Federal Initiatives in IdM
Dr. Peter Alterman
Chair, Federal PKI Policy Authority
Wilmington, NC, November 2005
HSPD-12
• Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05
• Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06
• Authorization remains a local prerogative
E-Authentication
• Initiatives
  – Assessment Framework for Credentials: evaluating the level of assurance (LOA) of identity of credential service providers
  – Membership in Liberty Alliance
  – Frequent meetings with Microsoft
  – Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team
E-Authentication: CAF
• Credential Assessment Framework consists of the following:
  – A structured methodology and procedures for evaluating the LOA of a CSP’s credentials
  – An assessment team that goes out and evaluates CSPs
  – A process for conflict resolution
  – Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website
E-Authentication: Interfed Interop
• InCommon Higher Education Identity Federation
  – Using Shibboleth middleware technical protocols
  – Policy-light
• E-Authentication US Identity Federation
  – Using a variety of technical protocols
  – Policy intensive
What Are Electronic Identity Federations?
• Associations of electronic identity credential providers and credential consumers (electronic service providers) who:
  – Agree to trust each others’ credentials;
  – Agree to hold credential providers authoritative for the validity of their credentials;
  – Agree to use common communications protocols and procedures to enable interoperability;
  – Agree to common business rules
Purpose of Electronic Identity Federations
• To enable trusted electronic business transactions between end users and service providers where the service provider does not have to issue and manage identity credentials, including attributes.
• It’s all a matter of scaling...
• No, it’s also a matter of control
Characteristics of Identity Federations
• Credential providers
• Service providers
• Standards and protocols for technical interoperability among credential providers, service providers, end users and infrastructure utilities
• A governance mechanism to assert common business rules, to ensure credentials can be used and trusted by all members of the federation, and to serve as a central control point for entry and exit of members
Accomplishments to Date
• Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2
• Production-level interoperability built into Shibboleth 1.3 (in beta)
• Extensive groundwork done on identifying policy and procedure mapping/treaty requirements
• Credential Assessment of 3 Universities, fourth scheduled
Work in Progress
• Development of common SAML 2.0 schemes
• Development of common USPerson profile and profile management infrastructure
• Development of production-quality scheme translator
• Ongoing work to enable cross-federation trust and interoperability
• NSF FastLane to accept 3 universities’ Shibboleth-based identity and attribute credentials on or before December 2005 (slippage)
Unresolved Issues
• Mapping null attributes
• Ensuring privacy of attribute information in a variety of instances
• Portal integration
• Scaling issues for listing credential providers
• Issues of transitivity across federations
• Multiple authoritative sources/conflicting authoritative sources
• Vocabulary and “data dictionary” issues
• Liability and indemnification issues
Federal PKI Architecture
• Agency and other government PKIs required to cross-certify with the Federal Bridge CA
• As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program
• The architecture issues TLS/SSL certs to credential service providers that have been assessed under the CAF, to provide mutual authentication
• Federal Bridge CA serves as “point of insertion” for external PKIs and other bridges.
Simplified Diagram of Federal PKI
[Diagram: Federal Bridge CA; C4 CA; E-Gov CAs (3); Common Policy CA (Common Policy OID and root cert); Cross-Certified gov PKIs; Cross-Certified External PKIs; eAuth CSPs; Shared Service Provider PKIs]
LOA Mapping: E-Auth to Fed PKI
• E-Auth Level 1 – FPKI Rudimentary, C4
• E-Auth Level 2 – FPKI Basic
• E-Auth Level 3 – FPKI Medium & Medium-cbp
• E-Auth Level 4 – FPKI Medium/HW & Medium/HW-cbp; FPKI High (government only)
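As an added example (not part of the presentation and not the Federal PKI's own code), the following Python models the hub-and-spoke topology of the Federal PKI Architecture and diagram slides and the LOA mapping above: a relying party that trusts only the Common Policy CA discovers a path through the Federal Bridge CA to an issuing CA, narrows assurance to the weakest policy asserted along that path (a deliberate simplification of X.509 policy mapping and intersection), and converts the result to an E-Auth level. All CA names, the cross-certificate edges and the policy labels on them are constructed for illustration.

```python
# Added example, not from the presentation: toy model of the bridge topology on the
# "Simplified Diagram of Federal PKI" slide, with assurance narrowed to the weakest
# policy on the trust path (a simplification of X.509 policy mapping). Names are made up.
from collections import deque

# FPKI policy -> E-Auth level, as on the LOA Mapping slide.
FPKI_TO_EAUTH = {"rudimentary": 1, "c4": 1, "basic": 2, "medium": 3,
                 "medium-cbp": 3, "medium-hw": 4, "medium-hw-cbp": 4, "high": 4}
RANK = {"rudimentary": 0, "c4": 0, "basic": 1, "medium": 2, "medium-cbp": 2,
        "medium-hw": 3, "medium-hw-cbp": 3, "high": 4}

# Constructed cross-certificates: (issuer, subject, policy the issuer maps onto
# the subject). Each PKI cross-certifies with the bridge, not with each other.
CROSS_CERTS = [
    ("CommonPolicyCA", "FederalBridgeCA", "medium-hw"),
    ("FederalBridgeCA", "CommonPolicyCA", "medium-hw"),
    ("FederalBridgeCA", "AgencyPKI", "medium"),    # cross-certified gov PKI
    ("FederalBridgeCA", "ExternalPKI", "basic"),   # cross-certified external PKI
    ("FederalBridgeCA", "C4CA", "c4"),
]

def weaker(a, b):
    """Lower-assurance of two policies; None means 'not yet constrained'."""
    if a is None:
        return b
    return a if RANK[a] <= RANK[b] else b

def find_path(anchor, issuing_ca):
    """Breadth-first search from the trust anchor along cross-certificates.
    Returns (list of CA names, weakest policy on the path) or None."""
    queue = deque([(anchor, [anchor], None)])
    seen = {anchor}
    while queue:
        ca, path, weakest = queue.popleft()
        if ca == issuing_ca:
            return path, weakest
        for issuer, subject, policy in CROSS_CERTS:
            if issuer == ca and subject not in seen:
                seen.add(subject)
                queue.append((subject, path + [subject], weaker(weakest, policy)))
    return None

def eauth_level(anchor, issuing_ca, ee_policy):
    """E-Auth level a relying party trusting `anchor` can grant a certificate
    issued by `issuing_ca` under `ee_policy`; 0 when no trust path exists."""
    found = find_path(anchor, issuing_ca)
    if found is None:
        return 0
    return FPKI_TO_EAUTH[weaker(found[1], ee_policy)]
```

The point the model makes is the one on the architecture slide: an external PKI's certificate can be accepted by a Common Policy relying party only via the bridge, and the bridge's cross-certificate caps the assurance regardless of what the end-entity certificate claims.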