1 The U.S. Federal PKI, 2004: Report to EDUCAUSE
Peter Alterman, Ph.D.
Assistant CIO for E-Authentication
National Institutes of Health

2 The Federal Bridge CA is Now the Federal PKI Architecture (SuperSize Me)
Components include:
– US Federal Bridge CA
– Common Policy Framework CA
– E-Authentication CA
– Citizen and Commerce Class CA

4 Key Points
– The main connection between the US Federal PKI and external PKIs (including other Bridges) continues to be the Federal Bridge CA.
– The Common Policy Framework CA issues cross-certificates to SSP primary CAs.
– The Common Policy Framework CA is cross-certified with the FBCA.
– E-Authentication CA: two other CAs service E-Authentication levels one and two CSP SSL/TLS server certificate issuance.
– The C4 CA services alternative PKIs (ultra lights).

5 Cross-Certified with the US FBCA
– Department of Defense (one way)
– DOD Key Management Infrastructure
– NASA
– USDA/National Finance Center
– Treasury
– State
– Energy
– Labor
– State of Illinois
– DST/Identrus ACES (and HHS)
– ORC ACES

6 Pending/In Process
– U.S. Patent and Trade
– Wells Fargo Bank / Identrus
– Government of Canada
– Boeing
– HEBCA
– Government of Australia
– UK Ministry of Defence

7 Approved Shared Service Providers
– VeriSign
– CyberTrust
– National Finance Center/USDA
– Others pending

8 Other Bridges Emerging: A Global Trust Infrastructure
– Aerospace Industry (CertiPath)
– Pharmaceutical Industry (SAFE)
– Unofficially, and really not a bridge, but might as well be: Crimson Logic Pacific Rim Import/Export Application (9 economies)

9 And Now A Graphic
Showing how the Federal PKI fits into the overall U.S. E-Authentication Architecture.

10 The US Federal PKI & The E-Authentication Federated Approach (diagram)
Diagram elements: the FBCA Certification Authority (FBCA Certificate Policy), two-way cross-certified (FBCA High & FBCA Medium) with Agencies (Legacy Agency CA policy), States, Foreign Entities and Other Bridge CAs, with ACES and a New Agency optionally two-way cross-certified; the Citizen & Commerce Class Common (C4) Certificate Policy and the C4 Policy Certification Authority (included in browser list of CAs), serving the private sector (Wells Fargo, AOL, PEPCO); the FPKI Common Policy Framework (FCPF) Certificate Policy and the FCPF Policy Certification Authority (trust anchor for Common FPKI Policy hierarchical PKI subscribers), with Qualified Shared Service Providers (USDA/NCF, Verisign, DST); the E-Governance Certification Authority (mutual authentication of SAML/SSL certificates only) under the E-Governance Certificate Policy, serving Assurance Levels 1 and 2.
Note: Red lines indicate technical areas to resolve. Working Groups are formed to address these areas by 1st week of March 2004.
Figure: FPKI Validation Service (Communities 1–3 and their CAs joined through the Bridge to the FPKI and the eAuth Trust List; validation protocols shown: XKMS, OCSP, CAM, SOAP, others)
– Step #1: User goes to Portal to select the AA and ECP.
– Step #2: The user is passed directly to the AA.
– Step #3: The user authenticates to the AA directly using SSL or TLS.
– Step #4: The AA uses the validation service to validate the certificate.

11 Other Federal/Higher Ed Initiatives, or Places We Meet (In Hoc Signo Vinces)
– NIH-EDUCAUSE PKI Interoperability Project, Phase 4
– E-Authentication-Shibboleth Interoperability Initiative
– E-Authentication Partnership
– International Collaborative Identity Management Forum (ICIDM)

12 Issues Being Pursued Actively
– Path Discovery / Path Validation
  – CAM works
– Bridge-Bridge Interoperability Procedures, including Bridge Operations Issues (citizenship, etc.)
– FIPS 201 and HSPD-12

13 Path Discovery / Path Validation
– CAM 4 RC7 ready for prime time and configurable to map LOA
– CAM 4 RC8 due January, 2005 (GUI interface for configuration)
– Validation Service/Tool Requirements Document about ready for release
– No COTS service/tool yet a reality
– Betting on SCVP for next generation validation checking protocol.
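Path discovery across a bridge topology, as an added example that is not from the talk or from CAM/SCVP: cross-certificates are modelled as directed issuer -> subject edges, so a one-way cross-certification is only traversable in the issuing direction and a relying party on the other side finds no path. The CA names follow slides 4 and 5; the edge set, including the direction assumed for the DoD one-way relationship, is constructed for illustration.

```python
from collections import deque

# Constructed topology (issuer, subject), loosely following slides 4 and 5.
# A two-way cross-certification contributes two edges, a one-way one only one;
# the direction chosen for the DoD one-way relationship is an assumption.
CROSS_CERTS = [
    ("FBCA", "Common Policy Framework CA"), ("Common Policy Framework CA", "FBCA"),
    ("Common Policy Framework CA", "SSP Primary CA"),
    ("SSP Primary CA", "SSP Subscriber"),
    ("FBCA", "NASA CA"), ("NASA CA", "FBCA"),
    ("NASA CA", "NASA Subscriber"),
    ("FBCA", "DoD Root CA"),                  # one way only: FBCA certifies DoD
    ("DoD Root CA", "DoD Subscriber"),
]


def build_graph(cross_certs):
    """Adjacency map: issuer -> list of subjects it has issued certificates to."""
    graph = {}
    for issuer, subject in cross_certs:
        graph.setdefault(issuer, []).append(subject)
    return graph


def discover_path(graph, trust_anchor, target, max_len=6):
    """Breadth-first search from the relying party's trust anchor to the target
    subject, following issuer -> subject edges only (a validator can only use
    certificates issued *towards* the target). Returns the shortest chain of
    names, or None when no path exists or every path would exceed max_len
    certificates, which guards against loops in meshed bridge topologies."""
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) >= max_len:
            continue
        for subject in graph.get(path[-1], []):
            if subject not in seen:
                seen.add(subject)
                queue.append(path + [subject])
    return None


if __name__ == "__main__":
    g = build_graph(CROSS_CERTS)
    print(discover_path(g, "NASA CA", "DoD Subscriber"))   # via FBCA
    print(discover_path(g, "DoD Root CA", "NASA Subscriber"))  # None: one way
```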

14 Bridge-to-Bridge Interoperability
– Policy and Procedures: FPKI Policy Authority leads the pack
– Technical Implementation Issues: Architecture and Trust
– Politics and Money
– Current sticking point is citizenship requirements for trusted operators

15 HSPD-12, The Black Hole: Background
– Requires NIST to promulgate technical and procedural standards for electronic identity authentication for Feds and contractors (PIV = Personal Identity Verification)
– Encompasses physical and logical access to government resources
– Ultra short timeframe: standards done in Spring, agency implementation plans due late June, agency implementation begins October.
– Means Medium Assurance digital certificates on smart cards, but next generation crypto is being pushed.

16 HSPD-12, The Black Hole: Status
– Current action is with three documents: FIPS 201, SP 800-73 and the Implementation Guide
– Current draft of FIPS 201 being heavily revised, final version due mid-February
– Revision to SP 800-73 (Smart Card Standards) under way, IAB hard at work revising to accommodate industry input, due late January
– Implementation in two phases to accommodate installed base and vendor community
– WILL AFFECT EVERYONE

17 Reminder: PKI R&D Workshop
– April 19–21, 2005
– NIST, Gaithersburg, MD
– www.middleware.internet2.edu/pki05
– This year, the workshop has a particular interest in how emergent trust mechanisms will interact with each other at technical, policy and user levels.
