SAFE Public Key Infrastructure PKI

1

SAFE Public Key Infrastructure (PKI)
Terry Zagar Chair, SAFE Operations Technology
Working Group April 21, 2005
2
Topics

• SAFE Biopharmaceutical Community
• SAFE Community Framework
• Architecture Drivers
• SAFE Architecture
• Certificate/OCSP Structure
• Building Understanding Conformance
• Future SAFE Directions

3
SAFE Bio-Pharmaceutical Community
MAY 2003
SAFE ? strategic PhRMA initiative

• CONCEPT
• Trusted e-identity credentials
• Closed contractual system
• Accredited
• Business focus
• DRIVERS
• Regulatory compliance
• Business efficiency
• Cost savings

DEC 2003
Seed investment ? 12 bio-pharmaceuticals
JUN 2003
SAFE Standard v1.0
DEC 2004
SAFE-Biopharma ? 8 bio-pharmaceutials
JUN 2005 planned
SAFE Bridge IOC SAFE Standard v2.0
4
SAFE Community Framework

• Services
• CA / RA / CSA
• Credentials for Members
• Identity Proofing

5
SAFE Architectural Drivers

• High trust system
• Pre-existing Member PKIs
• Minimum of reinvention
• Regulatory compliance
• Move burden from user to infrastructure
• Do not preclude other uses
• What time is it in ?

6
SAFE Architecture
SAFE Issuer
Registration and Certificate Management Systems
SAFE Certificate
SAFE Certificate
Cross Certificates
OCSP Response
OCSP Request
OCSP
SAFE Cert.
Response
Subscriber
Authentication
SAFE- Biopharma
SAFE Bridge CA
Central Systems
End-User Systems
Machine Systems
OCSP
Request
Validation Request Response
Signing Validation Request Response
Signing Validation Request Response
OCSP Response
OCSP Request
SAFE Member
SAFE Enabled Applications
Details contained in associated
Details contained in SAFE CP
Technical Specification
7
Key SAFE Certificate OCSP Features

• SAFE Subscriber Certificate
• Issuer Subject Distinguished Name field
• Subject Alternate Name extension
• Key Usage extension
• Authority Information Access extension
• Certificate Policies extension
• SAFE OCSP Request/Response
• SAFE certificate validation must use OCSP
• OCSP Responder must accept unsigned requests
• Nonce required for digital signature validation
  purposes only

8
Building Understanding Interoperability

• Participation
• Member working groups
• Member control mechanisms
• Member tools
• Issuers, Infrastructure providers, Application
  vendors, Integrators
• Accreditation
• Members
• Issuers
• Certification
• Application vendors
• Infrastructure providers
• Integrators

9
Future SAFE Directions

• Easing SAFE application enablement
• API Specification between applications and
  certificate validation software/services
• API Specification between applications and smart
  card/token middleware
• Verifying SAFE application enablement
• Designation of independent certification test
  labs
• Supporting other uses for SAFE identity
• SAFE specifications/guidance for authentication
  uses

10
Discussion