Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering Committee 202-622-1552.

Presentation transcript:

Federal Agency PKI Overview/KMS
Richard Guida, P.E., Member, Government Information Technology Services Board; Chair, Federal PKI Steering Committee

Government Perspective on Key Management Standards
Government supports standards which:
- Are open in nature (non-proprietary)
- Promote interoperability of PKI products and clients
- Fully implement X.509 certificate path discovery and processing, including policy mapping
- Support two key pairs: signature, encryption
- Support encryption key recovery (business reasons)
- Contain appropriate specificity so as to be unambiguous and clear to implementers

Government Perspective on Key Management Standards (continued)
State of standards today is:
- Generally sufficient to support single-product use within an enterprise
- Problematic when trying to make different products interoperate
- Many competing varieties in critical areas (e.g., CMP vs. PKCS)
- Inconsistent and incompatible implementations even with a single standard

Environments in which encryption is needed are diverse
- Intra-agency: personnel matters, agency management
- Interagency: payments, account reconciliation, litigation
- Agency to trading partner: procurement, regulation
- Agency to the public

Current agency use of encryption is very limited
- Many PKI implementations among Federal agencies, but all use digital signatures; SSL planned for encryption
- Agencies planning to use end-user PKI encryption in the near term include:
  - Federal Aviation Administration
  - Social Security Administration
  - Department of Defense (already done with Fortezza)
  - US Patent and Trademark Office

Interoperability Issues
- Policy interoperability
- Technical interoperability
- Interoperability among:
  - PKI products (CAs, RAs)
  - Directories
  - Client software (e.g., )
  - Hardware tokens, devices, drivers

Encryption Key Recovery
- KRDP Phase I very successful
- KRDP Phase II is underway
  - FAA
  - SSA
  - State Department
  - Federal Bridge CA (interoperability)
- Key recovery essential for business reasons

Federal PKI Approach
- Establish Federal PKI Policy Authority (for policy interoperability)
- Implement Federal Bridge CA using COTS (for technical interoperability)
- Deal with directory issues in parallel
  - Border directory concept
  - Use ACES for public transactions

Federal PKI Policy Authority
- Voluntary interagency group, NOT an "agency"
- Governing body for interoperability through FBCA
  - Agency/FBCA certificate policy mappings
- Oversees operation of FBCA, authorizes issuance of FBCA certificates

Federal Bridge CA
- Non-hierarchical hub ("peer to peer")
- Maps levels of assurance in disparate certificate policies ("policyMapping")
- Ultimate bridge to CAs external to Federal government
- Directory initially contains only FBCA-issued certificates and ARLs

Boundary Conditions
- Use COTS with "inclusive" architecture
- Use X.509v3
- Support four levels of assurance
  - Rudimentary, Basic, Medium, High
  - Modeled after Canadian PKI
- FBCA use cannot be mandatory
- Focus requirements on agencies as certificate issuers, not relying parties
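The policyMapping idea behind the Federal Bridge CA slide and the four assurance levels from the Boundary Conditions slide, worked as an added example (not code from the presentation): a relying party in one agency validates a certificate issued by another agency's principal CA through two cross-certificates that pass through the FBCA, with each cross-certificate's policyMappings translating the issuer's assurance-level policies into the subject's. All policy identifiers, agency and CA names are constructed placeholders, and the path processing is a simplified model of the X.509 policy-mapping rules, not a full path validator.

```python
from dataclasses import dataclass, field

# The four FBCA assurance levels named on the slides, lowest to highest.
LEVELS = ["rudimentary", "basic", "medium", "high"]

# Constructed policy identifiers (placeholders, not real OIDs). Agency A names
# its levels differently from the FBCA and has no Rudimentary level at all.
FBCA = {lvl: f"fbca:{lvl}" for lvl in LEVELS}
AGENCY_A = {"basic": "agencyA:class2", "medium": "agencyA:class3", "high": "agencyA:class4"}
AGENCY_B = {lvl: f"agencyB:{lvl}" for lvl in LEVELS}

@dataclass
class Cert:
    subject: str
    issuer: str
    policies: set                                 # certificatePolicies, in the issuer's vocabulary
    mappings: dict = field(default_factory=dict)  # policyMappings: issuerDomainPolicy -> subjectDomainPolicy

def cross_cert(issuer, subject, issuer_domain, subject_domain):
    """Cross-certificate asserting every issuer-domain policy and mapping each
    assurance level to the subject domain's identifier for the same level."""
    return Cert(subject, issuer, set(issuer_domain.values()),
                {issuer_domain[l]: subject_domain[l] for l in subject_domain if l in issuer_domain})

def at_least(level, domain):
    """Relying party's initial policy set: the given level or any higher one."""
    return {domain[l] for l in LEVELS[LEVELS.index(level):] if l in domain}

def validate_policies(path, initial_policies):
    """Walk the path from the relying party's trust anchor toward the end entity,
    carrying the acceptable policy set through each policyMappings extension.
    Returns the policies under which the end-entity certificate is acceptable;
    an empty set means the path fails the relying party's assurance requirement."""
    expected = set(initial_policies)
    valid = set()
    for cert in path:
        valid = expected & cert.policies   # what this cert asserts that is still acceptable
        if not valid:
            return set()
        expected = {cert.mappings.get(p, p) for p in valid}   # translate for the next cert
    return valid

# Path as seen by a relying party in Agency B: its own PCA cross-certifies the
# FBCA, the FBCA cross-certifies Agency A's PCA, which issued the end-entity cert.
B_TO_FBCA = cross_cert("AgencyB-PCA", "FBCA", AGENCY_B, FBCA)
FBCA_TO_A = cross_cert("FBCA", "AgencyA-PCA", FBCA, AGENCY_A)
ALICE = Cert("alice@agencyA", "AgencyA-PCA", {"agencyA:class3"})   # Medium in Agency A's terms
BOB = Cert("bob@agencyA", "AgencyA-PCA", {"agencyA:class2"})       # Basic in Agency A's terms
```

Requiring "Medium or better" accepts Alice's path under agencyA:class3 and rejects Bob's, while relaxing the requirement to Basic accepts Bob's under agencyA:class2.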

FBCA Architecture
- Multiple CAs inside membrane, cross-certified
  - Adding CAs straightforward albeit not necessarily easy
- Solves inter-product interoperability issues within membrane, which is good
- Single consolidated X.500 directory

Current Status
- Prototype FBCA: Entrust, Cybertrust
  - Initial operation 2/00
- Production FBCA: add other CAs
  - Operation by late 00
- FBCA Operational Authority is GSA (Mitretek technical lead and host site)
- FBCA Cert Policy 12/99 to early 00
- FPKIPA Charter 12/99 to early 00

Border Directory Concept
- Each agency would have Border Directory for certificates and CRLs
  - May shadow all or part of local directory system (allows for agency discretion)
  - CAs may publish directly in border directory
  - Unrestricted read access
- Directory resides outside agency firewall
  - Chain (X.500 DSP) or LDAP referral to FBCA DSA

Border Directory Concept (diagram): Agency 1, Agency 2 and Agency 3 each have an internal directory infrastructure and a principal CA (PCA 1, PCA 2, PCA 3) behind a border DSA; Border DSA 1 is an LDAP server and Border DSA 2 is an X.500 DSA; the FBCA DSA is reached by LDAP query-response or by X.500 DSP chaining.

Access Certs for Electronic Services
- "No-cost" certificates for the public
- For business with Federal agencies only (but agencies may allow other uses on a case basis)
- On-line registration, vetting with legacy data; information protected under Privacy Act
- Regular mail one-time PIN to get certificate
- Agencies billed per-use and/or per-certificate

Access Certs for Electronic Services
- RFP 1/99; bids received 4/99; first award 9/99 (DST), second award 10/99 (ORC), third award 10/99 (AT&T)
- Provisions for ACES-enabling applications, and developing customized PKIs
- Agencies do interagency agreement with GSA
- Certificates available shortly

Electronic Signatures under GPEA
- Government Paperwork Elimination Act (October 1998)
- Technology neutral: agencies select based on specifics of applications (e.g., risk)
  - But full recognition of digital signature strengths
- Gives electronic signature full legal effect
- Focus: transactions with Federal agencies
- Draft OMB Guidance 3/99; final 4/00

Organization