Federal Initiatives in IdM Dr. Peter Alterman Chair, Federal PKI Policy Authority.


Federal Initiatives in IdM

Dr. Peter Alterman

Chair, Federal PKI Policy Authority

Wilmington, NC November 2005 2

HSPD-12

• Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05

• Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06

• Authorization remains a local prerogative


E-Authentication

• Initiatives
– Assessment Framework for Credentials: evaluating the level of assurance (LOA) of identity of credential service providers
– Membership in Liberty Alliance
– Frequent meetings with Microsoft
– Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team


E-Authentication: CAF

• Credential Assessment Framework consists of the following:
– A structured methodology and procedures for evaluating the LOA of a CSP’s credentials
– An assessment team that goes out and evaluates CSPs
– A process for conflict resolution
– Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website


E-Authentication: Interfed Interop

• InCommon Higher Education Identity Federation
– Using Shibboleth middleware technical protocols
– Policy-light

• E-Authentication US Identity Federation
– Using a variety of technical protocols
– Policy intensive


What Are Electronic Identity Federations?

• Associations of electronic identity credential providers and credential consumers (electronic service providers) who:
– Agree to trust each other’s credentials;
– Agree to hold credential providers authoritative for the validity of their credentials;
– Agree to use common communications protocols and procedures to enable interoperability;
– Agree to common business rules


Purpose of Electronic Identity Federations

• To enable trusted electronic business transactions between end users and service providers where the service provider does not have to issue and manage identity credentials, including attributes.

• It’s all a matter of scaling...

• No, it’s also a matter of control


Characteristics of Identity Federations

• Credential providers

• Service providers

• Standards and protocols for technical interoperability among credential providers, service providers, end users and infrastructure utilities

• A governance mechanism to assert common business rules, ensure credentials can be used and trusted by all members of the federation, and act as a central control point for entry and exit of members


Accomplishments to Date

• Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2

• Production-level interoperability built into Shibboleth 1.3 (in beta)

• Extensive groundwork done on identifying policy and procedure mapping/treaty requirements

• Credential Assessment of 3 Universities, fourth scheduled


Work in Progress

• Development of common SAML 2.0 schemes

• Development of common USPerson profile and profile management infrastructure

• Development of production-quality scheme translator

• Ongoing work to enable cross-federation trust and interoperability

• NSF FastLane to accept 3 universities’ Shibboleth-based identity and attribute credentials on or before December, 2005 (slippage)


Unresolved Issues

• Mapping null attributes

• Ensuring privacy of attribute information in a variety of instances

• Portal integration

• Scaling issues for listing credential providers

• Issues of transitivity across federations

• Multiple authoritative sources/conflicting authoritative sources

• Vocabulary and “data dictionary” issues

• Liability and indemnification issues


Federal PKI Architecture

• Agency and other government PKIs required to cross-certify with the Federal Bridge CA

• As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program

• Architecture issues TLS/SSL certs to credential service providers that have been assessed under the CAF, to provide mutual authentication

• Federal Bridge CA serves as “point of insertion” for external PKIs and other bridges.


Simplified Diagram of Federal PKI

Elements shown in the diagram (the figure itself is not reproduced here):

• Federal Bridge CA

• C4 CA

• E-Gov CAs (3)

• Common Policy CA

• Cross-Certified government PKIs

• Cross-Certified External PKIs

• eAuth CSPs

• Shared Service Provider PKIs (Common Policy OID and root cert)


LOA Mapping: E-Auth to Fed PKI

E-Auth Level 1    FPKI Rudimentary, C4

E-Auth Level 2    FPKI Basic

E-Auth Level 3    FPKI Medium & Medium-cbp

E-Auth Level 4    FPKI Medium/HW & Medium/HW-cbp; FPKI High (government only)
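The two mechanisms the Federal PKI slides rest on, cross-certification through a bridge CA and the mapping of one domain's policy OIDs onto another's (which is what lets an LOA table like the one above be applied across agencies), can be exercised end to end with openssl. The script below is an added example and is not part of the original slides or of any federal system: it builds a hypothetical three-domain PKI (an Agency A root, a bridge CA, an Agency B root), cross-certifies through the bridge with policyMappings extensions, and then validates an Agency B end-entity certificate from Agency A's trust anchor while requiring Agency A's own "Medium" policy. Every DN and OID is made up; the 1.3.6.1.4.1.99999 arc is a placeholder, not an FPKI OID.

```shell
#!/bin/sh
# Added example (not from the slides): a hypothetical three-domain PKI, bridged
# the way the Federal Bridge CA bridges agency PKIs, built and checked with openssl.
# Requires openssl 1.1.1 or later on PATH. All names and OIDs are placeholders.
set -e

# Hypothetical policy OIDs under a placeholder arc (NOT real FPKI OIDs).
A_MED=1.3.6.1.4.1.99999.1.2        # Agency A "Medium"
A_HIGH=1.3.6.1.4.1.99999.1.4       # Agency A "High" (no cross-cert maps to it)
BRIDGE_MED=1.3.6.1.4.1.99999.2.2   # Bridge "Medium"
B_MED=1.3.6.1.4.1.99999.3.2        # Agency B "Medium"

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file, one section per certificate profile. Each cross-certificate
# asserts the issuer domain's policy and carries a policyMappings extension
# translating it into the subject domain's equivalent OID (RFC 5280 section 4.2.1.5).
cat > pki.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ a_to_bridge ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
certificatePolicies = $A_MED
policyMappings = $A_MED:$BRIDGE_MED
[ bridge_to_b ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
certificatePolicies = $BRIDGE_MED
policyMappings = $BRIDGE_MED:$B_MED
[ ee ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
certificatePolicies = $B_MED
EOF

mkkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"; }

# mkroot NAME DN: self-signed trust anchor NAME.pem for one domain.
mkroot() {
  mkkey "$1"
  openssl req -x509 -new -key "$1.key" -subj "$2" -days 30 \
    -config pki.cnf -extensions root -out "$1.pem"
}

# issue CA SUBJECT DN PROFILE OUT: CA signs a certificate over SUBJECT.key.
# Used both for cross-certificates (one CA certifying another CA's key) and the EE.
issue() {
  openssl req -new -key "$2.key" -subj "$3" -config pki.cnf -out "$2.csr"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$4" -out "$5"
}

build_pki() {
  mkroot a_root "/O=Agency A/CN=Agency A Root CA"
  mkroot bridge "/O=Hypothetical Bridge/CN=Bridge CA"
  mkroot b_root "/O=Agency B/CN=Agency B Root CA"
  mkkey ee
  # Cross-certificates: Agency A certifies the bridge's key, the bridge certifies
  # Agency B's key. Agency B's own self-signed root never enters Agency A's store.
  issue a_root bridge "/O=Hypothetical Bridge/CN=Bridge CA" a_to_bridge bridge_by_a.pem
  issue bridge b_root "/O=Agency B/CN=Agency B Root CA" bridge_to_b b_by_bridge.pem
  issue b_root ee "/O=Agency B/CN=alice.example" ee ee.pem
  # What an Agency A relying party must be handed (or discover) to reach ee.pem.
  cat bridge_by_a.pem b_by_bridge.pem > via_bridge.pem
}

# verify_as_agency_a POLICY_OID UNTRUSTED_FILE: validate ee.pem from Agency A's
# anchor, requiring that POLICY_OID (an Agency A OID) be valid for the whole path.
# Prints OK or FAIL so the result is checkable; openssl's diagnostics go to stderr.
verify_as_agency_a() {
  if openssl verify -CAfile a_root.pem -untrusted "$2" \
       -policy "$1" -explicit_policy ee.pem >/dev/null; then
    echo OK
  else
    echo FAIL
  fi
}

build_pki >/dev/null
echo "bridge path, Agency A Medium required: $(verify_as_agency_a "$A_MED" via_bridge.pem)"
echo "bridge path, Agency A High required:   $(verify_as_agency_a "$A_HIGH" via_bridge.pem)"
echo "no bridge, only Agency B's own root:   $(verify_as_agency_a "$A_MED" b_root.pem)"
```

The first check succeeds because the bridge rewrites Agency A's Medium OID into the bridge's and then into Agency B's, so the relying party never has to know Agency B's policy identifiers; the second fails because no certificate on the path maps anything onto Agency A's High OID, which is the point of policy mapping as an assurance control rather than a naming convenience; the third fails because without the cross-certificates Agency B's root is just an untrusted self-signed certificate. Note that the example does no revocation checking, which the slides' bridge architecture requires of real relying parties.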


Discussion

[email protected]