ongoing efforts to build the us federal pki bridge

Ongoing Efforts to BuildThe US Federal PKI Bridge

From Presentations byFederal PKI Policy Authority Officials

and OthersPut together by J. Scott, 2006

Federal Bridge PKI J. Scott 2006 of 33

HSPD-12 -- George Bush

• On August 27, 2004, the White House issued Homeland Security Presidential Directive (HSPD) 12.

• Primary objectives of HSPD 12 are: – To develop and deploy a Federal

Government-wide common and reliable identification verification system

– To use this system to interoperate between all Government agencies and serve as the basis for reciprocity between those agencies.


HSPD-12

• Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05

• Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certificates by 10/06

• Authorization remains a local prerogative within each participating agency


Federal PKI Architectureafter HSPD-12

• Agency and other government PKIs required to cross-certify with the Federal Bridge CA

• As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program

• Architecture issues TLS/SSL certs to credential service providers who CAF, to provide mutual authentication

• Federal Bridge CA serves as “point of insertion” for external PKIs and other bridges.


Simplified Diagram of Federal PKISimplified Diagram of Federal PKI

Federal BridgeCA

C4 CAE-Gov

CAs (3)

Common PolicyCA

Cross-Certified

govPKIs

Cross-CertifiedExternal

PKIs

eAuthCSPs

SharedServiceProvider

PKIs

(CommonPolicy OIDAnd root

Cert)


Electronic Authentication

• Initiatives– Assessment Framework for Credentials:

evaluating the level of assurance (LOA) of identity of credential service providers

– Membership in Liberty Alliance– Frequent meetings with Microsoft– Interfederation Interoperability Project with

Cybertrust and Internet2/Shibboleth team


Credentials Assessment Framework

• Credential Assessment Framework consists of the following:– A structured methodology and procedures for

evaluating the LOA of a CSP’s credentials– An assessment team that goes out and

evaluates CSPs– A process for conflict resolution – Posting CSPs and their credential LOAs to a

trust list (unfortunate term) on the website


E-Authentication: Interfed Interop

• inCommon Higher Education Identity Federation– Using Shibboleth middleware technical

protocols – Policy-light

• E-Authentication US Identity Federation– Using a variety of technical protocols– Policy intensive


What Are Electronic Identity Federations?

• Associations of electronic identity credential providers and credential consumers (electronic service providers) who:– Agree to trust each others’ credentials;– Agree to hold credential providers authoritative for the

validity of their credentials;– Agree to use common communications protocols and

procedures to enable interoperability– Agree to common business rules


Purpose of Electronic Identity Federations

• To enable trusted electronic business transactions between end users and service providers– The service provider does not have to issue

and manage identity credentials, including attributes.

• It’s all a matter of scaling..• No, it’s also a matter of control


Characteristics of Identity Federations

• Standards and protocols for technical interoperability among credential providers, services providers, end users and infrastructure utilities

• A governance mechanism to assert common business rules, ensure credentials can be used and trusted by all members of the federation and a central control point for entry and exit of members


LOA Mapping: E-Auth to Fed PKI

E-Auth Level 1

E-Auth Level 2

E-Auth Level 3

E-Auth Level 4

FPKI Rudimentary,C4

FPKI Medium/HW &Medium/HW-cbp

FPKI Basic

FPKI Medium & Medium-cbp

FPKI High (government only)


Federal Bridge CA Goals

• Leverage emerging Federal Agency PKIs to create a unified Federal PKI and provide a cross-governmental, ubiquitous, interoperable Public Key Infrastructure.

• Limit workload on Agency CA staff• Support Agency use of:

– Any FIPS-approved cryptographic algorithm– A broad range of commercial CA products

• Propagate policy information to certificate users in different Agencies

• Support the development and use of applications which employ that PKI in support of Agency business processes.


FBCA Certification Overview

• Designed for the purpose of creating trust paths between among PKI domains

• Issues cross-certificates to Member CAs only • Employs a distributed, NOT a hierarchical, model

• Commercial products participate within the membrane of the Bridge OR interoperate with products within the membrane

• Develops cross certificates within the membrane to bridge the gap among dissimilar products


FBCA Management Hierarchy

• Steering Committee oversees FBCA development and operations– Direct Operational Authority– Bridge Documentation– Enhancements

• Policy Authority determines participants and levels of cross-certification– Administers Certificate Policy– Approves requests to cross-certify– Enforces compliance by member organizations

• GSA named Operational Authority– Operates in accordance with Policy Authority and Steering

Committee direction


Generalized FBCA Architecture

Bridge CA And Directory

Bridge CAAnd Directory

CA, Directory,End users

CA, Directory,End users

CA,Directory, End users

Trust paths

Trust pathsTrust paths


A Snapshot of the U.S. Federal PKI

Federal Bridge CA

DOANFC PKI

Higher Education Bridge CA

NASA PKI

DOD PKI

Illinois PKI

University PKI

CANADA PKI


FBCA Membrane Architecture

• Multiple commercial CAs within a “membrane” that cross-certify and interoperate – CyberTrust and Entrust Enterprise CA’s for

cross-certification

• CAs offline• No network connectivity

– CA uses “Sneaker Net” to get to the directory

• FBCA directory online 24 X 7 X 365


Cybertrust CA Entrust CA

SFL

Client Entrust

Client Entrust

Client

SFL

Client

DoD Bridge CADoD Bridge CA

Entrust

Client Entrust

Client Entrust

Client

Entrust

Client

SFL

Client

PCA PCA

PCA PCA PCA

PCA PCAPCA PCA

CA CACACA

CACACACA


What Will It Take to Use the FBCA?

