PKI Policy, Practices and Audit

Motivation for study

• Current Public Key Infrastructure (PKI) Standards do not adequately consider Levels of’ Assurance’(“one size fits none”);
• There are PKI “Oligopolies’of’Trust”’ that limit cooperation between governing bodies, thereby impeding global interoperability;
• While there are many domain-specific PKI Authorities in place, there is need for more consistent security and auditing standards, policies and procedures that drive these entities;
• ISO 21188:2006 “Public key infrastructure for financial services – Practices and  policy framework”, apart from its domain-specific focus, no longer represents current best practices;
• Security breaches in the Certification Authority (CA)/Browser space have occurred, causing ‘government agencies to recommend tighter network standards;
• There is wide variation among PKI governance bodies on the nature, purpose, timing and methodologies of a PKI Audit;
• Overarching PKI guidance is required to create greater consistency in governance practices and greater interoperability between domain-specific authorities.

The following represents a starter set of questions/topics that are proposed to be addressed by the Study Period.
PKI StandardsGovernance

• Do we need an ISO Certification Schema to help drive domain-specific needs?
• How would one define a LoA for a PKI?
• What standards unite disparate certificate types such as identity and SSL cert PKI systems?
• How can ISO emerge as a global leader in this space?
• How will PKI be affected by greater global focus and investment in cyber security?”

PKI Audit

• What constitutes an auditable requirement/practice statement?
• Should all audits be consistent? Are there different types of PKI that need different kinds of’audit? Can they be characterized down to a few types?
• How does one change auditing culture (i.e., auditor as advocate for improvement vs. auditor as policeman)? Is it wise in all cases?
• What should be done about audit findings and by whom?
• How can ISO establish itself as a widely recognized global reference source for PKI audit?
• What should be the experience, qualifications for a Lead Auditor and Staff Audito in PKI?’

See experience from:

1. TC68/SC2
2. ITUHT’Q11/17 Erik Anderson
3. ETSI Standards and EU Standardisation of Trust Service Providers –Nick Pope (ETSI)
4. JTC’1/SC6
5. JTC’1/SC27
6. ISACA (E-commerce and Public Key Infrastructure (PKI) Audit /Assurance Programme
7. VISA/MASTERCARD

References

• US Study Period Presentation based on the proposal SC27N12297
• ITU-T ‘Q11/17 Presentation-Planned PKI activities for ITU-T ‘Study Period 201342016
• ETSI Standards and EU Activities
• Special Report SR 001 604; Rationalised Framework for Electronic Signature

Standardisation

• EN 319 401: General Policy Requirements for Trust Service Providers supporting Electronic  Signatures
• EN 319 411-2: Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates
• EN 319 411-3: Part 3: Policy Requirement for Certification Authorities issuing public key certificates
• Guidance for Auditors and CSPs on ETSI TS 102 042 for Issuing Publicly Trusted TLS/SSL

Certificates’

• Trust Service Provider Conformity Assessment General requirements and guidance
• JTC1 SC6 (ANS1/OID/Directories)
• ISACA – E-commerce and Public Key Infrastructur’(PKI) Audit/Assurance Programme

Make comments to this article in order to receive more info

Country report Japan

New Technologies Working Group (NTWG) 

February 19-21, 2013

JAPAN

Operations

Last year, about 3.92 million ordinary Japanese e-Passports were issued. This is a 0.9 % decrease compared with that in 2011. On the other hand, the number of Japanese nationals travelled abroad in 2012 was 18.43million, which is an 8.5 % increase from the previous year level.

Japan issues both 10-year e-Passports and 5-year e-Passports. Among passports issued last year, 60% of them are 10-year ones and 40% are 5-year ones.

A little more than 30 million Japanese valid passports are in circulation as of the end of 2012, and about 90 percent of them were e-Passport.

New Technologies

Japan has been continuously preparing for issuing new version of e-Passports, and will start issuing them from this autumn. Basically the design of the booklet will not be changed, although several security features will be replaced or improved. The new e-Passports will also be supported by Active Authentication.

Security Issues / Developments

The number of lost or stolen Japanese passports in 2012 amounts to approximately 42,000, and it is reported that about 80% of them were occuered in Japan.

