NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise
Dartmouth PKI Implementation Workshop
Peter Alterman, Ph.D.
Assistant CIO for E-Authentication
National Institutes of Health
Topics
Introduction and Background
Certificate Path Discovery and Validation
Automated Receipt Server
Automated Archive Log
Questions
Project Motivators
Government Paperwork Elimination Act (GPEA)
Move paperwork-based transactions to electronic applications through the Internet
Quicksilver Projects
List of applications for e-Government services, including e-Authentication and e-forms
E-Authentication focuses on authenticating electronic identity credentials to authenticate citizens or business access
NIH-EDUCAUSE PKI Interoperability Project
Funded by the Federal PKI Steering Committee to develop models and technology to allow locally-issued digital certificates to be used to sign digital versions of government forms
Benefits to Higher Education
Universities and colleges are adopting digital signature technology for many reasons. It is vital that electronic credentials be reusable.
The project enables secure electronic forms-based transactions among diverse, unaffiliated business partners (including, but not limited to, the Federal Government)
Project is universally applicable for all forms-based business transactions requiring one or more signatures
Accomplishments
Certificate path discovery and validation infrastructure
Operational PKI bridge pathway between prototype of the FBCA and prototype of the HEBCA, which is funded and operated by EDUCAUSE
Resolution of multiple certificate configuration and directory interoperability issues
Ability for faculty and staff at academic institutions to download, complete, digitally sign (two digital signatures) and send XML forms to the US Government
Automated receipt to submitter
NARA requirements for audit logs
Concept of Operations
Diagram: Concept of Operations. Shown: an applicant or business and a co-signer; the university side (CA at the research institution, HEBCA); the Federal Government side (FBCA, CAM Server, Agency Server, ACL Database, Receipt Server, Audit Log (NARA), Agency Backend, internal workflow); digitally signed applications travel over the Internet.
FBCA X.500 Based Directory
Directories interconnect via chaining (X.500 DSP)
FBCA PA and CP oversight
FBCA Infrastructure CA
Diagram: FBCA directory structure. The FBCA Directory holds the FBCA root certificate and a cross-certificate pair for each cross-certified PKI; each cross-certified PKI (DST ACES PKI, HEBCA PKI, other cross-certified PKIs) exposes a Border Directory carrying its root certificate, CA entries, cross-certificate pair and CRLs. The X.500 DSP protocol (chaining agreements) links the FBCA directory with each cross-certified PKI provider's border directory.
HEBCA LDAP Based Directory
Utilizing the Registry of Directories
Utilizing LDAP Referrals
HEBCA PA and CP oversight
HEBCA Infrastructure CA
Diagram: HEBCA directory structure. The HEBCA Directory holds the HEBCA root certificate and a cross-certificate pair for each cross-certified PKI (University 1 PKI, University 2 PKI, FBCA PKI, other cross-certified PKIs); each of these exposes a Border Directory with its root certificate, CA entries, cross-certificate pair and CRLs. The Registry of Directories (RoD) returns LDAP referrals for the FBCA, University 1 and University 2 directories.
Path Discovery and Validation
1. Certificate submitted to CAM
2. Based on the trust anchor, CAM accesses the FBCA
3. At FBCA, find a cross certificate to HEBCA
4. Cross certificate points to the HEBCA
5. At HEBCA, find a cross certificate to University 2 PKI
6. Return LDAP referral to the CAM
7. CAM directly follows the referral to University 2 information
Diagram: path discovery walk-through for a University 2 signed SF424 submitted to the NIH application (steps 1 to 7 above). The NIH CAM keeps a CRL cache (CRLs and CARLs), a path cache (Path 1, Path 3, ...) and a validation cache (Trans 1, Trans 2, Trans 3); FBCA, HEBCA and each university directory publish their CRL, CARL and cross-certificate pairs; the Registry of Directories (RoD) holds referrals for the FBCA and for University 1, 2 and 3; the NIH submission application is configured with its trusted CAs.
Path Discovery / Path Validation Lessons
Publish all CA certificates within the directory using subjectDN found in the certificate
Consistently populate Certificate Extensions wherever possible
Minimize mixing of LDAP, HTTP, and X.500 methods
Get the SKID and AKID correctly populated
During cross certification, verify that policyMapping and nameConstraints are correctly defined
Path discovery and path validation, as well as the tools, are still evolving (ongoing work)
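The seven discovery steps and the lessons just listed describe one mechanism: a forward walk from the trust anchor over cross-certificate pairs, following directory referrals, and then a per-link check of name chaining, AKID against SKID, validity period, revocation and nameConstraints. The following is an added example, not code from the NIH-EDUCAUSE project: certificates, border directories and the Registry of Directories are constructed in-memory stand-ins (no X.509 parsing, no LDAP or X.500 access and no signature verification), and the names FBCA, HEBCA, ca.univ1.edu, ca.univ2.edu, ca.univ3.edu and ca.vendor.com are chosen for the illustration. It also keeps a per-issuer path cache in the way the CAM diagram shows, and it exercises the failure modes the lessons warn about (a revoked cross-certificate, an AKID that does not match the issuer's SKID, a name outside the permitted subtrees, and a referral that dangles so that no CRL can be fetched).

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate with only the fields the walk needs."""
    subject: str
    issuer: str
    skid: str                       # subjectKeyIdentifier
    akid: str                       # authorityKeyIdentifier; must equal the issuer's SKID
    not_before: date
    not_after: date
    serial: int
    permitted_subtrees: tuple = ()  # nameConstraints: name suffixes allowed below this CA


@dataclass
class Directory:
    """One PKI's border directory: CA cert, cross-certs it issued, serials on its CRL/CARL."""
    ca_cert: Cert
    cross_certs: list
    revoked: set = field(default_factory=set)


def discover_path(registry, trust_anchor, target):
    """Forward search from the trust anchor over the cross-certificates each CA issued.

    registry maps a CA name to its directory (Registry of Directories plus LDAP referral);
    a CA absent from it is a dangling referral. Returns [trust_anchor, ..., target] or None.
    """
    queue = deque([[trust_anchor]])
    seen = {trust_anchor.subject}
    while queue:
        chain = queue.popleft()
        tail = chain[-1]
        if tail.subject == target.issuer:
            return chain + [target]
        directory = registry.get(tail.subject)
        if directory is None:
            continue
        for cross in directory.cross_certs:
            if cross.subject not in seen:   # the reverse half of a pair leads back: skipped
                seen.add(cross.subject)
                queue.append(chain + [cross])
    return None


def validate_path(registry, chain, today):
    """Check every link of a discovered chain; returns (ok, reason)."""
    active = []  # nameConstraints inherited from the CAs above the current certificate
    for parent, cert in zip(chain, chain[1:]):
        if parent.permitted_subtrees:
            active.append(parent.permitted_subtrees)
        if cert.issuer != parent.subject:
            return False, f"{cert.subject}: issuer name does not chain to {parent.subject}"
        if cert.akid != parent.skid:
            return False, f"{cert.subject}: AKID does not match the issuer's SKID"
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        issuer_dir = registry.get(parent.subject)
        if issuer_dir is None:
            return False, f"{cert.subject}: no directory for {parent.subject}, revocation status unknown"
        if cert.serial in issuer_dir.revoked:
            return False, f"{cert.subject}: revoked by {parent.subject}"
        for subtrees in active:
            if not any(cert.subject.endswith(s) for s in subtrees):
                return False, f"{cert.subject}: violates nameConstraints {subtrees}"
    return True, "valid"


# Constructed sample PKI (all names, keys and serials are made up for the illustration).
TODAY = date(2004, 6, 1)
NB, NA = date(2003, 1, 1), date(2006, 12, 31)


def mk(subject, issuer, skid, akid, serial, subtrees=()):
    return Cert(subject, issuer, skid, akid, NB, NA, serial, subtrees)


FBCA = mk("FBCA", "FBCA", "k-fbca", "k-fbca", 1)  # self-signed trust anchor
REGISTRY = {
    "FBCA": Directory(FBCA, [mk("HEBCA", "FBCA", "k-hebca", "k-fbca", 1001, (".edu",))]),
    "HEBCA": Directory(mk("HEBCA", "HEBCA", "k-hebca", "k-hebca", 1), [
        mk("FBCA", "HEBCA", "k-fbca", "k-hebca", 2000),  # reverse half of the FBCA pair
        mk("ca.univ1.edu", "HEBCA", "k-univ1", "k-hebca", 2001),
        mk("ca.univ2.edu", "HEBCA", "k-univ2", "k-hebca", 2002),
        mk("ca.univ3.edu", "HEBCA", "k-univ3", "k-hebca", 2003),
        mk("ca.vendor.com", "HEBCA", "k-vendor", "k-hebca", 2004),
    ], revoked={2001}),  # University 1's cross-certificate is on HEBCA's CARL
    "ca.univ1.edu": Directory(mk("ca.univ1.edu", "ca.univ1.edu", "k-univ1", "k-univ1", 1), []),
    "ca.univ2.edu": Directory(mk("ca.univ2.edu", "ca.univ2.edu", "k-univ2", "k-univ2", 1),
                              [mk("HEBCA", "ca.univ2.edu", "k-hebca", "k-univ2", 9)]),
    "ca.vendor.com": Directory(mk("ca.vendor.com", "ca.vendor.com", "k-vendor", "k-vendor", 1), []),
    # ca.univ3.edu is deliberately absent: its referral dangles, so its CRL cannot be fetched
}
PATH_CACHE = {}  # (trust anchor, issuer) -> CA chain, like the CAM's path cache


def signer_cert(subject, issuer, akid, serial):
    return Cert(subject, issuer, "k-" + subject, akid, NB, NA, serial)


def check_submission(target, trust_anchor=FBCA, registry=REGISTRY, today=TODAY):
    """What the CAM does for one submitted certificate: discover (cached), then validate."""
    key = (trust_anchor.subject, target.issuer)
    if key not in PATH_CACHE:
        chain = discover_path(registry, trust_anchor, target)
        PATH_CACHE[key] = chain[:-1] if chain else None
    if PATH_CACHE[key] is None:
        return None, False, "no path from trust anchor"
    chain = PATH_CACHE[key] + [target]
    ok, reason = validate_path(registry, chain, today)
    return [c.subject for c in chain], ok, reason


if __name__ == "__main__":
    for cert in (signer_cert("faculty@univ2.edu", "ca.univ2.edu", "k-univ2", 7),
                 signer_cert("staff@univ1.edu", "ca.univ1.edu", "k-univ1", 8),
                 signer_cert("sales@vendor.com", "ca.vendor.com", "k-vendor", 9),
                 signer_cert("dean@univ3.edu", "ca.univ3.edu", "k-univ3", 10)):
        print(check_submission(cert))
```

The search deliberately follows the slide's direction (from the trust anchor outward) and only returns a chain once it reaches the submitter's issuer; validation is a separate pass so that a cached chain is re-checked against current CRLs on every use, which is why the CAM keeps the two caches apart.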
Automated Receipt Server
Diagram: Automated Receipt Server application flow. Components: SSL/Web Server, CAM, OCSP, Directory, Remote CA, ACL Database, Archive Database and Email Server, arranged across Public, DMZ and Secure zones; the Applicant and Co-signer submit through the server.
Automated Archive Log
Trustworthiness of electronically signed XML forms and associated transactions was ensured by:
Storing the original digitally signed electronic form received in the NARA archive XML document
Digital signature on the NARA archive XML document included an authenticated timestamp as part of the signature
NARA archive XML document included the digital certificate of each signatory on the original digitally signed XML form, for verification purposes
NARA archive XML document provided for signature verification at any time for each signatory on the original digitally signed electronic form
NARA archive XML document included a certificate validation result (from CAM) for each signatory on the original digitally signed electronic form, the receipt signer's own certificate validation result and an authenticated attribute of its signature
Long-term integral storage of all of the above items will be achieved by optical media back-up of the archive database.
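The archive record these bullets describe has a definite shape: a signed envelope whose signed scope covers the original signed form (and its digest), each signatory's certificate and CAM validation result, the receipt signer's own certificate and validation result, and the timestamp. The following added example (not the project's code) builds such a record with the standard-library xml.etree and verifies it. An HMAC under a constructed key stands in for the receipt server's digital signature so the example runs offline; the element names (NaraArchive, SignedAttributes and so on) and the sample SF424 content are assumptions. The verification shows what "authenticated timestamp" means in practice: changing the timestamp after the fact breaks the signature.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for the receipt server's signing key; a real deployment would use
# the receipt signer's private key and an XML digital signature rather than an HMAC.
RECEIPT_SIGNING_KEY = b"constructed-demo-key-not-for-use"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_archive_document(original_form, signatories, receipt_cert, receipt_validation,
                           timestamp, key=RECEIPT_SIGNING_KEY):
    """Build the archive XML; everything under SignedAttributes is covered by the signature."""
    root = ET.Element("NaraArchive")
    attrs = ET.SubElement(root, "SignedAttributes")
    ET.SubElement(attrs, "OriginalForm").text = original_form  # the signed form as received
    ET.SubElement(attrs, "OriginalFormDigest").text = hashlib.sha256(original_form.encode()).hexdigest()
    for s in signatories:  # applicant and co-signer: certificate plus CAM validation result
        node = ET.SubElement(attrs, "Signatory", name=s["name"])
        ET.SubElement(node, "Certificate").text = s["certificate"]
        ET.SubElement(node, "ValidationResult").text = s["validation_result"]
    ET.SubElement(attrs, "ReceiptSignerCertificate").text = receipt_cert
    ET.SubElement(attrs, "ReceiptSignerValidation").text = receipt_validation
    ET.SubElement(attrs, "Timestamp").text = timestamp.isoformat()  # inside the signed scope
    ET.SubElement(root, "Signature").text = _mac(key, ET.tostring(attrs))
    return ET.tostring(root, encoding="unicode")


def verify_archive_document(xml_text, key=RECEIPT_SIGNING_KEY):
    """Re-serialise SignedAttributes and check the signature; returns (ok, detail)."""
    root = ET.fromstring(xml_text)
    attrs = root.find("SignedAttributes")
    if attrs is None or not hmac.compare_digest(_mac(key, ET.tostring(attrs)),
                                                root.findtext("Signature", "")):
        return False, "archive signature does not verify"
    form = attrs.findtext("OriginalForm", "")
    if hashlib.sha256(form.encode()).hexdigest() != attrs.findtext("OriginalFormDigest"):
        return False, "original form digest mismatch"
    return True, attrs.findtext("Timestamp")


# Constructed sample input: a signed SF424 as the receipt server would have received it.
SAMPLE_FORM = ('<SF424><Applicant>Dr. Example</Applicant>'
               '<Signature signer="applicant">base64-sig-1-constructed</Signature>'
               '<Signature signer="co-signer">base64-sig-2-constructed</Signature></SF424>')
SAMPLE_SIGNATORIES = [
    {"name": "applicant", "certificate": "PEM-applicant-constructed",
     "validation_result": "CAM: valid via FBCA-HEBCA path"},
    {"name": "co-signer", "certificate": "PEM-cosigner-constructed",
     "validation_result": "CAM: valid via FBCA-HEBCA path"},
]
SAMPLE_TIME = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)


def demo():
    """Archive the sample form, then show that a back-dated timestamp no longer verifies."""
    doc = build_archive_document(SAMPLE_FORM, SAMPLE_SIGNATORIES, "PEM-receipt-constructed",
                                 "CAM: valid", SAMPLE_TIME)
    tampered = doc.replace("2004-06-01T12:00:00+00:00", "2004-06-02T12:00:00+00:00")
    return verify_archive_document(doc), verify_archive_document(tampered)


if __name__ == "__main__":
    print(demo())
```

Because the verifier recomputes the MAC over the re-serialised SignedAttributes element, any change to the form, a signatory's certificate or validation result, or the timestamp is detected, which is the property the archive relies on when a signature has to be re-verified years later.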
Schools Completing Successful Interoperability Testing
Dartmouth College
University of Alabama-Birmingham
University of Wisconsin-Madison
University of California
Participating Organizations
Questions?