• Policy mapping of certificate policies• Sharing annual audits• Careful management of cross-certificates to limit

transitive trust (exclusion trees)• Directory interoperability and synchronization• Client software for certificate path discovery and

processing


Next Steps To Federal Bridge PKI

• Continue to bring federal agencies into interoperability

• Bring additional products into Bridge membrane

• Pursue interoperability with State PKIs

• Pursue interoperability with Nation of Canada

• Pursue interoperability with non-government sector bridges


Why A U.S. Federal PKI?

• Mandates, such as HSPD-12, for e-government and implementing electronic signature technology

• Demands for improved services at lower cost• International Competition• International Collaboration


Why NOT a U.S. Federal PKI?

• Concerns of Privacy Advocates• Agency internal politics• Vendor battles for market space• Cost


Building A U.S. Federal PKI

• Agencies implement their own PKIs

• Create a Federal Bridge CA using COTS products to cross-certify individual Agency PKIs and bind them together

• Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA

• Ensure directory compatibility

• Use ACES for transactions with the public


FPKI Policy Authority

• Determines participants and levels of cross-certification – Participants become voting members

• Administers Certificate Policy

• Enforces compliance by member organizations• General Services Administration serves as

Operational Authority


Policy Mapping

• Candidate Certificate Policies evaluated against the FBCA CP for adequacy and levels of assurance:– Identity binding– CA security

• Performed by the Federal Policy Management Authority Certificate Policy Working Group with contractor support

• Requirements publicly available on NIST website


Policy Equivalence Example

CanHigh

ISOBanking

Fed PKIHigh

Fed PKIMed

Fed PKIBasic

Fed PKIRud

CanMedium

CanBasic

CanRud

DoD4

DoD3

DoD2


Policy Mapping Example

Bridge CA

Canadian CA

DoD CLASS 3Subscriber

DoD CLASS 3Subscriber

Can. HIGHSubscriber

Can. MEDSubscriber

DoD CLASS 4 = Federal High DoD CLASS 3 = Federal Medium

Federal High = DoD CLASS 4Federal Medium = DoD CLASS 3

Canadian High = Federal High Canadian Medium = Federal Medium

Federal High = Canadian HighFederal Medium = Canadian Medium

DOD

CA


Cross Certifying with the Bridge

• Applicant PKIs and Bridges may cross-certify with the Federal PKI at one or more of the five levels of assurance of the Federal Bridge CA – Rudimentary, basic, medium, medium

hardware and high

• Applicants can also cross certify at the Citizen and Commerce Class Certificate level of assurance.


Requirements for Cross-Certifying

• Managers of PKI’s that wish to Cross Certify with the Federal Bridge PKI should contact the Policy Authority prior to submitting any documentation, so that we can work with you actively to smooth the process.

• Requirements for Cross-Certification and Interoperability with the Federal PKI:1. Submit a copy of your PKI Certificate Policy for mapping, along with

contact information for the individual tasked with seeing to the cross-certification. Please download a copy of the "mapping matrix" available on the web site to use as you prepare your Policy for mapping.

2. Submit an Application for Cross-Certification signed by the responsible executive in charge of the applicant PKI (e.g., CIO, VP for Systems, etc.) to the Federal PKI Policy Authority Chair. Usually, this individual is in charge of funding and budget for the applicant's PKI.


More Bridge Requirements

3. Submit a copy of the summary of your PKI's audit, stating that your operations comply with your CPS and that your CPS is in conformance with your CP. Please download a copy of the Audit Review Requirements from this web site to ensure you understand what language we are looking for.

• If steps 1 - 3 are accomplished successfully, the Federal PKI Policy Authority will enter into negotiations with you to sign a mutually-acceptable Memorandum of Agreement (MOA) that will spell out our mutual responsibilities and expectations. For Bridges cross-certifying with the Federal Bridge CA, there are additional requirements to be fulfilled mutually.

• Once the MOA is signed, the Federal PKI Policy Authority Chair directs the Director of the Federal PKI Operational Authority to exchange cross-certificates with the new member PKI.

• Detailed discussions of all of these steps may be found in the FPKI Criteria and Methodology document on this web site, as well as many other supporting documents.


An FCBA Status Report

• On Sept. 18, 2002, the FBCA cross-certified with the public key infrastructures to allow them to trust and validate the digital signatures on files issued and received from one another– The US Department of Defense– U.S. Department of the Treasury– U.S. Department of Agriculture – National Finance Center– National Aeronautics and Space Administration


Cross Certified PKI’s March 2006

Organization Certified Certification Level Date Certified• NASA Medium September 18, 2002 • USDA/National Finance Center Medium September 18, 2002• USDA/National Finance Center Basic October 20, 2003 • Department of Defense Medium* September 18, 2002 • Department of the Treasury High September 18, 2002• Department of the Treasury Medium September 18, 2002 • Department of State High January 21, 2004 • State of Illinois Medium January 21, 2004 • State of Illinois Basic** March 8, 2005 • ACES/Digital Signature Trust Medium February 11, 2004 • Department of Energy Medium April 27, 2004 • DoD External Certification Authority Medium** February 8, 2005 • ACES/ORC, Inc. Medium** February 8, 2005 • US Patent & Trademark Office Medium June 1, 2005 • Department of Homeland Security Medium June 1, 2005 • Department of Homeland Security High June 1, 2005 • Department of Homeland Security Basic June 1, 2005 • Wells Fargo Basic* December 13, 2005 • Government Printing Office Medium** December 13, 2005 • Department of Justice High** December 15, 2005 * FBCA issued cross-certificate allowing one-way trust** This was the date the Federal PKI Policy Authority voted on and approved issuing a FBCA cross-certificate

ongoing efforts to build the us federal pki bridge

Documents