Direct Project Direct + Policy Enablement Overview • • • • • Policy Role In Direct Policy Enablement Security and Trust Support Architecture Tool Demo Policy Role In Direct • Scalable Trust • Philosophy for enabling Direct exchange between a large number of endpoints • Policy first class citizen in scalable trust • Mitigates policy variance • Proposed Policy Requirements • Federal Community Requirements • Governance • Trust Bundles • Technical solution to scalable trust • Bundle profiles define policy requirements • Only define and attest policy compliance • Can not assert and enforce policy • Bundles alone are not enough Policy Enablement • Facilitate Policy Decisions at Runtime • Systemic assertion of policy profile compliance • Direct 2.0 vs Policy Enablement • 2.0 may imply specification changes • Potential compatibility issues • Policy enablement requires no specification changes • Optional module • Backward compatible at transport Security and Trust Support • Modular Components • Encryption • Signature • Cert Discovery • Trust Chaining • Current Policy Ability • Simple binary trust decision based on certificate chain validation Security and Trust Support Current State – Outgoing Message • Certificate Store • Dual Use Certificates • Private Resolver • All non-expired • All non-revoked • Public Resolver • All non-expired • All non-revoked • Trust • Chain to trust anchor Security and Trust Support Current State – Incoming Message • Certificate Store • Dual Use Certificates • Private Resolver • All non-expired • All non-revoked • Verification • Message integrity • Trust • Chain to trust anchor Security and Trust Support • Optional Policy Enablement Module • Policy implemented as filters • Injected into security and trust process • Private Certificate Resolution • Public Certificate Resolution • Trust Chain Validation • Configurable Granularity • Message Direction • Message Source • Message Destination • Circles of Trust • Can be applied to DNS or LDAP hosting • Defined Policy Best Practices Security and Trust Support Policy Enabled State – Outgoing Message • Certificate Store • Dual Use or Single Use Certificates • Private Resolver • All non-expired • All non-revoked • Public Resolver • All non-expired • All non-revoked • Trust • Chain to trust anchor • Policy Filter • Filter certs that meet configured criteria Security and Trust Support Policy Enabled State – Incoming Message • Certificate Store • Dual Use or Single Use Certificates • Private Resolver • All non-expired • All non-revoked • Public Resolver • All non-expired • All non-revoked • Verification • Message integrity • Policy Filter • Filter certs that meet configured criteria Architecture • Policy Engine (direct-policy.jar) • Policy defined in lexicon specific language • Definition + X509 Certificate processed by engine • Engine evaluates boolean value to indicate certificate compliance with policy • Policy filter equates to policy engine process in security and trust agent Policy Definition X509 Cert Policy Engine Lexicon Parser Intermediate State Compiler Opcodes Executor Boolean Decision Policy Engine Use Cases • Build Policy Definitions • Tooling to build definition file • Policy filters in security and trust agent • Out of band policy validation • Trust bundle profile validation for anchors • End entity certificate validation to CP or CPS Release Schedule • Q2 2013 • Policy Engine • Security and Trust Agent • Configuration Service • Command Line Import and Configuration of Definitions • Gateway • Policy Validator • Summer/Early Fall 2013 • Visual Policy Builders • Config-UI integration • Java RI 3.0 to include Q2 2013 release components For More Information • Direct + Policy Proposal: http://wiki.directproject.org/file/detail/Direct+%2B+Policy+Enablement.docx • Scalable Trust Forum: http://wiki.directproject.org/Direct+Scalable+Trust+Forum • Scalable Trust Summary: http://www.healthit.gov/sites/default/files/direct-scalable-trust-forumsummary-of-findings-report.pdf • Direct Trust Bundle Workgroup: http://wiki.directproject.org/Trust+Bundle+Sub+Work+Group • Scalable Trust Story: https://secure.bluebuttontrust.org Policy Validation Tool Demo DEMO!!