Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Rich furr 20111017 topics 2 & 3


Published on

Preso from SAFE-Biopharma's Rich Furr on standards relevant to e-identity: for IIW October 2011

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Rich furr 20111017 topics 2 & 3

  1. 1. NSTIC DayHow does industry drive forward SAFE-BioPharma Association
  2. 2. TopicsTopic C: Assurance levels, “frameworks“, interparty liabilityTopic D: Device-specific methods: mobile; smartcards; browserDNT, etc.– PKI, non-PKI 2 SAFE-BioPharma Association
  3. 3. Assurance levels, “frameworks“, interparty liabilityOMB 04-04– Level 1: Little or no confidence in the asserted identity’s validity– Level 2: Some confidence in the asserted identity’s validity– Level 3: High confidence in the asserted identity’s validity– Level 4: Very high confidence in the asserted identity’s validityNIST SP 800-63 provides additional guidance per level– Registration and identity proofing– Tokens– Token and credential management mechanisms– Protocols used to support the authentication mechanism between the Claimant and the Verifier– Assertion mechanisms 3 SAFE-BioPharma Association
  4. 4. Assurance levels, “frameworks“, interparty liabilityPKI– FBCA • Six increasing, qualitative levels of assurance: Rudimentary, Basic, Medium, PIV-I Card Authentication, Medium Hardware, and High.– Also Medium Hardware Commercial Best Practices (CBP) Assurance RequirementsNon-PKI– FICAM • Levels 1-3 4 SAFE-BioPharma Association
  5. 5. 4BF – Interlinked PKI Network of Trusted Cyber- Communities Abbott SA Exostar Citi Merck EADSI Boeing Raytheon REBCA J&J&J AZ SAFE SAFE:Vz Lockeed CertiPath Bridge CA Biz/Chosen/ Martin Bridge CA Other pharmass TranSped Federal GPO Northrop Bridge CA Grumman SSP SITA Entrust Fed Common DoJ Policy Root CA GSA ARINC VeriSign MSO CertiPath Common Policy GPO ORC Root CA VeriSign US Treasury SSP SSP DoL DoE EPA HUD DoT SSA US PTO Verizon Bus Exostar DoD NRC NASA SSP Interoperability DHS DoJ Root E-Commerce EOP HHS VDoT DoD VA DEA USPS Dept. of State State of Illinois ACES 5 SAFE-BioPharma Association
  6. 6. Non-PKI TFPsFICAM certified– LOA 1 – OIX– LOA 1-2 – InCommon– LOA 1-3 – KantaraIn process– LOA 2-3 – SAFE-BioPharma Assn– Under TFET review 6 SAFE-BioPharma Association
  7. 7. Interparty LiabilitySAFE-BioPharma– Closed membership association– Dispute resolution process governs adjudication • Agree not to sue but rather arbitrate– Liability covered under Operating Policies and Member/Issuer Agreements • Specific caps related to credential management only • Does not cover use of credentialsOther TFPs– Part of why we are here 7 SAFE-BioPharma Association
  8. 8. Authentication and credentialsPKI is covered by the FBCA CP and CPS– Multiple certificate types– Hardware, software and roaming • Roaming currently classed as software by the FBCA • Moving to cloud-based solutions – SAFE-BioPharma/Verizon offering cloud-based HSM protected certificatesNon-PKI– NIST SP 800-63– Issue – currently approved version dates to 2006 and is technically out of date and does not recognize non-PKI multi-factor tokens– Much of industry working with the Dec 2008 (now Jun 2011 draft) • Includes much broader definitions of acceptable tokens at various LOAs 8 SAFE-BioPharma Association
  9. 9. Token typesWho is doing what and how?PKI Smartcards, USB hardware tokens, software tokens on machines/mobile devices, cloud HSMsNon-PKI– LOA 1&2 – memorized secrets, pre-registered knowledge tokens– LOA 2 - look up secret, out of band, SF one-time password device, SF crypto device– LOA 3 – multiple tokens (NIST SP 800-63 (June 2011 draft), Table 7) 9 SAFE-BioPharma Association