3. 1998 was the year of Internet e-commerce early adopters...
• Scales to millions
• Available 24 x 7 x 365
• Integrated across applications
• Extranet security
• Scales to 10’s of thousands
• Incompatible infrastructure across applications
Internal Focus
External Focus
5. • Internet infrastructure for reliable, scalable, secure E-commerce applications
• Secure management and authentication of millions of users & hundreds of applications
E-Commerce Ready Infrastructure
Broad Foundation for Internet Commerce
Quality of Service
Application Services
Content Delivery Services
Integration Services
Directory & Security Services
Professional Services
6. Netscape Directory for Secure E-Commerce 4.0
• Broad foundation for Internet commerce
• Complete solution for the mainstream that provides a flexible range of security options
– Username and password authentication
– Certificate (PKI) based authentication
– SSL for secure communication
• Significantly simplifies administration and deployment of secure e-commerce applications
– Enables customer self service
– Deployable PKI
Netscape Directory for Secure E-Commerce 4.0
• Certificate Management System 4.0
• Directory Server 4.0
• Delegated Administrator 4.0
7. Certificate Management System 4.0
New Features and Functionality
• Deployment flexibility and scalability
– RA, CA & KRA easily distributed across systems
– Scales to millions of users
– Enhanced directory integration
• Broad support for client, server, CA, and VPN certificates
• Hardware signing and acceleration through PKCS#11 CSPs
• Simplified end user experience
• Corporate key recovery
Data Recovery Manager
Certificate Manager
Registration Manager
8. Certificate Management System 4.0
Additional Cryptographic Features
• Dual key & expanded algorithm support
• FIPS 140-1
– Level 1 & 2 CSPs
– Interoperability with FIPS 140-1 Level 3 validated hardware CSPs
• Secret splitting for signing and key recovery keys
• Integration with Litronic Profile Manager for bulk issuance of smart cards
• Supports CRS and can issue IPSEC certificates for Cisco Routers
9. Architecture Overview
[Diagram. Components: Registration Manager; Data Recovery Manager; Certificate Manager; External Public Directory (shown twice); Communicator 5.0; EEs. Labels, in order of appearance: HTTPS; CRS EE; internal LDAP (three times); CRS/RSA only; LDAP cert publishing; LDAP cert/CRL publishing; CRMF/CMMF dual key RSA/DSA/mixed; KEYGEN EE; PKCS#10 EE RSA/DSA; KEYGEN PKCS#10 RSA or DSA; HTTP/HTTPS; CMMF/HTTPS.]
10. Internal Architecture
[Diagram. Labels, in order of appearance: Middleware; CA, RA, KRA; Java Security Services (JSS) (Java-JNI layer); Netscape Security Services (NSS); PKCS#11 layer; SSL; LDAP; JDK 1.1.6 and 1.2; Internal CSP (Level 1); FIPS Level 2 CSP; Third party vendors; INCLUDED CSPs; SOFTWARE or HARDWARE CSPs; Exposed Developer APIs; Custom Authentication/Policy modules; Third party vendors; FIPS 140-1 Validated layer; Pure Java layer.]
11. Certificate Management System 4.0
Flexibility and Extensibility
• Java Plug-in interfaces -- write once, run everywhere
– Out of the box authentication modules
– Ability to add groups of extensions
– Customizable policy constraints for different types of keys/certificates
• Published APIs and tools enable integration
– Kerberos and SecurID authentication modules
– RDBMSs and ERP systems
• Flexible LDAP publishing
• Internationalized end user and admin GUIs
14. Certificate Management System 4.0
Standards Compliance
• IETF PKIX Certificate Management Standards
– CRMF: Certificate Request Message Format
– CMMF: Certificate Management Message Format
• CRS: Certificate Request Syntax [Cisco IPSec]
• FIPS 140-1: NIST Security Requirements for Cryptographic Modules
• PKCS #11 2.01
• X.509 v3: formats for digital certificates (v1, v3)
• LDAP v2, v3: Lightweight Directory Access Protocol
• SSL 2.0, 3.0: Secure Socket Layer
15. Extending Security Solutions Through Partnerships & Services
• Cross-company trust
• Hardware tokens & cryptographic accelerators
• Secure networking & VPNs
• Systems integration & consulting
• Training
16. Netscape Delivers Robust Security Solutions Today
• Certificate Server 1.0 deployed today
• Robust infrastructure grows as fast and as large as required
• Directory Server provides foundation for Internet security
• Certificate Management System delivers strong authentication for extranet and e-commerce services
• Netscape extends solutions through partners, tools, and services
Editor's Notes
Good Afternoon. Thanks for joining us here today. We’ve got a lot of new information to share with you and because of this we have an updated copy of the presentation. If you didn’t get one on the way in, we have them available for you. One change in the presentation is that we have removed the demos in favor of more time for Q&A since we’ve been demonstrating the products for the last three days in the Exhibit Hall. If you didn’t see the demos and are interested, please talk with us after the session.
