1. 15June’061 NASA’s PKI Migration to Treasury 13th Fed-Ed Meeting 15 June ‘06 Presenter: Tice DeYoung

2. 15June’062 NASA’s PKI Migration to Treasury Decision History  January ‘04 –NASA PKI operations costs were high –NASA wanted to investigate outsourcing PKI operations  April-May ‘04 - NASA updated our PKI requirements – Extant requirements developed in ‘97 –Need to update for changing NASA PKI environment in order to accurately represent our needs to outsourcing providers  September ‘04 - NASA decides to continue using Entrust as its PKI – Two possible sources »Department of Agriculture’s National Finance Center »Department of the Treasury’s Bureau of Public Debt  October ‘04 - NASA Chooses Treasury Based on Cost  December ‘04 - OMB 05-05 required agencies to use a Shared Service Provider (SSP) –NASA told Treasury that they would have to become an SSP for NASA to outsource our PKI operations to them –Treasury agrees and in April ‘05 they apply for SSP status –Treasury completes the process and becomes an SSP in June ‘06

3. 15June’063 NASA’s PKI Migration to Treasury First Steps to Migrate the NASA PKI  NASA and Treasury Develop a Transition Plan and Costs  NASA Asks Treasury to Also Host the Current NASA CA –Treasury must update plan and costs to include moving and hosting the extant NASA Backup CA  Treasury Moves the NASA Backup CA September ‘05 –Auditable event with NASA personnel present at both ends –Successfully brought up CA and updated data from Primary CA  NASA & Treasury Perform Two Disaster Recovery Tests –First test 10 December ‘05 works one way, but firewall & network issues delay completing the test –Second test 19 February ‘06 totally successful  NASA Makes Backup CA at Treasury Prime CA - 25 February ‘06 –CA at ARC becomes backup –Data successfully transferred from primary CA to backup CA

4. 15June’064 NASA’s PKI Migration to Treasury What’s Next?  Treasury Stands up a New CA for NASA –NASA Operational CA (NOCA) under Treasury root CA –Successfully installed Solaris OS an auditable event –Entrust PKI CA Key Generation Ceremony - mid-August ‘06 »NASA personnel will be present for auditable event –Cross-certify current CA with NOCA - late September ‘06 »NASA personnel may be present for this auditable event –Begin issuing credentials to new users - October ‘06  Migrate Current Users from Old NASA CA to NOCA –Use trust between CAs arising from cross-certification –Create step-by-step process for moving users –Transition small number of users first to test process »Begin testing with test certificates and test CAs at both ends –Complete the migration to NOCA  C’est Fini? –Welllll…not quite!

5. 15June’065 NASA’s PKI Migration to Treasury As Always, the Devil Is In the Details*  Little or No Impact on the Users... If We Are Lucky –Exported users shouldn’t notice that they have been exported »They can continue logging into the old CA and keep working –However … »The old CA will suspend any key update functions »If the users certificate is expired before the export or expires after they are exported, then they will not continue to work »Security Officers Once they have been exported, they will not be able to login to the old CA to perform work. RA’s will still be able to work »Web users/certificates cannot be moved between CAs »Roaming users will have to be changed to Desktop users before they can be exported Once they have been imported to the new CA, they can be returned to Roaming users again * This & the next few slides were taken liberally (stolen) from a Treasury presentation at the NASA PKI Workshop 6-8 June ‘06

6. 15June’066 NASA’s PKI Migration to Treasury Other Things to Consider  A New Entrust.ini File is Required –New DNS –New Certificate Authority –New CRL distribution point –New directory location for public encryption certificats –How will this be distributed to current users? »Require manual update to.ini file? »Special Entrust Toolkit code to ‘push’ the changes? »Include updated.ini file in next release/update to standard desktop configuration?  Migrated Users Will Automagically Recover Their Keys –How to indicate that a user has been successfully migrated?

7. 15June’067 NASA’s PKI Migration to Treasury Other Things to Consider, cont.  Who Has to Be Manually Recovered? –Anyone using Entrust/Entelligence or Entelligence Security Provider (ESP) whose recent certificate is not valid –Users of any release of Entrust/Entelligence prior to version 5.0 –Anyone using a product other than Entrust/Entelligence or ESP  What Happens if Something Goes Wrong (and something always goes wrong for some) –There is a way to recover once an export has occurred. –The export can be cancelled and the users will return back to their original state on the old CA. –However, if ESP is being used, then the export has to be finalized or “completed” on the originating CA before the user can login to the new CA. This removes the ability to fall back in case of an error (YIKES!) »Users could find themselves unable to use either CA »Users in this situation might have to be recovered on the old CA »Users in this situation might lose their encryption key history

8. 15June’068 NASA’s PKI Migration to Treasury Recommendations/Lessons Learned  You Need to Know PKI Applications and Uses –NASA is still finding out who is using PKI and for what »Despite repeated calls for this information –Specializations for specific applications can be troublesome »Customized.inis with different CRL distribution points »Customized applications with hard coded ip addresses »Hard coded PKI public key directory and/or CRL locations  NASA has Decided to Delay Rolling Out ESP Until the User Has Been Migrated –Avoids errors in migration up front  It Always Takes Longer Than You Think It Will  It Always Costs More Than You Think It Will  Stuff Happens

9. 15June’069 NASA’s PKI Migration to Treasury Backup Slides

10. 15June’0610 NASA’s PKI Migration to Treasury NASA’s Relationship to the FBCA & Common Policy CA Sub Authorized [Sub ordinate reference] Sub Authorized [Sub ordinate reference] Cross Certification [mutual or two-way reference] Common Policy CA Federal Bridge CA Treasury Root CA (TRCA) NASA Operational CA (NOCA) Cross Certification [mutual or two-way reference]

11. 15June’0611 NASA’s PKI Migration to Treasury NASA’s Original PKI Architecture RA Operation CA Operation PKI Directory FBCA Cross Certification Policy Tech Support User & RA Software Testing & Distribution Training Documentation SuperRA Service PK Enabled Services NASA

12. 15June’0612 NASA’s PKI Migration to Treasury NASA’s SSP PKI Architecture Treasury RA Operation CA Operation PKI Directory FBCA Cross Certification Policy Tech Support User & RA Software Testing & Distribution Training Documentation SuperRA Service PK Enabled Services NASA