Among fraudulent cases detected in Japan, illicit acquisitions of e-Passports by imposters were the most in number. In order to prevent from the illicit acquisition all, 700 passport offices in Japan the hold special campaign for strengthening their screening twice a year. The number of detected cases decreased; from 86 in 2010, to 43 in 2011, to 26 last year.

After the Great East Japan Earthquake in 2011, Japan enacted a special law to enable those who lost their passports by the disaster including tsunami. It enables the victims to obtain alternative special passports free of charge if they apply for the new passports by submitting disaster-victim certificates.

This legislation is aimed to encourage the victims who had the passports to submit lost or stolen reports to invalidate their passports as soon as possible if they had lost them. More than 1800 alternative special passports have been issued until the end of December 2012. Recently the number of application is very small, and we will close this project at the end of this March, as the law is temporary legislation.

Best practice in national identification management

ICAO’s interest in travel security has, in the past, largely concentrated on the security of the travel document itself. However, ICAO’s interest is wider with a goal to ensuring that a consistent level of security and integrity applies to all components of the ‘travel continuum’: the application and supporting documents, the interview (where required), and the the adjudicative decision-making processes. The provision of a highly secure blank travel document allows the approval decision to be followed by secure personalization and issuance, with interoperability at international borders.
“TOWARDS BETTER PRACTICE IN NATIONAL IDENTIFICATION MANAGEMENT”, Technical Report (TR) release 3, 20 Nov 2012 highlights the need for consistent effort across all processes. However, it suggests that in the decision processes, particularly the establishment of confidence in a person’s identity, is an area that can easily fall behind in the strength of its security when compared with that of the document itself.

Current ICAO guidance does not set standards for how confidence in a person’s identity should be established, as the best way of achieving this will vary from country to country, depending on local laws, customs, and the uses to which ‘foundation’ documents are put. Rather it sets out a framework of outcomes which should be achieved in order to be confident in a person’s identity prior to issuing a travel document.

Biometrics Labo Annual Workshop 22 Feb 2012

We take this opportunity to invite you to the Norwegian  (NBLAW) 2013. The workshop will take place on Friday 22nd February 2013 at Gjøvik University College (GUC), Norway.

This event is facing all who are interested in technologies, policies, applications, and wider acceptability of biometrics. The event in 2013 focuses on the topic “off-the-shelf technologies“ to realize user-centered biometrics with a better acceptability, higher efficiency, and lower deployment cost.

Sponsors:

- European Association of Biometrics (www.eab.org)

- Research Council of Norway (www.rcn.no) via VERDIKT

Agenda (10.00 – 15.15):

- Welcome

(Nils Kalstad Svendsen -Section leader NISlab – GUC)

- Introduction and vision of the Norwegian Biometrics Laboratory

(Christoph Busch – Head of NBL – GUC)

- The theme of the workshop 2013 and topics in brief

(Bian Yang – GUC)

- Biometrics in a networked world

(Kevin C. Mangold – NIST – USA)

- Challenges and opportunities of cloud biometrics

(Ho Chang – BioID – Germany)

- Human dynamics for identification – research in Machine Vision

(Guoying Zhao – Univ. of Oulu – Finland)

- Preliminary analysis and vision of fingerprints collection

using smartphone cameras

(Bian Yang – GUC)

- Face recognition using light field camera

(Raghavendra Ramachandra – GUC)

- Usage of face biometrics in airports -

passenger timing, watch-listing and more

(Bendik Mjaaland – Accenture)

- On the fly head shape parameter estimation for

Automatic Border Control applications

(Catherine Herold – Morpho – France)

- Panel discussion: Key factors for deployment of Mobile and

User-Centered Biometrics

The event will take place in room K102 on campus of the Gjøvik University College. More details on NBLAW 2013 including talks / speakers and logistic information can be found via:

http://nislab.no/biometrics_lab/nbl_workshop_13

The registration (http://www.eab.org/events/registration/29)

as well as the attendance is free of any charge.

