The FBCA Architecture: Lessons Learned
Tim Polk, NIST
March 9, 2001
FBCA Goals
• Leverage emerging agency PKIs to create a unified federal PKI
• Limit workload on agency CA staff
• Support agency use of
– Any FIPS-approved cryptographic algorithm
– A broad range of commercial CA products
• Propagate policy information to certificate users in different agencies
EMA Challenge Architecture
Multiple CAs in FBCA Membrane
• Support multiple cryptographic algorithms
• Support for multiple certificate management protocols
FBCA Architecture
• FBCA CAs
– Offline
– No network connectivity
• FBCA directory online
An Alternative Bridge Architecture
• Bridge CAs offline but have network connectivity
• Internal directory
• Firewall (strict)
• Border Directory
FBCA Directory Architecture
• Chained X.500 directories
• Dual-rooted FBCA directory is the “hub”
– dc=gov
– o=U.S. Government, c=US
Lessons Learned
• Bridge CAs can unite PKIs with
– Different architectures
– Different cryptographic algorithms
– Different DITs
• Heterogeneous commercial products can be used inside the bridge
• Client software is the limiting factor
• X.500 chaining simplifies certificate retrieval
• Offline bridge architecture is secure but inefficient
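As an added illustration, not from the slides, of two points the deck makes (the goal of propagating policy information to users in other agencies, and the lesson that a bridge CA can unite separately built agency PKIs), the following Python model performs certification-path discovery from an agency trust anchor through a bridge CA and carries the relying party's policy along the path using the cross-certificates' policy mappings. All CA names and policy OIDs are constructed for the example.

```python
from collections import deque

# Constructed example (names and OIDs are made up): a relying party in Agency A
# requires Agency A's "medium" policy; Agency B is bridged at medium, Agency C only at basic.
A_MED, FBCA_MED, B_MED = "1.3.6.1.4.1.99999.1.2", "1.3.6.1.4.1.99999.2.2", "1.3.6.1.4.1.99999.3.2"
FBCA_BASIC, C_BASIC = "1.3.6.1.4.1.99999.2.1", "1.3.6.1.4.1.99999.4.1"

# Each tuple models one certificate: (issuer, subject, certificatePolicies asserted,
# policyMappings from an issuer-domain OID to the equivalent subject-domain OID).
CERTS = [
    ("Agency A Root", "FBCA", {A_MED}, {A_MED: FBCA_MED}),
    ("FBCA", "Agency A Root", {FBCA_MED}, {FBCA_MED: A_MED}),   # bridge cross-certs go both ways
    ("FBCA", "Agency B Root", {FBCA_MED}, {FBCA_MED: B_MED}),
    ("Agency B Root", "FBCA", {B_MED}, {B_MED: FBCA_MED}),
    ("Agency B Root", "Agency B Issuing CA", {B_MED}, {}),
    ("Agency B Issuing CA", "alice@agency-b", {B_MED}, {}),
    ("FBCA", "Agency C Root", {FBCA_BASIC}, {FBCA_BASIC: C_BASIC}),
    ("Agency C Root", "bob@agency-c", {C_BASIC}, {}),
]

def find_path(anchor, target, certs=CERTS):
    """Breadth-first path discovery from the trust anchor's name to the target,
    following issuer -> subject edges.  Returns the list of certs, or None."""
    by_issuer = {}
    for cert in certs:
        by_issuer.setdefault(cert[0], []).append(cert)
    queue, seen = deque([(anchor, [])]), {anchor}
    while queue:
        name, path = queue.popleft()
        if name == target:
            return path
        for cert in by_issuer.get(name, []):
            if cert[1] not in seen:           # the A <-> FBCA <-> B cycles are skipped
                seen.add(cert[1])
                queue.append((cert[1], path + [cert]))
    return None

def effective_policies(path, initial):
    """Carry the relying party's policies down the path: a policy survives a certificate
    only if it is asserted there, then takes the mapped name.  Returns {original: final}."""
    current = {p: p for p in initial}
    for _, _, asserted, mappings in path:
        current = {orig: mappings.get(p, p) for orig, p in current.items() if p in asserted}
    return current

def accepted(anchor, target, required, certs=CERTS):
    """True if a path exists and the required policy is still in force at its end."""
    path = find_path(anchor, target, certs)
    return path is not None and required in effective_policies(path, {required})
```

Alice's certificate is accepted under Agency A's medium policy because every cross-certificate on the path asserts and maps it, while Bob's is rejected since the bridge only cross-certified Agency C at basic.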