1	What is PKI and Where is its Future December 6, 2002
2	Business Need for PKI Authentication Identity of originator confirmed Non-Repudiation Originator cannot disavow transaction Integrity Information has not been altered Confidentiality Content hidden during transport
3	PKI Provides Privacy and Confidentiality Secure Transport File Encryption Secure e-mail Authentication Network components & end users Non-repudiation and Data Integrity Digital signature Trusted time stamp
4	Terms - PKI Participants Subscribers Hold private key, use certificates for digital signature, authentication, receipt of secure e-mail Relying Parties Rely on certificates, validate signatures, authenticate system users, send secure e-mail Certification Authority Authenticate subscribers, issue & manage certificates, publish CPS, publish certificate status for relying parties
5	Terms - Policy & Practices Certificate Policy Defines requirements and standards for issuance and management of keys and certificates and the obligations of all PKI entities Used to determine level of trust the certificate affords Certification Practice Statement Defines specific practices employed by CA for issuance and management of keys and certificates Used for accreditation Policy Interoperability CP and CPS have standard format & content Facilitates policy mapping between PKIs
6	Public Key Encryption Technology
7	Secure Messaging
8	Digital Signature
9	How Does eSigning Work What (document) WYSIWYS = What You See Is What You Sign Why (intent) Declarative statement within signing ceremony Who (authentication) Certificate binds individual to keys Certificate Policy defines trustworthiness of identity When (non-repudiation) Trusted Time Stamp
10	Certificate Value Issued by Certificate Authority Provides trust in identity by linking keys to individual or organization Method used authenticate identity Security of CA infrastructure Procedures and practices for life-cycle management Level of Assurance is dependant upon all of these variables Certificate Policy defines Levels of Assurance
11	Public Key Infrastructure Requires a Trusted Certification Authority Why is the Certification Authority important? Entity that ‘vouches’ for subscriber identity Entity that is potentially liable for trust decisions made by relying parties Why is subscriber authentication important? Primary basis for trust between parties Level of trust dependent upon method of authentication
12	PKI Landscape
13	Trust Interoperability Needed if Certificates are used outside the Enterprise Hierarchical PKI with common trust anchor Intrastate – State Root Authority Interstate – Federal Root Authority Cross Certification another option Possible only if policies can be mapped Federal Bridge
14	Historical Challenge Return on investment Restrictive use Perceived technical complexity Labor intensive support In-House vs. Outsource Speed of deployment
15	Not Only a Technical Project Legal Policies, Liability, Cross Certification, … Organizational Registration, Distribution, Revocation, Help Desk, Training Operational Secure Data Centers, Disaster Recovery, Audits
16	Business Need Still Exists HIPAA Homeland Security eGovernment and eCommerce Paperwork Reduction Application Modernization
17	What Organizations Want Certificates that are accepted nationwide for government, commercial, and financial transactions A trusted CA with strong internal controls over issuance, distribution, and management Policies that are enforceable nationwide An issuer that will not go out of business Liability protection Reasonable pricing
18	Next Wave A Federal Government Issued Certificate Common legal and policy framework Useable and enforceable nationally Economies of scale for cost of operations Could bridge internationally to other nationally endorsed Certificate Authorities Not a National ID-Card Privacy protection Participation optional