A Stake in the Ground - PowerPoint PPT Presentation

About This Presentation
Title:

A Stake in the Ground

Description:

ABA Section of Science and Technology--January 14-16, 1999 ... Employee ID smart cards. Secure E-mail/Secure FTP. Business to bank authentication (smart cards) ... – PowerPoint PPT presentation

Slides: 15
Provided by: parker3

Transcript and Presenter's Notes

Title: A Stake in the Ground


1
A Stake in the Ground
A Presentation to The ABA Section of Science and
Technology, Redwood City, California, January 16,
1999
The First Union Certification Authority
2
At some place along the Super Technobahn you have
to pull off to the side, pitch your tent, and set
up shop. The first thing you do is: Put a stake
in the ground!
- Hal Bore
3
Three Quick Points
  • We have put a stake in the ground
  • This is what we are doing
  • A challenge--from the business point of view

4
Point One-Putting a Stake in the Ground
  • Definition: A benchmark, a foundation, a
    beginning point
  • We are establishing the First Union National Bank
    Certification Authority (FunbCA).
  • We are aware that
      • the technology is still unsettled
      • CPS, CP, and other documentation approaches
        differ
      • legal and compliance issues are untested
      • user acceptance is still unclear
  • But, we need to start some place.

5
Point One-Putting a Stake in the Ground, p. 2
  • We have made certain assumptions
      • Certificates will be widely utilized by financial
        institutions
      • It is in FUNB's interest to be its own CA
      • Now is the appropriate time to establish the CA

[Diagram labels: 1, 2, 3; Research, Vision, Validation]
6
Point Two-Here Is What We Did
  • We set up the infrastructure for a fully
    operational certification authority.
  • Whose mission is: To provide PKI products and
    services to First Union business units and their
    customers. (Standards-based platforms.)
  • We are private-root based, currently partnered
    with
      • VeriSign Onsite for secured operational back-end
        services
      • KPMG for CPS, CP, and operational documentation
      • Tool kit, cryptography, and key management
        vendors as appropriate
  • We will be OCC licensed and likely operate as an
    FUNB sub-corporation.

7
Point Two-Here Is What We Did, p. 2
  • The initial products and services include
      • The issuance of digital certificates
          • Browser-based (personal ID and/or authorization)
          • Non-browser-based (application or device ID
            and/or authorization)
      • The management of their life cycles
      • Registration authority services and technical
        support services
      • Customer support and training
  • Structured to add additional products and
    services as appropriate
      • Abbreviated PKI systems?
      • Anonymous certificates?
      • Biometrics authentication services?

8
Point Two-Here Is What We Did, p. 3
9
Point Two-Here Is What We Did, p. 4
The FunbCA sub-corporation is sponsored through
Information Security Division, an operational
unit of Automation and Operations
10
Point Two-Here Is What We Did, p. 5
Our Approach to Policy
[Diagram: Certification Practice Statement, with four sets of: CPs Cert Type, Subscriber/RP Notice, Related Contract]
11
Point Two-Here Is What We Did, p. 6
Our Approach to Policy -- Discussion Points
  • Bank-wide policy
  • Management of LRAA
  • Management of Key Escrow
  • Management of Key Issuance/CRL
  • Audit policies/binding
  • Outsourcing and vendor relationships

Certification Practice Statement
  • Business unit aspects
  • Chain properties
  • Usage and legal definitions of certificates
    (internal/external)
  • Specific RA components (revocation/credentials)

CPs Cert Type
Subscriber/RP Notice
  • Subscriber/Relying Party
  • Click through or acceptance document

Related Contract
12
A Sample of emerging PKI uses at FUNB
  • Applications to back-end servers
  • Devices to back-end servers
  • Employee ID smart cards
  • Secure E-mail/Secure FTP
  • Business to bank authentication (smart cards)
  • Single sign-on platforms (consumer/commercial)

Point Two-Here Is What We Did, p. 6
13
A Challenge--from the business point of view
  • We are not in a business driven environment!
  • Technologists, standards bodies, legal and
    governmental bodies are developing far beyond the
    business case headlights.
  • This is not a bad thing!
  • It does leave a gap and confusion about
    expectations.
  • It is even in the self-serving best interest of
    all parties to help those of us driving stakes in
    the ground meet with meaningful and visible
    success in the marketplace.
  • How do we do this?
      • Mentoring
      • Joint efforts beyond our normal models

14
Questions- and Contact Information
  • Parker Foley, Vice President
  • Secure Electronic Commerce
  • Information Security Division
  • First Union National Bank
  • (704) 590-2471
  • (704) 590-6841 (FAX)
  • parker.foley_at_firstunion.com