Best regards,

Bian Yang and Christoph Busch

(Norwegian Biometrics Laboratory)

–

————————————————

Prof. Dr. Christoph Busch

Norwegian Information Security Laboratory (NISlab) Gjøvik University College Teknologiveien 22

2815 Gjøvik, Norway

Phone: +47-611-35-194

email: christoph.busch@hig.no

http://nislab.no/biometrics_lab

http://www.christoph-busch.de

————————————————

Identity proofing and verification processes

Best practices and guidance on required processes for initial establishment and subsequent confirmation of an entity’s identity for parties are  expected to use ITU-T X.1254, ISO/IEC IS 29115 or other similar standards. The material is used to establish and/or confirm identity and thus should give greater confidence in an entity’s identity prior to delivery of a service to that entity, by or for that entity.
In scope:
• The development of identity proofing and verification (IPV) processes to be used as a national body standard in support of enrolment of entities. Definitions are provided for IPV principles, risk assessment, and controls sufficient to meet the requirements of ISO identity management standards for entities, notably ITU-T X.1254 l ISO/IEC IS 29115. These controls shall take account of threats, counter-fraud requirements and best practice guidance described by national policy specifications from government organisations.
• Entities that require to be authenticated in accordance with ISO standards, for which they need to be enroled: o Persons, particularly citizens, consumers, government employees and industry employees.
o Devices or Security Modules, particularly (but not limited to) for computer and telecommunication use cases, including e.g. Trusted Platform Module (TPM), Mobile Trusted Module (MTM) and similar approved standards
o Software applications.
o Organisations. For the purposes of trust, all persons, devices and software have a relationship with one or more organisations for reasons of ownership, issuance and management. Each organisation must be trustworthy to the same Level of Assurance as any credentials being issued or asserted, or higher.
A resulting International Standard that is sufficient for:
o Nations and industry to have confidence in using them
o Nations and industry to have confidence in the results of each others’ national IPV systems and the credentials
o Certification bodies to develop assessment and audit criteria against which certified auditors can successfully conduct Trusted Third Party (TTP) audit and assurance of IPV service providers.

Existing and emerging ISO standards for identity management focus primarily on the policy and technical standards for the operation of identity management and access management systems. They describe the use of credentials and make reference to processes for the issuance of identity credentials. These issuance processes are dependent upon entity Identity Proofing and Verification (IPV) processes for which no reference standards exist. An ISO standard for IPV is required to which other identity management standards can refer, based on the four Levels of Assurance described in ISO/IEC 29115.

ETSI security

ETSI is pleased to invite you to the 8th ETSI Security Workshop
taking place on 16-17 January 2013
in ETSI’s Headquarters, in Sophia Antipolis (France)

The Annual ETSI Security Workshop has built a reputation of being a premier event on Security. It brings together the latest from those developing International Standards and security experts to discuss recent developments, share knowledge, identify gaps and co-ordinate on future actions and work areas.

The workshop aims at creating stimulating discussions arising from interesting contributions from those working within the following areas:

• International standardization
• CEN/CENELEC Standardization
• Machine to Machine and Smart Grid Security
• Mobile and network security
• Intelligent Transport System Security
• Privacy and Cloud
• Security Testing

The event is free of charge and open to all upon registration.

The full programme together with registration are available from the event site.

ETSI is looking forward to welcoming you to this event!

The ETSI Event team

Mail: events@etsi.org

Site: www.etsi.org/events
Subscribe to the ETSI-EVENTS mailing list
Subscribe to the ETSI-NEWSLETTER mailing list
Unsubscribe
Follow ETSI on Twitter

Security 2013 utlysning

SECURITY 2013

by Magnar Aukrust

• Call identifier: FP7-SEC-2013-1
• Date of publication: 10/July/2012[1]
• Deadline:22/November/2012 at 17.00.00, Brussels local time[2]
• Indicative budget:EUR 298.73 million[3]

• Call identifier: FP7-SEC-2013-1
• Date of publication: 10/July/2012[1]
• Deadline:22/November/2012 at 17.00.00, Brussels local time[2]
• Indicative budget:EUR 298.73 million[3]

