4th CACR Information Security Workshop
Eric Rosenfeld, SPYRUS
Certificate Issuing and Management System Protection Profiles
Digital certificates are being deployed in increasing numbers of
applications to address many security vulnerabilities. But digital
certificates require a Public Key Infrastructure, or PKI, which has its
own security vulnerabilities. The part of the PKI directly responsible
for generation, issuance, and revocation of digital certificates is
referred to as the Certificate Issuing and Management System, or CIMS.
In order to secure applications using digital certificates, the
supporting PKI, and in particular the CIMS, must also be secure.
Thus it is important to be able to evaluate a CIMS against a common set
of security requirements. These security requirements should be written
in internationally accepted terms, such as the Common Criteria.
Furthermore, they should be generic enough so that a wide variety of
architectures can be evaluated, but sound enough so that they can be
used to provide a meaningful evaluation. The resulting evaluations would
allow CIMS customers to accurately compare products or services that
were built by different companies.
This presentation describes the development of four Common Criteria
Protection Profiles that can be used to evaluate CIMS products or
services. These four profiles specify the minimum security requirements
for different assurance levels. The profiles define the assumptions
about the security aspects of the environment in which the CIMS is used;
define the threats that the CIMS must address; define
implementation-independent security objectives of the CIMS and its
environment; define functional and assurance requirements to meet those
objectives; and provide a rationale demonstrating how the requirements
meet the security objectives.
Eric Rosenfeld is a Scientist at SPYRUS. Eric started out at BBN as a
software engineer on the BBN Certification Authority Workstation. At GTE
CyberTrust, Eric served as a System Engineer for GTE Internetworking's
VPN Advantage, providing expertise in the areas of IPsec and PKI. Now at
SPYRUS, Eric is working on Common Criteria evaluations for PKI products,
and other PKI-related activities such as VPNs.