1 / 15

Direct Project

Direct Project. Direct + Policy Enablement. Overview. Policy Role In Direct Policy Enablement Security and Trust Support Architecture Tool Demo. Policy Role In Direct. Scalable Trust Philosophy for enabling Direct exchange between a large number of endpoints

pearly
Download Presentation

Direct Project

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Direct Project Direct + Policy Enablement

  2. Overview • Policy Role In Direct • Policy Enablement • Security and Trust Support • Architecture • Tool Demo

  3. Policy Role In Direct • Scalable Trust • Philosophy for enabling Direct exchange between a large number of endpoints • Policy first class citizen in scalable trust • Mitigates policy variance • Proposed Policy Requirements • Federal Community Requirements • Governance • Trust Bundles • Technical solution to scalable trust • Bundle profiles define policy requirements • Only define and attest policy compliance • Can not assert and enforce policy • Bundles alone are not enough

  4. Policy Enablement • Facilitate Policy Decisions at Runtime • Systemic assertion of policy profile compliance • Direct 2.0 vs Policy Enablement • 2.0 may imply specification changes • Potential compatibility issues • Policy enablement requires no specification changes • Optional module • Backward compatible at transport

  5. Security and Trust Support • Modular Components • Encryption • Signature • Cert Discovery • Trust Chaining • Current Policy Ability • Simple binary trust decision based on certificate chain validation

  6. Security and Trust Support Current State – Outgoing Message • Certificate Store • Dual Use Certificates • Private Resolver • All non-expired • All non-revoked • Public Resolver • All non-expired • All non-revoked • Trust • Chain to trust anchor

  7. Security and Trust Support Current State – Incoming Message • Certificate Store • Dual Use Certificates • Private Resolver • All non-expired • All non-revoked • Verification • Message integrity • Trust • Chain to trust anchor

  8. Security and Trust Support • Optional Policy Enablement Module • Policy implemented as filters • Injected into security and trust process • Private Certificate Resolution • Public Certificate Resolution • Trust Chain Validation • Configurable Granularity • Message Direction • Message Source • Message Destination • Circles of Trust • Can be applied to DNS or LDAP hosting • Defined Policy Best Practices

  9. Security and Trust Support Policy Enabled State – Outgoing Message • Certificate Store • Dual Use or Single Use Certificates • Private Resolver • All non-expired • All non-revoked • Public Resolver • All non-expired • All non-revoked • Trust • Chain to trust anchor • Policy Filter • Filter certs that meet configured criteria

  10. Security and Trust Support Policy Enabled State – Incoming Message • Certificate Store • Dual Use or Single Use Certificates • Private Resolver • All non-expired • All non-revoked • Public Resolver • All non-expired • All non-revoked • Verification • Message integrity • Policy Filter • Filter certs that meet configured criteria

  11. Architecture • Policy Engine (direct-policy.jar) • Policy defined in lexicon specific language • Definition + X509 Certificate processed by engine • Engine evaluates boolean value to indicate certificate compliance with policy • Policy filter equates to policy engine process in security and trust agent Policy Definition X509 Cert Policy Engine Lexicon Parser Intermediate State Compiler Opcodes Executor Boolean Decision

  12. Policy Engine Use Cases • Build Policy Definitions • Tooling to build definition file • Policy filters in security and trust agent • Out of band policy validation • Trust bundle profile validation for anchors • End entity certificate validation to CP or CPS

  13. Release Schedule • Q2 2013 • Policy Engine • Security and Trust Agent • Configuration Service • Command Line Import and Configuration of Definitions • Gateway • Policy Validator • Summer/Early Fall 2013 • Visual Policy Builders • Config-UI integration • Java RI 3.0 to include Q2 2013 release components

  14. For More Information • Direct + Policy Proposal: http://wiki.directproject.org/file/detail/Direct+%2B+Policy+Enablement.docx • Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum • Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forum-summary-of-findings-report.pdf • Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group • Scalable Trust Story: https://secure.bluebuttontrust.org

  15. Policy Validation Tool Demo DEMO!!

More Related