Activity/ Area		Topics called		Funding Schemes
Activity 10.1 Security of citizens
Area: 10.1.1 Organised crime	Topic SEC-2013.1.1-1 Serious organised economic crime		CP-IP
	Topic SEC-2013.1.1-2 “Stronger Identity for EU citizens”		CP-FPCoordinate proposal (NO) with (SL) and (TR)
Area: 10.1.2 Intelligence against terrorism	none		none
Area: 10.1.3 Explosives	Topic SEC-2013.1.3-1 Inhibiting the use of explosives precursors		CP-FP
Area: 10.1.4 Ordinary crime and forensics	Topic SEC-2013.1.4-1 Smart and protective clothing for law enforcement and first responders		CP-FP
	Topic SEC-2013.1.4-2 Development of a Common European Framework for the application of new technologies in the collection and use of evidence		CSA
Area: 10.1.5 CBRN protection	Topic SEC-2013.1.5-1 European toolbox, focusing on procedures, practices and guidelines for CBRN forensic aspects		CP-FP
Area: 10.1.6Information gathering	Topic SEC-2013.1.6-1 Framework and tools for (semi-) automated exploitation of massive amounts of digital data for forensic purposes		CP-IP
	Topic SEC-2013.1.6-2 Novel technologies and management solutions for protection of crowds		CP-IPMight interest smartphone sensor tech. and elaborate from ICT Call 9 on Crowd
	Topic SEC-2013-1.6-3 Surveillance of wide zones: from detection to alert		CP-IP
	Topic SEC-2013-1.6-4 Information Exploitation		CP-IP
Activity: 10.2 Security of infrastructures and utilities
Area: 10.2.1 Design, planning of buildings and urban areas		Topic SEC-2013.2.1-1 Evidence based and integral security concepts for government asset protection		CP-FP
		Topic SEC-2013.2.1-2 Impact of extreme weather on critical infrastructure		CP-FP
Area: 10.2.2 Energy, transport, communication grids		Topic SEC-2013.2.2-1 A research agenda for security issues on land transport		Coordination and Support Action (Coordinating Action)ITS/Ertico proposal
		Topic SEC-2013.2.2-2 Toolbox for pandemics or highly dangerous pathogens in transport hubs – Capability Project		CP-FP
		Topic SEC-2013.2.2-3 Protection of smart energy grids against cyber attacks		CP-FPGUC Protergy proposal updates
		Topic SEC-2013.2.2-4 Cost effectiveness of security measures applied to renewable/distributed energy production and distribution		CP-FP
		Topic SEC-2013.2.2-5 Security of ground based infrastructure and assets operating space systems		CP-FP
Area: 10.2.3 Surveillance		none		none
Area: 10.2.4 Supply chain		Topic SEC-2013.2.4-1 Phase II demonstration programme on logistics and supply chain security		CP-IP
		Topic SEC-2013.2.4-2 Non-military protection measures for merchant shipping against piracy		CP-FP or Coordination and Support Action
Area: 10.2.5 Cyber crime		Topic SEC-2013.2.5-1 Developing a Cyber crime and cyber terrorism research agenda		CSA
		Topic SEC-2013.2.5-2 Understanding the economic impacts of Cyber crime in non-ICT sectors across jurisdictions		CP-FP
		Topic SEC-2013.2.5-3 Cross border Real-time detection and management of cyber incidents/attacks/espionage on critical infrastructures in sectors other than the ICT sector and government networks (i.e. energy, transport, finance, health, etc)		CP-IP
		Topic SEC-2013.2.5-4 Protection systems for utility networks		CP-FP
Activity: 10.3 Intelligent surveillance and border security
Area: 10.3.1 Sea borders		none		none
Area: 10.3.2 Land borders		Topic SEC-2013.3.2-1 Pre-Operational Validation (POV) on land borders		CP-CSAITS/Ertico proposal
		Topic SEC-2013.3.2-2 Sensor technology for under foliage detection		CP-IP
		Topic SEC-2013.3.2-3 Mobile equipment at the land border crossing points		CP-FP
Area: 10.3.3 Air borders		none		none
Area: 10.3.4 Border checks		Topic SEC-2013.3.4-1 Border checkpoints – hidden human detection		CP-FP
		Topic SEC-2013.3.4-2 Extended border security – passport breeder document security		CSAGUC proposal based on BCP of the Future (Sule)
		Topic SEC-2013.3.4-3 Security checks versus risk at borders		CP-FP
Area: 10.3.5 Intelligent border surveillance		none		none
Activity: 10.4 Restoring security and safety in case of crisis
Area: 10.4.1 Preparedness, prevention, mitigation and planning		Topic SEC-2013.4.1-1 Phase II demonstration programme on aftermath crisis management		CP-IP
