The Federal Bridge Certification Authority: Evolving Issues in Electronic Data Collection, January 10, 2000. Stanley J. Choffrey, stanley.choffrey@gsa.gov, (202) 708-7943.


Presentation Transcript


  1. The Federal Bridge Certification Authority
     Evolving Issues in Electronic Data Collection
     January 10, 2000
     Stanley J. Choffrey, stanley.choffrey@gsa.gov, (202) 708-7943

  2. The Federal Bridge Certification Authority
     The Federal Bridge Certification Authority (FBCA) will be the unifying element that links otherwise unconnected agency Certification Authorities (CAs) into a systematic overall Federal PKI. The FBCA functions as a non-hierarchical hub: a relying party agency can build a certificate trust path from its own domain back to the domain of the agency that issued the certificate, so that the levels of assurance honored by disparate PKIs can be reconciled.

  3. (Diagram) The FBCA, using FIPS 140-1 Level 3 cryptography, cross-certified with the CAs of Trust Domain 1 and Trust Domain 2 (each also with FIPS 140-1 Level 3 cryptography). Each domain's directory infrastructure (Directory Infrastructure 1 and 2) publishes cross certificates and CRLs; the FBCA directory publishes cross certificates and an ARL. A Directory System Agent serves S/MIME email clients, which perform path discovery, certificate retrieval and verification, and certificate validation.

  4. FBCA EMA Challenge Configuration (diagram)
     • CyberTrust Client: Eudora E-mail (S/MIME v3), Entrust Application with Certificate Path Validation, CyberTrust Certificate, Gemplus v1 or DataKey SmartCard
     • Entrust Client: Eudora E-mail (S/MIME v3), Entrust Application with Certificate Path Validation, Entrust Certificate, Spyrus Lynks Card
     • Mitretek Border Router: Bay ASN.1 Router, CheckPoint Firewall (connected to the Internet)
     • FBCA Directory System: Dell PowerEdge 2300, NT 4.0 Server, 256MB RAM, 9GB Hard Drives (2), Tape Backup, PeerLogic i500 Directory
     • Entrust CA with LunaCA3 Crypto Module
     • CyberTrust Enterprise CA / CyberTrust CA with SafeKeyper Crypto Module
     • DOD Bridge Demo CA
     • Two further server specifications appear on the slide: Dell PowerEdge 2300, NT 4.0 Server, 128 MB RAM, 9GB Hard Drives (2), 10BaseT Ethernet NIC, Tape Backup, PeerLogic i500 Directory, UPS; and Sun Ultra 10, Solaris OS, 512 MB RAM, 9.1 GB Hard Drives (2), Tape Backup, Oracle DB

  5. Federal Bridge Certification Authority EMA Challenge Overview (diagram, GSA): the Federal Bridge Certification Authority cross-certified with the Canadian CA, the Entrust CA, the Cybertrust CA and the DoD Bridge Certification Authority; beneath these, PCAs and CAs for NASA, GTRI, NIST (CA1 and CA2), Navy, Treasury and DISA, with clients running Eudora v4, Eudora/SFL and MS Exchange v5.

  6. Directory Configuration (diagram; entries as recoverable from the slide)
     • Canada (Nexor): cn=NEXOR; c=CA; o=GC; ou=HMCCA; IP address 209.47.49.138; DAP/DSP port 19970; LDAP port 389
     • Federal Bridge Certification Authority (Peerlogic): cn=FBCA_Directory; c=US; o=U.S. Government; ou=FBCA; IP address 198.76.35.155; DSP port 102; LDAP port 389; TSEL: TCP/IP; chaining
     • GTRI (Peerlogic): cn=PKIL-DSA; c=US; o=PKIL / o=Georgia / o=CISA; IP address 130.207.204.30; DSP port 17003; LDAP port 389; TCP/IP; chaining
     • NASA (CDS): cn=NASA5; c=US; o=NASA5; cn=NASA5 and cn=EntrustCA; IP address 128.102.84.79; DSP port 17019; LDAP port 389; TSEL: TCP/IP
     • NIST (Peerlogic): cn=NIST; c=US; o=U.S. Government; ou=NIST; ou=Experimental CA1 and ou=Experimental CA2; IP address 129.6.20.33; DSP port 102; LDAP port 389; TSEL 0x5000; TCP/IP
     • DoD Bridge Certification Authority (Chromatix): cn=BCAP (BCA Server); c=US; o=U.S. Government; ou=DoD; IP address 216.4.247.66; DSP port 20006; LDAP port 406; TCP/IP
     • Spyrus NSA CA-TBR: c=US; o=U.S. Government; ou=DoD; ou=NSA
     • Also shown: GSA/FTS (Peerlogic), and the DNs c=US; o=Test BCA, c=US; o=Entrust; ou=Federal, and c=US; o=U.S. National

  7. Federal Organization

  8. Federal PKI Policy Authority
     • Voluntary interagency group, NOT an "agency"
     • Six charter members: DOJ, DOD, OMB, GSA, Treasury, DOC
     • Governing body for FBCA interoperability
     • Responsible for Certificate Policy
       • Agency/FBCA certificate policy mappings
     • Oversees operation of FBCA
       • Authorizes issuance of FBCA certificates
     • Responsible for Certificate Practices Statement
     • Under Federal CIO Council

  9. What will it take to use the FBCA?
     • Policy mapping of certificate policies
     • Careful management of cross-certs to limit transitive trust
     • Directory interoperability
     • Client software that does cert path discovery and processing
     • Appropriate liability language for interoperability with non-gov’t parties

  10. The current version of this CP does not provide for interoperability through the FBCA between Federal Agency PKI domains and those of parties who are external to the Federal government and who have no regulatory or contractual relationship with the Federal government. Such interoperability will be established when directed by the FPKIPA and will require changes to this CP to address issues associated with liability and other matters. Nonetheless, it is the ultimate intent of the FPKIPA to make the FBCA available to support interoperability between Federal and non-Federal entities. Moreover, interoperability with entities external to the Federal government for purposes of technical testing may be performed when directed by, and in a fashion determined by, the FPKIPA, employing the "Test" level of assurance. Additionally, certificates issued by the FBCA will ensure that appropriate controls are placed on the acceptance of certificates issued by CAs external to the Federal government, for example through the use of the nameConstraints extension.
      (X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA), 1.1.4)
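The bridge model of slide 2 and the requirements of slides 9 and 10 (policy mapping, cross-certificates that limit transitive trust, client-side path discovery, and nameConstraints on CAs external to the government) can be shown together in a small simulation. The following Python is an added example, not code from the presentation or from any FBCA software; the CA names, policy labels and the cross-certificate mesh are constructed for illustration, and real certificates carry policy OIDs and X.509 extensions rather than these readable labels.

```python
from collections import deque

# Constructed cross-certificate mesh (not from the slides). Each entry is a
# cross-certificate issued by one CA to another, carrying:
#   policy mappings : issuer-domain policy -> subject-domain policy
#   nameConstraints : permitted DN suffix for subjects reached via this hop, or None
CROSS_CERTS = [
    ("AgencyA-CA", "FBCA",        {"A-medium": "FBCA-medium"},                        None),
    ("FBCA",       "AgencyA-CA",  {"FBCA-medium": "A-medium"},                        None),
    ("AgencyB-CA", "FBCA",        {"B-medium": "FBCA-medium", "B-high": "FBCA-high"}, None),
    ("FBCA",       "AgencyB-CA",  {"FBCA-medium": "B-medium"},                        None),
    # External party: accepted only for names under its own organisation.
    ("FBCA",       "External-CA", {"FBCA-medium": "Ext-medium"}, "o=ExternalCorp,c=US"),
]

def find_path(trust_anchor, issuing_ca, policy, subject_dn, certs=CROSS_CERTS):
    """Breadth-first path discovery from the relying party's trust anchor to the
    CA that issued the end-entity certificate. A hop is usable only if the
    cross-certificate maps the policy currently held (an unmapped policy stops
    transitive trust at that hop) and its nameConstraints, if any, permit the
    end-entity subject. Returns (CAs on the path, policy expressed in the
    issuing CA's domain), or None when no acceptable path exists."""
    queue = deque([(trust_anchor, policy, [trust_anchor])])
    seen = {(trust_anchor, policy)}
    while queue:
        ca, pol, path = queue.popleft()
        if ca == issuing_ca:
            return path, pol
        for issuer, subject, mappings, permitted in certs:
            if issuer != ca or pol not in mappings:
                continue   # not issued by this CA, or policy not mapped across the hop
            if permitted is not None and not subject_dn.endswith(permitted):
                continue   # nameConstraints exclude this subject name
            state = (subject, mappings[pol])
            if state not in seen:
                seen.add(state)
                queue.append((subject, mappings[pol], path + [subject]))
    return None

if __name__ == "__main__":
    # Medium assurance crosses the bridge; B-high does not, because the FBCA
    # never mapped FBCA-high into Agency A's domain; OtherCorp is outside the
    # permitted subtree of the external CA's cross-certificate.
    print(find_path("AgencyA-CA", "AgencyB-CA", "A-medium", "cn=Bob,o=AgencyB,c=US"))
    print(find_path("AgencyB-CA", "AgencyA-CA", "B-high", "cn=Ann,o=AgencyA,c=US"))
    print(find_path("AgencyA-CA", "External-CA", "A-medium", "cn=Eve,o=OtherCorp,c=US"))
```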