Federal PKI Architecture Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.


Slide 1: Federal PKI Architecture Update. Peter Alterman, Ph.D., Chair, Federal PKI Policy Authority

Slide 2 (OASIS PKI): View from 20,000 km
[Diagram labels: FBCA; C4; eGCA (3); Common Policy CA; CertiPath; SSPs; Industry PKIs; CertiPath SSP; SAFE Industry PKIs; "Serving all other Agencies"]

Slide 3: View from 20,000 km (with member names)
[Diagram labels, in reading order: FBCA; C4; eGCA (3); Common Policy CA; CertiPath; SSPs; Industry PKIs; CertiPath SSP]
DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, Treasury, Wells Fargo, MIT LL, UTexasSx
Serving all other Agencies: Boeing, Raytheon, Lockheed Martin, VeriSign, Cybertrust, ORC, Treasury, GPO?, Exostar, Entrust, IdenTrusT?
Total: 12 – 15M users
EAF member CSPs, TLS certs, USHER?
SAFE Industry PKIs: Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals, Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research

Slide 4: Simplified Diagram of U.S. Federal PKI
[Diagram labels: Federal Bridge CA; C4 CA; E-Gov CAs (3); Common Policy CA; Cross-Certified gov PKIs; Cross-Certified External PKIs; ? eAuth CSPs; Shared Service Provider PKIs (Common Policy OID and root cert)]

Slide 5: LOA Mapping
E-Auth Level 1: FPKI Rudimentary; C4
E-Auth Level 2: FPKI Basic
E-Auth Level 3: FPKI Medium & Medium-cbp
E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (governments only)

Slide 6: Federal Bridge Works
Cross-Certification Process Completes -> FBCA Issues Cross-certificates -> Populates Directories (LDAP & X.500) -> Routinely Issues CRL/ARL
Cert Profile: PolicyMapping, Excluded Subtrees
Cert Profile: AIA/SIA Extensions
OCSP Responder

Slide 7: Federal Bridge Info
FIPS Level 3 HSM
Online CAs on double-firewalled, one-way, discrete network with backup T-1 connections
ISODE M-Vault directories
Tepid Backup Site
Disaster Recovery Site
24x7 help desk, architected for 99.5% uptime
Evolving monitoring architecture
Vendor operations transfer in process

Slide 8: Notional FBCA Directory Implementation*
This diagram shows:
LDAP access from clients to support address lookup.
LDAP access from an application, to provide user authentication.
Directory management using Isode's Enterprise Directory Management tool.
Data management using Isode's Directory Data Management tool.
A Certification Authority, such as Entrust, accessing and managing data in M-Vault.
X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500-capable directory.
LDAP chaining to access data in a peer departmental LDAP directory.
Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience.
*From ISODE website

Slide 9: FBCA Cross Certification Process
Application - LOA?
Policy Mapping
–Mapping matrices online
–Cert Policy WG mapping review
–Collegial back-and-forth discussions
Technical Interoperability Testing
–With prototype instance of FBCA
–Testing protocol online
–Directory and profiles tested (LDAP and X.500)
Review of summary of independent audit results
–Map CP to CPS and CPS to PKI operations
–Independent auditors, not FPKI auditors
Whole process laid out in "Criteria & Methodology" document online

Slide 10: Path Discovery and Validation
Trust lists can work but:
–Don't scale, are rigid and don't give level of assurance
Bridges can work but:
–Aren't supported in native OSs, so require add-on PD/Val tools
NIST and FPKI developed test suite for PD/Val products/services
–4 products, 2 services passed so far (see the website)
–Deploy on website, desktop, within enterprise or outsource...
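The policy-mapping step behind slides 6 and 9, and the reason slide 10 says a trust list cannot carry a level of assurance, as an added example that is not from the presentation (all OIDs, certificate contents and the simplified validator are constructed):

```python
# Added example (not from the presentation): a simplified model of the RFC 5280
# policy-processing steps along a certification path that crosses a bridge CA.
# Only certificatePolicies and policyMappings are modelled (no signatures, name
# constraints, anyPolicy or inhibitPolicyMapping), to show how policy mapping
# carries a relying party's LOA requirement across PKI domains.

# Constructed policy OIDs under a private test arc; not the real FPKI OIDs.
AGENCY_MEDIUM = "1.3.6.1.4.1.99999.1"    # relying agency's "Medium" policy
BRIDGE_MEDIUM = "1.3.6.1.4.1.99999.2"    # bridge CA's "Medium" policy
PARTNER_MEDIUM = "1.3.6.1.4.1.99999.3"   # partner PKI's "Medium" policy
PARTNER_BASIC = "1.3.6.1.4.1.99999.4"    # partner PKI's "Basic" policy


def validate_policies(path, initial_policies):
    """Walk `path` from the cert issued by the trust anchor to the end-entity
    cert. Each entry has 'policies' (certificatePolicies OIDs) and optional
    'mappings' (policyMappings: issuerDomainPolicy -> subjectDomainPolicy).
    Returns the subset of `initial_policies`, in the relying party's own OIDs,
    that the end-entity cert satisfies; an empty set means the path fails."""
    # expected[rp]: the OID by which relying-party policy `rp` must be
    # asserted in the certificate currently being examined.
    expected = {p: p for p in initial_policies}
    for cert in path:
        # RFC 5280 6.1.3: keep only policies this certificate asserts.
        expected = {rp: oid for rp, oid in expected.items()
                    if oid in cert["policies"]}
        if not expected:
            return set()
        # RFC 5280 6.1.4: the issuing CA's mappings rename each surviving
        # policy into the subject CA's domain for the next certificate.
        mappings = cert.get("mappings", {})
        expected = {rp: mappings.get(oid, oid) for rp, oid in expected.items()}
    return set(expected)


# Constructed path: AgencyCA (trust anchor) -> FBCA -> PartnerCA -> user.
AGENCY_TO_FBCA = {"policies": {AGENCY_MEDIUM},
                  "mappings": {AGENCY_MEDIUM: BRIDGE_MEDIUM}}
FBCA_TO_PARTNER = {"policies": {BRIDGE_MEDIUM},
                   "mappings": {BRIDGE_MEDIUM: PARTNER_MEDIUM}}
USER_MEDIUM = {"policies": {PARTNER_MEDIUM}}   # partner user, Medium cert
USER_BASIC = {"policies": {PARTNER_BASIC}}     # partner user, Basic cert

BRIDGE_PATH = [AGENCY_TO_FBCA, FBCA_TO_PARTNER, USER_MEDIUM]
BASIC_PATH = [AGENCY_TO_FBCA, FBCA_TO_PARTNER, USER_BASIC]
# A trust-list style path that trusts PartnerCA directly carries no mapping,
# so the relying party cannot tell whether PARTNER_MEDIUM equals its Medium.
TRUST_LIST_PATH = [USER_MEDIUM]
```

A real PD/Val tool also checks signatures, validity periods, revocation (the CRL/ARL and OCSP responder of slide 6), name constraints (the excluded subtrees) and the anyPolicy and inhibit rules this model leaves out.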

Slide 11: Grids and Enterprise PKIs
Different from the administration and architecture perspectives
Overlap from the end user perspective
Cross-certification and interoperability solve the problem
[Diagram labels: Grid PKI CP; End User: single cert; Grid ID for Project(s); Institution ID for AuthN; Institution PKI CP]

Slide 12: Business Case for XCert
Simplify trust and control decisions
Extend value of issued credentials
Scalable trust at known LOA
–Rely on trusted CSPs instead of managing issued credentials

Slide 13: Resources
