Presentation is loading. Please wait.

Presentation is loading. Please wait.

NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication."— Presentation transcript:

1 NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

2 Topics Introduction and Background Certificate Path Discovery and Validation Automated Receipt Server Automated Archive Log Questions

3 Project Motivators Government Paperwork Elimination Act (GPEA) Move paperwork-based transactions to electronic applications through the Internet Quicksilver Projects List of applications for e-Government services, including e-Authentication and e-forms E-Authentication focuses on authenticating electronic identity credentials to authenticate citizens or business access

4 NIH-EDUCAUSE PKI Interoperability Project Funded by the Federal PKI Steering Committee to develop models and technology to allow locally-issued digital certificates to be used to sign digital versions of government forms

5 Benefits to Higher Education Universities and colleges are adopting digital signature technology for many reasons. It is vital that electronic credentials be reusable. The project enables secure electronic forms-based transactions among diverse, unaffiliated business partners (including, but not limited to, the Federal Government) Project is universally applicable for all forms-based business transactions requiring one or more signatures

6 Accomplishments Certificate path discovery and validation infrastructure Operational PKI bridge pathway between prototype of the FBCA and prototype of the HEBCA, which is funded and operated by EDUCAUSE Resolution of multiple certificate configuration and directory interoperability issues Ability for faculty and staff at academic institutions to download, complete, digital signing (two digital signatures), and send XML forms to US Government Automated receipt to submitter NARA requirements for audit logs

7 Concept of Operations Internal workflow Digitally Signed App. HEBCA UNVERSTY CA - Research Institution IBM Agency Backend Internet Receipt Server Digitally Signed App. Digitally Signed App. Federal Government Applicant or Co-Signer Agency Server Audit Log (NARA) Digitally Signed App. FBCA CAM Server UNIVERSITY Applicant or Business ACL Database

8 FBCA X.500 Based Directory Directories Interconnect via Chaining (X.500 DSP)

9 HEBCA LDAP Based Directory Utilizing the Registry of Directories Utilizing LDAP Referrals

10 Path Discovery and Validation 1.Certificate submitted to CAM 2.Based on Trust Anchor CAM accesses the FBCA 3.At FBCA find a Cross Certificate to HEBCA 4.Cross Certificate points to the HEBCA 5.At HEBCA find a Cross Certificate to University 2 PKI 6. Return LDAP referral to the CAM 7.CAM directly follow the referral to University 2 information

11 Path Discovery / Path Validation Lessons Publish all CA certificates within the directory using subjectDN found in the certificate Consistently populate Certificate Extensions wherever possible Minimize mixing of LDAP, HTTP, and X.500 methods Get the SKID and AKID correctly populated During cross certification, verify that policyMapping and nameConstraints are correctly defined Path Discovery/Path Validation as well as Tools are still evolving. (Ongoing work)

12 Automated Receipt Server ACLDatabase SSL/WEBServer CAM OCSP PublicDMZSecure Directory Remote CA Application Flow ArchiveDatabase Email Server Co-signer Applicant

13 Automated Archive Log Trustworthiness of electronically signed XML forms and associated transactions was ensured by: Storing the original digitally signed electronic form received in the NARA archive XML document Digital signature on NARA archive XML document included authenticated timestamp as part of the signature NARA Archive XML document included digital certificate for verification purposes for each signatory on the original digitally signed XML form NARA Archive XML document provided for signature verification at any time for each signatory on the original digitally signed electronic form NARA Archive XML document included a certificate validation result (from CAM) for each signatory on the original digitally signed electronic form, the receipt signer’s own certificate validation result and an authenticated attribute of its signature Long-term integral storage of all of the above items will be achieved by optical media back-up of the archive database.

14 Schools Completing Successful Interoperability Testing Dartmouth College University of Alabama-Birmingham University of Wisconsin-Madison University of California

15 Participating Organizations

16 Questions?

Download ppt "NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication."

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.

The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Copyright Judith Spencer 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.

NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.

Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Federal Approach to Electronic Credentials For services to citizens, businesses, other governments, and employees Mary J. Mitchell Office of Electronic.

Federal Approach to Electronic Credentials For services to citizens, businesses, other governments, and employees Mary J. Mitchell Office of Electronic.
The U.S. Federal PKI and the Federal Bridge Certification Authority

The U.S. Federal PKI and the Federal Bridge Certification Authority
The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.

The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering Committee 202-622-1552.

Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering Committee
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

Similar presentations

Ads by Google