Trusted Identities That Drive Global Commerce
IdenTrust: NCMS Presentation
JPAS Logon changes requiring PKI credentials
Richard Jensen, October 19th 2011
Copyright ©2011 IdenTrust, Inc. | All Rights Reserved
Agenda
Summary of PKI requirement
What is PKI?
What are these things called Digital Certificates?
Who’s behind this
Types of Certificates
What’s the difference
Getting a Certificate
Where do you begin?
What’s required
Documentation and forms
Trusted Correspondent Program
Questions
So what is PKI?
In broad terms, Public Key Infrastructure (PKI) refers to the methods, technologies and techniques that together provide a secure infrastructure that enables users of a basically unsecured public network (the Internet) to securely and privately exchange information
A systemic approach where every participant agrees to abide by a specific set of rules (the Policy) regarding Identity Management
Application owners want to ensure that the people trying to access their sites really are who they say they are
End Users have someone verify their identity so they can be issued a Digital Certificate to use in online transactions or to access protected sites
Certificate Authorities (like IdenTrust) issue Digital Certificates to individuals once they are certain of a person’s identity, based on a set of rules (the Policy)
[Diagram: Policy, CA, Digital Certificates, Applications]
Who is in charge of this program?
The DoD established the External Certificate Authority (ECA) program to accommodate the issuance of DoD-approved PKI certificates to individuals who do not have, or do not qualify for, a Common Access Card (CAC). DoD is the ‘owner’ of the ECA Policy
DISA manages the ECA Program. ECA is just the name of the Certificate Policy under which the credentials are issued. DISA certifies Certificate Authorities (like IdenTrust) after the CA goes through a rigorous set of testing to meet ECA Policy requirements: Security, System Architecture, Fulfillment, Processes, Revocation, etc.
DMDC decided to accept ECA certificates for use in the JPAS system. JPAS is simply an application that relies on the integrity of ECA certificates
PKI’s ‘product’ is a Digital Certificate
A PKI Digital Certificate is a Digital Identity issued to an individual so they can:
Authenticate your identity to an online system. For JPAS this augments the username and password currently in use
Digitally sign documents. You can use your Digital Certificate to replace your wet ink signature; and
Encrypt documents and transactions. Digital Certificates allow you to send encrypted email so that only the intended recipient can view your message and attachments
What type of certificate does JPAS require?
1. ECA Medium Hardware Assurance; or 2. ECA Medium Token Assurance
Both certificate types are hardware based certificates and must be stored on a FIPS 140-2 level 2 or higher Key Storage Mechanism (KSM) per DoD policy
KSMs available are either Smart Cards (similar to CAC Cards) or USB devices
JPAS strongly recommends the KSM be in a Smart Card format. DoD facilities may not let you bring a USB token on site
What’s the difference?
Both ECA certificate types are hardware based certificates
One key difference is who performs the Identity Vetting
The hardware devices are exactly the same. However, there is a ‘mapping’ difference
ECA Medium Hardware is a higher assurance certificate than Medium Token. Some DoD applications require Medium Hardware
In either case, you must meet face to face with the person performing the identity vetting
Certificate Type              | Identity Vetting                                                                    | Mapping
ECA Medium Hardware Assurance | IdenTrust Registration Agent; Trusted Agent                                         | Medium High level of Federal Bridge
ECA Medium Token Assurance    | IdenTrust Registration Agent; Trusted Agent; Notary Public; Authorized DoD Employee | Medium level of Federal Bridge
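The two slides above make a point that is easy to lose in the paperwork: the relying application (JPAS in this deck) does not trust the KSM or the vetting process directly; it trusts a certificate that chains to an approved CA and asserts a particular certificate policy, and an application that requires Medium Hardware must reject a Medium Token certificate even though the hardware is identical. The Go program below is an added example, not code from the IdenTrust deck or from JPAS, showing what such a relying-party check looks like: chain validation to a trusted root, validity and key-usage checks, a certificatePolicies gate, and the "digitally sign documents" use from the earlier slide. The CA, the subject names and the two policy OIDs are constructed placeholders; the real ECA policy identifiers live in the ECA Certificate Policy and are not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder OIDs standing in for the two ECA assurance levels.
// They are NOT the real ECA policy OIDs (those are defined in the ECA CP).
var (
	PolicyMediumHardware = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 100, 1}
	PolicyMediumToken    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 100, 2}
)

// id-ce-certificatePolicies (RFC 5280 section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation mirrors the PolicyInformation SEQUENCE; qualifiers are
// omitted because this example never emits them.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// newCA creates a self-signed CA, standing in for an ECA-certified CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a subscriber certificate under ca that asserts exactly one
// certificate policy (its assurance level) in a certificatePolicies extension.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string, policy asn1.ObjectIdentifier) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    serial,
		Subject:         pkix.Name{CommonName: subject},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(3 * 365 * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: polDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certPolicies returns the policy OIDs asserted by a certificate (nil if none).
func certPolicies(cert *x509.Certificate) ([]asn1.ObjectIdentifier, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil {
			return nil, err
		}
		if len(rest) != 0 {
			return nil, errors.New("certificatePolicies: trailing bytes")
		}
		out := make([]asn1.ObjectIdentifier, 0, len(infos))
		for _, info := range infos {
			out = append(out, info.Policy)
		}
		return out, nil
	}
	return nil, nil
}

// relyingPartyCheck is what an application does with a presented certificate:
// chain it to a trusted root (validity period and key usage are checked by
// Verify), then require the policy OID the application demands.
func relyingPartyCheck(cert *x509.Certificate, roots *x509.CertPool, required asn1.ObjectIdentifier) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	policies, err := certPolicies(cert)
	if err != nil {
		return err
	}
	for _, p := range policies {
		if p.Equal(required) {
			return nil
		}
	}
	return fmt.Errorf("certificate does not assert required policy %v", required)
}

// signDocument and verifyDocument demonstrate the "digitally sign documents"
// use: the signature is over SHA-256 of the document, checked with the
// public key bound to the subscriber's certificate.
func signDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

func verifyDocument(cert *x509.Certificate, doc, sig []byte) error {
	return cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig)
}

func main() {
	ca, caKey, err := newCA("Example ECA (constructed)")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	hw, hwKey, _ := issue(ca, caKey, "Alice", PolicyMediumHardware)
	tok, _, _ := issue(ca, caKey, "Bob", PolicyMediumToken)
	// An application that requires Medium Hardware accepts Alice but not Bob.
	fmt.Println("Alice, Medium Hardware required:", relyingPartyCheck(hw, roots, PolicyMediumHardware))
	fmt.Println("Bob, Medium Hardware required:  ", relyingPartyCheck(tok, roots, PolicyMediumHardware))
	fmt.Println("Bob, Medium Token required:     ", relyingPartyCheck(tok, roots, PolicyMediumToken))
	doc := []byte("constructed sample document")
	sig, _ := signDocument(hwKey, doc)
	fmt.Println("signature over original:", verifyDocument(hw, doc, sig))
	fmt.Println("signature over altered: ", verifyDocument(hw, append(doc, '!'), sig))
}
```

The policy gate is the part most often skipped in practice: a chain that validates to an approved root proves the CA vouched for the identity, but only the certificatePolicies extension tells the application which vetting path (the table above) and which assurance level that vouching represents. A production relying party would also check revocation, which this example omits.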
How do you get an ECA certificate?
Choose one of the three (you’d better choose correctly!)
IdenTrust has a customized approach for JPAS
www.identrust.com/jpas
All you have to do is click on the “buy” button
www.identrust.com/jpas
Go through the on-line application process
What is required?
There are identity documents to show to the Trusted Agent or Notary
Then you both get to sign (this example is Medium Hardware)
Once for the applicant…
And once for the Trusted Correspondent…
Then you both get to sign (this example is Medium Token)
Once for the applicant…
And once for the Notary…
There is also a Subscribing Organization Agreement
Requires the signature of someone within the company who can agree to the conditions of the ECA contract for the applicant
The company acknowledges that the associate is getting a certificate as a representative of the company and agrees to allow the associate to use the certificate on the company’s behalf
Both forms are sent to the Registration department
The Registration team conducts an investigation into the likelihood that the claimed identity is genuine
They assign a “confidence score” based on a comprehensive set of criteria
Once they decide, they send an email to the applicant informing them of the decision
If favorable, they send certificate retrieval instructions
If unfavorable, they send information regarding the rejection
If successful, you’ll receive…
An email from the Registration department telling you you’ve been approved
A package with a letter on retrieval instructions and your hardware
Guidance on protecting your device
A CD with drivers and middleware so your computer can understand your certificate
Instructions on how to:
Load the drivers
Prepare the KSM
Load the private keys
Test the certificate
Once your certificate test is complete
Go to JPAS and register your certificate
Who, What, Where, When, How: Trusted Correspondent
Who: Typically in HR or Security
What: Internal associate who performs identity vetting on the company’s own employees
Where: In person appointments
When: Whenever an employee needs a certificate
How: Company ‘officer’ signs a separate agreement accepting terms/conditions for the actions of their employee to act as a Trusted Correspondent.
Your company becomes liable for the truthfulness of the identity
Agrees to rules regarding documentation and identity checking
Must follow the “letter of the law” just like we do
No short cuts, just because they’re your employees
Benefits of having your own Trusted Correspondent
No need to wait for an appointment with the CA
Allows ‘bulk loading’ for multiple users
Eliminates the need for individual users to go through the entire application process
Minimum of five per submission
All supporting documents must be included together
Streamlines processing
CA does not have to do some of the usual steps (VoE)
Reduces costs
Enhanced control
Upon termination of an employee, a TC can immediately revoke the certificate
New employees can be added quicker
May be able to resolve basic certificate issuance quicker than relying on CA
The only cost is for the certificate of the TC candidate
The TC is required to have their own Medium Hardware certificate so they can send encrypted emails back and forth to the CA
TC Addendum to Subscribing Organization Agreement
Company officer signs this agreement:
https://secure.identrust.com/certificates/policy/eca/eca-tc-addend.pdf
And begin ‘bulk loading’ your associates
TC sends completed spreadsheet via signed and encrypted email to Registration Department
Questions?
Contact Info:
Richard Jensen
Director of Government Sales, ECA Program Manager
Associate Member NCMS
256-303-9412
NCMS Members qualify for a 20% Discount
www.identrust.com/ncms