The U.S. Federal PKI, 2004: Report to EDUCAUSE

Peter Alterman, Ph.D.
Assistant CIO for E-Authentication
National Institutes of Health

The Federal Bridge CA is Now the Federal PKI Architecture (SuperSize Me)

• Components include:

– US Federal Bridge CA

– Common Policy Framework CA

– E-Authentication CA

– Citizen and Commerce Class CA

FPKI Architecture

[Diagram. Elements shown: the Federal Bridge Certification Authority (FBCA Certificate Policy), two-way cross-certified at FBCA High and FBCA Medium with Agencies (legacy agency CA policy), States, Foreign Entities, Other Bridge CAs, ACES and New Agency CAs; the FPKI Common Policy Framework (FCPF) Certificate Policy and its FCPF Policy Certification Authority (trust anchor for Common FPKI Policy hierarchical PKI subscribers), two-way cross-certified, with the Qualified Shared Service Providers USDA/NCF, VeriSign and DST; the Citizen & Commerce Class Common (C4) Certificate Policy and its C4 Policy Certification Authority (included in browser list of CAs), two-way cross-certified, with the Private Sector and other "PKI Lite" PKIs (AOL, PEPCO); and the E-Governance Certification Authority (mutual authentication of SAML/SSL certificates only) under the E-Governance Certificate Policies, Assurance Level 1 and Assurance Level 2.]

Key Points

• Main connection between US Federal PKI and external PKIs (including other Bridges) continues to be the Federal Bridge CA.

• Common Policy Framework CA issues cross-certificates to SSP primary CAs.

• Common Policy Framework CA cross-certified with FBCA.

• E-Authentication CA - Two other CAs service E-Authentication levels one and two CSP SSL/TLS server cert issuance.

• C4 CA services alternative PKIs (ultra lights).

Cross-Certified with the US FBCA

• Department of Defense (one way)

• DOD Key Management Infrastructure

• NASA

• USDA/National Finance Center

• Treasury

• State

• Energy

• Labor

• State of Illinois

• DST/Identrus ACES (and HHS)

• ORC ACES

Pending/In Process

• U.S. Patent and Trade

• Wells Fargo Bank / Identrus

• Government of Canada

• Boeing

• HEBCA

• Government of Australia

• UK Ministry of Defence

Approved Shared Service Providers

• VeriSign

• CyberTrust

• National Finance Center/USDA

• Others pending

Other Bridges Emerging: A Global Trust Infrastructure

• Aerospace Industry (CertiPath)

• Pharmaceutical Industry (SAFE)

• Unofficially, and really not a bridge, but might as well be: Crimson Logic Pacific Rim Import/Export Application (9 economies)

And Now A Graphic

• Showing how the Federal PKI fits into the overall U.S. E-Authentication Architecture -

The US Federal PKI & The E-Authentication Federated Approach

[Diagram. The FPKI Architecture chart from the earlier slide is repeated here, with Wells Fargo added beside AOL and PEPCO in the private-sector group and with one-way, two-way and "optionally two-way" cross-certification marked, and is embedded in the E-Authentication picture. Note on the chart: Red lines indicate technical areas to resolve. Working Groups are formed to address these areas by 1st week of March 2004. Validation interfaces listed: XKMS, OCSP, CAM, SOAP, Others. Components shown: Portal, AA, Validation Service, eAuth Trust List, FBCA Certificate Policy, and the FPKI (Figure: FPKI) containing a Bridge with CA 1 (Community 1), CA 2 (Community 2), CA 3 (Community 3) and CA 4 with subordinates CA 4a and CA 4b.

Step #1: User goes to Portal to select the AA and ECP

Step #2: The user is passed directly to the AA

Step #3: The user authenticates to the AA directly using SSL or TLS.

Step #4: The AA uses the validation service to validate the certificate]

Other Federal/Higher Ed Initiatives, or Places We Meet: (In Hoc Signo Vinces)

• NIH-EDUCAUSE PKI Interoperability Project, Phase 4

• E-Authentication-Shibboleth Interoperability Initiative

• E-Authentication Partnership

• International Collaborative Identity Management Forum (ICIDM)

Issues Being Pursued Actively

• Path Discovery / Path Validation

– CAM works

• Bridge-Bridge Interoperability Procedures, including Bridge Operations Issues – Citizenship, etc.

• FIPS 201 and HSPD-12

Path Discovery / Path Validation

• CAM 4 RC7 Ready for Prime Time and Configurable to map LOA

• CAM 4 RC8 due January, 2005 (GUI interface for configuration)

• Validation Service/Tool Requirements Document about ready for release

• No COTS service/tool yet a reality

• Betting on SCVP for next generation validation checking protocol.
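Path discovery across a mesh of one-way and two-way cross-certificates, where each cross-certificate's policy mapping decides which assurance level survives the crossing, is the problem the slides say CAM tackles. The following is an added example, not code from the presentation or from CAM: a toy Python model of that search, in which the CA names follow the slides but the cross-certificate table, policy names and the direction of the one-way DoD link are constructed assumptions.

```python
"""Toy certification-path discovery over bridge cross-certificates.
Added example; the cross-certificate table and policy names are
constructed, not the real FPKI policy OIDs or mappings."""
from collections import deque

# (issuer, subject, {issuer_domain_policy: subject_domain_policy})
# Two-way cross-certification appears as a pair of edges; the DoD link is
# modelled as a single edge (constructed assumption about its direction).
CROSS_CERTS = [
    ("Agency CA", "FBCA", {"agency-medium": "fbca-medium", "agency-high": "fbca-high"}),
    ("FBCA", "Agency CA", {"fbca-medium": "agency-medium"}),
    ("FBCA", "Common Policy CA", {"fbca-medium": "cp-medium"}),
    ("Common Policy CA", "FBCA", {"cp-medium": "fbca-medium"}),
    ("Common Policy CA", "SSP CA", {"cp-medium": "cp-medium"}),  # SSP issues under Common Policy
    ("FBCA", "Other Bridge", {"fbca-medium": "ob-medium"}),
    ("Other Bridge", "FBCA", {"ob-medium": "fbca-medium"}),
    ("Other Bridge", "Member CA", {"ob-medium": "member-medium"}),
    ("DoD CA", "FBCA", {"dod-medium": "fbca-medium"}),  # one-way only
]


def discover_path(anchor, anchor_policy, ee_issuer, ee_policy, max_len=6):
    """Breadth-first search from the relying party's trust anchor, carrying
    the required policy through each cross-certificate's policy mapping.
    Returns the CA names from anchor to the end-entity issuer, or None when
    no path preserves the policy (wrong assurance level, or a one-way link
    pointing the wrong way)."""
    by_issuer = {}
    for issuer, subject, mapping in CROSS_CERTS:
        by_issuer.setdefault(issuer, []).append((subject, mapping))
    queue = deque([([anchor], anchor_policy)])
    while queue:
        path, policy = queue.popleft()
        ca = path[-1]
        if ca == ee_issuer:
            if policy == ee_policy:
                return path
            continue
        if len(path) >= max_len:
            continue  # bound the search across bridges
        for subject, mapping in by_issuer.get(ca, []):
            if subject in path:  # never loop back through a bridge
                continue
            if policy not in mapping:  # this cross-cert drops the policy
                continue
            queue.append((path + [subject], mapping[policy]))
    return None
```

An agency relying party reaches a member of another bridge only at medium assurance, since no cross-certificate maps the high policy onward; the same search from an Agency anchor finds no path to the DoD CA, because the one-way link runs the other way.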

Bridge-to-Bridge Interoperability

• Policy and Procedures – FPKI Policy Authority Leads the Pack

• Technical Implementation Issues – Architecture and Trust

• Politics and Money

• Current sticking point is citizenship requirements for trusted operators

HSPD-12, The Black Hole: Background

• Requires NIST to promulgate technical and procedural standards for electronic identity authentication for Feds and contractors (PIV = Personal Identity Verification)

• Encompasses physical and logical access to government resources

• Ultra short timeframe: Standards done in Spring, Agency implementation plans due late June, Agency implementation begins October.

• Means Medium Assurance Digital Certificates on SmartCards, but next generation crypto being pushed.

HSPD-12, The Black Hole: Status

• Current action is with three documents: FIPS 201, SP 800-73 and the Implementation Guide

• Current Draft of FIPS 201 being heavily revised, final version due mid-February

• Revision to SP 800-73 (Smart Card Standards) under way, IAB hard at work revising to accommodate industry input, due late January

• Implementation in two phases to accommodate installed base and vendor community

• WILL AFFECT EVERYONE

Reminder: PKI R&D Workshop

• April 19 – 21, 2005

• NIST Gaithersburg, MD

• www.middleware.internet2.edu/pki05

• This year, the workshop has a particular interest in how emergent trust mechanisms will interact with each other at technical, policy and user levels.