FW: Response to Digital Certificates clarification

This response was originally submitted Friday PM but was sent to the
Meter Hardware site by mistake.  Since Appendix F , as it will appear in
the PSWG report, was modified to reflect the SDG&E clarification, this
note is being reposted for those who didn't read the Friday (July 24 )
posting.

Thanks
Ed Quiroz

> -----Original Message-----
> From:	Quiroz, Edgar A. 
> Sent:	Friday, July 24, 1998 5:31 PM
> To:	'McCann, Ed'
> Cc:	'pswg1web@dra1.cpuc.ca.gov'
> Subject:	RE: Digital Certificates
> 
> Hi Ed,
> 
> This is an interesting point.  I have both a short response and a long
> response to your clarification.  The short response:
> 
> I searched through all of the Joint-UDC MDMA meeting documents and
> found in the 05/04/98 meeting held in San Diego,  a table defining
> System Availability and Security Criteria  developed by the UDCs and
> required of MDMAs and potential MDMA candidates.  The table contains 5
> criteria of which  criteria #3 and #4 are relevant to this discussion.
> Criteria #3 states : 
> 	"Must have secure socket layer (SSL) or other security mechanism
> agreed upon by the parties for all situations where data is
> transmitted from MDMA server to other parties over a common carrier."
> Criteria #4 states:
> 	"MDMA data on the server awaiting transport to the MDMA user
> must be protected from unauthorized access by a firewall, encryption
> or some other reasonable security measures "
> 
> Nowhere in criteria #3 or #4 is the discussion of digital certificates
> explicitly mentioned.  Also not mentioned is the process for obtaining
> these certificates and who is responsible (UDC? ESP? other entities?)
> for granting and administrating the certificates.  
> 
> You mentioned that it was your understanding that certificates would
> be required for all MDMAs as an integral part of SSL.  The information
> I included as part of  Appendix F was based on reviewing all the
> relevant info and discussions in the PSWG and all the Joint-UDC  MDMA
> meetings.  I didn't find any material that discussed this expanded
> requirement which, if this is now the case, I would support.
>  
> Since some folks will read this and may not have a starting reference,
> I'm including the following information for those not familiar with
> the SSL protocol and what it means for data security. SSL provides
> these levels of protection:
> *	Encryption established for data between a client and server who
> have negotiated a secure channel
> *	Data integrity established such that the data being transferred
> has reasonable assurances that it has not been altered
> *	Authentication  is enabled that assures the client that data is
> being sent to the correct server and that the server is secure.
> *	If basic authentication is enabled, SSL will improve its
> security level by encrypting passwords at the client before it is
> transmitted.
> 
> To fully implement these levels of security, you must obtain a digital
> certificate from a specific entity called a certificate authority.
> However, I'm not sure I fully agree with your statement that
> certificates are required by Internet Server Software in order to
> establish secure socket connection.  Not a big issue...just a detail.
> 
>  As a further point of clarification, the two dominant Web browsers,
> Microsoft Internet Explorer versions 3 on up and Netscape
> Navigator/Communicator 3.0 on up support Secured Sockets Layer
> protocol. However, data security needs and requirements constantly
> change and, in response, security protocols are also an evolving
> science.  Both browsers also support newer standards such as Private
> Communication Technology (PCT), a more efficient and secure upgrade to
> the SSL protocol and another new security protocol  called Transport
> Layer Security  (TLS).  The TLS protocol  incorporates both SSL and
> PCT into a single standard supporting both digital certificates and
> password-based authentication .  The last two protocols are mentioned
> for reference only. I am not advocating their implementation at this
> time
> . 
> The long response to all of this is... well, that's why the entire
> data security issue has been forwarded to the DQIWG for further
> discussion.
> 
> If you can confirm that the digital certificate requirement is being
> extended for all MDMAs and potential candidates at the server level,
> I'll go ahead and change the language in Appendix F to reflect this.
> 
> Thanks
> 
> Ed Quiroz
> Office of Ratepayer Advocates
> 
>  
.