
The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council 202-622-1552.


1 The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council Richard.Guida@cio.treas.gov; 202-622-1552 (Steering Committee web page: http://gits-sec.treas.gov)

2 E-Transaction Landscape
- Intra-agency: personnel matters, agency management
- Interagency: payments, account reconciliation, litigation
- Agency to trading partner: procurement, regulation
- Agency to the public

3 Federal PKI Approach
- Establish the Federal PKI Policy Authority (for policy interoperability)
- Implement the Federal Bridge CA using commercial off-the-shelf software (for technical interoperability)
- Deal with directory interoperability issues
- Use ACES for public transactions

4 Federal PKI Policy Authority
- Voluntary interagency group, NOT an "agency"
- Governing body for interoperability with the FBCA
  - Agency/FBCA certificate policy mappings
- Oversees operation of the FBCA; authorizes issuance of FBCA certificates
- Six agency charter members (DOD, DOJ, DOC, Treasury, GSA, OMB)

5 Federal Bridge CA
- Non-hierarchical hub ("peer to peer"): agency CAs cross-certify with the bridge rather than subordinating to it
- Maps levels of assurance in disparate certificate policies (the X.509 policyMapping extension in the cross-certificates)
  - Issue: assurance level vs. usage policy
- Ultimate bridge to CAs external to the Federal government
- Directory initially contains only FBCA-issued certificates and ARLs (authority revocation lists)
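The policyMapping step is what lets a relying party that trusts only its own agency's certificate policy accept a certificate issued under another agency's policy by way of the bridge. The following Python is an added example, not code from this presentation or from the FBCA: it implements a simplified form of the RFC 5280 policy-tree processing (sections 6.1.3(d) and 6.1.4(b), with the final intersection of 6.1.5(g) reduced to a lineage check) over constructed cross-certificates. The policy OIDs, certificate names and function names are hypothetical; requireExplicitPolicy, inhibitPolicyMapping, inhibitAnyPolicy, policy qualifiers, name constraints and all signature checking are left out.

```python
"""Simplified RFC 5280 certificate-policy processing across a bridge CA.

Constructed example, not FBCA code. Three PKI domains (Agency A, the bridge,
Agency B) each name "medium assurance" with their own OID; the cross-certificates
carry policyMappings so that a relying party in A that trusts only A's policy
can accept a B-issued end-entity certificate through the bridge.
"""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # anyPolicy: the only real OID in this file

# Hypothetical policy OIDs (not the real FBCA or agency OIDs).
A_MEDIUM = "2.16.840.1.999.1.2"
FBCA_MEDIUM = "2.16.840.1.999.2.2"
B_MEDIUM = "2.16.840.1.999.3.2"
B_BASIC = "2.16.840.1.999.3.1"


@dataclass
class Cert:
    """Only the two extensions this step consults; signatures and names are assumed valid."""
    name: str
    policies: frozenset                            # certificatePolicies
    mappings: dict = field(default_factory=dict)   # policyMappings: issuerDomainPolicy -> {subjectDomainPolicy}


@dataclass
class Node:
    """A valid_policy_tree node (RFC 5280 6.1.2) without qualifiers."""
    valid_policy: str
    expected: frozenset
    parent: "Node | None"
    origin: str            # depth-1 policy (trust anchor's domain) this node descends from
    children: list = field(default_factory=list)


def _grow(parent, policy, expected):
    # A child of an anyPolicy node starts a new lineage; otherwise inherit the origin.
    origin = policy if parent.valid_policy == ANY_POLICY else parent.origin
    child = Node(policy, frozenset(expected), parent, origin)
    parent.children.append(child)
    return child


def validate_policies(path, initial_policies):
    """Return the trust-anchor-domain policies under which the end entity is acceptable.

    path: certificates from the one issued by the trust anchor down to the end entity
    (the trust anchor itself is not in the path). An empty result means the path fails.
    """
    frontier = [Node(ANY_POLICY, frozenset({ANY_POLICY}), None, ANY_POLICY)]
    for cert in path:
        # 6.1.3 (d): add a depth-i node for each policy some parent expects; an
        # anyPolicy parent accepts policies that nobody else expected.
        next_frontier = []
        for p in sorted(cert.policies - {ANY_POLICY}):
            parents = [n for n in frontier if p in n.expected]
            if not parents:
                parents = [n for n in frontier if n.valid_policy == ANY_POLICY]
            next_frontier += [_grow(n, p, {p}) for n in parents]
        if ANY_POLICY in cert.policies:
            for n in frontier:
                have = {c.valid_policy for c in n.children}
                next_frontier += [_grow(n, p, {p}) for p in sorted(n.expected - have)]
        # 6.1.4 (b): policyMappings rewrite what the depth-i nodes expect of the next cert.
        for issuer_policy, subject_policies in cert.mappings.items():
            hit = [n for n in next_frontier if n.valid_policy == issuer_policy]
            for n in hit:
                n.expected = frozenset(subject_policies)
            if not hit:
                for n in [m for m in next_frontier if m.valid_policy == ANY_POLICY]:
                    next_frontier.append(_grow(n.parent, issuer_policy, subject_policies))
        frontier = next_frontier      # nodes that got no children are pruned implicitly
    # 6.1.5 (g), simplified: a lineage counts if its depth-1 policy is in the initial
    # set; an all-anyPolicy lineage satisfies any initial policy.
    origins = {n.origin for n in frontier}
    if ANY_POLICY in initial_policies:
        return origins
    return {p for p in initial_policies if p in origins or ANY_POLICY in origins}


def demo_paths():
    """Constructed certificates. The relying party trusts Agency A's CA (the trust
    anchor, not in the path), so every path starts with the cross-certificate A's CA
    issued to the bridge."""
    a_to_fbca = Cert("A-CA -> FBCA", frozenset({A_MEDIUM}), {A_MEDIUM: {FBCA_MEDIUM}})
    fbca_to_b = Cert("FBCA -> B-CA", frozenset({FBCA_MEDIUM}), {FBCA_MEDIUM: {B_MEDIUM}})
    fbca_to_b_nomap = Cert("FBCA -> B-CA, no policyMappings", frozenset({FBCA_MEDIUM}))
    alice = Cert("B-CA -> alice (B medium)", frozenset({B_MEDIUM}))
    bob = Cert("B-CA -> bob (B basic)", frozenset({B_BASIC}))
    return {
        "mapped_medium": [a_to_fbca, fbca_to_b, alice],               # accepted as A_MEDIUM
        "lower_assurance": [a_to_fbca, fbca_to_b, bob],               # rejected: B basic is never mapped
        "unmapped_bridge_cert": [a_to_fbca, fbca_to_b_nomap, alice],  # rejected: equivalence chain broken
    }


if __name__ == "__main__":
    for name, path in demo_paths().items():
        print(f"{name:22s} {sorted(validate_policies(path, {A_MEDIUM}))}")
```

The third path is the practical failure mode for a bridge: the bridge's cross-certificate to Agency B asserts the bridge's own policy but carries no policyMappings, so the relying party's tree expects FBCA_MEDIUM at the end entity, finds B_MEDIUM, and rejects the certificate even though both sides consider it medium assurance. Asserting A's policy in the initial set is also deliberate: the relying party states its requirement in its own domain's OID and lets the mappings in the path translate it, which is what makes the hub non-hierarchical.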

6 Current Status
- Prototype FBCA: Entrust, Cybertrust (replaced with Baltimore UniCERT)
  - Initial operation February 8, 2000; tested April 2000
- Production FBCA: add other CAs
  - Operational by late 2000
- FBCA Operational Authority is the General Services Administration
- FBCA Certificate Policy by late 2000
- FPKIPA operational July 2000

7 FBCA Prototype Test Structure
- Six disparate PKI domains cross-certified with the FBCA
  - Five different CA products
  - Four different X.500 directory products
- Interoperability demonstrated via signed S/MIME messages (Eudora, Outlook)
- X.500 directory framework: chaining between directories, client access via LDAP

8 [Diagram of the prototype test structure: a Cybertrust CA, an Entrust CA, a DoD Bridge CA and several PCA/CA hierarchies, each serving Entrust and SFL clients]

9 Participants
- Government of Canada
- NSA/DOD
- NIST
- NASA
- GSA
- Georgia Tech Research Institute
- CA products: Entrust; Cybertrust; CygnaCom; Spyrus; Motorola
- Directories: PeerLogic; ICL; Nexor; CDS; Chromatix
- Integrators: Mitretek; JGVanDyke; GNS; Booz Allen; CygnaCom; A&N Associates

10 Test Results

11 Agency Production PKI Examples
- DOD: >300K certificates, growing to >>4M by 2002; high assurance with smart cards
- FAA: >1K certificates, 20K+ in 2000; software certificates now, migrating to smart cards
- FDIC: >7K certificates, 20K+ in 2000
- NASA: >1K certificates, 25K+ in 2000
- USPTO: >1K certificates, 15K+ in 2000

12 Access Certificates for Electronic Services (ACES)
- "No-cost" certificates for the public
- For business with Federal agencies only (but agencies may allow other uses on a case-by-case basis)
- On-line registration, vetting against legacy data; information protected under the Privacy Act
- Agencies billed per use and/or per certificate
- Three contractor consortia (DST, ORC, AT&T)
- President used an ACES certificate to sign the E-SIGN bill

13 Statutory Bases: E-Signatures
- Government Paperwork Elimination Act (1998)
  - Technology neutral: select based on risk
  - But full recognition of digital signature strengths
  - Gives electronic signatures full legal effect
  - Focus: transactions with Federal agencies
- Electronic Signatures in Global and National Commerce Act (2000)
  - Covers B2B and B2C
  - Full legal effect if requirements are met

14 Organization

15 U.S./European/Asian Issues
- Certificate policy usage: assurance levels vs. application limitations
- Certificate profiles: differences such as key usage extension conflicts
- Models for policy and technical interoperability: prescriptive vs. market-based
- Client software configuration: trust path creation vs. the browser model

