TRANSCRIPT
Registration Processing for the Wireless Internet
Ian Gordon
Director, Market Development
Entrust Technologies
Wireless Value Chain
Many players involved…
• Terminal Manufacturer
• SIM Manufacturer
• Infrastructure Manufacturer
• Mobile Operator
• Virtual Mobile Operator
• Systems Integrator
• Middleware Provider
• Content Provider / Service Provider
• Wireless Application Service Provider
• Consumer
Depending on the Trust model being adopted, any number of these players may or may not be involved in the registration process. Solution providers must design, develop and deliver a range of products or modules to address the variety of registration scenarios.
Registration Impacters
• Public Root / Private Root
• Insource / Outsource
• Anonymous / Bound
• Device / Central Keygen
• Single / Multiple Terminal
• Token / No-Token
• Combinations
Registration will be the mobile user's first experience with the wireless Internet. Failure to deliver an easy-to-use, automated registration process will provoke frustration and a decision point.
Great care and attention must be placed on the design of your registration process.
Key & Cert Insertion
Phone Manufacturer:
• CA root key and/or certificate may be placed in firmware mask from an image file provided by Certificate Authority
Card Manufacturer:
• CA root key and/or certificate may be placed on SIM from an image file provided by Certificate Authority
• End User key-pairs pre-generated and stored on SIM
• Anonymous / Prepaid Certificates
Mobile Operator:
• End User enrollment at Mobile Operator: End User Encryption Public Key and Verification Public Key sent to Certificate Authority for “binding” to certificates. Returned certificates stored on SIM or on the network.
End User:
• End User enrollment Over the Air: End User Encryption Public Key and Verification Public Key sent to Certificate Authority for “binding” to certificates. Returned certificates stored on SIM or on the network.
Service Provider:
• End User enrollment at Service Provider: End User Encryption Public Key and Verification Public Key sent to Certificate Authority for “binding” to certificates. Returned certificates stored on SIM or on the network.
Mobile device users will be able to join new Trust models at any time with OTA provisioning; however, the process must be simple and intuitive, as registration is dependent on the ability of the user.
Registration Objectives
• Enable requests for authentication certificates
• Enable requests for authorization (signing) certificates
• Permit configurable methods of certificate storage/usage
• Permit massive scalability
WPKI Specification
• Created to permit a standardized method for obtaining certificates for the purposes of authentication & authorization in m-commerce transactions
• Much more…
While the wireless industry comprises much more than just WAP solutions, the WAP specifications are evolving to deliver the most standardized approach to registration processing.
WPKI Products
• Enable requests for authentication certificates for WTLS client authentication
• Enable requests for authorization certificates for application level transaction signing
• Determine validity of information contained in the certificate request
• Communicate with the CA for certificate signing
WPKI Products
• Respond to the Mobile Equipment (ME) by:
– Returning the certificate directly to the device, including a display name for which the certificate is valid
– Or, returning a certificate information structure for later retrieval of the certificate from a repository, and a display name for which the certificate is valid
– Or, confirming the receipt of the HASH of the mobile device user's Public Key
WPKI Products
• Support HTTP and LDAP URL formats
• Support WPKI, WTLS, X.509v3, PKIX & HTTPS standard interfaces
• Deliver detailed error and status reporting
• Deliver performance, scalability and robustness
Simplified Registration Scenario
Participants: Mobile Equipment, Registration Portal, Certificate Authority, Certificate Repository
Mobile Equipment – Registration Portal:
• WTLS Handshake
• Registration Page
Registration Portal:
• Get Request
• Verify POP
• Format Message
• Sign Message
• Call CA
Certificate Authority (with Certificate Repository):
• Verify Signature
• Map User DN
• LDAP Add
• CA Add
• Get Cert
• LDAP Write Cert
Registration Portal:
• Get Response
• Send to M.E.
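As an added example (not part of the presentation, and not Entrust's or the WAP Forum's code), the following Go program models the scenario above together with the response options and request-validity check listed under WPKI Products: the mobile equipment generates its key pair and signs a request as proof of possession, the portal's "Verify POP" step checks that signature before anything is sent to the CA, the CA maps the subscriber to a DN, signs an X.509 certificate and writes it to a repository keyed by the hash of the user's public key (the value the portal may confirm instead of returning the certificate), and the device validates the result against a root that was pre-placed on it. The request layout, the sha256 digest, the use of ECDSA P-256 and all names are constructed assumptions; the real WPKI request encoding is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RegistrationRequest is a constructed stand-in for what the ME sends to the portal (not the WPKI encoding).
type RegistrationRequest struct {
	Subscriber string           // display name the certificate will be valid for
	PubKey     *ecdsa.PublicKey // verification public key to be bound to a certificate
	PoP        []byte           // ECDSA signature over requestDigest made with the matching private key
}

// requestDigest covers name and DER public key, so neither can be swapped after the ME has signed.
func requestDigest(sub string, pub *ecdsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	h := sha256.Sum256(append([]byte(sub+"\x00"), der...))
	return h[:]
}

// PublicKeyHash is the "HASH of the user's Public Key" the portal may confirm instead of returning the certificate.
func PublicKeyHash(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// NewRequest is the ME side ("Device Keygen"): the private key stays on the terminal; the signature is the POP.
func NewRequest(sub string) (RegistrationRequest, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return RegistrationRequest{}, nil, err }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, requestDigest(sub, &priv.PublicKey))
	return RegistrationRequest{Subscriber: sub, PubKey: &priv.PublicKey, PoP: sig}, priv, err
}

// VerifyPOP is the portal's "Verify POP" step.
func VerifyPOP(req RegistrationRequest) bool {
	return req.PubKey != nil && ecdsa.VerifyASN1(req.PubKey, requestDigest(req.Subscriber, req.PubKey), req.PoP)
}

// CA holds the signing key, the self-signed Root a manufacturer would pre-place on the device, and the Repository (key hash -> DER cert).
type CA struct {
	key  *ecdsa.PrivateKey
	Root *x509.Certificate
	Repo map[string][]byte
}

func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example WPKI Root (constructed)"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	root, err := x509.ParseCertificate(der)
	return &CA{key: key, Root: root, Repo: map[string][]byte{}}, err
}

// Issue is the portal-plus-CA path: reject a request that fails POP or names no subscriber, map the subscriber
// to a DN, sign, write to the repository, and return the DER cert plus the key hash ("certificate information structure").
func (ca *CA) Issue(req RegistrationRequest) ([]byte, string, error) {
	if !VerifyPOP(req) { return nil, "", fmt.Errorf("proof of possession failed") }
	if req.Subscriber == "" { return nil, "", fmt.Errorf("request names no subscriber") }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would use
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: req.Subscriber},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Root, req.PubKey, ca.key)
	if err != nil { return nil, "", err }
	hash := PublicKeyHash(req.PubKey)
	ca.Repo[hash] = der // "LDAP Write Cert"
	return der, hash, nil
}

// ValidateOnDevice is the ME's check of the returned certificate against the pre-placed root.
func ValidateOnDevice(certDER []byte, root *x509.Certificate) error {
	leaf, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	pool := x509.NewCertPool(); pool.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, err := NewCA()
	if err != nil { panic(err) }
	req, _, _ := NewRequest("subscriber-0001 (constructed)")
	der, hash, err := ca.Issue(req)
	fmt.Println("issued", len(der), "bytes, key hash", hash, "error:", err, "device validation:", ValidateOnDevice(der, ca.Root))
}
```

The ordering in Issue is the point of the slide's "Verify POP" box: the portal refuses to call the CA for a public key the requester cannot prove it holds, so a certificate can never be bound to someone else's key, and the same check rejects a request with a valid signature but no usable subscriber before the CA maps it to a DN.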
Complications
• Who owns the Trust model?
• Who performs first time interaction?
• Who is running the gateway / server / portal?
• What is the user experience across differing mobile equipment?
Summary
• Easy, consistent registration is critical to guide the user through their first contact with the wireless Internet.
• A standardized approach to registration is the only way to ensure that experience is a good one.
• The wireless Internet will eclipse the wired Internet in scope, but only if we all work to make the necessary security as transparent as possible.