Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal PKI Architecture Update

Published byEfren Hesley Modified over 9 years ago

Similar presentations

Presentation on theme: "Federal PKI Architecture Update"— Presentation transcript:

1 Federal PKI Architecture Update
Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority

2 View from 20,000 km FBCA SAFE CertiPath C4 Common Policy CA SSPs
Serving all other Agencies FBCA CertiPath SSP SAFE Industry PKIs CertiPath C4 Industry PKIs eGCA (3) OASIS PKI

3 View from 20,000 km FBCA SAFE CertiPath C4 Common Policy CA
DOD DHS NASA Commerce USPS USPTO HHS DOE IL DOJ State DOD/ECA GPO Treasury Wells Fargo MIT LL UTexasSx Common Policy CA Total: 12 – 15M users SSPs VeriSign Cybertrust ORC Treasury GPO? Exostar Entrust IdenTrusT? Serving all other Agencies FBCA CertiPath SSP SAFE Industry PKIs CertiPath C4 USHER? Industry PKIs Abbott Labs AstraZeneca Bristol-Myers Squibb Genzyme GlaxoSmithKline INC Research Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals eGCA (3) Boeing Raytheon Lockheed Martin EAF member CSPs TLS certs OASIS PKI

4 Simplified Diagram of U.S. Federal PKI
Cross- Certified gov PKIs Federal Bridge CA Common Policy CA Shared Service Provider PKIs (Common Policy OID And root Cert) C4 CA E-Gov CAs (3) Cross- Certified External PKIs eAuth CSPs ? OASIS PKI

5 LOA Mapping E-Auth Level 1 E-Auth Level 2 E-Auth Level 3
FPKI Rudimentary; C4 FPKI Medium/HW & Medium/HW-cbp FPKI Basic FPKI Medium & Medium-cbp FPKI High (governments only) OASIS PKI

6 Federal Bridge Works FBCA Issues Routinely Issues Cross- CRL/ARL
Cross-Certification Process Completes FBCA Issues Cross- certificates Routinely Issues CRL/ARL Populates Directories LDAP & X.500 OCSP Responder Cert Profile: AIA/SIA Extensions Cert Profile: PolicyMapping, Excluded Subtrees OASIS PKI

7 Federal Bridge Info FIPS 1540-2 Level 3 HSM
Online CAs on double-firewalled, one way, discrete network with backup T-1 connections ISODE M-Vault directories Tepid Backup Site Disaster Recovery Site 24x7 help desk, architected for 99.5% uptime Evolving monitoring architecture Vendor operations transfer in process OASIS PKI

8 Notional FBCA Directory Implementation*
This diagram shows: LDAP Access from clients to support address lookup. LDAP Access from an application, to provide user authentication. Directory management using Isode's Enterprise Directory Management tool. Data management using Isode's Isode's Directory Data Management tool. A Certification Authority, such as Entrust, accessing and managing data in M-Vault. X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500 capable directory. LDAP chaining to access data in a peer departmental LDAP directory. Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience. *From ISODE website OASIS PKI

9 FBCA Cross Certification Process
Application - LOA? Policy Mapping Mapping Matrices online Cert Policy WG mapping review Collegial back and forth discussions Technical Interoperability Testing With Prototype instance of FBCA Testing Protocol online Directory and profiles tested (LDAP and X.500) Review of summary of independent audit results Map CP – CPS and CPS to PKI Operations Independent auditors, not FPKI auditors Whole process laid out in “Criteria & Methodology” document online OASIS PKI

10 Path Discovery and Validation
Trust Lists can work but: Don’t scale, are rigid and don’t give level of assurance Bridges can work but: Aren’t supported in native OSs, so require add-on PD/Val tools NIST and FPKI developed test suite for PD/Val products/services 4 products, 2 services passed so far (see the website) Deploy on website, desktop, within enterprise or outsource… OASIS PKI

11 Grids and Enterprise PKIs
Different from the administration and architecture perspectives Overlap from the end user perspective Cross-certification and interoperability solve the problem Grid PKI CP Institution PKI CP End User: single cert. Grid ID for Project(s) Institution ID For AuthN OASIS PKI

12 Business Case For XCert
Simplify trust and control decisions Extend value of issued credentials Scalable trust at known LOA Rely on trusted CSPs instead of managing issued credentials OASIS PKI

13 Resources www.cio.gov/fpkipa http://csrc.nist.gov/pki www.cio.gov/ficc
OASIS PKI

Download ppt "Federal PKI Architecture Update"

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
PKI deployment in the Aerospace Industry

PKI deployment in the Aerospace Industry
Launching Egyptian Root CA and Inaugurating E-Signature Dr. Sherif Hazem Nour El-Din Information Security Systems Consultant Root CA Manager, ITIDA.

Launching Egyptian Root CA and Inaugurating E-Signature Dr. Sherif Hazem Nour El-Din Information Security Systems Consultant Root CA Manager, ITIDA.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Program Managers Forum

Program Managers Forum
The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council 202-622-1552.

The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council
Ongoing Efforts to Build The US Federal PKI Bridge

Ongoing Efforts to Build The US Federal PKI Bridge
Stanley J. Choffrey (202) 708-7943 The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.

Stanley J. Choffrey (202) The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.
Paul D. Grant Special Assistant, Federated Identity Management and External Partnering Office of the DoD CIO Co-Chair, Identity, Credential.

Paul D. Grant Special Assistant, Federated Identity Management and External Partnering Office of the DoD CIO Co-Chair, Identity, Credential.
Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.

Certificate Interoperability S&I Framework Initiative Final Report August 17, 2011.
The 4BF The Four Bridges Forum Federated PACS A Physical Access Use Case for Bridges FIPS 201/PIV-I PACS Interoperability April 28 th, 2009.

The 4BF The Four Bridges Forum Federated PACS A Physical Access Use Case for Bridges FIPS 201/PIV-I PACS Interoperability April 28 th, 2009.
SAFE-BioPharma Association NSTIC Day How does industry drive forward.

SAFE-BioPharma Association NSTIC Day How does industry drive forward.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
Copyright Judith Spencer 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.

NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.
Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication,

Federal Electronic Identity Initiatives – Current Status Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO for E-Authentication,
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.

Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

Similar presentations

Ads by Google