; and remote access for mobile employees, clients and those working at home.
This report recommends a single purpose national framework for a national infrastructure that will enable strong authentication of users involved in electronic transactions. The system will provide for the unequivocal identification of an individual or entity (authentication). It does not provide specific assistance for a user who wishes to use encryption to reduce or prevent unauthorized access to data or information. This is in line with activities, both in Australia and overseas, to separate authentication techniques from encryption techniques.
The problem faced by corporations and governments is providing an infrastructure that will provide the necessary service and enable benefits to be gained. Public/private key cryptography is widely recognized as the enabling technology for authentication within a globally dispersed environment. This technology exists today. There is also a need to provide for supporting legislation, the establishment of trusted infrastructure services and the education of users and potential users.
The recommendations for this strategy are:
1 that a single national root authority be established in Australia, empowered to establish the framework for interoperation and cross-certification with other recognized national root authorities, in accordance with Section 6;
2 that the root authority accredit certification authorities which comply with the established framework of common policies, procedures and technologies;
3 that the PKAF requirements described in Section 3 be incorporated in the establishment brief of the root authority; and
4 that the necessary technical standards to support the PKAF structure be identified or developed and adopted, using internationally agreed standards where available.
1 INTRODUCTION
1.1 Background
Standards Australia formed a Task Group (see Appendix G for the Task Group's membership) to study the technical, policy and legal issues associated with establishing an infrastructure for the creation, management and distribution of signature key material and associated electronic signature certificates using public key techniques.
The Task Group examined infrastructure requirements and provided recommendations to establish a Public Key Authentication Framework (PKAF) for use within Australia. The group is representative of industry and government elements. As anticipated, the group has encountered aspects which may require government intervention. This report offers these recommendations as input to legislative, infrastructure and technical standards considerations.
This document was available for public comment during April and May 1996 and the comments received have been considered in accordance with Standards Australia's processes.
This report proposes a scheme for Australia but recognises that it must support international interoperability. The PKAF would need to be supported by appropriate legislation to confer legal status on digital signatures created and used under the scheme. There is also a need to define the liability of users when using the scheme.
1.2 Purpose of a Public Key Authentication Framework
facilitate the generation and management of public key certificates that bind the identity of users to their public key material in a trusted and legally based manner; and
provide users, directly or indirectly, with timely announcements of certificate revocations or key compromise.
It is a framework for providing a credible national digital signature system which is essential for the conduct of trade and business transactions over electronic communications paths.
1.3 Scope of the Public Key Authentication Framework (PKAF)
1.4 Standards
Standards are required for the Australian Public Key Authentication Framework to ensure interoperability. With such standards in place, it will be possible to implement the PKAF in a manner that provides trusted services available to all PKAF users. This report recommends a number of standards. These standards will, as a group, provide a statement of requirements for the implementation of the various components of the PKAF. The set of standards will be identified over a period of time, and it is expected