		Topic SEC-2013.4.1-2 Better understanding of the cascading effect in crisis situations in order to improve future response and preparedness and contribute to lower damages and other unfortunate consequences		CP-FP
		Topic SEC-2013.4.1-3 Development of simulation models and tools for optimising the pre-deployment and deployment of resources and the supply chain in external emergency situations		CP-FP
		Topic SEC-2013.4.1-4 Development of decision support tools for improving preparedness and response of Health Services involved in emergency situations		CP-FPKITH Jakob Hygen Bjarte Aksnes
		Topic SEC-2013.4.1-5 Preparing societies to cope with large scale and/or cross border crisis and disasters		CSA
		Topic SEC-2013.4.1-6 Preparedness for and management of large scale forest fires		CP-IP
Area: 10.4.2Response		Topic SEC-2013.4.2-1 Fast rescue of disaster surviving victims: Simulation of and situation awareness during structural collapses including detection of survivors and survival spaces		CP-IP
Area: 10.4.3 Recovery		Topic SEC-2013.4.3-1 Shaping immediate relief action in line with the goals of development co-operation in post crisis / post conflict societies to maintain stability		CP-FP
Area: 10.4.4 CBRN response		Topic SEC-2012.4.4-1 Tools for detection, traceability, triage and individual monitoring of victims after a mass CBRN contamination		CP-IP
Activity: 10.5 Security systems integration, interconnectivity and interoperability
Area: 10.5.1 Information management		Topic SEC-2013.5.1-1 Analysis and identification of security systems and data set used by first responders and police authorities		CP-FP
		Topic SEC-2013.5.1-2 Audio and voice analysis, speaker identification for security applications		CP-IP
Area: 10.5.2 Secure communications		none		none
Area: 10.5.3 Interoperability		Topic SEC-2013.5.3-1 Definition of interoperability specifications for information and meta-data exchange amongst sensors and control systems		CP-FP
		Topic SEC-2013.5.3-2 Testing the interoperability of maritime surveillance systems		CP-CSAPortahead partner
Area: 10.5.4 Standardisation		Topic SEC-2013.5.4-1 Evaluation and certification schemes for security products		CP-FP
Activity: 10.6 Security and society
Area: 10.6.1 Citizens, media and security		Topic SEC-2013.6.1-1 The impact of social media in emergencies		CP-FP
		Topic SEC-2013.6.1-2 Varying forms of terrorism		CP-FP
		Topic SEC-2013.6.1-3 Trafficking in Human Beings: analysis of criminal networks for more effective counter-trafficking		CSA
Area: 10.6.2 Organisational requirements for interoperability of public users		Topic SEC-2013.6.2-1 Facilitators for assistance among EU Member States in emergencies at home and abroad		CP-FP or Coordination and Support Action
Area: 10.6.3 Foresight, scenarios and security as evolving concept		Topic SEC-2013.6.3-1 Horizon scanning and foresight for security research and innovation		CSASecurityValley and GUC may partner Austrian Institute of Technology proposal
		Topic SEC-2013.6.3-2 The evolving concept of security		CSA
Area: 10.6.4 Security economics		none		none
Area: 10.6.5 Ethics and justice		Topic SEC-2013.6.5-1 Synthesis of results and reviewing of ethics, legal and justice activities in Security research in FP7		CSA
Activity: 10.7 Security Research coordination and structuring
Area: 10.7.1 ERA-net		none		none
Area: 10.7.2 Small and Medium Enterprises		Topic SEC-2013.7.2-1 Open topic for Small and Medium Enterprises: “Solutions for frequent petty crimes that are of high impact to local communities and citizens”		CP-FPNorSIS may partner SMEs
Area: 10.7.3 Studies		Topic SEC-2013.7.3-1 Increasing the engagement of civil society in security research		Coordination and Support Action (Supporting Action)
Area: 10.7.4 Other coordination		Topic SEC-2013.7.4-1 Trans-national cooperation among public security research stakeholders		Coordination and Support Action (Coordinating Action)
Area: 10.7.5 End-users		none		none
Area: 10.7.6 Training		Topic SEC-2013.7.6-1 Open topic for Small and Medium Enterprises: “Use of serious gaming in order to improve intelligence analysis by law enforcement agents”		CP-FPGUC may partner SMEs (Action: Simon McCallum)