Title: SAFE Public Key Infrastructure PKI
1SAFE Public Key Infrastructure (PKI)
Terry Zagar Chair, SAFE Operations Technology
Working Group April 21, 2005
2Topics
- SAFE Biopharmaceutical Community
- SAFE Community Framework
- Architecture Drivers
- SAFE Architecture
- Certificate/OCSP Structure
- Building Understanding Conformance
- Future SAFE Directions
3SAFE Bio-Pharmaceutical Community
MAY 2003
SAFE ? strategic PhRMA initiative
- CONCEPT
- Trusted e-identity credentials
- Closed contractual system
- Accredited
- Business focus
- DRIVERS
- Regulatory compliance
- Business efficiency
- Cost savings
DEC 2003
Seed investment ? 12 bio-pharmaceuticals
JUN 2003
SAFE Standard v1.0
DEC 2004
SAFE-Biopharma ? 8 bio-pharmaceutials
JUN 2005 planned
SAFE Bridge IOC SAFE Standard v2.0
4SAFE Community Framework
- Services
- CA / RA / CSA
- Credentials for Members
- Identity Proofing
5SAFE Architectural Drivers
- High trust system
- Pre-existing Member PKIs
- Minimum of reinvention
- Regulatory compliance
- Move burden from user to infrastructure
- Do not preclude other uses
- What time is it in ?
6SAFE Architecture
SAFE Issuer
Registration and Certificate Management Systems
SAFE Certificate
SAFE Certificate
Cross Certificates
OCSP Response
OCSP Request
OCSP
SAFE Cert.
Response
Subscriber
Authentication
SAFE- Biopharma
SAFE Bridge CA
Central Systems
End-User Systems
Machine Systems
OCSP
Request
Validation Request Response
Signing Validation Request Response
Signing Validation Request Response
OCSP Response
OCSP Request
SAFE Member
SAFE Enabled Applications
Details contained in associated
Details contained in SAFE CP
Technical Specification
7Key SAFE Certificate OCSP Features
- SAFE Subscriber Certificate
- Issuer Subject Distinguished Name field
- Subject Alternate Name extension
- Key Usage extension
- Authority Information Access extension
- Certificate Policies extension
- SAFE OCSP Request/Response
- SAFE certificate validation must use OCSP
- OCSP Responder must accept unsigned requests
- Nonce required for digital signature validation
purposes only
8Building Understanding Interoperability
- Participation
- Member working groups
- Member control mechanisms
- Member tools
- Issuers, Infrastructure providers, Application
vendors, Integrators - Accreditation
- Members
- Issuers
- Certification
- Application vendors
- Infrastructure providers
- Integrators
9Future SAFE Directions
- Easing SAFE application enablement
- API Specification between applications and
certificate validation software/services - API Specification between applications and smart
card/token middleware - Verifying SAFE application enablement
- Designation of independent certification test
labs - Supporting other uses for SAFE identity
- SAFE specifications/guidance for authentication
uses
10Discussion