GPO PKI and OFR eDOCS U.S. Government Printing Office September 10, 2009
Agenda • About GPO PKI and OFR eDOCS • GPO PKI Services
About GPO PKI • Shared Service Provider (SSP) certification – July 2007 • Cross-Certified with Federal Bridge Certification Authority since December 2005 • Meets all Federal PKI requirements • In operation at GPO since 2004
GPO PKI Services
• End User Certificates
  • Medium Assurance Level (federal PKI)
  • Requires in-person identity proofing for users
    • End user must present themselves in person to the RA or LRA
  • Two options:
    • At GPO Main Office
    • Agency Local Registration Authority (LRA)
      • Agency LRA personnel require a hardware token
        • LRA personnel (agency) must be identity proofed at GPO
        • Hardware token required due to the sensitive nature of the enrollment function performed
      • LRA enrolls other agency personnel at the agency; record-keeping requirements apply
      • Agency users must present themselves in person to the LRA at the agency
GPO PKI Services
• Help Desk
  • GPO provides technical assistance to users
    • Email notification by users to GPO
      • Automatically routed to GPO PKI support
    • Phone number provided for emergencies
  • Agency IT Help Desk
    • Most agencies wish end users to coordinate IT problem reporting and resolution through the agency IT Help Desk
    • GPO will work with agencies and PKI end users
      • GPO will always provide technical assistance to resolve end user PKI problems
      • Some problems turn out to be IT problems at the agency, which the agency will need to resolve
Certificate Uses • File signing • eDOCS, for example • File encryption • Email encryption and signing (S/MIME) • For Outlook email • Other uses are possible, in consultation with GPO PKI
OFR eDOCS PKI
• Background:
  • OFR eDOCS application
    • Hosted by GPO on behalf of OFR
    • Allows email submission of digitally signed files
    • Saves time and money
  • Requires the official agency submitter to have a PKI certificate
    • Requires a Medium Assurance PKI certificate
    • Requires in-person identity proofing
• GPO PKI services for the OFR eDOCS application
  • In operation since September 16, 2006
  • OFR eDOCS originally used NFC PKI (pre-September 2006)
eDOCS Document Submission Process
• Step 1: End user logs into the GPO PKI end user software (COTS client software from Entrust meeting FIPS 140-2 and Federal PKI standards, configured by GPO to interface with the FBCA cross-certified GPO PKI). The user enters their password; for the first login this is the initial password set during the certificate issuance process.
• Step 2: End user locates the file to be signed using the normal Windows file browsing process.
• Step 3: End user right-clicks the file to be signed.
• Step 4: End user selects Entrust Advanced.
• Step 5: End user selects Sign.
• Step 6: The GPO PKI software signs the file.
• Step 7: End user uses their normal agency email to send a message to the Federal Register email address, attaching the file selected and signed in Step 6.
• Step 8: Process complete.
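As an added example (not part of the original slides, and not the Entrust client that GPO provides, whose file format and menu options the slides do not describe), the following POSIX shell script shows what Step 6 and the Federal Register's receiving side amount to cryptographically, using OpenSSL's CMS tooling; CMS is also the signature format underneath the S/MIME email signing listed on the Certificate Uses slide. It builds a throwaway issuing CA, issues one submitter certificate restricted to signing, produces a detached signature over the document, verifies it against the trusted CA, and then exercises the two rejections a receiving system must make: content altered after signing, and a signer with the same name whose certificate does not chain to the trusted CA. The CA name, submitter name, file names and the $WORK directory are assumptions for the demo only.

```shell
#!/bin/sh
# Added example, not the original slides' Entrust workflow: file signing and
# verification with OpenSSL CMS (the format underneath S/MIME signatures).
# Everything below (CA name, submitter, file names, $WORK) is made up for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# One-time setup: a toy issuing CA plus one submitter certificate limited to
# signing (keyUsage digitalSignature/nonRepudiation, EKU emailProtection),
# and a self-signed certificate with no relationship to the CA (the impostor).
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Agency/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Agency/CN=Jane Submitter" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  printf 'keyUsage=critical,digitalSignature,nonRepudiation\nextendedKeyUsage=emailProtection\n' \
    > "$WORK/user.ext"
  openssl x509 -req -days 30 -in "$WORK/user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/user.ext" -out "$WORK/user.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Somebody Else/CN=Jane Submitter" \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt" 2>/dev/null
}

# Submitter side (slides' Steps 3-6): detached CMS signature over the exact
# bytes of the file (-binary: no line-ending canonicalisation). The signer
# certificate is embedded so the receiver can build the chain.
#   $1 input file, $2 output signature, $3/$4 optional cert/key override
sign_file() {
  openssl cms -sign -binary -in "$1" \
    -signer "${3:-$WORK/user.crt}" -inkey "${4:-$WORK/user.key}" \
    -outform DER -out "$2" 2>/dev/null
}

# Receiving side: the signature must match the content AND the signer must
# chain to the trusted CA; the chain check is what turns "someone signed it"
# into "an identity-proofed submitter signed it". Exit status 0 only if both hold.
#   $1 signature, $2 content file, $3 trusted CA certificate
verify_file() {
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -CAfile "$3" -out /dev/null 2>/dev/null
}

demo() {
  setup_pki
  printf 'Notice of proposed rulemaking: Example Agency, docket EA-0001\n' > "$WORK/doc.txt"
  sign_file "$WORK/doc.txt" "$WORK/doc.p7s"

  # 1. Genuine submission verifies.
  if verify_file "$WORK/doc.p7s" "$WORK/doc.txt" "$WORK/ca.crt"; then
    echo "genuine: signature and chain OK"
  fi
  # 2. Content altered after signing: digest mismatch, verification fails.
  sed 's/EA-0001/EA-0002/' "$WORK/doc.txt" > "$WORK/doc-altered.txt"
  if ! verify_file "$WORK/doc.p7s" "$WORK/doc-altered.txt" "$WORK/ca.crt"; then
    echo "altered content: rejected"
  fi
  # 3. Same subject name, but a certificate the receiver does not trust: rejected.
  sign_file "$WORK/doc.txt" "$WORK/doc-impostor.p7s" "$WORK/impostor.crt" "$WORK/impostor.key"
  if ! verify_file "$WORK/doc-impostor.p7s" "$WORK/doc.txt" "$WORK/ca.crt"; then
    echo "untrusted signer: rejected"
  fi
}

demo
```

Run it with `sh` on any system with the openssl command; the artifacts stay in $WORK, and `openssl cms -cmsout -print -inform DER -in "$WORK/doc.p7s"` shows the signer certificate and digest embedded in the signature. The third case is the one that matters for eDOCS: a valid signature alone proves nothing about who signed, so the receiver must pin trust to the GPO PKI chain that in-person identity proofing stands behind.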
GPO PKI Services – Cost Structure
• Cost Structure
  • End User Certificates: $97 per user per year
    • NOTE: Software certificate (does not apply to smartcard certificates)
  • LRA Users: $225 per LRA per year (includes hardware token)
    • LRAs perform enrollment of agency users for GPO PKI
  • Costs documented in GPO Circular Letter 744
    • URL: http://www.gpo.gov/customers/letters/744.htm
• Business Enablement:
  • SF-1 Form executed for GPO
    • Printing Officers at each federal agency are the liaison to GPO
  • Memorandum of Agreement
    • Spells out roles and responsibilities
GPO PKI Services – Getting Started
• Step 1: Execute a Standard Form 1 (SF-1) and send to GPO
  • Send to: Bobbie McKoy at GPO (contact information on last slide)
  • Sample SF-1 shown on a later slide
  • Identify the number of end users that will have certificates
  • Decide if the agency will use the Local Registration Authority (LRA) function
• Step 2: Execute a Memorandum of Agreement and send to GPO
  • Spells out roles and responsibilities
  • Send to: John Hannan at GPO (contact information on last slide)
• Step 3: Ensure agency IT support staff know about:
  • A: Entrust software installation on end user computers
    • Agencies normally review and certify software for use on agency computers
  • B: Firewall settings required (see next slide)
    • Firewall changes may be needed at some agencies (depends on agency controls)
  • C: Help Desk notification for end user problems
    • Decide how agency end users will request Help Desk support for PKI problems
    • Most common model: end users notify the agency Help Desk (using standard agency procedures); the agency Help Desk notifies the GPO PKI Help Desk, if needed
• Step 4: Install Entrust software on end user computers at the agency
  • Entrust software provided by GPO as part of the fee per user
  • Available for download at URL: http://www.gpo.gov/projects/pki.htm
• Step 5: Arrange a date and time for end users to come to GPO for in-person identity proofing (federal PKI requirement)
  • Contact John Hannan at GPO for this
Contact Information
• Technical
  • John Hannan, CISSP, Chief Information Security Officer, U.S. Government Printing Office, 202-512-1021
• Business
  • Bobbie McKoy, Assistant Director, Agency Accounts & Marketing, U.S. Government Printing Office, 202-512-1675