Federal PKI Architecture Update

Peter Alterman, Ph.D.

Chair, Federal PKI Policy Authority

Posted 14-Dec-2015

OASIS PKI 2

View from 20,000 km

[Diagram, shown twice in the deck (once bare, once with member names): the Federal Bridge CA (FBCA) at the centre, cross-certified with the entities below. Grouping follows the diagram layout; the question marks are in the original.]

• C4
• eGCA (3)
• Common Policy CA, serving all other agencies through Shared Service Providers (SSPs): VeriSign, Cybertrust, ORC, Treasury, GPO?, Exostar, Entrust, IdenTrust?
• Cross-certified government PKIs: DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, Treasury, Wells Fargo, MIT LL, UTexas, Sx. Total: 12-15M users
• CertiPath (CertiPath SSP): Boeing, Raytheon, Lockheed Martin
• SAFE industry PKIs: Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals, Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research
• EAF member CSPs (TLS certs); USHER?


Simplified Diagram of U.S. Federal PKI

[Diagram: the Federal Bridge CA cross-certified with the C4 CA, the E-Gov CAs (3), the Common Policy CA, cross-certified government PKIs, cross-certified external PKIs (?), and eAuth CSPs. The Shared Service Provider PKIs hang off the Common Policy CA, which supplies the Common Policy OID and root cert.]


LOA Mapping

E-Auth Level 1    FPKI Rudimentary; C4
E-Auth Level 2    FPKI Basic
E-Auth Level 3    FPKI Medium & Medium-cbp
E-Auth Level 4    FPKI Medium/HW & Medium/HW-cbp; FPKI High (governments only)


Federal Bridge Works

[Process diagram, read as a sequence:]

• Cross-certification process completes
• FBCA issues cross-certificates
• Populates directories (LDAP & X.500)
• Routinely issues CRL/ARL
• OCSP responder
• Cert profile: policy mapping, excluded subtrees
• Cert profile: AIA/SIA extensions
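The two cert-profile items on this slide (policy mapping and excluded subtrees) are what let a relying party in one domain accept a certificate issued in another at a known assurance level, and the add-on PD/Val tooling that slide 10 says native operating systems lack is what has to find and evaluate the cross-certificate chain. The following is an added example written for this page, not code from the deck or from the FPKI: a simplified RFC 5280 path discovery and validation over constructed certificate records. The FPKI policy OIDs are as I recall them from the FBCA and Common Policy CPs and should be verified against the current CPs; the Agency X OID arc, the DNs and the "Contractor Corp" excluded subtree are hypothetical. Signatures, validity periods and revocation (CRL/ARL, OCSP) are deliberately not modelled.

```python
"""Simplified RFC 5280 path discovery and validation across a bridge CA.

Added example, not from the deck. Certificates are plain records, DNs are
tuples of RDNs from the root, and only the controls the slide names are
modelled: certificate policies, policy mappings and excluded-subtree name
constraints. Signatures, validity dates, CRL/ARL and OCSP are not checked.
"""
from dataclasses import dataclass, field

# Policy OIDs. The FPKI values are as I recall them from the FBCA and Common
# Policy CPs (assumption: verify against the current CPs before reuse); the
# Agency X arc under 1.3.6.1.4.1.99999 is hypothetical.
COMMON_POLICY = "2.16.840.1.101.3.2.1.3.6"  # id-fpki-common-policy
FBCA_MEDIUM = "2.16.840.1.101.3.2.1.3.3"    # id-fpki-certpcy-mediumAssurance
FBCA_BASIC = "2.16.840.1.101.3.2.1.3.2"     # id-fpki-certpcy-basicAssurance
AGENCY_MEDIUM = "1.3.6.1.4.1.99999.1.2"     # hypothetical agency medium policy
AGENCY_BASIC = "1.3.6.1.4.1.99999.1.1"      # hypothetical agency basic policy


@dataclass
class Cert:
    subject: tuple
    issuer: tuple
    policies: frozenset                                  # certificatePolicies
    policy_mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> {subjectDomainPolicy}
    excluded_subtrees: tuple = ()                        # nameConstraints excludedSubtrees (DN prefixes)
    is_ca: bool = True


class PathValidationError(Exception):
    pass


def in_subtree(dn, subtree):
    """True if dn sits under the directory subtree (prefix match on RDNs)."""
    return dn[: len(subtree)] == subtree


def discover_paths(ee, pool, trust_anchors):
    """Follow issuer links upward, as a client follows AIA caIssuers pointers,
    and return every chain [top cross-cert, ..., ee] ending at a trust anchor."""
    paths = []

    def walk(cert, chain):
        if cert.issuer in trust_anchors:
            paths.append(chain)
            return
        for cand in pool:
            if cand.is_ca and cand.subject == cert.issuer and cand not in chain:
                walk(cand, [cand] + chain)

    walk(ee, [ee])
    return paths


def validate_path(path, initial_policies):
    """Return the relying-party policies the path satisfies, or raise.
    'expected' holds acceptable policies in the vocabulary of the cert being
    examined, each tagged with the initial policies it descends from; a
    cert's policyMappings translate it into the next cert's vocabulary."""
    expected = {p: {p} for p in initial_policies}
    excluded = []
    for cert in path:
        for sub in excluded:
            if in_subtree(cert.subject, sub):
                raise PathValidationError(f"{cert.subject[-1]} lies in an excluded subtree")
        matched = {p: o for p, o in expected.items() if p in cert.policies}
        if not matched:
            raise PathValidationError(f"{cert.subject[-1]}: no acceptable policy")
        translated = {}
        for p, origins in matched.items():
            for q in cert.policy_mappings.get(p, {p}):  # unmapped policies carry over
                translated.setdefault(q, set()).update(origins)
        expected = translated
        excluded.extend(cert.excluded_subtrees)       # constraints bind all later certs
    return set().union(*expected.values())


# Constructed sample PKI (illustrative names, not real FPKI DNs).
COMMON_ROOT = ("C=US", "O=U.S. Government", "OU=FPKI", "CN=Federal Common Policy CA")
FBCA_NAME = ("C=US", "O=U.S. Government", "OU=FPKI", "CN=Federal Bridge CA")
AGENCY_CA = ("C=US", "O=Agency X", "CN=Agency X CA")

# Common Policy CA -> FBCA cross-certificate: common-policy maps to FBCA medium.
XCERT_COMMON_TO_FBCA = Cert(FBCA_NAME, COMMON_ROOT, frozenset({COMMON_POLICY}),
                            {COMMON_POLICY: {FBCA_MEDIUM}})
# FBCA -> Agency X cross-certificate: maps FBCA policies to the agency's own
# OIDs and excludes a namespace Agency X may not certify.
XCERT_FBCA_TO_AGENCY = Cert(AGENCY_CA, FBCA_NAME, frozenset({FBCA_MEDIUM, FBCA_BASIC}),
                            {FBCA_MEDIUM: {AGENCY_MEDIUM}, FBCA_BASIC: {AGENCY_BASIC}},
                            excluded_subtrees=(("C=US", "O=Contractor Corp"),))
POOL = [XCERT_COMMON_TO_FBCA, XCERT_FBCA_TO_AGENCY]

EE_MEDIUM = Cert(("C=US", "O=Agency X", "CN=Alice"), AGENCY_CA, frozenset({AGENCY_MEDIUM}), is_ca=False)
EE_BASIC = Cert(("C=US", "O=Agency X", "CN=Bob"), AGENCY_CA, frozenset({AGENCY_BASIC}), is_ca=False)
EE_EXCLUDED = Cert(("C=US", "O=Contractor Corp", "CN=Carol"), AGENCY_CA, frozenset({AGENCY_MEDIUM}), is_ca=False)


def check(ee, initial_policies=frozenset({COMMON_POLICY}), anchors=frozenset({COMMON_ROOT})):
    """Discover candidate paths for ee and validate them; return (accepted, detail)."""
    detail = "no path to a trust anchor"
    for path in discover_paths(ee, POOL, anchors):
        try:
            return True, validate_path(path, initial_policies)
        except PathValidationError as exc:
            detail = str(exc)
    return False, detail


if __name__ == "__main__":
    for ee in (EE_MEDIUM, EE_BASIC, EE_EXCLUDED):
        print(ee.subject[-1], check(ee))
```

Run as a script it shows the three outcomes a bridge is meant to produce: Alice's medium-assurance agency certificate is accepted under id-fpki-common-policy because the two cross-certificates chain the mappings common-policy to FBCA medium to Agency X medium; Bob's basic-assurance certificate is rejected even though the FBCA maps basic too, because the relying party only asked for the common-policy level; and Carol's certificate is rejected by the excluded subtree the FBCA put in Agency X's cross-certificate. Calling check() with the FBCA itself as trust anchor and FBCA basic as the initial policy accepts Bob, which is the relying-party-side choice the LOA mapping slide is about.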


Federal Bridge Info

• FIPS 140-2 Level 3 HSM
• Online CAs on double-firewalled, one-way, discrete network with backup T-1 connections
• ISODE M-Vault directories
• Tepid backup site
• Disaster recovery site
• 24x7 help desk, architected for 99.5% uptime
• Evolving monitoring architecture
• Vendor operations transfer in process


Notional FBCA Directory Implementation*

This diagram shows:
• LDAP access from email clients to support address lookup.
• LDAP access from an application, to provide user authentication.
• Directory management using Isode's Enterprise Directory Management tool.
• Data management using Isode's Directory Data Management tool.
• A Certification Authority, such as Entrust, accessing and managing data in M-Vault.
• X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500-capable directory.
• LDAP chaining to access data in a peer departmental LDAP directory.
• Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience.

*From ISODE website


FBCA Cross Certification Process

• Application - LOA?
• Policy mapping
  – Mapping matrices online
  – Cert Policy WG mapping review
  – Collegial back-and-forth discussions
• Technical interoperability testing
  – With prototype instance of FBCA
  – Testing protocol online
  – Directory and profiles tested (LDAP and X.500)
• Review of summary of independent audit results
  – Map CP to CPS, and CPS to PKI operations
  – Independent auditors, not FPKI auditors
• Whole process laid out in "Criteria & Methodology" document online


Path Discovery and Validation

• Trust lists can work but:
  – Don't scale, are rigid and don't give level of assurance
• Bridges can work but:
  – Aren't supported in native OSs, so require add-on PD/Val tools
• NIST and FPKI developed test suite for PD/Val products/services
  – 4 products, 2 services passed so far (see the website)
  – Deploy on website, desktop, within enterprise or outsource...


Grids and Enterprise PKIs

• Different from the administration and architecture perspectives
• Overlap from the end user perspective
• Cross-certification and interoperability solve the problem

[Diagram: a Grid PKI with its own CP and an Institution PKI with its own CP, cross-certified. The end user holds a single cert, used as Grid ID for project(s) and as Institution ID for AuthN.]


Business Case for XCert

• Simplify trust and control decisions
• Extend value of issued credentials
• Scalable trust at known LOA
  – Rely on trusted CSPs instead of managing issued credentials


Resources

• www.cio.gov/fpkipa

• http://csrc.nist.gov/pki

• www.cio.gov/ficc

• www.cio.gov/fbca