Key points:
Focus of applications that do go on the Net is very different from what it used to be (these are the standard points made in the slide that we have been making for the past year about scalability, reliability, availability, and integration across applications).
E-Commerce, although a rapidly growing marketplace, is still very young and is dominated by early adopters. The mainstream of corporate America still has not made it onto the web.
The reason they have not made it onto the Net is that in 1998, it was not an easy thing to do. You had to be willing to absorb some pain, that is what early adopters do, they pave the way for others. (next slide)
However, Netscape has spent the last year working with these early adopters, helping them get their E-commerce solutions deployed.
Unlike many vendors who put up a list like this, every one of these vendors is deployed with the Netscape Directory. Most people can just talk about customers who haven’t deployed their Ecommerce application yet, we have worked with the pioneers to get their solutions out the door and onto the Internet.
Ford is using the Netscape Directory as part of their supplier network with over 110 applications and 250,000 users as part of the Ford Supplier Network. They have an Ecommerce system that lets them lower their vehicle delivery time from 50 to 15 days.
BC Tel is using the Netscape Directory and Security Servers to offer their customers a choice of security levels for online bill presentment. Customers can either present a username/password or they can present a digital certificate as the authentication mechanism to access their online bill.
MCI WorldCom is using the Netscape Directory as a meta directory to synchronize their NOS, email and PeopleSoft directories.
AIG wanted to create an extranet application that enabled Brokers and Agents to make insurance sales through the internet. This new application, called Access AIG, serves as a centralized repository for their twenty thousand insurance brokers and agents in the US and Canada. These insurance agents and brokers are able to access real time, up-to-date information by authenticating to the Netscape Directory Server through User ID and Password protection. The agents and brokers can access product info, client services, pre-submissions and other information instantly. Before, it took several phone calls, time consuming navigation through different web sites, and extensive paper forms. The benefit of the new Access AIG application for the agents and brokers is customization and time savings. They will be evaluating CMS 4.0 to add digital certificates as an additional layer of security to their application.
Netscape has worked with these early adopters to understand the difficult issues in deploying real Ecommerce applications to make our products more deployable for the mainstream.
Quality of Service: Ability to incrementally scale & guarantee performance and availability
Application Services: An environment to build & host transactional applications
Content Delivery Services: Services for content publishing & management
Integration Services: Capabilities to integrate with existing enterprise systems & applications
Portal Services: Support for custom portals & wiring to mass market portals
One point our customers have made to us is that they don’t just want point solutions. They want a complete infrastructure for developing and deploying Ecommerce applications.
Talk about the requirements for an E-Commerce application. The slide is self explanatory here.
For Integration Services, note that these applications can’t exist in a vacuum. They have to be able to tie into the existing infrastructure. For this reason, all aspects of an E-Commerce Ready Infrastructure need to be able to integrate with legacy systems. For this announcement, we will be talking about our Directory and Security integration with existing directory and security infrastructure.
We will also be announcing enhancements to our Directory and Security
Directory provides user management (incl. personalization) and foundation for security
Delegated Administrator provides restricted access for customer self-service.
Broad end entity (EE) support for browser and VPN clients (IE 3.X,4.X, Navigator 3.X,4.X,5.X, RedCreek, etc.), servers (Netscape SuiteSpot 2.X, 3.X, 4.X, Apache, Lotus Domino, Oracle, IIS, etc.), CA’s (Entrust, Microsoft, etc.)
Highly scalable architecture
Can distribute certification authority (CA), registration authority (RA) and Key Recovery Authority (KRA) across systems
Support for multiple RA’s, CA’s and KRA’s
Directory Server 4.0 for local data storage.
Java Plug-in interfaces for certificate processing policies, authentication modules, servlet and PKCS#11 modules -- write once, run everywhere.
Out of the box Java authentication modules for LDAP based authentication, one time password authentication with pin generator, and certificate processing policies for most PKIX extensions in compiled and source form
Netscape continues to expand their security solution by partnering with key security vendors.
Public CA’s are referenced from our web site at: https://certs.netscape.com
Security Dynamics has signed a bundling agreement with Netscape to embed our Directory.
Litronic and Datakey provide smart card solutions.
Chrysalis-ITS, nCipher and Rainbow provide hardware acceleration cards to increase the speed of cryptographic operations.
Cisco and other VPNs will interoperate with Certificate Management System 4.0
Shared, centralized directory & security infrastructure supports multiple applications
Professional Services programs and tools enable legacy integration in 2-4 weeks
Strong security provided out-of-the-box
Directory
Scales to 20+ million entries/server
24x7 availability
Blazingly high performance (hundreds to thousands of queries/second)
Directory as foundation of security
Web-based single sign-on, access control, delegated administration
Scalability and security for millions of extranet users
VeriSign service integration makes Netscape the most deployable CA for Extranets
Certificate Management System will increase user transparency, flexibility, and scalability