coen 351 e commerce security l.
Skip this Video
Loading SlideShow in 5 Seconds..
COEN 351: E-Commerce Security PowerPoint Presentation
Download Presentation
COEN 351: E-Commerce Security

Loading in 2 Seconds...

play fullscreen
1 / 14

COEN 351: E-Commerce Security - PowerPoint PPT Presentation

  • Uploaded on

COEN 351: E-Commerce Security. Public Key Infrastructure Assessment and Accreditation. Assessment for PKI. Assessment: Prescribed procedure for determining whether a system or one of its components satisfies defined criteria for trustworthiness and quality. . Assessment for PKI. Assessment:

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'COEN 351: E-Commerce Security' - marly

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
coen 351 e commerce security

COEN 351: E-Commerce Security

Public Key Infrastructure Assessment and Accreditation

assessment for pki
Assessment for PKI
  • Assessment:
    • Prescribed procedure for determining whether a system or one of its components satisfies defined criteria for trustworthiness and quality.
assessment for pki3
Assessment for PKI
  • Assessment:
    • Creates favorable legal presumptions.
      • Legal status.
      • Stronger presumptions for non-repudiation.
    • Necessary for licensing and accreditation.
    • Potential formal requirement for PKI interoperation.
      • This is the motivating example.
    • Creates public relations bonus and generates acceptance.
    • Helps in risk assessment and management.
      • Might be required for insurance purposes.
assessment for pki4
Assessment for PKI
  • Assessment is used by:
    • Service subscribers.
    • Relying parties.
    • Policy management authorities.
    • Certification and registration authorities.
    • Licensing and regulatory authorities.
assessment for pki5
Assessment for PKI
  • Formal qualification of Assessors
    • Some laws require assessors to be Certified Public Accountants.
    • Others specify required years of work in the security profession.
  • Material qualifications of Assessors
    • Independence.
    • Quality assurance for assessment work.
    • Educational and training qualifications.
assessment for pki6
Assessment for PKI
  • Assessment targets:
    • (System-level)
      • The overall PKI environment.
      • Systems and Subsystems.
      • Discrete Components.
      • PKI cryptomodules.
    • (Entity)
      • Primary certification authority controls.
      • Key and device management console.
      • Certificate life-cycle controls.
assessment for pki7
Assessment for PKI
  • Attributes of successful assessment criteria
    • Appropriateness.
      • Develop threat model first.
    • Objectivity.
    • Clarity.
    • Ubiquity.
      • general acceptance.
    • Extensibility.
      • Criteria can be updated for future developments.)
assessment for pki8
Assessment for PKI
  • Self-assessment.
  • Internal audit.
  • External audit.
system assessment criteria
System Assessment Criteria
  • Formal criteria have evolved:
    • U.S. Trusted Computer System Evaluation Criteria (TCSEC) 1985.
      • Orange Book.
        • Focused on confidentiality to protect national security secrets.
    • European Information Technology Security Evaluation Criteria (ITSEC) 1991.
assessment accreditation schemes
Assessment & Accreditation Schemes
  • Australia, Gatekeeper:
    • Australian government effort to enhance secure service delivery, streamline secure intragovernmental transactions, establish a “rational voluntary mechanism for the implementation of PKI by government agencies.”
    • Gatekeeper is also used to provide interoperationality among PKI providers.
    • Mandatory for vendors of PKI services for government.
    • Gatekeeper has two levels of authentication:
      • Entry-level
      • Full accreditation
system assessment criteria12
System Assessment Criteria
  • Canada: Government of Canada PKI
    • Allows links via cross-certification.
    • Expert teams establish tables of concordance between requester’s Certificate Policy (CP) and GoC PKI.
system assessment criteria13
System Assessment Criteria
  • US: Light Touch
    • State legislation influenced by Utah and Washington.
    • Reciprocity agreements (e.g. Minnesota, Utah, Washington)
system assessment criteria14
System Assessment Criteria
    • Requires security controls to ensure the integrity and confidentiality of Internet communications.