The U.S. Federal PKI and The U.S. Federal PKI and the Federal Bridge the Federal Bridge Certification AuthorityCertification Authority

Peter Alterman, Ph.DPeter Alterman, Ph.D..

Senior Advisor to the Chair, Federal PKI Senior Advisor to the Chair, Federal PKI Steering CommitteeSteering Committee

andand

Acting Director, Federal Bridge Acting Director, Federal Bridge Certification AuthorityCertification Authority

Introduction - OverviewIntroduction - Overview

The Goals of the U.S. Federal The Goals of the U.S. Federal PKIPKI

A cross-governmental, ubiquitous, A cross-governmental, ubiquitous, interoperable Public Key Infrastructure.interoperable Public Key Infrastructure.

The development and use of The development and use of applications which employ that PKI in applications which employ that PKI in support of Agency business processes.support of Agency business processes.

Why A U.S. Federal PKI?Why A U.S. Federal PKI?

Statutory mandates for e-government Statutory mandates for e-government and implementing electronic signature and implementing electronic signature technologytechnology

Demands for improved services at lower Demands for improved services at lower costcost

International CompetitionInternational Competition International CollaborationInternational Collaboration

Why NOT a U.S. Federal PKI?Why NOT a U.S. Federal PKI?

Concerns of Privacy AdvocatesConcerns of Privacy Advocates Agency internal politicsAgency internal politics Vendor battles for market spaceVendor battles for market space CostCost

The Approach to a U.S. The Approach to a U.S. Federal PKIFederal PKI

Agencies implement their own PKIsAgencies implement their own PKIs

Create a Federal Bridge CA using COTS Create a Federal Bridge CA using COTS products to bind Agency PKIs togetherproducts to bind Agency PKIs together

Establish a Federal PKI Policy Authority to Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge oversee operation of the Federal Bridge CACA

Ensure directory compatibilityEnsure directory compatibility

Use ACES for transactions with the publicUse ACES for transactions with the public

A Snapshot of the U.S. A Snapshot of the U.S. Federal PKIFederal PKI

Federal Bridge CA

NFC PKI

Higher Education Bridge CA

NASA PKI

DOD PKI Illinois PKI

University PKI

CANADA PKI

The U.S. Federal Bridge The U.S. Federal Bridge Certification Authority Certification Authority (FBCA)(FBCA)

FBCA OverviewFBCA Overview

Designed to create trust paths among individual Designed to create trust paths among individual Agency PKIsAgency PKIs

Employs a distributed - NOT a hierarchical - Employs a distributed - NOT a hierarchical - modelmodel

Commercial CA products participate within the Commercial CA products participate within the membrane of the Bridgemembrane of the Bridge

Develops cross-certificates within the membrane Develops cross-certificates within the membrane to bridge the gap among dissimilar productsto bridge the gap among dissimilar products

FBCA GoalsFBCA Goals

Leverage emerging Agency PKIs to Leverage emerging Agency PKIs to create a unified Federal PKIcreate a unified Federal PKI

Limit workload on Agency CA staffLimit workload on Agency CA staff Support Agency use of:Support Agency use of:

Any FIPS-approved cryptographic Any FIPS-approved cryptographic algorithmalgorithm

A broad range of commercial CA productsA broad range of commercial CA products Propagate policy information to Propagate policy information to

certificate users in different Agenciescertificate users in different Agencies

FBCA ArchitectureFBCA Architecture

Multiple commercial CAs within a Multiple commercial CAs within a “membrane” that cross-certify and “membrane” that cross-certify and interoperateinteroperate

CAs offlineCAs offline No network connectivity (CA No network connectivity (CA

sneaker net to directory)sneaker net to directory) FBCA directory online 24 X 7 X 365FBCA directory online 24 X 7 X 365

FBCA Directory FBCA Directory ArchitectureArchitecture

Chained X.500 directoriesChained X.500 directories Dual-rooted FBCA directory is “hub”Dual-rooted FBCA directory is “hub”

dc=govdc=gov o=U.S. Government, c=USo=U.S. Government, c=US

LDAP supported for non-X.500 LDAP supported for non-X.500 directoriesdirectories

Directory ModelDirectory Model

FBCA OperationFBCA Operation

Issues Certificates Issues Certificates to Participating CAs onlyto Participating CAs only FPKI Steering Committee oversees FBCA FPKI Steering Committee oversees FBCA

development and operationsdevelopment and operations DocumentationDocumentation EnhancementsEnhancements Client-side softwareClient-side software

Operates in accordance with Policy Authority Operates in accordance with Policy Authority and FPKISC directionand FPKISC direction

FPKI Policy Authority FPKI Policy Authority

Determines participants and levels of Determines participants and levels of cross-certification cross-certification Participants become voting membersParticipants become voting members

Administers Certificate PolicyAdministers Certificate Policy Enforces compliance by member Enforces compliance by member

organizationsorganizations General Services Administration serves General Services Administration serves

as Operational Authorityas Operational Authority

Policy MappingPolicy Mapping

Candidate Certificate Policies evaluated Candidate Certificate Policies evaluated against the FBCA CP for adequacy and against the FBCA CP for adequacy and levels of assurance:levels of assurance: Identity bindingIdentity binding CA securityCA security

Performed by the Federal Policy Management Performed by the Federal Policy Management Authority Certificate Policy Working Group with Authority Certificate Policy Working Group with contractor supportcontractor support

Requirements publicly available on NIST Requirements publicly available on NIST websitewebsite

Policy Equivalence ExamplePolicy Equivalence Example

DoD2

DoD3

DoD4

CanBasic

CanMed

CanHigh

CanRud

ISOBanking

Fed PKIHigh

Fed PKIMed

Fed PKIBasic

Fed PKIRud

Policy Mapping ExamplePolicy Mapping Example

Bridge CA

Canadian CA

DoD CLASS 3Subscriber

DoD CA

DoD CLASS 3Subscriber

Can. HIGHSubscriber

Can. MEDSubscriber

DoD CLASS 4 = Federal High DoD CLASS 3 = Federal Medium

Federal High = DoD CLASS 4Federal Medium = DoD CLASS 3

Canadian High = Federal High Canadian Medium = Federal Medium

Federal High = Canadian HighFederal Medium = Canadian Medium

ReferencesReferences

Federal PKI Steering Committee Federal PKI Steering Committee Website: http://Website: http://www.cio.gov/fpkiscwww.cio.gov/fpkisc

NIST PKI Website: NIST PKI Website: http://csrc.nist.gov/pkihttp://csrc.nist.gov/pki

ANSI Website: ANSI Website: http://www.ansi.orghttp://www.ansi.org IETF Website: http:/www.ietf.orgIETF Website: http:/www.ietf.org

AcknowledgementsAcknowledgements

Thanks to:Thanks to: Judith Spencer, Chair, Federal PKI Judith Spencer, Chair, Federal PKI

Steering CommitteeSteering Committee Tim Polk, National Institute of Tim Polk, National Institute of

Standards and TechnologyStandards and Technology Dave Fillingham, National Security Dave Fillingham, National Security

AgencyAgency