1 The E-Authentication Initiative: An Overview
Peter Alterman, Ph.D., Assistant CIO for e-Authentication, NIH, and Chair, Federal PKI Policy Authority

2 E-Gov Program Management Office: HSPD-12
 Mandates that all Federal Agencies issue ID credentials using FIPS 201 identity-proofing procedures beginning 10/05
 Mandates that all Federal Agencies begin issuing smart cards with medium-assurance digital certificates by 10/06
 Authorization remains a local prerogative

3 Purpose and Function of the E-Authentication Program
 To provide a single source of identity authentication services for Federal Agency Applications
 To develop and promulgate policies and procedures to sustain a common identity federation for the Federal Government in support of e-Gov and HSPD-12
 To partner with Credential Service Providers and other identity federations to enable the broadest access to e-Gov services

4 Summary of the E-Authentication Approach
 Four Levels of Assurance of identity (LOA), defined by policy
   LOA 1 and 2 are assertion-based: userid/password, SAML, Shibboleth, etc.
   LOA 3 and 4 are cryptographically based: PKI, etc.
 The LOA an application requires is determined by a standard risk assessment
 Agency Applications (AAs) are autonomous in their authorization decisions
 AAs rely on credentials issued by external Credential Service Providers (CSPs), who submit to an assessment based on the Credential Assessment Framework
 Principle of reusable credentials

5 E-Authentication Initiatives
 Credential Assessment Framework for evaluating the level of assurance (LOA) of identity provided by credential service providers' credentials
 Membership in the Liberty Alliance
 Frequent meetings with Microsoft
 Interfederation Interoperability Project with Cybertrust and the Internet2/Shibboleth team (more slides later)

6 Credential Assessment Framework
 A structured methodology and procedures for evaluating the LOA of a CSP's credentials
 An assessment team that goes out and evaluates CSPs
 A process for conflict resolution
 Posting CSPs and their credential LOAs to a trust list (an unfortunate term) on the website

7 The Federal PKI & the E-Authentication Federated Approach
[Figure: architecture diagram; only its labels survive extraction. Federal PKI: the Federal Bridge CA (FBCA Certificate Policy, FBCA High and FBCA Medium), two-way cross-certified with Agencies (legacy agency CA policy), States, Foreign Entities, Other Bridge CAs and ACES; the Citizen & Commerce Class Common (C4) Certificate Policy CA (included in browser lists of CAs) cross-certified with private-sector CAs (Wells Fargo, AOL, PEPCO); the FPKI Common Policy Framework (FCPF) Certificate Policy CA, trust anchor for the hierarchical Common Policy PKI, with Qualified Shared Service Providers (USDA/NCF, VeriSign, DST) and new agencies optionally two-way cross-certified; the E-Governance CA (E-Governance Certificate Policy, mutual authentication of SAML/SSL certificates only), one-way cross-certified, with Assurance Level 1 and Assurance Level 2. An FPKI Validation Service (XKMS, OCSP, CAM, SOAP, others) spans CA 1 (Community 1), CA 2 (Community 2) and CA 3 / CA 4, CA 4a, CA 4b (Community 3) joined through the Bridge; the eAuth Trust List is shown alongside.
Certificate-based transaction flow shown in the figure:
  Step #1: The user goes to the Portal to select the AA and ECP.
  Step #2: The user is passed directly to the AA.
  Step #3: The user authenticates to the AA directly using SSL or TLS.
  Step #4: The AA uses the validation service to validate the certificate.]

8 Interfederation Interoperability
 Assertion-level trust transactions require federation-to-federation policy and technology interoperability initiatives
   Under way with InCommon (Internet2)
 Crypto-level trust transactions are mediated by the Federal Bridge
   Under way with the Higher Education Bridge, the Pharmaceutical Industry Bridge and the Aerospace Bridge
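The mechanism behind slide 7's step #4 and slide 8's "crypto-level trust mediated by the Federal Bridge" is certificate path discovery through cross-certificates: a relying Agency Application trusts only its own community's anchor, and a user certificate from another community is acceptable only if a chain of cross-certificates leads from that user's CA, through the bridge, back to the anchor. The following is an added example written for this page, not code from the deck or from the E-Authentication program. It uses only the Go standard library and builds a constructed toy federation with hypothetical CA names (Agency Principal CA, Federal Bridge CA, University CA, Unaffiliated CA) that stand in for the real FPKI entities; everything in it is an assumption made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Toy federation constructed for this example (not the real FPKI): each member CA
// is a trust anchor only for its own community; the bridge CA issues a cross-
// certificate to each member and receives one from each in return.
type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate // self-signed
}

type Federation struct {
	Agency, Bridge, University, Unaffiliated ca // Unaffiliated is never cross-certified
	CrossCerts                               []*x509.Certificate
}

var serial int64

// issue signs a certificate for subjectKey with issuerKey; issuer == nil makes it
// self-signed. A cross-certificate is just a CA certificate whose subject key
// belongs to a different CA.
func issue(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, cn string,
	subjectKey *ecdsa.PublicKey, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, subjectKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // parsed form carries SKID/AKID; our own DER always parses
	return cert
}

func newCA(cn string) ca {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return ca{key, issue(nil, key, cn, &key.PublicKey, true)}
}

func NewFederation() *Federation {
	f := &Federation{Agency: newCA("Agency Principal CA"), Bridge: newCA("Federal Bridge CA"),
		University: newCA("University CA"), Unaffiliated: newCA("Unaffiliated CA")}
	for _, m := range []ca{f.Agency, f.University} { // two-way cross-certification with the bridge
		f.CrossCerts = append(f.CrossCerts,
			issue(f.Bridge.cert, f.Bridge.key, m.cert.Subject.CommonName, &m.key.PublicKey, true),
			issue(m.cert, m.key, f.Bridge.cert.Subject.CommonName, &f.Bridge.key.PublicKey, true))
	}
	return f
}

// UserCert issues an end-entity client-authentication certificate under issuer.
func (f *Federation) UserCert(issuer ca, cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return issue(issuer.cert, issuer.key, cn, &key.PublicKey, false)
}

// ValidateViaBridge is step #4 of the flow: the relying AA trusts only its own
// anchor and must build a path through whatever cross-certificates it holds.
// It returns the length of the first valid path, leaf and anchor included.
func ValidateViaBridge(user *x509.Certificate, anchor ca, crossCerts []*x509.Certificate) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.cert)
	for _, c := range crossCerts {
		inter.AddCert(c)
	}
	chains, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	f := NewFederation()
	student := f.UserCert(f.University, "student@university.example")
	fmt.Println(ValidateViaBridge(student, f.Agency, f.CrossCerts)) // 4 <nil>
	fmt.Println(ValidateViaBridge(student, f.Agency, nil))          // 0 and an unknown-authority error
}
```

Run it with `go run`. The university user validates at the agency only when the two cross-certificates (University CA signed by the bridge, bridge signed by the agency anchor) are available to the path builder, giving a four-certificate path; the same cross-certificates, read in the other direction, let a university relying party accept an agency user, which is what "two-way cross-certified" on slide 7 buys. A CA with no cross-certificate from the bridge, or a relying party that has not obtained the cross-certificates, fails with an unknown-authority error. Two caveats for a production AA: the standard-library verifier as configured here performs no revocation checking (the OCSP/CRL part of the validation service) and no certificate-policy processing, and it is the policy mapping in the FBCA cross-certificates that carries the FBCA High/Medium assurance levels across communities, so both must be added before path validation can be treated as an LOA decision.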

9 What Happens When Two Federations Want to Interoperate?
 Enable technical interoperability between members of the different federations
 Develop mutually agreed-upon mappings for trusting identity credentials and elements of credentials
 Develop mutually agreed-upon mappings for business rules
 Develop peer-based conflict resolution mechanisms

10 Report: Status of the Interfederation Interoperability Work Group
 InCommon, the Higher Education identity federation
   Uses Shibboleth middleware technical protocols
   Policy-light
 E-Authentication, the US identity federation
   Uses a variety of technical protocols
   Policy-intensive

11 Accomplishments to Date
 Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2
 Production-level interoperability built into Shibboleth 1.3 (in beta)
 Extensive groundwork done on identifying policy and procedure mapping/treaty requirements
 Credential assessment of 4 universities

12 Work in Progress
 Development of common SAML 2.0 schemes
 Development of a common USPerson profile and profile management infrastructure
 Development of a production-quality scheme translator
 Ongoing work to enable cross-federation trust and interoperability
 NSF FastLane to accept 4 universities' Shibboleth-based identity and attribute credentials

13 Unresolved Issues
 Mapping null attributes
 Ensuring privacy of attribute information in a variety of instances
 Portal integration
 Scaling issues for listing credential providers
 Issues of transitivity across federations
 Multiple authoritative sources/conflicting authoritative sources
 Vocabulary and "data dictionary" issues
 Liability and indemnification issues

14 More Information