Cross-Certification Guidelines

National PKI Framework for Health

June 30, 2001

Contents of this publication may be reproduced in whole
or in part provided the intended use is for non-commercial
purposes and full acknowledgement is given to the Canadian
Institute for Health Information.


Canadian Institute for Health Information
377 Dalhousie Street
Suite 200
Ottawa, Ontario
K1N 9N8

Telephone: (613) 241-7860
Fax: (613) 241-8120
www.cihi.ca

© 2001 Canadian Institute for Health Information

Table of Contents

1 Cross-Certification Guidelines
    1.1 Introduction
2 Cross-Certification Process and Criteria
    2.1 Phase I: Initiation
        2.1.1 Process
        2.1.2 Criteria
    2.2 Phase II: Examination
        2.2.1 Cross-Certification Checklist
        2.2.2 Process
        2.2.3 Criteria
        2.2.4 Mapping Process
        2.2.5 Test-Bed Trial
        2.2.6 Evaluation
    2.3 Phase III: Arrangement
        2.3.1 Process
    2.4 Phase IV: Maintenance
        2.4.1 Process
1 Cross-Certification Guidelines
1.1 Introduction
In an effort to establish a National Framework for the secure communication of health
information, the Canadian Institute for Health Information (CIHI) is developing a Public Key
Infrastructure (PKI) Policy Toolkit to serve as an information package containing the
following documents:
• Certificate Policy for Health: contains mandatory and desirable policy elements for the certificate policies used by Certificate Authorities (CAs) operating in the health domain;
• Certification Practice Statement Guidelines: identifies the minimum requirements for the certification practice statement to be used by health CAs;
• Minimum Technical Requirements: outlines the basic elements required of any PKI for the exchange of highly sensitive health information;
• Business Guide: a guide to establishing a PKI for health; and
• Cross-Certification Guidelines: outlines the terms and conditions of cross-certification.

This paper is one of the documents from the Toolkit. Although it discusses cross-certification with a health “Bridge CA”, the concepts can be applied to any cross-certification in the health environment which requires the exchange of highly sensitive health information.¹ It is assumed that the reader is familiar with the concept of PKI. Readers are advised to review the Business Guide of the Toolkit before this document. The purpose of this particular document is to outline the process and criteria for cross-certification.

Cross-certification is basically “an extended form of third-party trust”. Through cross-certification, different CA domains are able to establish and maintain trustworthy electronic interactions and interoperate seamlessly with each other. The cross-certification process involves comparing the security policies and procedures in the different CA domains to determine equivalence. This ensures that the PKI domains are compatible with respect to their certificate management operations such as: identification, revocation policy, liability, privacy, audit and other issues. Once this is established, certificates can be exchanged between the CAs. This enables users to trust the other CA as much as their own CA. Thus, users of each CA domain can now communicate with each other with full assurance that security procedures are in place (refer to Figure 1).




¹ More information about the health “Bridge CA” concept can be found in the Proposed Governance Model for the National PKI Framework for Health.

Figure 1: Cross-Certification. [Diagram: CA-1 and CA-2 establish trust through cross-certification; a user of CA-1 and a user of CA-2 can then communicate with each other.]




2 Cross-Certification Process and Criteria

[Figure: Health Public Key Infrastructure Cross-Certification Process. The diagram is not reproduced; its phases and steps are:]
• Phase I: Initiation: Initial Request, Request Review, Decision Point
• Phase II: Examination: Certificate Policies Examination, Test Bed Trial, System Survey, ITS and Policy Compliance
• Phase III: Arrangement: Negotiation of Arrangement, Policy Committee Decision, Cross-certificate Issuance
• Phase IV: Maintenance: Compliance Review, Problem Resolution, Change Management, Renewal or Termination

2.1 Phase I: Initiation
2.1.1 Process
Candidate CAs must submit a request and all necessary information for cross-certification with the Health PKI Bridge CA. Upon receipt of a Request for Cross-Certification, the Bridge CA Secretariat will be required to make a preliminary determination as to whether the Request is complete, including all required documentation.

Phase I covers the initiation of the cross-certification process. It comprises three steps:
• The initial request, in which the candidate prepares and submits the required information to cross-certify with the Bridge CA.
• A request review by the Bridge CA Secretariat, to establish the candidate’s suitability for cross-certification.
• The Policy Committee decision on whether to continue the process of cross-certification.




2.1.2 Criteria
• The Request must be complete and include all required documentation.
• The Request must be accompanied by reasons why it is in the interest of the candidate to consider cross-certification with the Bridge CA.
• A Request from a commercial organization will be considered if that organization conducts, or the Bridge CA firmly projects that it will conduct, a sufficient volume of interactions with the candidates in the Health PKI.
• Candidates may be requested to provide evidence of financial capacity to manage risks associated with the operation of a Certification Authority. Financial capacity can be demonstrated if the organization can provide a copy of a performance bond, a letter of credit from a financial institution, a letter indicating that insurance has been put in place, or a commitment letter from a bonding company, financial institution or insurance company.

  The purpose of this requirement is to demonstrate the organization’s ability to meet any financial responsibility associated with operating a Certification Authority, including any liability to subscribers or others relying on certificates issued and digital signatures verifiable by reference to public keys in such certificates. The nature and sufficiency of the required financial capacity will be determined at the discretion of the Policy Committee on a case-by-case basis.

Legal status and financial capacity constitute some of the evidentiary requirements needed
to lay a foundation of trust between the Bridge CA and candidates. Candidates exempted
from these evidentiary requirements are:
•   A provincial/territorial government;
•   A financial institution within the meaning of the Bank Act;
•   Any other entity exempted from this requirement by the Policy Committee.

A Request will not be approved if the candidate demonstrates an inability to manage a Certificate Authority, such as:
• The Candidate has no Certificate Policy(ies) (or equiv alent) in place;
• No Security Policy (or equivalent) is in place with respect to the protection of the Certification Authority;
• No compliance inspection of the Candidate’s Certification Authority has been done;
• No information has been provided with respect to the technology used by the Candidate;
• The technology used by the Candidate is incompatible with the technology employed by the Bridge CA facility;
• The Candidate is seeking an inappropriate level of assurance;
• No information or inadequate information has been provided with respect to the legal status of the organization operating the Candidate;
• No information or inadequate information has been provided with respect to the financial capacity of the Candidate, or the financial capacity appears inadequate for the operations of the Candidate Certification Authority.


2.2 Phase II: Examination
2.2.1 Cross-Certification Checklist
The following checklist will help streamline the process of cross-certification, as found during the CIHI PKI Demonstration Project:
1. Ensure commitment from each cross-certifying entity.
2. Commit sufficient resources to complete the process, including funding, staffing and timelines. Travel, hotel and time away must be factored in. Staff from both entities must travel to each other’s location to evaluate the physical security requirements of the CPS.
3. Gain executive management buy-in and understanding for the process. An executive sponsor must champion the process to other senior officials.
4. Appoint a single contact person to act as the local coordinator for the process.
5. Discuss resourcing, commitments and expectations with each cross-certifying entity.
6. Appoint lead analysts from each discipline to act as a local team, including:
   • Security
   • Network
   • Application
   • Help Desk
   • Others as required
7. Communicate internally with local team members to discuss resourcing, commitments, timelines and expectations.
8. Gather all network documents and diagrams.
9. Ensure compliance with the PKIX CP and CPS formats.
10. Ensure all support documents exist and are available for detailed analysis, including:
   • Disaster recovery plan
   • Audit inspection reports
   • Acceptable use policies
   • Document management processes
11. Establish support levels with software and hardware vendors to ensure timely response.
12. Review the Government of Canada Public Key Infrastructure Cross-Certification Methodology and Criteria for compliance and process.
13. Distribute and review all documents well in advance of any face-to-face meetings, including CP and CPS mappings and compliance audit reports.



2.2.2 Process
Once the Policy Committee is satisfied with the completeness of the information provided by the candidate CA in its request for cross-certification, the next step is to examine the candidate’s Certificate Policies and to establish their degree of harmonization with the Certificate Policies of the Health PKI Bridge CA.

Phase II covers the examination phase of the process. Its four steps include:

•   An examination of the candidate’s Certificate Policies to establish their degree of
    harmonization with the Certificate Policies of the Bridge CA.
•   A test bed trial to identify and resolve potential incompatibilities between the
    Certification Authority technologies of the Bridge CA and the candidate, using a Test
    Bed Certification Authority to minimize the risk to cross-certified Certification
    Authorities already in production mode.
•   A system survey to confirm that the technical details of the respective Certification
    Authorities are available for production mode cross-certification.
•   An evaluation of the candidate’s information technology security and policy
    compliance, to:
    − conduct a security analysis to ensure that, as part of an information technology
        system, the Candidate Certification Authority provides an appropriate level of trust.
    − establish if the technical, physical, procedural and personnel policies of the
        Candidate Certification Authority meet the assurance requirements of its Certificate
        Policies.
    − determine if the Candidate Certification Authority’s actual performance meets the
        standards established in its Certificate Policies and other Certification Authority
        operational documents.

2.2.3 Criteria
PKIX Compliance
• Where the Type of Document Adheres to the PKIX Framework
  If the Certificate Policy follows the PKIX Framework (Framework) then the mapping should involve a straightforward comparison with Health Public Key Infrastructure Certificate Policy sections. The mapping will be performed by category and element for consistency.
• Where the Type of Document Does Not Adhere to the PKIX Framework
  If the Certificate Policy does not follow the PKIX Framework then the mapping will necessarily be to the categories and elements. The major difference between a non-Framework Certificate Policy and a Framework Certificate Policy is the location of information relative to the Health Public Key Infrastructure Certificate Policy sections. It will require more time and analysis to uncover the equivalent or similar information to perform the mapping.

2.2.4 Mapping Process
Policy mapping is an exercise in examining the Candidate Certification Authority’s Certificate Policy and looking for sections equivalent or similar to the category or element listed. The categories to be used are found in the Mapping Sheets. Any review of the Candidate Certification Authority’s Certificate Policy involves looking at each section of the document to determine which section is similar or equivalent to its counterpart in the Health Public Key Infrastructure Certificate Policy.

It must be borne in mind that:
a)      There may be more than one section that applies for each element;
b)      There will be differences in section headings, especially for non-Framework
        documents;
c)      Some Certificate Policies will have a different number of sub-fields for each element
        in the Certificate Policy;
d)      The Certificate Policy may refer to other documents such as the Certificate Practice
        Statement. In this situation, if there is insufficient information present in the section,
        it must be flagged for additional consideration and further examination of the
        referenced documents;
e)      There may be differences in terminology and usage. For example, "High Assurance"
        to one Certification Authority may not be the same as High Assurance to another.

If the Candidate Certification Authority’s Certificate Policy section does not meet the
specification or is not similar to the corresponding interpretation of the Health Public Key
Infrastructure Certificate Policy section for the equivalent level of assurance, this can
potentially cause a reduction in the level of assurance or a failure of the cross-certification
depending on the severity of the risk.

2.2.5 Test-Bed Trial
Test-bed trials are used to ensure technical interoperability between the Bridge CA and the Candidate Certification Authority. The objective is to determine whether there can be a successful exchange of certificates, correct processing of the certificate chains, and certificate validation. The Bridge CA is not permitted to issue cross-certificates before successful completion of the interoperability tests in the Test-Bed Trial.

At a minimum, the Test-Bed Trial will include the following:
a) A network connectivity test;
b) A directory access test;
c) Construction of cross-certificates in accordance with the certificate profile;
d) Exchange of cross-certificates (either off-line or on-line);
e) The posting of cross-certificates in the directory;
f) A usage test, including both encrypt and decrypt, as well as sign and verify;
g) A revocation test; and
h) A certificate path constraint test.

At a minimum, the test-bed trial will demonstrate:
a) Network connectivity is achieved using all required protocols;
b) The directories of the Bridge CA and the Candidate are accessible to each other;
c) The directory used by the Bridge CA is accessible by a subscriber of the Candidate Certification Authority;
d) The directory used by the Candidate Certification Authority is accessible by a subscriber of the Bridge CA;
e) The Certificate Revocation Lists/Access Revocation Lists are accessible to subscribers of each Certification Authority;
f) The cross-certificate is correctly constructed by the Bridge CA, exchanged (either in an off-line or on-line manner) and recognized by the Candidate Certification Authority;
g) The cross-certificate is correctly constructed by the Candidate Certification Authority, exchanged with the Bridge CA (either in an off-line or on-line manner) and recognized by the Bridge CA;
h) A test secure transaction, using a test subscriber of one Certification Authority, can be successfully received by a test subscriber of the other Certification Authority; and
i) When a test subscriber certificate of one cross-certified Certification Authority is revoked, a test secure transaction from or to a subscriber of the other Certification Authority will fail.
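The core of items f) to i), worked through as an added example that is not part of the CIHI document: CA-1 cross-certifies the Bridge CA, the Bridge cross-certifies CA-2, and a relying party that trusts only CA-1's root validates a CA-2 subscriber through the two cross-certificates, is stopped when CA-1's cross-certificate carries a pathLenConstraint of 0 (the certificate path constraint test), and refuses the subscriber once CA-2 publishes a CRL listing it (the revocation test). It uses Go's standard crypto/x509 package; the CA names, the throwaway P-256 keys, the serial numbers and the "alice@ca-2" subscriber are all constructed for the trial. Directory access is out of scope here, so the CRL is handed to the relying party directly rather than fetched from a directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: a failure while building the test bed is not recoverable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type Domain struct { // one CA domain: its self-signed root and a throwaway P-256 key made for the trial
	Root *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a certificate template; CA templates carry the basicConstraints pathLenConstraint the path constraint test exercises.
func template(name string, isCA bool, maxPathLen int) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		t.MaxPathLen, t.MaxPathLenZero = maxPathLen, maxPathLen == 0
	}
	return t
}

// issue signs tmpl over pub with the parent's key and returns the parsed certificate.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// NewDomain creates a self-signed root for one CA domain.
func NewDomain(name string) Domain {
	k, t := newKey(), template(name, true, 2)
	return Domain{Root: issue(t, &k.PublicKey, t, k), Key: k}
}

// CrossCertify has the issuer domain sign a cross-certificate over the subject domain's existing CA key; maxPathLen bounds how many further CAs may follow it in a path.
func CrossCertify(issuer, subject Domain, maxPathLen int) *x509.Certificate {
	return issue(template(subject.Root.Subject.CommonName, true, maxPathLen), &subject.Key.PublicKey, issuer.Root, issuer.Key)
}

// IssueCRL has a domain publish a signed CRL that revokes one subscriber certificate.
func IssueCRL(d Domain, revoked *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate:                time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, d.Root, d.Key))))
}

// Accept plays a relying party in the anchor domain: it trusts only that domain's root, must reach the subscriber
// through the cross-certificates, and rejects a subscriber listed on a CRL that verifies against the issuer found in that path.
func Accept(anchor *x509.Certificate, crl *x509.RevocationList, leaf *x509.Certificate, crossCerts ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range crossCerts {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil || crl == nil {
		return err // non-nil means: no path, bad signature, outside validity, or pathLenConstraint exceeded
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the subscriber's issuer as reached via the path
		return err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate of %s is revoked", leaf.Subject.CommonName)
		}
	}
	return nil
}

// RunTrial cross-certifies CA-1 -> Bridge -> CA-2 and reports: path validation across the Bridge, the path length constraint test, and the revocation test.
func RunTrial() (pathOK, pathLenBlocks, revokedBlocked bool) {
	ca1, bridge, ca2 := NewDomain("CA-1"), NewDomain("Health Bridge CA"), NewDomain("CA-2")
	toBridge, toCA2 := CrossCertify(ca1, bridge, 1), CrossCertify(bridge, ca2, 0) // one CA may follow the Bridge; none may follow CA-2
	alice := issue(template("alice@ca-2", false, 0), &newKey().PublicKey, ca2.Root, ca2.Key) // a constructed CA-2 test subscriber
	return Accept(ca1.Root, nil, alice, toBridge, toCA2) == nil,
		Accept(ca1.Root, nil, alice, CrossCertify(ca1, bridge, 0), toCA2) != nil, // pathLen 0: nothing may follow the Bridge
		Accept(ca1.Root, IssueCRL(ca2, alice), alice, toBridge, toCA2) != nil
}

func main() { fmt.Println(RunTrial()) }
```

Running the block prints `true true true`. The path length result is the instructive one: the constraint that governs how far the CA-1 relying party's trust extends sits on CA-1's own cross-certificate for the Bridge, not on anything the Bridge or CA-2 issues, which is why the trial checks path constraints from each relying party's side separately.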

2.2.6 Evaluation
The Candidate must provide an attestation (in a manner akin to making a declaration or undertaking) stating that it complies with its Certificate Policies and Certification Practice Statement(s), in addition to maintaining appropriate IT security. The provision of this Certificate and any breach of its terms (i.e. a failure to comply with its Certificate Policy(ies) or maintain appropriate IT security) is enforced by contract, the contract in question being the cross-certification arrangement together with any financial security obtained.

Typically, the evaluation of IT security and policy compliance should include security
requirements for:
•      Identification and authentication of administrative and end users
•      Complete access control on security sensitive information and services
•      Data integrity
•      Roles and separation of duties
•      Management of security functions and sensitive data objects
•      Audit of security critical events
•      Secure communications between PKI components
•      Key management
•      Cryptographic services
•      Service and data recovery
•      Non-repudiation mechanisms

2.3 Phase III: Arrangement
2.3.1 Process
The Policy Committee will review the recommendations and decide, based on the
assessment in Phase II, whether to proceed to the next step or terminate the process. The
Bridge CA Secretariat informs the candidate of the decision. If the decision is to proceed,
then the process moves on to the Arrangement stage. The purpose of this process is to
negotiate the terms and conditions of the cross-certification arrangement.

Phase III relates to the formal documentation of the terms and conditions under which a
candidate becomes a member of the Bridge CA and is cross-certified by the Bridge CA. Its
three steps encompass:
•      The negotiation of the terms and conditions governing the cross-certification
       arrangement.
•      The Policy Committee decision on whether to enter into the cross-certification
       arrangement with the candidate.
•      The initiation of the process allowing the Bridge CA and the Candidate Certification
       Authority to issue cross-certificates.

2.4 Phase IV: Maintenance
2.4.1 Process
It is important to ensure that, once in place and for its duration, the cross-certification arrangement continues to maintain a level of trust between the two parties. Each cross-certification is governed by the arrangement entered into in Phase III.

The maintenance phase provides mechanisms both for managing the relationship between cross-certified Certification Authorities as required for the proper operation of the arrangement, and for terminating the arrangement if either party contravenes its terms and conditions. The elements of this phase are not sequential and they will apply as circumstances warrant.

Phase IV concerns the maintenance of the trust established in the cross-certification
arrangement. It provides mechanisms both for managing the relationship between cross-
certified Certification Authorities and for terminating the arrangement if either party
contravenes its terms and conditions. The elements of this phase are not sequential and
apply as circumstances warrant. It comprises four possible steps:
•    A review to determine if the cross-certified Certification Authority is operating in
     compliance with its stated policies and procedures.
•    A problem resolution process to report and correct problems either party may encounter
     over the period of the cross-certification arrangement.
•    A process to manage changes to the public key infrastructure associated with a
     particular cross-certification arrangement, and to decide on actions to take in response
     to implementing such changes.
•    A procedure for renewing or terminating a cross-certification arrangement.



