
Federal PKI Architecture Update


Presentation on theme: "Federal PKI Architecture Update"— Presentation transcript:

1 Federal PKI Architecture Update
Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority

2 View from 20,000 km
[Diagram: the FBCA at the centre, cross-certified with SAFE, CertiPath, C4 and the Common Policy CA. The Common Policy CA anchors the SSPs serving all other agencies; SAFE and CertiPath each front industry PKIs; the three eGCAs sit alongside.]
OASIS PKI

3 View from 20,000 km (with members)
Cross-certified with the FBCA: DOD, DHS, NASA, Commerce, USPS, USPTO, HHS, DOE, IL, DOJ, State, DOD/ECA, GPO, Treasury, Wells Fargo, MIT LL, UTexasSx
Common Policy CA (serving all other agencies; total 12–15M users). SSPs: VeriSign, Cybertrust, ORC, Treasury, GPO?, Exostar, Entrust, IdenTrusT?
SAFE industry PKIs: Abbott Labs, AstraZeneca, Bristol-Myers Squibb, Genzyme, GlaxoSmithKline, INC Research, Johnson & Johnson, Merck, Pfizer, Procter & Gamble, Sanofi-Aventis, TAP Pharmaceuticals
CertiPath industry PKIs: Boeing, Raytheon, Lockheed Martin
C4; eGCA (3)
Also shown on the diagram: USHER?, EAF member CSPs, TLS certs

4 Simplified Diagram of U.S. Federal PKI
[Diagram: the Federal Bridge CA at the centre, cross-certified with gov PKIs, the Common Policy CA (Shared Service Provider PKIs under the Common Policy OID and root cert), the C4 CA, the three E-Gov CAs, and cross-certified external PKIs; eAuth CSPs shown with a question mark.]

5 LOA Mapping
E-Auth Level 1: FPKI Rudimentary; C4
E-Auth Level 2: FPKI Basic
E-Auth Level 3: FPKI Medium & Medium-cbp
E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (governments only)

6 Federal Bridge Works
Cross-certification process completes
FBCA issues cross-certificates
Routinely issues CRL/ARL
Populates directories (LDAP & X.500)
OCSP responder
Cert profile: AIA/SIA extensions
Cert profile: policyMapping, excluded subtrees

7 Federal Bridge Info
FIPS 140-2 Level 3 HSM
Online CAs on a double-firewalled, one-way, discrete network with backup T-1 connections
ISODE M-Vault directories
Tepid backup site / disaster recovery site
24x7 help desk, architected for 99.5% uptime
Evolving monitoring architecture
Vendor operations transfer in process

8 Notional FBCA Directory Implementation*
This diagram shows:
LDAP access from clients to support address lookup
LDAP access from an application, to provide user authentication
Directory management using Isode's Enterprise Directory Management tool
Data management using Isode's Directory Data Management tool
A Certification Authority, such as Entrust, accessing and managing data in M-Vault
X.500 chaining using the X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500-capable directory
LDAP chaining to access data in a peer departmental LDAP directory
Data replication using the X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments, to increase performance and resilience
*From ISODE website

9 FBCA Cross Certification Process
Application: what LOA?
Policy mapping: mapping matrices online; Cert Policy WG mapping review; collegial back-and-forth discussions
Technical interoperability testing: with a prototype instance of the FBCA; testing protocol online; directory and profiles tested (LDAP and X.500)
Review of summary of independent audit results: map CP to CPS and CPS to PKI operations; independent auditors, not FPKI auditors
Whole process laid out in the "Criteria & Methodology" document online

10 Path Discovery and Validation
Trust lists can work but: don't scale, are rigid, and don't convey a level of assurance
Bridges can work but: aren't supported in native OSs, so require add-on PD/Val tools
NIST and FPKI developed a test suite for PD/Val products/services
4 products, 2 services passed so far (see the website)
Deploy on website, desktop, within enterprise, or outsource...
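Slides 6 and 10 together describe what a bridge-aware PD/Val tool must do that a native OS validator of the time did not: find a chain of cross-certificates from an end-entity certificate back to the relying party's own trust anchor, then carry the relying party's policy OID through each policyMappings extension and enforce any excluded-subtrees name constraint along the way. The Python below is an added example written for this page, not code from the FPKI, the presentation, or any tested PD/Val product. The CA names, DNs and 2.999.* policy OIDs are constructed placeholders; signatures, validity periods and CRL/ARL/OCSP checking are deliberately left out so the policy and name-constraint logic stands alone.

```python
"""Toy bridge-CA path discovery and policy validation (added example, not FPKI code).
Certificates are dicts over constructed data: no ASN.1, signatures, validity or
revocation.  Models cross-certs, policyMappings and excludedSubtrees per RFC 5280."""
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical policy OIDs under the 2.999 example arc; real FPKI OIDs differ.
AGENCY_MEDIUM = "2.999.1.1"    # relying party's own domain (e.g. an agency under Common Policy)
BRIDGE_MEDIUM = "2.999.2.1"    # the bridge policy the agency mapped to
PARTNER_MEDIUM = "2.999.3.1"   # a cross-certified external PKI's mapped policy
PARTNER_BASIC = "2.999.3.2"    # a partner policy the bridge never mapped


def cert(subject: str, issuer: str, policies: Iterable[str], mappings=None,
         excluded: Iterable[str] = (), ca: bool = False) -> Dict:
    """Minimal stand-in for an X.509 certificate (constructed, not real ASN.1)."""
    return {"subject": subject, "issuer": issuer,
            "policies": set(policies),         # certificatePolicies, in the issuer's domain
            "mappings": dict(mappings or {}),  # policyMappings: issuerDomainPolicy -> subjectDomainPolicy
            "excluded": tuple(excluded),       # nameConstraints.excludedSubtrees as RDN strings
            "ca": ca}                          # basicConstraints cA


# Constructed store, as a relying party in "Agency A" might hold after AIA/SIA fetches
# and LDAP/X.500 directory lookups.  Only the agency root is a trust anchor.
STORE: List[Dict] = [
    cert("O=Agency A", "O=Agency A", [AGENCY_MEDIUM], ca=True),
    # Agency A -> Bridge cross-cert: asserts the agency policy and maps it to the bridge's.
    cert("O=Bridge", "O=Agency A", [AGENCY_MEDIUM], {AGENCY_MEDIUM: BRIDGE_MEDIUM}, ca=True),
    # Bridge -> Partner cross-cert: maps the bridge policy onward and excludes OU=Test.
    cert("O=Partner Inc", "O=Bridge", [BRIDGE_MEDIUM], {BRIDGE_MEDIUM: PARTNER_MEDIUM},
         excluded=["OU=Test"], ca=True),
    # The partner's own self-signed root is in the store but is not one of our anchors.
    cert("O=Partner Inc", "O=Partner Inc", [PARTNER_MEDIUM, PARTNER_BASIC], ca=True),
    cert("CN=alice,OU=Research,O=Partner Inc", "O=Partner Inc", [PARTNER_MEDIUM]),
    cert("CN=bob,OU=Research,O=Partner Inc", "O=Partner Inc", [PARTNER_BASIC]),
    cert("CN=mallory,OU=Test,O=Partner Inc", "O=Partner Inc", [PARTNER_MEDIUM]),
]
TRUST_ANCHORS: Set[str] = {"O=Agency A"}


def is_anchor(c: Dict) -> bool:
    return c["subject"] == c["issuer"] and c["subject"] in TRUST_ANCHORS


def discover_paths(ee: Dict, store: List[Dict]) -> List[List[Dict]]:
    """DFS from the end entity toward a trust anchor; returns every path as [anchor, ..., ee].
    Non-anchor self-issued certs are skipped and a visited set breaks cross-cert loops."""
    paths: List[List[Dict]] = []

    def walk(chain: List[Dict], seen: Set[int]) -> None:
        top = chain[0]
        if is_anchor(top):
            paths.append(list(chain))
            return
        for cand in store:
            if cand["subject"] != top["issuer"] or not cand["ca"] or id(cand) in seen:
                continue
            if cand["subject"] == cand["issuer"] and not is_anchor(cand):
                continue
            walk([cand] + chain, seen | {id(cand)})

    walk([ee], {id(ee)})
    return paths


def validate(path: List[Dict], required: Iterable[str]) -> Optional[str]:
    """Simplified RFC 5280 policy and name-constraint processing over one path.
    `required` is the relying party's acceptable policy set in its OWN domain; it is
    translated through each policyMappings extension on the way down.  None = valid."""
    anchor, *rest = path
    if not is_anchor(anchor):
        return "path does not start at a trust anchor"
    valid: Set[str] = set(required)   # acceptable policies in the current issuer's domain
    excluded: List[str] = []          # excluded subtrees collected from earlier certs
    for c in rest:
        rdns = {r.strip() for r in c["subject"].split(",")}
        hit = [e for e in excluded if e in rdns]
        if hit:
            return f"{c['subject']}: name in excluded subtree {hit[0]}"
        valid &= c["policies"]
        if not valid:
            return f"{c['subject']}: no acceptable certificate policy"
        valid = {c["mappings"].get(p, p) for p in valid}   # move into the subject's domain
        excluded.extend(c["excluded"])                     # constraints bind later certs
    return None


def check(subject: str, required: Iterable[str] = (AGENCY_MEDIUM,)) -> str:
    """Discover and validate a path for the named end entity; returns a verdict string."""
    ee = next(c for c in STORE if c["subject"] == subject and not c["ca"])
    errors = []
    for p in discover_paths(ee, STORE):
        err = validate(p, required)
        if err is None:
            return "valid via " + " -> ".join(c["subject"] for c in p)
        errors.append(err)
    return "invalid: " + "; ".join(errors or ["no path to a trust anchor"])


if __name__ == "__main__":
    for c in STORE[4:]:
        print(c["subject"], "=>", check(c["subject"]))
```

Running it shows the three outcomes a bridge gives a relying party that a flat trust list cannot: alice validates because the agency's own Medium OID survives two mappings into the partner's Medium OID; bob fails because the bridge never mapped the partner's Basic policy, so the assurance level is enforced rather than assumed; mallory fails on the excluded OU=Test subtree even though her policy OID is fine. Asking for a policy in the wrong domain (for example passing BRIDGE_MEDIUM as required) fails at the first cross-certificate, which is the point of expressing the acceptable set in the relying party's own OIDs. A real PD/Val product layers signature checking, validity periods, CRL/ARL or OCSP revocation, pathLenConstraint and permitted subtrees on top of this skeleton.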

11 Grids and Enterprise PKIs
Different from the administration and architecture perspectives
Overlap from the end-user perspective
Cross-certification and interoperability solve the problem
Grid PKI CP and Institution PKI CP; end user holds a single cert carrying a Grid ID for project(s) and an Institution ID for AuthN

12 Business Case for XCert
Simplify trust and control decisions
Extend value of issued credentials
Scalable trust at known LOA
Rely on trusted CSPs instead of managing issued credentials

13 Resources
