Federal PKI Architecture Update

Slides:



Advertisements
Similar presentations
NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
Advertisements

PKI deployment in the Aerospace Industry
Launching Egyptian Root CA and Inaugurating E-Signature Dr. Sherif Hazem Nour El-Din Information Security Systems Consultant Root CA Manager, ITIDA.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Program Managers Forum
The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council
Ongoing Efforts to Build The US Federal PKI Bridge
Stanley J. Choffrey (202) The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.
Paul D. Grant Special Assistant, Federated Identity Management and External Partnering Office of the DoD CIO Co-Chair, Identity, Credential.
Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.
The 4BF The Four Bridges Forum Federated PACS A Physical Access Use Case for Bridges FIPS 201/PIV-I PACS Interoperability April 28 th, 2009.
SAFE-BioPharma Association NSTIC Day How does industry drive forward.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.
Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication,
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,
The U.S. Federal PKI and the Federal Bridge Certification Authority
EDUCAUSE Fed/Higher ED PKI Coordination Meeting
Federal Bridge Certification Authority n Background n Overview n EMA Challenge Test structure n Participants n Results n Conclusions and lessons learned.
Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering Committee
The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.
1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.
The Federal Bridge Certification Authority – Description and Current Status Peter Alterman, Ph.D. Senior Advisor to the Chair, Federal PKI Steering Committee.
The U.S. Federal PKI, 2004: Report to EDUCAUSE Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health.
SAFE is a member-governed, not-for-profit enterprise that: Manages and promotes the SAFE standard Provides a legal and contractual framework Provides technical.
1 Digital Credential for Higher Education John Gardiner August 11, 2004.
Bridge-to-Bridge Working Group (BBWG) Debb Blanchard, Cybertrust EDUCAUSE Federal and Higher Education PKI Coordination Meeting June 16, 2005 The Fairmont.
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.
Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education.
The Evolving U.S. Federal PKI Richard Guida Chair, Federal PKI Steering Committee Federal Chief Information Officers Council
The NIH PKI Pilots Peter Alterman, Ph.D. … again.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
E-Authentication: Simplifying Access to E-Government Presented at the PESC 3 rd Annual Conference on Technology and Standards May 1, 2006.
Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, Amsterdam.
Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000.
PKI and the U.S. Federal E- Authentication Architecture Peter Alterman, Ph.D. Assistant CIO for e-Authentication National Institutes of Health Internet2.
Government-University Identity Management Opportunities Peter Alterman, Ph.D. Chair, U.S. Federal PKI Policy Authority and Assistant CIO/E-Authentication,
The Federal Bridge A Brief Overview 1. 4BF Industry Forum April Fed PKI: View from 20,000 km FBCA C4 Common Policy CA (HSPD-12) CertiPath SSPs.
I-CIDM Bridge to Bridge Working Group (BBWG) Purpose and Activities Fed-Ed Meeting The Fairmont Hotel Washington, DC December 14, 2004 Debb Blanchard Enspier.
The Federal PKI Or, How to Herd Worms Peter Alterman Senior Advisor, Federal PKI Steering Committee.
PKI Summit August 2004 Technical Issues to Deploying PKI on Campuses.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
The Evolving Federal PKI Gary Moore Entrust Technologies Richard Guida Chair, Federal PKI Steering Committee.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Identity Federations and the U.S. E-Authentication Architecture Peter Alterman, Ph.D. Assistant CIO, E-Authentication National Institutes of Health.
1 Federal Identity Management Initiatives Federal Identity Management Initatives David Temoshok Director, Identity Policy and Management GSA Office of.
The FBCA Architecture: Lessons Learned Tim Polk, NIST March 9, 2001.
Higher Ed Bridge CA Extending Trust Across Higher Education - And Beyond David L. Wasley University of California.
Hajar Sabuur Johnson & Johnson Worldwide Information Security June 16, 2005
Overview of US PKI Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Federal PKI Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
Federal PKI Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
National Institutes of Health Interfederation Initiatives Peter Alterman, Ph.D. Assistant CIO for e-Authentication.
Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority Meet FedFed.
Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.
Interoperability and the Evolving Federal PKI Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering.
1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia.
Federal Identity Management Overview and Current Status Dr. Peter Alterman, Chair Federal PKI Policy Authority.
Federal Initiatives in IdM Dr. Peter Alterman Chair, Federal PKI Policy Authority.
PKI deployment in the Aerospace Industry
U.S. Federal e-Authentication Initiative
EDUCAUSE Fed/Higher ED PKI Coordination Meeting
Overview of US PKI Peter Alterman, Ph.D.
Higher Education Bridge CA (HEBCA) – Planting is required before the harvest (Scott Rea) Fed/Ed June 2007.
Presentation transcript:

