Presentation on theme: "Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH."— Presentation transcript:
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH
2 Federal Initiatives eAuthentication –Focus on eCommerce, services, etc. HSPD-12 –Focus on security
3 Federal View of Electronic ID A validated, proofed identity using breeder documents and databases (FIPS 201) A scheme for adding a name, biometrics (photo, fingerprints), numeric codes (CHUID, etc.) and substantial assurance digital certificates to a next- generation SmartCard Attributes are extensions not required by HSPD-12, but optionally consumed by Applications –SAML assertions and/or database entries for attribute storage –USPerson profile being developed to standardize attribute representation
4 eAuthentication Initiative Provide electronic identity authentication services for online government applications Manage the Federal Federation – extends services to private sector credential providers and online services Set standards for assertion-based authentication tools Offers standard risk assessment tool Standard Architecture and Policy foundations
5 Summary of Architecture and Policy/Procedures Based on NIST SP Architecture –SAML assertions for LOA 1, 2 (encapsulate userid/passwords) Vendor interoperability required for addition to approved vendor list SAML 1.0 currently supported; SAML 2.0 specs being developed –PKI or OTP for LOA 3 –PKI for LOA 4 –Scheme translator available Policy/Procedures –Credential assessments for all CSPs, CAF for assertion-based credentials; cross certification with Federal PKI for crypto-based credentials –Federal PKI Policies define requirements for digital certificate trustworthiness –EAF defines service requirements for all LOA Now included in Federal PKI policy requirements
6 The Federal Federation Credential Service Providers Covers 4 LOA –Assertion-based identity credentials for L 1, 2 –Crypto-based identity credentials for L 3, 4 Service Requirements –Related to uptime, user support, etc. Interfederation Arrangements Encouraged Agency Applications Federal Agency Applications and Services Mandated by Administration Service Requirements –Related to uptime, user support, etc.
7 Homeland Security Presidential Directive 12 A Presidential Mandate for Federal Agencies to issue medium hardware assurance (or better) identity credentials for access to physical and logical government resources - inside-the- firewall contractors, too –Medium Hardware or High Assurance digital certificates on PIV-2 cards (nextgen SmartCards) Fast-tracked for implementation starting 10/2006 Led to new government standards for identity proofing and vetting (FIPS 201) and for PKI hardware tokens (NIST SP x series)
8 Interoperability Initiatives CertiPathCertiPath – Federal Bridge cross-certification complete SAFESAFE PKI Bridge and services – supporting digitally-signed electronic forms and document management – cross-certification under way inCommon/Federal Federation – interfederation efforts currently (9/06) on hold
9 Technology Implications US Government LOA, standardized risk analysis, standards for PIV cards and identity proofing and vetting are here and INEVITABLY will migrate everywhere –Pickup already noted in aerospace contractor space, homeland security Feds will have to deal with attributes eventually!
10 Security and Online Services Implications for Higher Ed DHS first responders, DEA PKIs and CMS initiatives to enable online services and payments management will drive medical schools, hospitals and insurance chains to adopt Federal models for electronic identity authentication –Financial services firms under SEC regulation are already falling in line, both within and outside the eAuthentication federation participation –DEA issuing digital certs to pharmaceutical supply chain entities and plans to do so to service providers (MDs, PAs, NPs, etc.) Availability of online government apps drive schools to federate to take advantage of services/apps
11 What About Privacy? No single database of identity credentials No requirement for only one identity credential The old tradeoff still exists: convenience vs. security Are there forces out there that want to know who you are at all times? –Of course; worry about RFID first.