RE: Digital Certificates



Hi Ed,

This is an interesting point.  I have both a short response and a long
response to your clarification.  The short response:

I searched through all of the Joint-UDC MDMA meeting documents and found
in the 05/04/98 meeting held in San Diego, a table defining System
Availability and Security Criteria developed by the UDCs and required
of MDMAs and potential MDMA candidates.  The table contains 5 criteria
of which criteria #3 and #4 are relevant to this discussion.
Criteria #3 states:
		"Must have secure socket layer (SSL) or other security
mechanism agreed upon by the parties for all situations where data is
transmitted from MDMA server to other parties over a common carrier."
Criteria #4 states:
		"MDMA data on the server awaiting transport to the MDMA
user must be protected from unauthorized access by a firewall,
encryption or some other reasonable security measures"

Nowhere in criteria #3 or #4 is the discussion of digital certificates
explicitly mentioned.  Also not mentioned is the process for obtaining
these certificates and who is responsible (UDC? ESP? other entities?)
for granting and administrating the certificates.  

You mentioned that it was your understanding that certificates would be
required for all MDMAs as an integral part of SSL.  The information I
included as part of Appendix F was based on reviewing all the relevant
info and discussions in the PSWG and all the Joint-UDC MDMA meetings.
I didn't find any material that discussed this expanded requirement
which, if this is now the case, I would support.
 
Since some folks will read this and may not have a starting reference,
I'm including the following information for those not familiar with the
SSL protocol and what it means for data security. SSL provides these
levels of protection:
*	Encryption established for data between a client and server who
have negotiated a secure channel
*	Data integrity established such that the data being transferred
has reasonable assurances that it has not been altered
*	Authentication is enabled that assures the client that data is
being sent to the correct server and that the server is secure.
*	If basic authentication is enabled, SSL will improve its
security level by encrypting passwords at the client before they are
transmitted.

To fully implement these levels of security, you must obtain a digital
certificate from a specific entity called a certificate authority.
However, I'm not sure I fully agree with your statement that
certificates are required by Internet Server Software in order to
establish a secure socket connection.  Not a big issue...just a detail.

As a further point of clarification, the two dominant Web browsers,
Microsoft Internet Explorer versions 3 on up and Netscape
Navigator/Communicator 3.0 on up support Secured Sockets Layer protocol.
However, data security needs and requirements constantly change and, in
response, security protocols are also an evolving science.  Both
browsers also support newer standards such as Private Communication
Technology (PCT), a more efficient and secure upgrade to the SSL
protocol and another new security protocol called Transport Layer
Security (TLS).  The TLS protocol incorporates both SSL and PCT into a
single standard supporting both digital certificates and password-based
authentication.  The last two protocols are mentioned for reference
only. I am not advocating their implementation at this time.

The long response to all of this is... well, that's why the entire data
security issue has been forwarded to the DQIWG for further discussion.

If you can confirm that the digital certificate requirement is being
extended for all MDMAs and potential candidates at the server level,
I'll go ahead and change the language in Appendix F to reflect this.

Thanks

Ed Quiroz
Office of Ratepayer Advocates
