1 / 13

Federal PKI Architecture Update

Federal PKI Architecture Update. Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority. SAFE. Industry PKIs. View from 20,000 km. Common Policy CA. SSPs. Serving all other Agencies. CertiPath SSP. FBCA. CertiPath. C4. Industry PKIs. eGCA (3). SAFE. Industry PKIs.

rigel-mcclain
Download Presentation

Federal PKI Architecture Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federal PKI Architecture Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority

  2. SAFE Industry PKIs View from 20,000 km Common Policy CA SSPs Serving all other Agencies CertiPathSSP FBCA CertiPath C4 Industry PKIs eGCA (3) OASIS PKI

  3. SAFE Industry PKIs View from 20,000 km DOD DHS NASA Commerce USPS USPTO HHS DOE IL DOJ State DOD/ECA GPO Treasury Wells Fargo MIT LL UTexasSx Common Policy CA Total: 12 – 15M users SSPs VeriSign Cybertrust ORC Treasury GPO? Exostar Entrust IdenTrusT? Serving all other Agencies CertiPathSSP FBCA CertiPath C4 USHER? Industry PKIs Abbott Labs AstraZeneca Bristol-Myers Squibb Genzyme GlaxoSmithKline INC Research Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals Boeing Raytheon Lockheed Martin eGCA (3) EAF member CSPs TLS certs OASIS PKI

  4. Simplified Diagram of U.S. Federal PKI Federal Bridge CA Cross- Certified gov PKIs Common Policy CA Shared Service Provider PKIs (Common Policy OID And root Cert) C4 CA E-Gov CAs (3) Cross- Certified External PKIs eAuth CSPs ? OASIS PKI

  5. E-Auth Level 1 FPKI Rudimentary; C4 E-Auth Level 2 FPKI Basic E-Auth Level 3 FPKI Medium & Medium-cbp E-Auth Level 4 FPKI Medium/HW & Medium/HW-cbp FPKI High (governments only) LOA Mapping OASIS PKI

  6. Federal Bridge Works Cross-Certification Process Completes FBCA Issues Cross- certificates Routinely Issues CRL/ARL Populates Directories LDAP & X.500 OCSP Responder Cert Profile: AIA/SIA Extensions Cert Profile: PolicyMapping, Excluded Subtrees OASIS PKI

  7. Federal Bridge Info • FIPS 1540-2 Level 3 HSM • Online CAs on double-firewalled, one way, discrete network with backup T-1 connections • ISODE M-Vault directories • Tepid Backup Site • Disaster Recovery Site • 24x7 help desk, architected for 99.5% uptime • Evolving monitoring architecture • Vendor operations transfer in process OASIS PKI

  8. Notional FBCA Directory Implementation* This diagram shows: LDAP Access from email clients to support address lookup. LDAP Access from an application, to provide user authentication. Directory management using Isode's Enterprise Directory Management tool. Data management using Isode's Isode's Directory Data Management tool. A Certification Authority, such as Entrust, accessing and managing data in M-Vault. X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500 capable directory. LDAP chaining to access data in a peer departmental LDAP directory. Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience. *From ISODE website OASIS PKI

  9. FBCA Cross Certification Process • Application - LOA? • Policy Mapping • Mapping Matrices online • Cert Policy WG mapping review • Collegial back and forth discussions • Technical Interoperability Testing • With Prototype instance of FBCA • Testing Protocol online • Directory and profiles tested (LDAP and X.500) • Review of summary of independent audit results • Map CP – CPS and CPS to PKI Operations • Independent auditors, not FPKI auditors • Whole process laid out in “Criteria & Methodology” document online OASIS PKI

  10. Path Discovery and Validation • Trust Lists can work but: • Don’t scale, are rigid and don’t give level of assurance • Bridges can work but: • Aren’t supported in native OSs, so require add-on PD/Val tools • NIST and FPKI developed test suite for PD/Val products/services • 4 products, 2 services passed so far (see the website) • Deploy on website, desktop, within enterprise or outsource… OASIS PKI

  11. Grids and Enterprise PKIs • Different from the administration and architecture perspectives • Overlap from the end user perspective • Cross-certification and interoperability solve the problem Grid PKI CP Institution PKI CP End User: single cert. Grid ID for Project(s) Institution ID For AuthN OASIS PKI

  12. Business CaseFor XCert • Simplify trust and control decisions • Extend value of issued credentials • Scalable trust at known LOA • Rely on trusted CSPs instead of managing issued credentials OASIS PKI

  13. Resources • www.cio.gov/fpkipa • http://csrc.nist.gov/pki • www.cio.gov/ficc • www.cio.gov/fbca OASIS PKI

More Related