
Federal Initiatives in IdM



Presentation Transcript


  1. Federal Initiatives in IdM
     Dr. Peter Alterman, Chair, Federal PKI Policy Authority

  2. HSPD-12
     • Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05
     • Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06
     • Authorization remains a local prerogative
     Wilmington, NC November 2005

  3. E-Authentication
     • Initiatives
       • Assessment Framework for Credentials: evaluating the level of assurance (LOA) of identity of credential service providers
       • Membership in Liberty Alliance
       • Frequent meetings with Microsoft
       • Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team

  4. E-Authentication: CAF
     • Credential Assessment Framework consists of the following:
       • A structured methodology and procedures for evaluating the LOA of a CSP’s credentials
       • An assessment team that goes out and evaluates CSPs
       • A process for conflict resolution
       • Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website

  5. E-Authentication: Interfed Interop
     • inCommon Higher Education Identity Federation
       • Using Shibboleth middleware technical protocols
       • Policy-light
     • E-Authentication US Identity Federation
       • Using a variety of technical protocols
       • Policy intensive

  6. What Are Electronic Identity Federations?
     • Associations of electronic identity credential providers and credential consumers (electronic service providers) who:
       • Agree to trust each others’ credentials;
       • Agree to hold credential providers authoritative for the validity of their credentials;
       • Agree to use common communications protocols and procedures to enable interoperability;
       • Agree to common business rules

  7. Purpose of Electronic Identity Federations
     • To enable trusted electronic business transactions between end users and service providers where the service provider does not have to issue and manage identity credentials, including attributes.
     • It’s all a matter of scaling…
     • No, it’s also a matter of control

  8. Characteristics of Identity Federations
     • Credential providers
     • Service providers
     • Standards and protocols for technical interoperability among credential providers, service providers, end users and infrastructure utilities
     • A governance mechanism to assert common business rules, ensure credentials can be used and trusted by all members of the federation, and a central control point for entry and exit of members

  9. Accomplishments to Date
     • Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2
     • Production-level interoperability built into Shibboleth 1.3 (in beta)
     • Extensive groundwork done on identifying policy and procedure mapping/treaty requirements
     • Credential Assessment of 3 Universities, fourth scheduled

  10. Work in Progress
     • Development of common SAML 2.0 schemes
     • Development of common USPerson profile and profile management infrastructure
     • Development of production-quality scheme translator
     • Ongoing work to enable cross-federation trust and interoperability
     • NSF FastLane to accept 3 universities’ Shibboleth-based identity and attribute credentials on or before December, 2005 (slippage)

  11. Unresolved Issues
     • Mapping null attributes
     • Ensuring privacy of attribute information in a variety of instances
     • Portal integration
     • Scaling issues for listing credential providers
     • Issues of transitivity across federations
     • Multiple authoritative sources/conflicting authoritative sources
     • Vocabulary and “data dictionary” issues
     • Liability and indemnification issues

  12. Federal PKI Architecture
     • Agency and other government PKIs are required to cross-certify with the Federal Bridge CA
     • As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program
     • The architecture issues TLS/SSL certificates to credential service providers that have passed the CAF assessment, to provide mutual authentication
     • The Federal Bridge CA serves as the “point of insertion” for external PKIs and other bridges.

  13. Simplified Diagram of Federal PKI
     [Diagram; labelled elements: Federal Bridge CA; Cross-Certified gov PKIs; Common Policy CA; Shared Service Provider PKIs (Common Policy OID and root cert); C4 CA; E-Gov CAs (3); Cross-Certified External PKIs; eAuth CSPs]

  14. LOA Mapping: E-Auth to Fed PKI
     E-Auth Level 1: FPKI Rudimentary, C4
     E-Auth Level 2: FPKI Basic
     E-Auth Level 3: FPKI Medium & Medium-cbp
     E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp
     (no E-Auth level): FPKI High (government only)
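The bridge architecture of slide 12 and the LOA table of slide 14, as an added illustration that is not from the presentation: a constructed, simplified model in which a relying party's trust reaches an outside CA only through the Federal Bridge's cross-certificates and their policy mappings, and a credential's E-Auth level is read off the bridge policy that maps onto it. CA names, policy labels and the topology are invented; real FPKI path validation follows RFC 5280 policy processing, which this model only sketches.

```python
from collections import deque

# Constructed sample topology (names invented): cross-certificate edges
# (issuer, subject) with the policy mapping each asserts, {issuer_policy: subject_policy}.
CROSS_CERTS = {
    ("AgencyRoot", "FederalBridge"): {"agency-basic": "fbca-basic", "agency-medium": "fbca-medium"},
    ("FederalBridge", "AgencyRoot"): {"fbca-basic": "agency-basic", "fbca-medium": "agency-medium"},
    ("FederalBridge", "UniversityCA"): {"fbca-basic": "univ-basic"},
    ("UniversityCA", "FederalBridge"): {"univ-basic": "fbca-basic"},
    ("FederalBridge", "CommonPolicyCA"): {"fbca-medium": "common-medium", "fbca-medium-hw": "common-medium-hw"},
}
# Slide 14's LOA mapping in the bridge's vocabulary (labels stand in for real FPKI policy OIDs).
LOA_BY_FBCA_POLICY = {"fbca-rudimentary": 1, "fbca-basic": 2, "fbca-medium": 3,
                      "fbca-medium-cbp": 3, "fbca-medium-hw": 4, "fbca-medium-hw-cbp": 4}

def find_path(anchor, issuer):
    """Breadth-first search over cross-certificates from a trust anchor to an issuing CA."""
    queue, seen = deque([[anchor]]), {anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == issuer:
            return path
        for src, dst in CROSS_CERTS:
            if src == path[-1] and dst not in seen:
                seen.add(dst)
                queue.append(path + [dst])
    return None

def accepted_policies(anchor, anchor_policies, issuer):
    """Policies of `issuer` that a relying party trusting `anchor` under `anchor_policies` accepts.
    Each hop translates the policy set through that cross-cert's mapping; a policy with no
    mapping on some hop is dropped, so an empty result means the path confers no trust."""
    path = find_path(anchor, issuer)
    if path is None:
        return set()
    current = set(anchor_policies)
    for src, dst in zip(path, path[1:]):
        mapping = CROSS_CERTS[(src, dst)]
        current = {mapping[p] for p in current if p in mapping}
    return current

def loa_of(issuer, asserted_policy):
    """E-Auth LOA of a credential: find the bridge policy that maps onto its asserted policy."""
    for fbca_policy, loa in LOA_BY_FBCA_POLICY.items():
        if asserted_policy in accepted_policies("FederalBridge", {fbca_policy}, issuer):
            return loa
    return None
```

Note that an agency relying party that only trusts its own Medium policy ends up with an empty set for the university's Basic credential: the bridge carries the trust, but the mapping chain decides what assurance survives the trip.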

  15. Discussion
     • altermap@mail.nih.gov
