the u.s. federal pki and the federal bridge certification authority
DESCRIPTION
The U.S. Federal PKI and the Federal Bridge Certification Authority. Peter Alterman, Ph.D . Senior Advisor to the Chair, Federal PKI Steering Committee and Acting Director, Federal Bridge Certification Authority. Introduction - Overview. The Goals of the U.S. Federal PKI. - PowerPoint PPT PresentationTRANSCRIPT
The U.S. Federal PKI and The U.S. Federal PKI and the Federal Bridge the Federal Bridge Certification AuthorityCertification Authority
Peter Alterman, Ph.DPeter Alterman, Ph.D..
Senior Advisor to the Chair, Federal PKI Senior Advisor to the Chair, Federal PKI Steering CommitteeSteering Committee
andand
Acting Director, Federal Bridge Acting Director, Federal Bridge Certification AuthorityCertification Authority
Introduction - OverviewIntroduction - Overview
The Goals of the U.S. Federal The Goals of the U.S. Federal PKIPKI
A cross-governmental, ubiquitous, A cross-governmental, ubiquitous, interoperable Public Key Infrastructure.interoperable Public Key Infrastructure.
The development and use of The development and use of applications which employ that PKI in applications which employ that PKI in support of Agency business processes.support of Agency business processes.
Why A U.S. Federal PKI?Why A U.S. Federal PKI?
Statutory mandates for e-government Statutory mandates for e-government and implementing electronic signature and implementing electronic signature technologytechnology
Demands for improved services at lower Demands for improved services at lower costcost
International CompetitionInternational Competition International CollaborationInternational Collaboration
Why NOT a U.S. Federal PKI?Why NOT a U.S. Federal PKI?
Concerns of Privacy AdvocatesConcerns of Privacy Advocates Agency internal politicsAgency internal politics Vendor battles for market spaceVendor battles for market space CostCost
The Approach to a U.S. The Approach to a U.S. Federal PKIFederal PKI
Agencies implement their own PKIsAgencies implement their own PKIs
Create a Federal Bridge CA using COTS Create a Federal Bridge CA using COTS products to bind Agency PKIs togetherproducts to bind Agency PKIs together
Establish a Federal PKI Policy Authority to Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge oversee operation of the Federal Bridge CACA
Ensure directory compatibilityEnsure directory compatibility
Use ACES for transactions with the publicUse ACES for transactions with the public
A Snapshot of the U.S. A Snapshot of the U.S. Federal PKIFederal PKI
Federal Bridge CA
NFC PKI
Higher Education Bridge CA
NASA PKI
DOD PKI Illinois PKI
University PKI
CANADA PKI
The U.S. Federal Bridge The U.S. Federal Bridge Certification Authority Certification Authority (FBCA)(FBCA)
FBCA OverviewFBCA Overview
Designed to create trust paths among individual Designed to create trust paths among individual Agency PKIsAgency PKIs
Employs a distributed - NOT a hierarchical - Employs a distributed - NOT a hierarchical - modelmodel
Commercial CA products participate within the Commercial CA products participate within the membrane of the Bridgemembrane of the Bridge
Develops cross-certificates within the membrane Develops cross-certificates within the membrane to bridge the gap among dissimilar productsto bridge the gap among dissimilar products
FBCA GoalsFBCA Goals
Leverage emerging Agency PKIs to Leverage emerging Agency PKIs to create a unified Federal PKIcreate a unified Federal PKI
Limit workload on Agency CA staffLimit workload on Agency CA staff Support Agency use of:Support Agency use of:
Any FIPS-approved cryptographic Any FIPS-approved cryptographic algorithmalgorithm
A broad range of commercial CA productsA broad range of commercial CA products Propagate policy information to Propagate policy information to
certificate users in different Agenciescertificate users in different Agencies
FBCA ArchitectureFBCA Architecture
Multiple commercial CAs within a Multiple commercial CAs within a “membrane” that cross-certify and “membrane” that cross-certify and interoperateinteroperate
CAs offlineCAs offline No network connectivity (CA No network connectivity (CA
sneaker net to directory)sneaker net to directory) FBCA directory online 24 X 7 X 365FBCA directory online 24 X 7 X 365
FBCA Directory FBCA Directory ArchitectureArchitecture
Chained X.500 directoriesChained X.500 directories Dual-rooted FBCA directory is “hub”Dual-rooted FBCA directory is “hub”
dc=govdc=gov o=U.S. Government, c=USo=U.S. Government, c=US
LDAP supported for non-X.500 LDAP supported for non-X.500 directoriesdirectories
Directory ModelDirectory Model
FBCA OperationFBCA Operation
Issues Certificates Issues Certificates to Participating CAs onlyto Participating CAs only FPKI Steering Committee oversees FBCA FPKI Steering Committee oversees FBCA
development and operationsdevelopment and operations DocumentationDocumentation EnhancementsEnhancements Client-side softwareClient-side software
Operates in accordance with Policy Authority Operates in accordance with Policy Authority and FPKISC directionand FPKISC direction
FPKI Policy Authority FPKI Policy Authority
Determines participants and levels of Determines participants and levels of cross-certification cross-certification Participants become voting membersParticipants become voting members
Administers Certificate PolicyAdministers Certificate Policy Enforces compliance by member Enforces compliance by member
organizationsorganizations General Services Administration serves General Services Administration serves
as Operational Authorityas Operational Authority
Policy MappingPolicy Mapping
Candidate Certificate Policies evaluated Candidate Certificate Policies evaluated against the FBCA CP for adequacy and against the FBCA CP for adequacy and levels of assurance:levels of assurance: Identity bindingIdentity binding CA securityCA security
Performed by the Federal Policy Management Performed by the Federal Policy Management Authority Certificate Policy Working Group with Authority Certificate Policy Working Group with contractor supportcontractor support
Requirements publicly available on NIST Requirements publicly available on NIST websitewebsite
Policy Equivalence ExamplePolicy Equivalence Example
DoD2
DoD3
DoD4
CanBasic
CanMed
CanHigh
CanRud
ISOBanking
Fed PKIHigh
Fed PKIMed
Fed PKIBasic
Fed PKIRud
Policy Mapping ExamplePolicy Mapping Example
Bridge CA
Canadian CA
DoD CLASS 3Subscriber
DoD CA
DoD CLASS 3Subscriber
Can. HIGHSubscriber
Can. MEDSubscriber
DoD CLASS 4 = Federal High DoD CLASS 3 = Federal Medium
Federal High = DoD CLASS 4Federal Medium = DoD CLASS 3
Canadian High = Federal High Canadian Medium = Federal Medium
Federal High = Canadian HighFederal Medium = Canadian Medium
ReferencesReferences
Federal PKI Steering Committee Federal PKI Steering Committee Website: http://Website: http://www.cio.gov/fpkiscwww.cio.gov/fpkisc
NIST PKI Website: NIST PKI Website: http://csrc.nist.gov/pkihttp://csrc.nist.gov/pki
ANSI Website: ANSI Website: http://www.ansi.orghttp://www.ansi.org IETF Website: http:/www.ietf.orgIETF Website: http:/www.ietf.org
AcknowledgementsAcknowledgements
Thanks to:Thanks to: Judith Spencer, Chair, Federal PKI Judith Spencer, Chair, Federal PKI
Steering CommitteeSteering Committee Tim Polk, National Institute of Tim Polk, National Institute of
Standards and TechnologyStandards and Technology Dave Fillingham, National Security Dave Fillingham, National Security
AgencyAgency