U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005

Post on 18-Dec-2015


U.S. Environmental Protection Agency

Central Data Exchange

EPA E-Authentication Pilot

NOLA Network Node Workshop

February 28, 2005


January 19, 2005


E-Authentication Background - 1

• What is E-Authentication?
  – E-Authentication is the process of confirming the identity of individuals who:
    • want to access a computer system or network, or
    • create an electronic signature.
  – E-Authentication involves issuing/managing credentials (PIN, password, digital certificate, etc.) and validating them when they are presented by an individual for sign-on or signature.


E-Authentication Background - 2

• What is the Federal E-Authentication Initiative?
  – Vision: credential re-use across computer systems
  – Goal: minimize need for multiple credentials, reducing burden on anyone who uses government systems:
    • federal employees
    • businesses
    • ordinary citizens
    • state and local government officials
  – Other Benefits:
    • Private/public sector interoperability
    • Single sign-on
    • Economies of scale – shared infrastructure for issuing, managing and validating credentials


E-Authentication Background - 3

• What is the Federal E-Authentication Architecture?
  – Design to allow computer systems to accept credentials that they did not issue
  – General Services Administration (GSA) lead
  – Key components include:
    • E-Authentication Portal
    • GSA Step-Down Translator
    • Federal Bridge
    • Accredited Certificate Authorities
  – Two approaches:
    • PKI – Federal Bridge for Certificate Authority (CA) interoperability
    • PINs/Passwords – Security Assertion Markup Language (SAML) architecture to protect secrecy of PIN or password


E-Authentication Background - 4

• GSA’s Federal Bridge
  – An “authority” that establishes that a CA’s certificates can be “trusted”
  – A hardware/software system that helps users access CA information needed to validate a certificate
• GSA’s SAML Approach
  – Establishes “trust circles” between CAs that issue PINs/Passwords (e.g. financial institutions) and government agencies that can rely on them
  – Provides architecture for E-Authentication based on SAML assertion from CA to relying government agency
  – Architecture includes E-Authentication Portal and Step-Down Translator


Network E-Authentication Pilot Overview

• An EPA/GSA partnership to show how States can use the Network to participate in E-Authentication architecture.
• Approach involves:
  – Integrating the Network with the GSA architecture;
  – Leveraging the Network’s E-Authentication interface to provide credential validation services to any State partner that can access the network;
  – States using the Network services to accept either PKI certificates or SAML assertions – for either system access or signature.
• The Pilot is currently in the planning and design phase.
• Completion is scheduled for October, 2005.


Goals

• Show that the Network can:
  – Bring credential inter-operability to our State partners
  – Provide credential validation services to States that don’t want to invest in their own PKI or SAML functionality
  – Offer enormous economies of scale for E-Authentication
• Help States meet Cross-Media Electronic Reporting and Record-keeping Rule (CROMERRR) standards, by
  – Providing access to credentials that satisfy identity-proofing requirements, that States don’t have to issue/manage
  – Allowing use of digital signatures without States having to acquire their own PKI capabilities.


Requirements of States to Participate

• Ideally, participating States would have:
  – A Web browser-based application that requires user authentication, and would benefit by upgrading to SAML- or interoperable PKI-based authentication
  – 2 hours/week (Mar 05 – Oct 05) to invest in weekly work sessions
  – Up to 40-80 hours to upgrade their systems to interface with E-Authentication components
• Participants start by filling in a questionnaire to determine how well their application would fit into the Pilot
• EPA’s Office of Environmental Information (OEI) will provide participating States with all the software, credentials, and technical support they need for the Pilot


Benefits to Pilot Participants

1. Experience using CDX/E-Authentication services, with GSA-subsidized technical support, including access to designers of the E-Authentication infrastructure.

2. The chance to help shape how EPA/GSA offer E-Authentication services to States -- so that they take account of any special participant needs.

3. Information to help make better long-term system investment decisions, with a better understanding of the available E-Authentication options.


For more information, contact:

David Schwarz

202-566-1704

[email protected]