CMS Interfaces - ActivIdentity
Dom Fedronic - CTO Office - v1.0 - 04-15-06
Presentation transcript (hosted by Secure Technology Alliance)
2. DHS PIV System Architecture

[Architecture diagram. Components shown: Physical Access Control System (PACS) and PACS Interface; Enrollment Workstation; Meta Directory with an Open Interface API; Identity Management System (IDMS); CA Repository Active Directory; DHS HQ Active Directory; Certificate Authority; Life Cycle Mgmt API and Notification API; Card Issuance Workstation with Badging API; Card Management System (CMS); Hot List Subsystem and Revocation Browser; PIV Card used for Logical Access and for Physical Access within the PIV Enclave. Flows labelled: Issuance Request, Notifications, Issuance, Revocation, HR / Security Clearance / User Provisioning Authorization, PIV Pre-Enroll. Actors: Applicant, Sponsor, Registrar, Issuance Op, and the PIV & Network Admin working through a browser. Links between components are HTTPS.]
3. Interfaces of the CMS

Interface with the IDMS:
- Card Issuance Request
- Card status notification
Interface with Credential Providers:
- CAs
- Digital signatories
Interface with the Card Production Facilities (Service Bureaus):
- Based on an extension/update of PIR 4.2
4. PIV general architecture

[Architecture diagram. Components shown: Enrollment Station with a Registration Front-End (Obtain ID Proofing Package); Vetting System; IDMS; CMS; CA and Digital signatory; Card Production System; Issuance Station (Verify Bio, Obtain PKI, Set PIN, Unlock); Activation & Help Desk Front-end; PIV Card with its applets; Access Control System; Backend Services. Actors: Applicant, Sponsor, Registrar, Issuer. Three cycles are distinguished: ID Proofing Life Cycle, PIV Card Content Life Cycle and PIV Card Production Cycle. Each flow is marked synchronous or asynchronous.]

Numbered flows in the diagram:
1. PIV Request
2. Registration Request
3. NACI Request
4. NACI Result
5. PIV Card Issuance request
6. BIO, CHUID Signature Request (to the CA / digital signatory)
7. Batch Production Request (improvement of CAC Pre-Issuance Requirements)
8. Production Notification
9. Fulfillment
10. ID Status or Verification Request (optional; to IDMS, OCSP, ...)
11. PIV Card Activation Request
12. PKI Certificate Request
13. PIV Issuance Notification
14. Access Request
5. Interfaces with the IDMS

The Card Issuance Request (CIR):
- XML
- Implemented at DHS with the LMCO IDMS
- Supports PIV
- Extensible
- Secure: XML-DSIG, XML-ENC (W3C)
- Transaction oriented
- Transport ensured by the Card Life Cycle Mgt API (card/credential management API)
The Card Status Notification:
- Leverages CIR transaction data
- Returns issuance status
- Plugins
- Implemented at DHS
Published 2005 (Life Cycle Management, Badging).
6. Interfaces with Credential Providers

SPI:
- Full abstract credential life cycle management
- Supports CAs
- Supports digital signatory services
- Supports biometric subsystems (identification and verification)
7. Interfaces with Card Production Facilities

Requirements:
- Open
- XML based
- Extensible
- Covers the requirements for PIV card production
- Secured (proof of origin, integrity and confidentiality)
- Should leverage an existing standard in a backward-compatible manner: should be backward compatible with PIR
8. ActivIdentity - Partner (OCS)

[Diagram. ActivIdentity side: AI CMS and Batch Production Gateway. Partner (OCS) side: Card Production System, Batch Mgmt System and the production facility, which works in its own internal format. Other CMSes also exchange SBOD/SBDD with the production side. Legend: synchronous and asynchronous data exchange; messages are signed, encrypted XML.]

Flows shown:
1. Card Issuance Request
2. Batch Production Request (SBOD): card profile ID, issuer info, CIN, IIN, signed PIV Data Model objects (incl. CBEFF face), surface printing layout ID and data (incl. JPEG face)
6. Production Notification (SBDD): CIN, key config ID, card product ID, physical description ID, logical description ID, requirements ID
9. Leverage Pre-Issuance Requirements specifications

- PIR fulfills the need for an interoperable format between Issuers and shared production service providers
- Each production facility can simultaneously support multiple issuers (service provider model)
- Each Issuer can simultaneously support multiple production facilities (current PIR 4.2 / DoD CAC production model)
- New Issuers can be supported with limited impact on the production system
- New production facilities can be supported with limited impact on the Issuer
- Needs: personalization data in SBOD; alignment with the FIPS 201 data model
10. PIR, a Proven Data Interchange Specification

PIR has been used to produce several million CACs:
- Multiple manufacturing sites
- 1000s of issuance sites
- Multiple card types
- Multiple card profiles (CACv1, CACv2)
- Centralized issuance or face-to-face
- Now version 4.2
Production contract between Card Issuer and Card Production Facility.
Self-contained.
Batch oriented.
Defines two XML message formats for transmission of data specific to a batch.
11. Standard - Secure - Open

Standard:
- XML schema, XML-DSIG, XML-ENC (W3C)
- Backward-compatible with Pre-Issuance Requirements
- Designed to support 800-73 data model encoding and FIPS 201 layout
Security:
- Proof of origin, confidentiality and integrity, to transport sensitive data in various contexts, possibly offline and asynchronous
Open:
- 800-73 data model extensions
- New applications
12. SBOD/SBDD

SBOD/SBDD: Service Bureau Order Descriptor / Service Bureau Delivery Descriptor
Purpose: a complete card production protocol
- Encompasses all card production directives in a single message
- Supports bulk production of personalized PIV cards (SBOD)
- Provides product configuration, personalization data, delivery site and contact to the production facility or Service Bureau
- Supports notification of card production for further activation and post-issuance (SBDD)
- Returns status and identifiers of produced cards/credentials
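The SBOD/SBDD round trip described on this slide and in the slide 8 diagram, as an added Python example that is not ActivIdentity, OCS or PIR code. The element names, the two keys, the sample identifiers and the HMAC-over-canonical-XML seal are assumptions: PIR secures its messages with XML-DSIG and XML-ENC, and the HMAC stands in for the signature part only (confidentiality via XML-ENC is not shown). It shows the issuer's CMS building a sealed order carrying the SBOD fields, the facility refusing an order whose seal fails and answering a good one with a sealed delivery descriptor, and the CMS reconciling the produced CINs against what it ordered.

```python
# Added example, not ActivIdentity/PIR code. Element names, keys, identifiers
# and the HMAC seal are assumptions standing in for the PIR 4.2 schema and XML-DSIG.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed keys, one per sender, so each side can check who produced a message.
# With XML-DSIG the issuer would sign with its private key instead of a shared secret.
ISSUER_KEY = b"constructed-issuer-key"
FACILITY_KEY = b"constructed-facility-key"

def canonical_bytes(elem):
    """C14N the element so reformatting (whitespace, attribute order) does not change the digest."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def seal(elem, key):
    """Append a <Seal> carrying an HMAC-SHA256 over the canonical element (integrity + origin)."""
    ET.SubElement(elem, "Seal").text = hmac.new(key, canonical_bytes(elem), hashlib.sha256).hexdigest()
    return elem

def verify_seal(elem, key):
    """Recompute the seal over the element without its <Seal> child; constant-time compare."""
    seal_el = elem.find("Seal")
    if seal_el is None:
        return False
    elem.remove(seal_el)
    expected = hmac.new(key, canonical_bytes(elem), hashlib.sha256).hexdigest()
    elem.append(seal_el)
    return hmac.compare_digest(expected, seal_el.text or "")

# Constructed batch of two cards; the CINs, IINs and CBEFF records are not real.
SAMPLE_CARDS = [
    {"profile": "PIV-PROFILE-A", "cin": "1000000001", "iin": "1234567",
     "layout": "LAYOUT-1", "face_cbeff": b"constructed-cbeff-record-1"},
    {"profile": "PIV-PROFILE-A", "cin": "1000000002", "iin": "1234567",
     "layout": "LAYOUT-1", "face_cbeff": b"constructed-cbeff-record-2"},
]

def build_sbod(batch_id, issuer, cards):
    """Issuer side: one SBOD carrying every production directive for the batch."""
    root = ET.Element("SBOD", batchId=batch_id)
    ET.SubElement(root, "IssuerInfo").text = issuer
    for c in cards:
        card = ET.SubElement(root, "Card", cardProfileId=c["profile"])
        ET.SubElement(card, "CIN").text = c["cin"]
        ET.SubElement(card, "IIN").text = c["iin"]
        ET.SubElement(card, "PrintLayoutId").text = c["layout"]
        # The signed PIV data-model objects (e.g. CBEFF face) would be embedded; only a digest is carried here.
        ET.SubElement(card, "CbeffFaceDigest").text = hashlib.sha256(c["face_cbeff"]).hexdigest()
    return ET.tostring(seal(root, ISSUER_KEY), encoding="unicode")

def produce_batch(sbod_xml, key_config_id, card_product_id):
    """Facility side: reject an order whose seal fails, otherwise answer with one SBDD entry per card."""
    order = ET.fromstring(sbod_xml)
    if not verify_seal(order, ISSUER_KEY):
        raise ValueError("SBOD seal invalid: batch rejected")
    sbdd = ET.Element("SBDD", batchId=order.get("batchId"))
    for card in order.iter("Card"):
        done = ET.SubElement(sbdd, "ProducedCard")
        ET.SubElement(done, "CIN").text = card.findtext("CIN")
        ET.SubElement(done, "KeyConfigId").text = key_config_id
        ET.SubElement(done, "CardProductId").text = card_product_id
        ET.SubElement(done, "Status").text = "produced"
    return ET.tostring(seal(sbdd, FACILITY_KEY), encoding="unicode")

def reconcile(sbod_xml, sbdd_xml):
    """Issuer side: check the delivery's seal and batch id, then match produced CINs to the order."""
    order, delivery = ET.fromstring(sbod_xml), ET.fromstring(sbdd_xml)
    if not verify_seal(delivery, FACILITY_KEY):
        raise ValueError("SBDD seal invalid")
    if delivery.get("batchId") != order.get("batchId"):
        raise ValueError("SBDD answers a different batch")
    ordered = {c.findtext("CIN") for c in order.iter("Card")}
    produced = {c.findtext("CIN") for c in delivery.iter("ProducedCard")
                if c.findtext("Status") == "produced"}
    return {"produced": sorted(ordered & produced),
            "missing": sorted(ordered - produced),
            "unexpected": sorted(produced - ordered)}

def sample_sbod():
    return build_sbod("BATCH-0001", "DHS-ISSUER", SAMPLE_CARDS)

def run_exchange():
    """Happy path: every ordered CIN comes back produced."""
    sbod = sample_sbod()
    return reconcile(sbod, produce_batch(sbod, "KEYCFG-1", "PRODUCT-7"))

def tamper_detected(sbod_xml):
    """Altering the IIN in transit must invalidate the order, so the facility would reject it."""
    doc = ET.fromstring(sbod_xml)
    doc.find("Card/IIN").text = "0000000"
    return not verify_seal(doc, ISSUER_KEY)

if __name__ == "__main__":
    print(run_exchange())
    print("tamper detected:", tamper_detected(sample_sbod()))
```

The seal is computed over the C14N form, which is the same property XML-DSIG depends on: a gateway that re-indents or reorders attributes must not break verification, while any change to a CIN, IIN or profile ID must. A shared-secret HMAC only lets the two parties assure each other of origin; with the issuer's XML-DSIG signature the facility can also show a third party who ordered a batch, which matters in the multi-issuer, multi-facility model of slide 9.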
13. Call for Action

- Already started to engage with the PIR editing community
- Already engaged with Global Platform
- Engage with the Security Industry Association
Early draft.