1999 Conferences

4th CACR Information Security Workshop

Eric Rosenfeld, SPYRUS

Certificate Issuing and Management System Protection Profiles

Digital certificates are being deployed in increasing numbers of applications to address many security vulnerabilities. But digital certificates require a Public Key Infrastructure, or PKI, which has its own security vulnerabilities. The part of the PKI directly responsible for generation, issuance, and revocation of digital certificates is referred to as the Certificate Issuing and Management System, or CIMS. In order to secure applications using digital certificates, the supporting PKI, and in particular the CIMS, must also be secure.

Thus it is important to be able to evaluate a CIMS against a common set of security requirements. These security requirements should be written in internationally accepted terms, such as the Common Criteria. Furthermore, they should be generic enough so that a wide variety of architectures can be evaluated, but sound enough so that they can be used to provide a meaningful evaluation. The resulting evaluations would allow CIMS customers to accurately compare products or services that were built by different companies. This presentation describes the development of four Common Criteria Protection Profiles that can be used to evaluate CIMS products or services. These four profiles specify the minimum security requirements for different assurance levels. The profiles define the assumptions about the security aspects of the environment in which the CIMS is used; define the threats that the CIMS must address; define implementation-independent security objectives of the CIMS and its environment; define functional and assurance requirements to meet those objectives; and provide a rationale demonstrating how the requirements meet the security objectives.

Speaker Bio
Eric Rosenfeld is a Scientist at SPYRUS. Eric started out at BBN as a software engineer on the BBN Certification Authority Workstation. At GTE CyberTrust, Eric served as a System Engineer for GTE Internetworking's VPN Advantage, providing expertise in the areas of IPsec and PKI. Now at SPYRUS, Eric is working on Common Criteria evaluations for PKI products, and other PKI-related activities such as VPNs.