The U.S. Federal PKI

Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council. Richard.Guida@cio.treas.gov; 202-622-1552 (Steering Committee web page: http://gits-sec.treas.gov).


Presentation Transcript


  1. The U.S. Federal PKI
     Richard Guida, P.E.
     Chair, Federal PKI Steering Committee
     Chief Information Officers Council
     Richard.Guida@cio.treas.gov; 202-622-1552
     (Steering Committee web page: http://gits-sec.treas.gov)

  2. E-Transaction Landscape
     • Intra-agency
       • personnel matters, agency management
     • Interagency
       • payments, account reconciliation, litigation
     • Agency to trading partner
       • procurement, regulation
     • Agency to the public

  3. Federal PKI Approach
     • Establish Federal PKI Policy Authority (for policy interoperability)
     • Implement Federal Bridge CA using Commercial Off The Shelf software (for technical interoperability)
     • Deal with directory interoperability issues
     • Use ACES for public transactions

  4. Federal PKI Policy Authority
     • Voluntary interagency group - NOT an “agency”
     • Governing body for interoperability with FBCA
     • Agency/FBCA cert policy mappings
     • Oversees operation of FBCA, authorizes issuance of FBCA certificates
     • Six agency charter members (DOD, DOJ, DOC, Treasury, GSA, OMB)

  5. Federal Bridge CA
     • Non-hierarchical hub (“peer to peer”)
     • Maps levels of assurance in disparate certificate policies (“policyMapping”)
     • Issue: assurance level vs. usage policy
     • Ultimate bridge to CAs external to Federal government
     • Directory initially contains only FBCA-issued certificates and ARLs

  6. Current Status
     • Prototype FBCA: Entrust, Cybertrust (replaced with Baltimore Unicert)
       • Initial operation 2/8/00, tested 4/00
     • Production FBCA: add other CAs
       • Operational by late 00
     • FBCA Operational Authority is General Services Administration
     • FBCA Cert Policy by late-00
     • FPKIPA operational 7/00

  7. FBCA Prototype Test Structure
     • Six disparate PKI domains cross-certified with FBCA
     • Five different CA products
     • Four different X.500 directory products
     • Interoperability demonstrated via signed S/MIME messages (Eudora, Outlook)
     • X.500 directory framework - chaining between directories, client access via LDAP

  8. [Diagram. Labels: Federal Bridge CA; DoD Bridge CA; Canada; GSA/FTS; NIST 1; NIST 2; NSA; NASA; GTRI; PCAs and CAs (Cybertrust, Entrust, CygnaCom, Motorola, Spyrus); SFL Client; Entrust Client]

  9. Participants
     • Government of Canada
     • NSA/DOD
     • NIST
     • NASA
     • GSA
     • Georgia Tech Research Institute
     • CA products: Entrust; Cybertrust; CygnaCom; Spyrus; Motorola
     • Directories: PeerLogic; ICL; Nexor; CDS; Chromatix
     • Integrators: Mitretek; JGVanDyke; GNS; Booz Allen; CygnaCom; A&N Associates

  10. Test Results

  11. Agency Production PKI Examples
     • DOD (>300K certs => >>4M by 2002; high assurance with smartcards)
     • FAA (>1K certs => 20K+ in 2000; software now, migrating to smartcards)
     • FDIC (>7K certs => 20K+ in 2000)
     • NASA (>1K certs => 25K+ in 2000)
     • USPTO (>1K certs => 15K+ in 2000)

  12. Access Certs for Electronic Services
     • “No-cost” certificates for the public
     • For business with Federal agencies only (but agencies may allow other uses on case basis)
     • On-line registration, vetting with legacy data; information protected under Privacy Act
     • Agencies billed per-use and/or per-certificate
     • Three contractor consortia (DST, ORC, AT&T)
     • President used ACES cert for E-sign Bill

  13. Statutory Bases: E-Signatures
     • Gov’t Paperwork Elimination Act (98)
       • Technology neutral - select based on risk
       • But full recognition of dig sig strengths
       • Gives electronic signature full legal effect
       • Focus: transactions with Federal agencies
     • E-Sign in Global/Nat’l Commerce Act (00)
       • Covers B2B and B2C
       • Full legal effect if requirements are met

  14. Organization

  15. U.S./European/Asian Issues
     • Certificate Policy usage - assurance levels vs. application limitations
     • Certificate Profiles - differences such as key usage extension conflicts
     • Models for policy, technical interoperability - prescriptive vs. market-based
     • Client software configuration - trust path creation vs. browser model
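
The policy mapping role of the bridge CA (slide 5) and the trust path issue (slide 15), shown as an added example that is not part of the original presentation: a simplified Python walk of a cross-certified path from one agency through a bridge to another agency's user. The `Cert` class, `acceptable_policies`, and all policy names are hypothetical and constructed; anyPolicy, inhibitPolicyMapping, requireExplicitPolicy and signature checks are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    policies: set                                 # certificatePolicies asserted in this cert
    mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> {subjectDomainPolicy}

def acceptable_policies(path, initial):
    """Return the relying party's own policies that survive every cert in the path."""
    # current[p]: the names that stand for relying-party policy p in the
    # domain of the CA that issued the next certificate in the path.
    current = {p: {p} for p in initial}
    for cert in path:
        survivors = {}
        for rp_policy, equivalents in current.items():
            asserted = equivalents & cert.policies
            if not asserted:
                continue                          # not asserted here: assurance chain breaks
            translated = set()
            for name in asserted:
                # A policyMapping replaces the issuer-domain name with the
                # subject-domain name(s); unmapped policies carry over unchanged.
                translated |= cert.mappings.get(name, {name})
            survivors[rp_policy] = translated
        current = survivors
    return set(current)

# Constructed path: Agency A trust anchor -> bridge CA -> Agency B CA -> user.
A_TO_BRIDGE = Cert("Bridge CA", {"a-basic", "a-medium"},
                   {"a-basic": {"bridge-basic"}, "a-medium": {"bridge-medium"}})
BRIDGE_TO_B = Cert("Agency B CA", {"bridge-basic", "bridge-medium"},
                   {"bridge-basic": {"b-level1"}, "bridge-medium": {"b-level2"}})
USER_L1 = Cert("Agency B user, level 1", {"b-level1"})
USER_L2 = Cert("Agency B user, level 2", {"b-level2"})

def demo():
    """Evaluate both users against relying parties with different requirements."""
    p1 = [A_TO_BRIDGE, BRIDGE_TO_B, USER_L1]
    p2 = [A_TO_BRIDGE, BRIDGE_TO_B, USER_L2]
    return {
        "level1 user, medium required": acceptable_policies(p1, {"a-medium"}),
        "level1 user, basic or medium": acceptable_policies(p1, {"a-basic", "a-medium"}),
        "level2 user, medium required": acceptable_policies(p2, {"a-medium"}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", sorted(result) or "REJECT")
```

An empty result means the path builds but carries no policy the relying party accepts, which is how a lower-assurance certificate from another domain is rejected even though the cross-certificates chain correctly.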
