Secure Identity Services Accreditation Corporation NIST PKI R&D Workshop April 17, 2007
Overview of SISAC
• Wholly-owned subsidiary of the Mortgage Bankers Association (MBA)
• Responsible for defining and maintaining interoperable policy, technical and accreditation requirements for issuing and managing digital certificates to be used in support of electronic mortgage processes and applications
• More information can be found at www.sisac.org
SISAC Model – Accreditation (diagram)
Parties shown: SISAC, Accredited Auditors, Accredited Issuing Authorities (AIAs), Relying Parties
1. Requirements
2. Apply
3. Accredit
4. Apply
5. Audit
6. Audit Letter
7. Accredit
8. Credential Reliance
SISAC Model – Operations (diagram)
• SISAC: Accreditation, Policy and Technical Requirements
• AIA1 through AIAn, each with an approved CPS, Root Key and Policy IDs, each operating Issuance, Management & Validation Services
• Certs go to Subscribers; Validation Services serve Relying Parties
CA Certificate Profile
• Non-critical authorityKeyIdentifier
• Non-critical subjectKeyIdentifier
• Critical basicConstraints with cA=TRUE
• Non-critical keyUsage with keyCertSign and cRLSign asserted
• Non-critical certificatePolicies with SISAC approved policy OID asserted
• Non-critical cRLDistributionPoints containing location of CRL information
• Non-critical authorityInfoAccess containing location of OCSP Responder
User Certificate Profile
• Non-critical authorityKeyIdentifier (must be same as subjectKeyIdentifier defined in CA Certificate for CA that issued this Device Certificate)
• Non-critical subjectKeyIdentifier
• Non-critical keyUsage with appropriate key usage bits asserted (except for keyCertSign and cRLSign, which are reserved for CA Certificates only)
• Non-critical certificatePolicies with SISAC approved policy OID asserted
• Non-critical cRLDistributionPoints containing location of CRL information
• Non-critical authorityInfoAccess containing location of OCSP Responder
Device Certificate Profile
• Non-critical authorityKeyIdentifier (must be same as subjectKeyIdentifier defined in CA Certificate for CA that issued this Device Certificate)
• Non-critical subjectKeyIdentifier
• Non-critical keyUsage with appropriate usage asserted (except for keyCertSign and cRLSign, which are reserved for CA Certificates only)
• Non-critical extendedKeyUsage with appropriate usage asserted based on device application (e.g., SSL); must adhere to extendedKeyUsage OIDs defined in RFC 3280
• Non-critical certificatePolicies with SISAC approved policy OID asserted
• Non-critical cRLDistributionPoints containing location of CRL information
• Non-critical authorityInfoAccess containing location of OCSP Responder
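As an added example (not from the SISAC deck), a Go checker that applies the extension rules of the three profiles above to a parsed certificate, plus a constructed CA and device certificate to run it against. The policy OID and the CRL/OCSP URLs are placeholders; Go's x509.CreateCertificate marks keyUsage critical by default, which the profiles forbid, so the checker reports that on both demo certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)

var sisacPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // placeholder, not the real SISAC OID

// CheckProfile applies the CA profile (isCA=true) or the User/Device profile to a parsed cert.
func CheckProfile(c, issuer *x509.Certificate, isCA bool) (bad []string) {
	note := func(cond bool, msg string) {
		if cond {
			bad = append(bad, msg)
		}
	}
	for _, e := range c.Extensions { // only a CA's basicConstraints is critical; all else non-critical
		note(e.Critical != (isCA && e.Id.String() == "2.5.29.19"), "criticality violates profile: "+e.Id.String())
	}
	note(!slices.ContainsFunc(c.PolicyIdentifiers, sisacPolicy.Equal), "certificatePolicies lacks the SISAC policy OID")
	note(len(c.SubjectKeyId) == 0 || string(c.AuthorityKeyId) != string(issuer.SubjectKeyId), "SKI missing or AKI != issuer SKI")
	note(len(c.CRLDistributionPoints) == 0 || len(c.OCSPServer) == 0, "CRL distribution point or OCSP responder missing")
	caBits := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	note(isCA && (!c.IsCA || c.KeyUsage&caBits != caBits), "CA needs cA=TRUE plus keyCertSign and cRLSign")
	note(!isCA && c.KeyUsage&caBits != 0, "keyCertSign/cRLSign are reserved for CA certificates")
	return bad
}

// DemoCert builds a constructed cert carrying the profile's extensions (self-signed CA when parent is nil).
func DemoCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pol, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{sisacPolicy}}) // certificatePolicies body
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: ku, SubjectKeyId: []byte(cn),
		CRLDistributionPoints: []string{"http://crl.example.test/sisac.crl"}, OCSPServer: []string{"http://ocsp.example.test"},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}}}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root: Go copies the AKI only from a parent, so set it by hand
		t.IsCA, t.BasicConstraintsValid, t.AuthorityKeyId, parent, pk = true, true, t.SubjectKeyId, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

To check a real certificate, parse the PEM with x509.ParseCertificate and pass it with its issuer to CheckProfile.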
Issues and Lessons Learned
• Key generation tags need to match with certificate profile keyUsage extension
• Interest in carrying static attribute information
  • Considering optional, non-critical private extensions that are application specific (e.g., notary)
• Certificate renewal notices need to go out before certificates expire
• Interest in defining software vs. hardware token at the Medium Assurance level
  • Will probably follow what FPKI did
• Staying consistent with the FPKI/FPBCA policies has helped greatly
  • Parts of the mortgage industry exist in Government
• Applications driving use of certificates
  • Electronic notary services
  • MERS Registry
  • Electronic closing and recording (coming…)