Federal PKI Architecture Update
Peter Alterman, Ph.D., Chair, Federal PKI Policy Authority
OASIS PKI
Slides: 13

View from 20,000 km (architecture diagram)
Nodes shown: Common Policy CA; Shared Service Providers (SSPs) serving all other agencies; Federal Bridge CA (FBCA); CertiPath SSP; SAFE; C4; CertiPath industry PKIs; E-Gov CAs (E-GCA, 3)

View from 20,000 km (detailed diagram)
Common Policy CA: total 12–15 M users
Shared Service Providers (SSPs), serving all other agencies: VeriSign, Cybertrust, ORC, Treasury, GPO?, Exostar, Entrust, IdenTrust?
PKIs cross-certified with the FBCA: DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, Treasury, Wells Fargo, MIT LL, UTexas.Sx
Also attached to the FBCA: CertiPath SSP, SAFE, C4, USHER?, E-Gov CAs (E-GCA, 3), EAF member CSPs (TLS certs)
CertiPath industry PKIs: Boeing, Raytheon, Lockheed Martin
SAFE (biopharma) industry PKIs: Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research, Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals

Simplified Diagram of U.S. Federal PKI
Components shown: Federal Bridge CA; Common Policy CA; C4 CA; E-Gov CAs (3); Shared Service Provider PKIs (under the Common Policy OID and root cert); cross-certified government PKIs; cross-certified external PKIs; E-Auth CSPs (?)

LOA Mapping
E-Auth Level 1: FPKI Rudimentary; C4
E-Auth Level 2: FPKI Basic
E-Auth Level 3: FPKI Medium and Medium-CBP
E-Auth Level 4: FPKI Medium/HW and Medium/HW-CBP
(FPKI High: governments only)

Federal Bridge Works
• Cross-certification process completes
• FBCA issues cross-certificates
• Populates directories (LDAP and X.500)
• Cert profile: AIA/SIA extensions
• Routinely issues CRL/ARL
• OCSP responder
• Cert profile: PolicyMapping, Excluded Subtrees

Federal Bridge Info
• FIPS 140-2 Level 3 HSM
• Online CAs on a double-firewalled, one-way, discrete network with backup T-1 connections
• Isode M-Vault directories
• Tepid backup site
• Disaster recovery site
• 24x7 help desk, architected for 99.5% uptime
• Evolving monitoring architecture
• Vendor operations transfer in process

Notional FBCA Directory Implementation*
This diagram shows:
• LDAP access from email clients to support address lookup
• LDAP access from an application to provide user authentication
• Directory management using Isode's Enterprise Directory Management tool
• Data management using Isode's Directory Data Management tool
• A Certification Authority, such as Entrust, accessing and managing data in M-Vault
• X.500 chaining using the X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500-capable directory
• LDAP chaining to access data in a peer departmental LDAP directory
• Data replication using the X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments, increasing performance and resilience
*From the Isode website

FBCA Cross Certification Process
• Application: LOA?
• Policy mapping
  – Mapping matrices online
  – Cert Policy WG mapping review
  – Collegial back-and-forth discussions
• Technical interoperability testing
  – With a prototype instance of the FBCA
  – Testing protocol online
  – Directory and profiles tested (LDAP and X.500)
• Review of a summary of independent audit results
  – Map CP to CPS and CPS to PKI operations
  – Independent auditors, not FPKI auditors
• Whole process laid out in the "Criteria & Methodology" document online

Path Discovery and Validation
• Trust lists can work, but:
  – They don't scale, are rigid, and don't convey a level of assurance
• Bridges can work, but:
  – They aren't supported natively by OSs, so they require add-on PD/Val tools
• NIST and the FPKI developed a test suite for PD/Val products/services
  – 4 products and 2 services have passed so far (see the website)
  – Deploy on a website, on the desktop, within the enterprise, or outsource...
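The bridge mechanics described on the "Federal Bridge Works", "FBCA Cross Certification Process" and "Path Discovery and Validation" slides (cross-certificates carrying PolicyMapping and excluded subtrees, and the add-on path discovery/validation a relying party needs to walk them) are shown in the added example below. It is not code from the presentation or from any FPKI product or PD/Val tool: it uses a simplified certificate model instead of real X.509, symbolic policy names in place of the actual FBCA and Common Policy OIDs, and constructed CA names, cross-certificates and end-entity certificates.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Simplified certificate model (not real X.509): only the fields a bridge
# path validator consults. Policy names are symbolic stand-ins for the real
# FBCA / Common Policy OIDs; every CA name and cross-cert below is constructed.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: FrozenSet[str]                           # certificatePolicies
    policy_mappings: Tuple[Tuple[str, str], ...] = ()  # (issuerDomainPolicy, subjectDomainPolicy)
    excluded_subtrees: Tuple[str, ...] = ()            # nameConstraints excludedSubtrees (DN suffixes)
    is_ca: bool = True


def in_subtree(dn: str, base: str) -> bool:
    """DN-suffix test: 'CN=Bob,O=X,C=US' is inside the subtree 'O=X,C=US'."""
    return dn == base or dn.endswith("," + base)


def step(acceptable: FrozenSet[str], excluded: Tuple[str, ...],
         cert: Cert) -> Optional[Tuple[FrozenSet[str], Tuple[str, ...]]]:
    """Process one certificate; return the new validator state, or None if the path fails here."""
    # Excluded subtrees from earlier cross-certs constrain every later subject name.
    if any(in_subtree(cert.subject, base) for base in excluded):
        return None
    # The cert must assert a policy the relying party still accepts (no anyPolicy here).
    asserted = acceptable & cert.policies
    if not asserted:
        return None
    # PolicyMapping: an accepted issuer-domain policy is re-expressed as the
    # subject-domain policy the cross-cert maps it to; unmapped ones carry through.
    mapped_to = {subj for iss, subj in cert.policy_mappings if iss in asserted}
    mapped_from = {iss for iss, _ in cert.policy_mappings if iss in asserted}
    return frozenset(mapped_to | (asserted - mapped_from)), excluded + cert.excluded_subtrees


def find_valid_path(pool: Iterable[Cert], anchor: str, target: Cert,
                    initial_policies: Iterable[str]) -> Optional[List[Cert]]:
    """Depth-first path discovery from a trust anchor, validating as it goes.

    Returns the first chain (anchor-issued cert ... target) that satisfies the
    relying party's initial policy set under policy mapping and name constraints."""
    by_issuer: Dict[str, List[Cert]] = {}
    for c in pool:
        by_issuer.setdefault(c.issuer, []).append(c)

    def dfs(issuer, acceptable, excluded, path, seen):
        for c in by_issuer.get(issuer, []):
            if c.subject in seen:          # cross-certs run both ways; don't loop
                continue
            state = step(acceptable, excluded, c)
            if state is None:              # prune: policy or name constraint failed
                continue
            if c == target:
                return path + [c]
            if c.is_ca:
                found = dfs(c.subject, state[0], state[1], path + [c], seen | {c.subject})
                if found:
                    return found
        return None

    return dfs(anchor, frozenset(initial_policies), (), [], {anchor})


# --- Constructed sample: a relying party in an agency trusts the Common Policy
# CA and accepts only its Medium-equivalent policy, called "common-policy" here. ---
ANCHOR = "CN=Federal Common Policy CA"
COMMON_TO_FBCA = Cert("CN=Federal Bridge CA", ANCHOR, frozenset({"common-policy"}),
                      policy_mappings=(("common-policy", "fbca-medium"),))
FBCA_TO_COMMON = Cert(ANCHOR, "CN=Federal Bridge CA", frozenset({"fbca-medium"}),
                      policy_mappings=(("fbca-medium", "common-policy"),))
FBCA_TO_CERTIPATH = Cert("CN=CertiPath Bridge CA", "CN=Federal Bridge CA", frozenset({"fbca-medium"}),
                         policy_mappings=(("fbca-medium", "certipath-medium"),),
                         excluded_subtrees=("O=U.S. Government,C=US",))  # industry side may not name gov subjects
CERTIPATH_TO_BOEING = Cert("CN=Boeing CA", "CN=CertiPath Bridge CA", frozenset({"certipath-medium"}))
FBCA_TO_LOWCA = Cert("CN=Low Assurance CA", "CN=Federal Bridge CA", frozenset({"fbca-basic"}),
                     policy_mappings=(("fbca-basic", "lowco-basic"),))
ALICE = Cert("CN=Alice,O=Boeing,C=US", "CN=Boeing CA", frozenset({"certipath-medium"}), is_ca=False)
BOB = Cert("CN=Bob,O=U.S. Government,C=US", "CN=Boeing CA", frozenset({"certipath-medium"}), is_ca=False)
CAROL = Cert("CN=Carol,O=LowCo,C=US", "CN=Low Assurance CA", frozenset({"lowco-basic"}), is_ca=False)
POOL = [COMMON_TO_FBCA, FBCA_TO_COMMON, FBCA_TO_CERTIPATH, CERTIPATH_TO_BOEING,
        FBCA_TO_LOWCA, ALICE, BOB, CAROL]

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        path = find_valid_path(POOL, ANCHOR, who, {"common-policy"})
        print(who.subject, "->", " / ".join(c.subject for c in path) if path else "NO VALID PATH")
```

Run as written, Alice validates through Common Policy CA, FBCA, CertiPath and Boeing CA because each cross-cert maps the accepted policy into the next domain at the same assurance; Carol fails at the FBCA because the bridge only asserts a Basic policy toward her CA, so the relying party's Medium requirement is never met; Bob fails because the FBCA-to-CertiPath cross-cert's excluded subtree forbids an industry CA from naming a U.S. Government subject. A flat trust list containing "CN=Boeing CA" would accept Alice too, but it has no way to express the assurance level at which it does so, which is the scaling and LOA point the slide makes.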

Grids and Enterprise PKIs
• Different from the administration and architecture perspectives
• Overlap from the end-user perspective
• Cross-certification and interoperability solve the problem
Diagram: Grid PKI CP and Institution PKI CP; the end user holds a single cert that serves as Grid ID for project(s) and as Institution ID for AuthN

Business Case for XCert
• Simplify trust and control decisions
• Extend the value of issued credentials
• Scalable trust at a known LOA
  – Rely on trusted CSPs instead of managing issued credentials

Resources
• www.cio.gov/fpkipa
• http://csrc.nist.gov/pki
• www.cio.gov/ficc
• www.cio.gov/fbca