The U.S. Federal PKI, 2004:
Report to EDUCAUSE
Peter Alterman, Ph.D.
Assistant CIO for E-Authentication
National Institutes of Health
The Federal Bridge CA is Now the Federal PKI Architecture (SuperSize Me)
• Components include:
– US Federal Bridge CA
– Common Policy Framework CA
– E-Authentication CA
– Citizen and Commerce Class CA
Figure: FPKI Architecture. The Federal Bridge Certification Authority (FBCA Certificate Policy) is two-way cross-certified at FBCA High and FBCA Medium with agencies (legacy agency CA policy), states, foreign entities, new agencies, ACES and other bridge CAs. The C4 Policy Certification Authority (Citizen & Commerce Class Common Certificate Policy, included in browser lists of CAs) is two-way cross-certified with private-sector and other "PKI Lite" participants such as AOL and PEPCO. The FCPF Policy Certification Authority (FPKI Common Policy Framework Certificate Policy) is the trust anchor for Common Policy hierarchical PKI subscribers and certifies qualified shared service providers (USDA/NCF, VeriSign, DST). The E-Governance Certification Authority handles mutual authentication of SAML/SSL certificates only, under E-Governance Certificate Policies at Assurance Level 1 and Assurance Level 2.
Key Points
• Main connection between US Federal PKI and external PKIs (including other Bridges) continues to be the Federal Bridge CA.
• Common Policy Framework CA issues cross-certificates to SSP primary CAs.
• Common Policy Framework CA cross-certified with FBCA
• E-Authentication CA - Two other CAs service E-Authentication levels one and two CSP SSL/TLS server cert issuance
• C4 CA services alternative PKIs (ultra lights)
Cross-Certified with the US FBCA
• Department of Defense (one way)
• DOD Key Management Infrastructure
• NASA
• USDA/National Finance Center
• Treasury
• State
• Energy
• Labor
• State of Illinois
• DST/Identrus ACES (and HHS)
• ORC ACES
Pending/In Process
• U.S. Patent and Trade
• Wells Fargo Bank / Identrus
• Government of Canada
• Boeing
• HEBCA
• Government of Australia
• UK Ministry of Defence
Approved Shared Service Providers
• VeriSign
• CyberTrust
• National Finance Center/USDA
• Others pending
Other Bridges Emerging: A Global Trust Infrastructure
• Aerospace Industry (CertiPath)
• Pharmaceutical Industry (SAFE)
• Unofficially, and really not a bridge, but might as well be: Crimson Logic Pacific Rim Import/Export Application (9 economies)
And Now A Graphic
• Showing how the Federal PKI fits into the overall U.S. E-Authentication Architecture -
Figure: Federal PKI within the E-Authentication Architecture. The FBCA is two-way cross-certified (FBCA High & FBCA Medium) with agencies (legacy agency CA policy), states, foreign entities, new agencies, ACES and, optionally two-way, other bridge CAs; the Department of Defense relationship is one-way cross-certified. The C4 Policy Certification Authority (included in browser lists of CAs) serves private-sector participants Wells Fargo, AOL and PEPCO; the FCPF Policy Certification Authority is the trust anchor for Common FPKI Policy hierarchical PKI subscribers and certifies the qualified shared service providers USDA/NCF, VeriSign and DST; the E-Governance Certification Authority (mutual authentication of SAML/SSL certificates only) operates under the E-Governance Certificate Policy at Assurance Level 1 and Assurance Level 2.
Figure: The US Federal PKI & The E-Authentication Federated Approach. A validation service (XKMS, OCSP, CAM, SOAP, others) sits between the agency application (AA) and the FPKI bridge, which links CA communities 1, 2 and 3 (CA 1, CA 2, CA 3, CA 4 with subordinates CA 4a and CA 4b); the eAuth Trust List and the FBCA Certificate Policy govern which certificates are accepted.
Note: Red lines indicate technical areas to resolve. Working Groups are formed to address these areas by 1st week of March 2004.
Step #1: User goes to Portal to select the AA and ECP
Step #2: The user is passed directly to the AA
Step #3: The user authenticates to the AA directly using SSL or TLS.
Step #4: The AA uses the validation service to validate the certificate
Other Federal/Higher Ed Initiatives, or Places We Meet: (In Hoc Signo Vinces)
• NIH-EDUCAUSE PKI Interoperability Project, Phase 4
• E-Authentication-Shibboleth Interoperability Initiative
• E-Authentication Partnership
• International Collaborative Identity Management Forum (ICIDM)
Issues Being Pursued Actively
• Path Discovery / Path Validation
– CAM works
• Bridge-Bridge Interoperability Procedures, including Bridge Operations Issues – Citizenship, etc.
• FIPS 201 and HSPD-12
Path Discovery / Path Validation
• CAM 4 RC7 Ready for Prime Time and Configurable to map LOA
• CAM 4 RC8 due January, 2005 (GUI interface for configuration)
• Validation Service/Tool Requirements Document about ready for release
• No COTS service/tool yet a reality
• Betting on SCVP for next generation validation checking protocol.
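As an added illustration, not from the presentation or any FPKI tool, the following Python models what path discovery and validation through a bridge CA involve: a relying party starts at its own trust anchor, follows cross-certificates the current CA has issued until it reaches the end-entity's issuer, and carries its acceptable policy set through each cross-certificate's policy mappings (a simplified version of the X.509 policy-mapping step). The CA names, policy identifiers and the direction of the one-way DoD relationship are constructed assumptions.

```python
from collections import deque

# Constructed sample cross-certificates (not from the presentation):
# (issuer CA, subject CA, policy mapping: issuer-domain policy -> subject-domain policy).
# Two-way cross-certification appears as a pair of certificates in opposite directions.
CROSS_CERTS = [
    ("AgencyA-CA", "FBCA", {"agencyA-medium": "fbca-medium"}),
    ("FBCA", "AgencyA-CA", {"fbca-medium": "agencyA-medium"}),
    ("DST-ACES-CA", "FBCA", {"aces-medium": "fbca-medium"}),
    ("FBCA", "DST-ACES-CA", {"fbca-medium": "aces-medium"}),
    # Assumed one-way relationship: FBCA certifies DoD-CA, DoD-CA does not certify FBCA.
    ("FBCA", "DoD-CA", {"fbca-medium": "dod-medium"}),
]


def issued_by(issuer):
    """All cross-certificates the given CA has issued."""
    return [c for c in CROSS_CERTS if c[0] == issuer]


def discover_path(anchor, ee_issuer):
    """Breadth-first path discovery from the relying party's trust anchor,
    following cross-certificates the current CA issued, until the
    end-entity certificate's issuer is reached. Returns the list of
    cross-certificates forming the path, or None if no path exists."""
    queue = deque([(anchor, [])])
    seen = {anchor}
    while queue:
        ca, path = queue.popleft()
        if ca == ee_issuer:
            return path
        for cert in issued_by(ca):
            if cert[1] not in seen:
                seen.add(cert[1])
                queue.append((cert[1], path + [cert]))
    return None


def validate(anchor, anchor_policies, ee_issuer, ee_policy):
    """Discover a path, then translate the relying party's acceptable policies
    through each cross-certificate's mappings. Returns the mapped policy the
    end-entity certificate satisfies, or None when no path or no policy survives."""
    path = discover_path(anchor, ee_issuer)
    if path is None:
        return None
    policies = set(anchor_policies)
    for _issuer, _subject, mapping in path:
        policies = {mapping[p] for p in policies if p in mapping}
        if not policies:  # policy chain broken: path exists but is not acceptable
            return None
    return ee_policy if ee_policy in policies else None
```

Note that the one-way case falls out of the model: a DoD relying party finds no path back through the bridge, while a federal relying party can validate a DoD certificate.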
Bridge-to-Bridge Interoperability
• Policy and Procedures – FPKI Policy Authority Leads the Pack
• Technical Implementation Issues – Architecture and Trust
• Politics and Money
• Current sticking point is citizenship requirements for trusted operators
HSPD-12, The Black Hole: Background
• Requires NIST to promulgate technical and procedural standards for electronic identity authentication for Feds and contractors (PIV = Personal Identity Verification)
• Encompasses physical and logical access to government resources
• Ultra short timeframe: Standards done in Spring, Agency implementation plans due late June, Agency implementation begins October.
• Means Medium Assurance Digital Certificates on SmartCards, but next generation crypto being pushed.
HSPD-12, The Black Hole: Status
• Current action is with three documents: FIPS 201, SP 800-73 and the Implementation Guide
• Current Draft of FIPS 201 being heavily revised, final version due mid-February
• Revision to SP 800-73 (Smart Card Standards) under way, IAB hard at work revising to accommodate industry input, due late January
• Implementation in two phases to accommodate installed base and vendor community
• WILL AFFECT EVERYONE
Reminder: PKI R&D Workshop
• April 19 – 21, 2005
• NIST Gaithersburg, MD
• www.middleware.internet2.edu/pki05
• This year, the workshop has a particular interest in how emergent trust mechanisms will interact with each other at technical, policy and user levels.