The NIH PKI Pilots Peter Alterman, Ph.D. … again.


A Simplified Description of the NIH Extramural Research Business Process
- NIH publishes RFAs and other announcements of research topics and training opportunities
- Researchers submit applications for funding under a number of mechanisms
- Applications are reviewed by independent study sections 3 – 4X/year
- Approved applications are ranked
- Grants are funded by score and mission relevance
- Annual reports submitted
- Noncompeting renewals make up bulk of ~40k grants issued annually (about $13B!)

Currently, NIH Extramural Business Process is ALL PAPER

Phase I: PKI-enable an Adobe I-form Version of a PHS-398, Application for Research Grant
- Allergy Institute created an electronic version of the application form
- NIH and Digital Signature Trust working to allow attachment of two TrustID digital signatures to the completed I-form
- Institutions will acquire TrustID digsigs courtesy of NIH, download I-form, complete dummy application, sign (PI and AOR) and return to NIH as attachment
- NIH will transfer attachment to local hard disk, then validate signatures using E-lock Assured Office client
- Some platform and process constraints understood in pilot
- Outcomes:
  - demonstration of successful creation, signing and validating of I-form 398
  - Identification of areas requiring further development

What it Looks Like (diagram: NIH CA and Directory, actually the DST CA for the pilot, with trust paths to end users at University 1, University 2 and University 3, plus an NIH test user)

Phase II: Replace NIH-supplied Digital Certificate with Institution’s Digital Certificate (in multiple flavors)
- UAB, UW-M and UCOP
  - TrustID cert (no-brainer, already done in Phase I)
  - VeriSign cert
  - Netscape iPlanet cert
- NIH cross-certifies with the Fed Bridge at the test level of assurance
- Educause sets up the HE Bridge
- Fed Bridge and HE Bridge cross-certify at the test level of assurance
- Institutions cross-certify with the HE Bridge at the test level
- NIH validates certs using modified E-Lock product
- Validation path runs through Fed Bridge to HE Bridge to Institutions’ CRLs

Remember This? Slightly Modified… (diagram: Fed Bridge CA and Directory cross-certified with HE Bridge CA and Directory; on the federal side the NIH CA, Directory and end user, actually the DST CA for the pilot; on the higher-education side institution CAs, directories, CRLs and end users; validation paths run between them)

The Federal Bridge Certification Authority – Description and Current Status Peter Alterman, Ph.D. Senior Advisor to the Chair, Federal PKI Steering Committee and Acting Director, Federal Bridge Certification Authority

The FBCA Architecture (diagram: Bridge CA and Directory at the hub, with trust paths to member CAs, each with its own directory and end users)

FBCA Overview
- Designed for the purpose of creating trust paths among PKI domains
- Issues cross-certificates to Member CAs only
- Employs a distributed, NOT a hierarchical, model
- Commercial products participate within the membrane of the Bridge OR interoperate with products within the membrane
- Develops cross certificates within the membrane to bridge the gap among dissimilar products

FBCA Goals
- Leverage emerging Federal Agency PKIs to create a unified Federal PKI
- Limit workload on Agency CA staff
- Support Agency use of:
  - Any FIPS-approved cryptographic algorithm
  - A broad range of commercial CA products
- Propagate policy information to certificate users in different Agencies

FBCA Operation
- Issues Cross-Certificates to Participating CAs only
- FPKI Steering Committee oversees FBCA development and operations
  - Documentation
  - Enhancements
  - Client-side software
- Operates in accordance with Policy Authority and FPKISC direction

FBCA Management Hierarchy
- Steering Committee oversees FBCA development and operations
  - Direct Operational Authority
  - Bridge Documentation
  - Enhancements
- Policy Authority determines participants and levels of cross-certification
  - Administers Certificate Policy
  - Approves requests to cross-certify
  - Enforces compliance by member organizations
- GSA named Operational Authority
  - Operates in accordance with Policy Authority and Steering Committee direction

Current Status - August 10, 2001
- Policy Authority approved final documentation on June 18, 2001
  - Certificate Policy
  - Certification Practices Statement
  - Independent Compliance Analysis
- FBCA “open and ready for business” at the GSA/FTS WillowWoods facility operated by Mitretek Systems on June 7, 2001
- Prototyping/Compatibility lab continues operational off-site
- Hot backup site nearing completion
- C & A Audit under way by KPMG
- Three federal agencies and one state government preparing documentation for application for interoperability with Bridge: NASA, NFC, FDIC, Illinois

What Will It Take to Use the FBCA?
- Policy mapping of certificate policies
- Sharing annual audits
- Careful management of cross-certificates to limit transitive trust (exclusion trees)
- Directory interoperability and synchronization
- Client software for certificate path discovery and processing
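The Phase II validation path (NIH CA to Fed Bridge to HE Bridge to an institution CA) and the three requirements above (policy mapping, cross-certificates that limit transitive trust via exclusion trees, and client-side path discovery) can be seen together in a small model. This is an added example written for this page, not NIH, FBCA or E-Lock code; the CA names, policy identifiers and DN subtrees are constructed, and a cross-certificate is reduced to its issuer, subject, policyMappings and excludedSubtrees.

```python
from collections import deque

# Constructed cross-certificate graph modelled on the Phase II slide (hypothetical
# names). Each entry is one cross-certificate, issuer -> subject. `mappings` stands
# in for the policyMappings extension (issuer-domain policy -> subject-domain
# policy); `excluded` for excludedSubtrees in nameConstraints, the "exclusion
# trees" a bridge uses to keep trust from flowing transitively to every name.
CROSS_CERTS = [
    {"issuer": "NIH CA", "subject": "Fed Bridge", "mappings": {"nih-test": "fbca-test"}, "excluded": []},
    {"issuer": "Fed Bridge", "subject": "NIH CA", "mappings": {"fbca-test": "nih-test"}, "excluded": []},
    {"issuer": "Fed Bridge", "subject": "HE Bridge", "mappings": {"fbca-test": "hebca-test"}, "excluded": []},
    {"issuer": "HE Bridge", "subject": "Fed Bridge", "mappings": {"hebca-test": "fbca-test"}, "excluded": []},
    {"issuer": "HE Bridge", "subject": "UAB CA", "mappings": {"hebca-test": "uab-test"}, "excluded": []},
    {"issuer": "HE Bridge", "subject": "UCOP CA", "mappings": {"hebca-test": "ucop-test"},
     "excluded": ["OU=Contractors,O=UCOP"]},
    # A CA cross-certified only at another assurance level: it carries no mapping for fbca-test.
    {"issuer": "Fed Bridge", "subject": "Illinois CA", "mappings": {"fbca-medium": "il-medium"}, "excluded": []},
]


def name_excluded(dn, subtrees):
    """Crude DN subtree test on string DNs: a name is in a subtree if it ends with it."""
    return any(dn == s or dn.endswith("," + s) for s in subtrees)


def find_path(anchor, anchor_policy, ee_issuer, ee_policies, ee_dn, certs=CROSS_CERTS):
    """Breadth-first path discovery from the relying party's trust anchor to the CA
    that issued the end-entity certificate. Returns (path, policy) or None.
    A hop is usable only if its cross-certificate maps the policy currently
    required; exclusion trees accumulate along the path and are applied to the
    end-entity name. Returned paths go through the bridges, never around them."""
    queue = deque([([anchor], anchor_policy, [])])
    visited = {(anchor, anchor_policy)}
    while queue:
        path, policy, excluded = queue.popleft()
        here = path[-1]
        if here == ee_issuer:
            if policy in ee_policies and not name_excluded(ee_dn, excluded):
                return path, policy
            continue  # wrong policy or excluded name: this route is dead
        for cc in certs:
            if cc["issuer"] != here or policy not in cc["mappings"]:
                continue  # not our edge, or no mapping for our policy: no transitive trust
            state = (cc["subject"], cc["mappings"][policy])
            if state in visited:
                continue  # bridges issue cross-certs in both directions; do not loop
            visited.add(state)
            queue.append((path + [cc["subject"]], state[1], excluded + cc["excluded"]))
    return None
```

A UAB PI certificate under the institution's test policy validates through both bridges, while a UCOP contractor name falls inside the exclusion tree and a cert asserting an unmapped policy finds no path at all.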

Next Steps
- Continue to bring federal agencies into interoperability
- Bring additional products into Bridge membrane and/or verify interoperability with products in membrane: working with RSA, Cylink, Spyrus and talking with VeriSign and Microsoft
- Pursue interoperability with State PKIs
- Pursue interoperability with Nation of Canada
- Pursue interoperability with non-government sector bridges

References
- Federal PKI Steering Committee Website:
- FBCA Page:
- NIST PKI Website: