Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000.

Published byMerilyn Patricia Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000."— Presentation transcript:

1 Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000

2 Shirley Payne UVa Security Director Tim Sigmon UVa Advanced Technology Director Chip German UVa Policy/Planning Director Rich Guida Federal PKI Steering Committee Chair

3 Agenda Federal PKI Approach –Elements of Interoperability –Bridge Approach –Current Status –Critical Interoperability Issues Commonwealth of Virginia PKI Approach –Context –Early Conclusions –Final Design Decisions –Lessons Learned

4 Federal PKI Approach

5 Elements of Interoperability Technical –Mesh (cross-certification) –Bridge (cross-certification with central hub) –Hierarchy (one-way certification) –Trust list (browser model) Policy –Levels of assurance for certificates –X.509 policy processing framework

6 Federal PKI Approach Establish Federal PKI Policy Authority (for policy interoperability) Implement Federal Bridge CA using COTS (for technical interoperability) Deal with directory issues in parallel –Border directory concept Use ACES for public transactions

7 Federal PKI Policy Authority Voluntary interagency group - NOT “agency” Governing body for interoperability through FBCA – Agency/FBCA certificate policy mappings Oversees operation of FBCA, authorizes issuance of FBCA certificates Six charter agency members - DOJ, DOC, Treasury, DOD, OMB, GSA

8 Federal Bridge CA Non-hierarchical hub (“peer to peer”) Maps levels of assurance in disparate certificate policies (“policyMapping”) Ultimate bridge to CAs external to Federal government Directory initially contains only FBCA- issued certificates and CARLs Use NOT mandatory Concept successfully tested - EMA 4/00

9 FBCA Architecture Multiple CAs inside membrane, cross certified –Adding CAs straightforward albeit not necessarily easy Solves inter-product interoperability issues within membrane - which is good Single consolidated X.500 directory (but also support LDAP access) Not susceptible to DOS or intrusive attack

10 Current Status Prototype FBCA: Entrust, Cybertrust –Initial operation 2/8/00 –Replacing Cybertrust with Unicert Production FBCA: add other CAs –Operation by late 00 (funding permitting) FBCA Operational Authority is GSA (Mitretek technical lead and host site) FBCA Certificate Policy by late-00 FPKIPA stood up 7/00

11 Internal Directory Infrastructure PCA 2 FBCA DSA Internal Directory Infrastructure Border DSA 2 X.500 DSA Border DSA 1 LDAP Server Internal Directory Infrastructure PCA 1 PCA 3 Agency 1 Agency 2 Agency 3 FBCA LDAP Query-Response X.500 - DSP chaining Border Directory Concept

12 Access Certs for Electronic Services “No-cost” certificates for the public For business with Federal agencies only (but agencies may allow other uses on case basis) On-line registration, vetting with legacy data; information protected under Privacy Act Regular mail one-time PIN to get certificate Agencies billed per-use and/or per-certificate

13 Access Certs for Electronic Services RFP 1/99; bids received 4/99; first award 9/99 (DST), second award 10/99 (ORC), third award 10/99 (AT&T) Provisions for ACES-enabling applications, and developing customized PKIs Agencies do interagency agreement with GSA 500K “free” certs (no issuance cost) President used ACES in signing E-sign Act 6/00

14 Critical Interoperability Issues Directory interoperability Namespace control Client ability to create and process trust paths to X.509 standard Policy mapping of certificate assurance levels Legal liability

15 Commonwealth of Virginia PKI Approach

16 Context Political environment Project genesis State agency and local government pilot projects University of Virginia’s role

17 Early Conclusions No single hierarchy Multiple PKIs Focus on identity, not authorization, certificates Storage of encrypted documents discouraged

18 Final Decisions Simplicity in early implementation phase Virginia Online Transaction (VOLT) Certificates for citizens Mechanism to expand trust, e.g. bridge architecture Interoperability promoted through open standards Attraction, not compulsion

19 Lessons Learned Models are important, especially ones that help decide when to use digital signatures Uses should add value Process reengineering is essential Policy content should be deferred in favor of concept Best help comes from a few experts Auditors should be involved early on

20 Lessons Learned - cont’d Legal and/or political questions still surround most obvious best uses, e.g. online voting Successful implementation requires range of options, such as: –autonomy for state agencies & local govts. –central PKI service for those who need it –open standards aimed at interoperability with flexibility

21 Lessons Learned - cont’d Most Importantly….. Get involved in state initiatives and devote sufficient resources  Provides education & help where needed  Helps protect interests of higher education

22 Further Information Sources Federal Steering Committee http://gits-sec.treas.gov Commonwealth of Virginia Digital Signatures Initiative http://www.sotech.state.va.us/cots/dsi/index.htm Commonwealth of Virginia Bridge Certification Architecture Project at the University of Virginia http://www.itc.virginia.edu/oit/technology/pki/home.html

23 Questions?

Download ppt "Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000."

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.

The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Federal PKI Architecture Update

Federal PKI Architecture Update
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council 202-622-1552.

The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council
Ongoing Efforts to Build The US Federal PKI Bridge

Ongoing Efforts to Build The US Federal PKI Bridge
Stanley J. Choffrey (202) 708-7943 The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.

Stanley J. Choffrey (202) The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.
Federal PKI Evolution Substantial bottom-up growth in agency use of PKI (report to be published shortly)Substantial bottom-up growth in agency use of PKI.

Federal PKI Evolution Substantial bottom-up growth in agency use of PKI (report to be published shortly)Substantial bottom-up growth in agency use of PKI.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
Copyright Judith Spencer 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.

NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,

Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,
Toward the Use of DIGITAL Signatures in the Commonwealth of Virginia Prepared for the Council on Technology Services by the Privacy, Security & Access.

Toward the Use of DIGITAL Signatures in the Commonwealth of Virginia Prepared for the Council on Technology Services by the Privacy, Security & Access.
The U.S. Federal PKI and the Federal Bridge Certification Authority

The U.S. Federal PKI and the Federal Bridge Certification Authority
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting

Similar presentations

Ads by Google