Federal PKI Architecture Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority

View from 20,000 km FBCA SAFE CertiPath C4 Common Policy CA SSPs Serving all other Agencies FBCA CertiPath SSP SAFE Industry PKIs CertiPath C4 Industry PKIs eGCA (3) OASIS PKI

View from 20,000 km FBCA SAFE CertiPath C4 Common Policy CA DOD DHS NASA Commerce USPS USPTO HHS DOE IL DOJ State DOD/ECA GPO Treasury Wells Fargo MIT LL UTexasSx Common Policy CA Total: 12 – 15M users SSPs VeriSign Cybertrust ORC Treasury GPO? Exostar Entrust IdenTrusT? Serving all other Agencies FBCA CertiPath SSP SAFE Industry PKIs CertiPath C4 USHER? Industry PKIs Abbott Labs AstraZeneca Bristol-Myers Squibb Genzyme GlaxoSmithKline INC Research Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals eGCA (3) Boeing Raytheon Lockheed Martin EAF member CSPs TLS certs OASIS PKI

Simplified Diagram of U.S. Federal PKI Cross- Certified gov PKIs Federal Bridge CA Common Policy CA Shared Service Provider PKIs (Common Policy OID And root Cert) C4 CA E-Gov CAs (3) Cross- Certified External PKIs eAuth CSPs ? OASIS PKI

LOA Mapping E-Auth Level 1 E-Auth Level 2 E-Auth Level 3 FPKI Rudimentary; C4 FPKI Medium/HW & Medium/HW-cbp FPKI Basic FPKI Medium & Medium-cbp FPKI High (governments only) OASIS PKI

Federal Bridge Works FBCA Issues Routinely Issues Cross- CRL/ARL Cross-Certification Process Completes FBCA Issues Cross- certificates Routinely Issues CRL/ARL Populates Directories LDAP & X.500 OCSP Responder Cert Profile: AIA/SIA Extensions Cert Profile: PolicyMapping, Excluded Subtrees OASIS PKI

Federal Bridge Info FIPS 1540-2 Level 3 HSM Online CAs on double-firewalled, one way, discrete network with backup T-1 connections ISODE M-Vault directories Tepid Backup Site Disaster Recovery Site 24x7 help desk, architected for 99.5% uptime Evolving monitoring architecture Vendor operations transfer in process OASIS PKI

Notional FBCA Directory Implementation* This diagram shows: LDAP Access from email clients to support address lookup. LDAP Access from an application, to provide user authentication. Directory management using Isode's Enterprise Directory Management tool. Data management using Isode's Isode's Directory Data Management tool. A Certification Authority, such as Entrust, accessing and managing data in M-Vault. X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500 capable directory. LDAP chaining to access data in a peer departmental LDAP directory. Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience. *From ISODE website OASIS PKI

FBCA Cross Certification Process Application - LOA? Policy Mapping Mapping Matrices online Cert Policy WG mapping review Collegial back and forth discussions Technical Interoperability Testing With Prototype instance of FBCA Testing Protocol online Directory and profiles tested (LDAP and X.500) Review of summary of independent audit results Map CP – CPS and CPS to PKI Operations Independent auditors, not FPKI auditors Whole process laid out in “Criteria & Methodology” document online OASIS PKI

Path Discovery and Validation Trust Lists can work but: Don’t scale, are rigid and don’t give level of assurance Bridges can work but: Aren’t supported in native OSs, so require add-on PD/Val tools NIST and FPKI developed test suite for PD/Val products/services 4 products, 2 services passed so far (see the website) Deploy on website, desktop, within enterprise or outsource… OASIS PKI

Grids and Enterprise PKIs Different from the administration and architecture perspectives Overlap from the end user perspective Cross-certification and interoperability solve the problem Grid PKI CP Institution PKI CP End User: single cert. Grid ID for Project(s) Institution ID For AuthN OASIS PKI

Business Case For XCert Simplify trust and control decisions Extend value of issued credentials Scalable trust at known LOA Rely on trusted CSPs instead of managing issued credentials OASIS PKI

Resources www.cio.gov/fpkipa http://csrc.nist.gov/pki www.cio.gov/ficc www.cio.gov/fbca OASIS PKI

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.