1 / 16

Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop. Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health. Topics. Introduction and Background Certificate Path Discovery and Validation

mircea
Download Presentation

Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the PromiseDartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

  2. Topics • Introduction and Background • Certificate Path Discovery and Validation • Automated Receipt Server • Automated Archive Log • Questions

  3. Project Motivators • Government Paperwork Elimination Act (GPEA) • Move paperwork-based transactions to electronic applications through the Internet • Quicksilver Projects • List of applications for e-Government services, including e-Authentication and e-forms • E-Authentication focuses on authenticating electronic identity credentials to authenticate citizens or business access

  4. NIH-EDUCAUSE PKI Interoperability Project • Funded by the Federal PKI Steering Committee to develop models and technology to allow locally-issued digital certificates to be used to sign digital versions of government forms

  5. Benefits to Higher Education • Universities and colleges are adopting digital signature technology for many reasons. It is vital that electronic credentials be reusable. • The project enables secure electronic forms-based transactions among diverse, unaffiliated business partners (including, but not limited to, the Federal Government) • Project is universally applicable for all forms-based business transactions requiring one or more signatures

  6. Accomplishments • Certificate path discovery and validation infrastructure • Operational PKI bridge pathway between prototype of the FBCA and prototype of the HEBCA, which is funded and operated by EDUCAUSE • Resolution of multiple certificate configuration and directory interoperability issues • Ability for faculty and staff at academic institutions to download, complete, digital signing (two digital signatures), and send XML forms to US Government • Automated receipt to submitter • NARA requirements for audit logs

  7. U N V E R S T Y HEBCA Internet CA - Research Institution Federal Government Digitally Signed App. Digitally Signed App. Digitally Signed App. Digitally Signed App. FBCA CAM Server ACL Database Applicant or Co-Signer Internal Agency Backend workflow I B M Receipt Server Agency Server Audit U N I V E R S I T Y Log (NARA) Applicant or Business Concept of Operations

  8. FBCA • X.500 Based Directory • Directories Interconnect via Chaining (X.500 DSP)

  9. HEBCA • LDAP Based Directory • Utilizing the Registry of Directories • Utilizing LDAP Referrals

  10. Path Discovery and Validation • Certificate submitted to CAM • Based on Trust Anchor CAM accesses the FBCA • At FBCA find a Cross Certificate to HEBCA • Cross Certificate points to the HEBCA • At HEBCA find a Cross Certificate to University 2 PKI • Return LDAP referral to the CAM • CAM directly follow the referral to University 2 information

  11. Path Discovery / Path Validation Lessons • Publish all CA certificates within the directory using subjectDN found in the certificate • Consistently populate Certificate Extensions wherever possible • Minimize mixing of LDAP, HTTP, and X.500 methods • Get the SKID and AKID correctly populated • During cross certification, verify that policyMapping and nameConstraints are correctly defined • Path Discovery/Path Validation as well as Tools are still evolving. (Ongoing work)

  12. Email Server SSL/WEB Server Directory OCSP CAM Automated Receipt Server Application Flow Public DMZ Secure Remote CA Applicant Archive Database Co-signer ACL Database

  13. Automated Archive Log • Trustworthiness of electronically signed XML forms and associated transactions was ensured by: • Storing the original digitally signed electronic form received in the NARA archive XML document • Digital signature on NARA archive XML document included authenticated timestamp as part of the signature • NARA Archive XML document included digital certificate for verification purposes for each signatory on the original digitally signed XML form • NARA Archive XML document provided for signature verification at any time for each signatory on the original digitally signed electronic form • NARA Archive XML document included a certificate validation result (from CAM) for each signatory on the original digitally signed electronic form, the receipt signer’s own certificate validation result and an authenticated attribute of its signature • Long-term integral storage of all of the above items will be achieved by optical media back-up of the archive database.

  14. Schools Completing Successful Interoperability Testing • Dartmouth College • University of Alabama-Birmingham • University of Wisconsin-Madison • University of California

  15. Participating Organizations

  16. Questions?

More Related