Stanley J. Choffrey, (202) 708-7943. The Federal Bridge Certification Authority: Evolving Issues in Electronic Data Collection. January 10, 2000.

1 The Federal Bridge Certification Authority: Evolving Issues in Electronic Data Collection. Stanley J. Choffrey, (202) 708-7943. January 10, 2000

2 The Federal Bridge Certification Authority. The Federal Bridge Certification Authority (FBCA) will be the unifying element that links otherwise unconnected agency Certification Authorities (CAs) into a systematic overall Federal PKI. The FBCA functions as a non-hierarchical hub: it allows a relying party agency to build a certificate trust path from its own domain back to the domain of the agency that issued the certificate, so that the levels of assurance honored by disparate PKIs can be reconciled.

3 Federal Bridge Certification Authority (architecture diagram). Shown: the FBCA at the hub with its Directory System Agent and FIPS Level 3 cryptographic module; cross-certified CAs in Trust Domain 1 and Trust Domain 2, each with its own directory (Directory Infrastructure 1, Directory Infrastructure 2); cross certificates, CRLs and ARLs published to the directories; S/MIME traffic between the domains; and the relying-party steps Path Discovery, Cert Retrieval & Verification, and Cert Validation.

4 FBCA EMA Challenge Configuration (network diagram). Components shown:
- Mitretek border router to the Internet; CheckPoint firewall; Bay ASN.1 router; UPS.
- CyberTrust Enterprise CA: Sun Ultra 10, Solaris OS, 512 MB RAM, two 9.1 GB hard drives, tape backup, Oracle DB, SafeKeyper crypto module.
- DOD Bridge Demo CA.
- LunaCA3 crypto module.
- Entrust CA: Dell PowerEdge 2300, NT 4.0 Server, 256 MB RAM, two 9 GB hard drives, tape backup, PeerLogic i500 directory.
- FBCA Directory System: Dell PowerEdge 2300, NT 4.0 Server, 128 MB RAM, two 9 GB hard drives, 10BaseT Ethernet NIC, tape backup, PeerLogic i500 directory.
- Two client workstations, labelled Entrust Client and CyberTrust Client, each running Eudora (S/MIME v3) and an Entrust application with certificate path validation; one holds a CyberTrust certificate on a Gemplus v1 or DataKey smart card, the other an Entrust certificate on a Spyrus Lynks card.

5 Federal Bridge Certification Authority EMA Challenge Overview (diagram). Participants shown connected to the FBCA, each with its own PCA, CA and clients: GSA, DoD Bridge Certification Authority, CyberTrust CA, Entrust CA, Canadian CA, NIST CA1, NIST CA2, DISA, Treasury, Navy, GTRI and NASA. Client mail software shown: MS Exchange v5, Eudora/SFL and Eudora/v4.

6 Directory Configuration (diagram). Directory System Agents and the naming contexts they hold, with chaining between them (the FBCA directory, cn=FBCA_Directory, chains to the others):
- NIST (PeerLogic), cn=NIST: c=US; o=U.S. Government; ou=NIST; ou=Experimental CA1, and c=US; o=U.S. Government; ou=NIST; ou=Experimental CA2. DSP port 102, LDAP port 389, TSEL 0x5000, TCP/IP.
- Federal Bridge Certification Authority (PeerLogic), cn=FBCA_Directory: c=US; o=U.S. Government; ou=FBCA. DSP port 102, LDAP port 389, TCP/IP.
- DoD Bridge Certification Authority (Chromatix): c=US; o=Test BCA.
- GSA/FTS (PeerLogic): c=US; o=Entrust; ou=Federal; c=US; o=U.S. National; c=US; o=U.S. Government; ou=DoD. DSP port 20006, LDAP port 406, TCP/IP.
- Canada (Nexor), cn=NEXOR: c=CA; o=GC; ou=HMCCA. DAP/DSP port 19970, LDAP port 389.
- BCA Server and Spyrus, cn=BCAP; NSA CA-TBR: c=US; o=U.S. Government; ou=DoD; ou=NSA.
- GTRI (PeerLogic), cn=PKIL-DSA: c=US; o=PKIL; c=US; o=Georgia; c=US; o=CISA. DSP port 17003, LDAP port 389, TCP/IP.
- NASA (CDS), cn=NASA5: c=US; o=NASA5; cn=NASA5, and c=US; o=NASA5; cn=EntrustCA. DSP port 17019, LDAP port 389, TCP/IP.

7 Federal Organization

8 Federal PKI Policy Authority
- Voluntary interagency group, NOT an "agency"; six charter members: DOJ, DOD, OMB, GSA, Treasury, DOC
- Governing body for FBCA interoperability: responsible for the Certificate Policy and for agency/FBCA certificate policy mappings
- Oversees operation of the FBCA: authorizes issuance of FBCA certificates; responsible for the Certification Practice Statement
- Under the Federal CIO Council

9 What will it take to use the FBCA?
- Policy mapping of certificate policies
- Careful management of cross-certs to limit transitive trust
- Directory interoperability
- Client software that does certificate path discovery and processing
- Appropriate liability language for interoperability with non-government parties

10 From the X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA), 1.1.4: "The current version of this CP does not provide for interoperability through the FBCA between Federal Agency PKI domains and those of parties who are external to the Federal government and who have no regulatory or contractual relationship with the Federal government. Such interoperability will be established when directed by the FPKIPA and will require changes to this CP to address issues associated with liability and other matters. Nonetheless, it is the ultimate intent of the FPKIPA to make the FBCA available to support interoperability between Federal and non-Federal entities. Moreover, interoperability with entities external to the Federal government for purposes of technical testing may be performed when directed by, and in a fashion determined by, the FPKIPA, employing the "Test" level of assurance. Additionally, certificates issued by the FBCA will ensure that appropriate controls are placed on the acceptance of certificates issued by CAs external to the Federal government, for example through the use of the nameConstraints extension."
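Slides 9 and 10 name the mechanisms a relying party's path-processing software has to implement for bridge-mediated trust: policy mapping across cross-certificates, limits on transitive trust, and nameConstraints on CAs that the bridge cross-certifies. The following model is an added example, not code from the presentation or from the FBCA project. The agency names, DNs, policy labels (which stand in for certificate policy OIDs) and directory contents are constructed, and signature, validity-period and CRL/ARL checking are deliberately left out so that the three controls can be seen in isolation.

```python
"""Toy model of certificate path discovery and validation through a bridge CA.
Constructed example, not FBCA software: DNs are tuples of RDN strings and labels such as
"A:medium" stand in for policy OIDs. Signatures, validity periods and CRL/ARL checks are
omitted to isolate policyMappings, nameConstraints and pathLenConstraint."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Set, Tuple
DN = Tuple[str, ...]  # e.g. ("c=US", "o=U.S. Government", "ou=FBCA")


@dataclass
class Cert:
    subject: DN
    issuer: DN
    policies: Set[str]                       # certificatePolicies
    is_ca: bool = True                       # basicConstraints.cA
    path_len: Optional[int] = None           # basicConstraints.pathLenConstraint
    policy_mappings: Dict[str, Set[str]] = field(default_factory=dict)  # issuer -> subject domain
    permitted_subtrees: Tuple[DN, ...] = ()  # nameConstraints.permittedSubtrees


def in_subtree(name: DN, base: DN) -> bool:
    """X.500 subordination: `base` is a leading prefix of `name`."""
    return name[:len(base)] == base


def discover_path(target: Cert, anchor: DN, directory: Sequence[Cert]) -> Optional[List[Cert]]:
    """Follow issuer links back to the anchor; cross-certificate pairs form cycles, so
    subjects already on the path are skipped. Returns the path anchor-first, or None."""
    def walk(cert: Cert, seen: Set[DN]) -> Optional[List[Cert]]:
        if cert.issuer == anchor:
            return [cert]
        if cert.issuer in seen:
            return None
        for cand in (c for c in directory if c.subject == cert.issuer):
            tail = walk(cand, seen | {cert.issuer})
            if tail is not None:
                return tail + [cert]
        return None
    return walk(target, {target.subject})


def validate_path(path: List[Cert], anchor: DN, initial_policies: Set[str]) -> Set[str]:
    """Simplified RFC 5280 section 6.1: return the relying party's policies under which
    the anchor-first `path` is valid, or raise ValueError."""
    expected = {p: {p} for p in initial_policies}  # RP policy -> what the next cert must assert
    constraints: List[Tuple[DN, ...]] = []         # permittedSubtrees inherited so far
    remaining = len(path)                          # CA certificates still allowed
    for i, cert in enumerate(path):
        if cert.issuer != (anchor if i == 0 else path[i - 1].subject):
            raise ValueError(f"broken chain at {cert.subject[-1]}")
        for subtrees in constraints:  # constraints from earlier certs bind this subject
            if not any(in_subtree(cert.subject, b) for b in subtrees):
                raise ValueError(f"{cert.subject[-1]} violates nameConstraints")
        new_expected: Dict[str, Set[str]] = {}
        for rp_policy, exp in expected.items():
            # keep the policies this cert asserts, translating mapped ones into the next domain
            nxt = set().union(*(cert.policy_mappings.get(p, {p}) for p in exp & cert.policies))
            if nxt:
                new_expected[rp_policy] = nxt
        expected = new_expected
        if not expected:
            raise ValueError(f"no acceptable policy at {cert.subject[-1]}")
        if cert.is_ca:  # pathLenConstraint bounds how far transitive trust reaches
            if remaining == 0:
                raise ValueError(f"pathLenConstraint exceeded at {cert.subject[-1]}")
            remaining -= 1
            if cert.path_len is not None:
                remaining = min(remaining, cert.path_len)
            if cert.permitted_subtrees:
                constraints.append(cert.permitted_subtrees)
    return set(expected)


# Constructed trust graph as seen from Agency A: the bridge, Agency B and an external CA.
US_GOV: DN = ("c=US", "o=U.S. Government")
AGENCY_A_CA = US_GOV + ("ou=Agency A", "cn=Agency A CA")
FBCA = US_GOV + ("ou=FBCA", "cn=Federal Bridge CA")
AGENCY_B_CA = US_GOV + ("ou=Agency B", "cn=Agency B CA")
AGENCY_B_SUB = US_GOV + ("ou=Agency B", "cn=Agency B Sub CA")
ACME_CA = ("c=US", "o=Acme Corp", "cn=Acme CA")
DIRECTORY: List[Cert] = [
    # A -> bridge: map A's policy onto the bridge's; allow one CA hop past the bridge.
    Cert(FBCA, AGENCY_A_CA, {"A:medium"}, path_len=1, policy_mappings={"A:medium": {"FBCA:medium"}}),
    # bridge -> B: map the bridge policy onto B's; confine B to its own name space.
    Cert(AGENCY_B_CA, FBCA, {"FBCA:medium"}, policy_mappings={"FBCA:medium": {"B:medium"}},
         permitted_subtrees=(US_GOV + ("ou=Agency B",),)),
    Cert(FBCA, AGENCY_B_CA, {"B:medium"}),          # reverse half of the B <-> bridge pair
    Cert(AGENCY_B_SUB, AGENCY_B_CA, {"B:medium"}),  # B's subordinate CA
    # bridge -> external CA: nameConstraints stop it from vouching for Federal names.
    Cert(ACME_CA, FBCA, {"FBCA:medium"}, permitted_subtrees=(("c=US", "o=Acme Corp"),)),
]


def check(ee: Cert, anchor: DN = AGENCY_A_CA, policies: Set[str] = frozenset({"A:medium"})) -> str:
    """Evaluate an end-entity certificate from Agency A's point of view."""
    path = discover_path(ee, anchor, DIRECTORY)
    if path is None:
        return "rejected: no path to trust anchor"
    try:
        return "valid: " + ",".join(sorted(validate_path(path, anchor, set(policies))))
    except ValueError as exc:
        return f"rejected: {exc}"
```

Running check on an end-entity certificate issued by Agency B returns "valid: A:medium", the relying party's own policy, because A's cross-certificate to the bridge maps A:medium to FBCA:medium and the bridge's cross-certificate to B maps that to B:medium. A certificate from B's subordinate CA is rejected because it is one CA hop beyond the pathLenConstraint A placed on its cross-certificate to the bridge; a B certificate asserting an unmapped policy is rejected as having no acceptable policy; and a certificate from the external CA that claims a Federal name is rejected by the nameConstraints the bridge placed on that CA, while the same CA's certificate for one of its own names is accepted.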

