The U.S. Federal PKI, 2004: Report to EDUCAUSE Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health.

The Federal Bridge CA is Now the Federal PKI Architecture (SuperSize Me)
Components include:
- US Federal Bridge CA
- Common Policy Framework CA
- E-Authentication CA
- Citizen and Commerce Class CA

Key Points
- The main connection between the US Federal PKI and external PKIs (including other bridges) continues to be the Federal Bridge CA.
- The Common Policy Framework CA issues cross-certificates to SSP primary CAs.
- The Common Policy Framework CA is cross-certified with the FBCA.
- E-Authentication CA: two other CAs service E-Authentication levels one and two (CSP SSL/TLS server certificate issuance).
- The C4 CA services alternative PKIs ("ultra lights").

Cross-Certified with the US FBCA
- Department of Defense (one way)
- DOD Key Management Infrastructure
- NASA
- USDA/National Finance Center
- Treasury
- State
- Energy
- Labor
- State of Illinois
- DST/Identrus ACES (and HHS)
- ORC ACES

Pending/In Process
- U.S. Patent and Trade
- Wells Fargo Bank / Identrus
- Government of Canada
- Boeing
- HEBCA
- Government of Australia
- UK Ministry of Defence

Approved Shared Service Providers
- VeriSign
- CyberTrust
- National Finance Center/USDA
- Others pending

Other Bridges Emerging: A Global Trust Infrastructure
- Aerospace Industry (CertiPath)
- Pharmaceutical Industry (SAFE)
- Unofficially, and really not a bridge, but might as well be: Crimson Logic Pacific Rim Import/Export Application (9 economies)

And Now A Graphic
Showing how the Federal PKI fits into the overall U.S. E-Authentication Architecture.

[Diagram: The US Federal PKI & The E-Authentication Federated Approach]
- FBCA Certification Authority (FBCA Certificate Policy): two-way cross-certified (FBCA High & FBCA Medium) with Agencies (legacy agency CA policy), States, Foreign Entities and Other Bridge CAs; one-way cross-certified with ACES; a New Agency is optionally two-way cross-certified.
- Citizen & Commerce Class Common (C4) Certificate Policy / C4 Policy Certification Authority (included in browser list of CAs), cross-certified with the private sector: Wells Fargo, AOL, PEPCO.
- FPKI Common Policy Framework (FCPF) Certificate Policy / FCPF Policy Certification Authority (trust anchor for Common FPKI Policy hierarchical PKI subscribers), with Qualified Shared Service Providers USDA/NCF, Verisign and DST.
- E-Governance Certification Authority (E-Governance Certificate Policy; mutual authentication of SAML/SSL certificates only), Assurance Level 1 and Assurance Level 2.
- Validation mechanisms shown: XKMS, OCSP, CAM, SOAP, others.
- Note: red lines indicate technical areas to resolve. Working groups are formed to address these areas by the 1st week of March.

[Diagram: FPKI Validation Service (Communities 1-3 with CAs 1-4 bridged through the FPKI; eAuth Trust List)]
- Step 1: The user goes to the Portal to select the AA and ECP.
- Step 2: The user is passed directly to the AA.
- Step 3: The user authenticates to the AA directly using SSL or TLS.
- Step 4: The AA uses the validation service to validate the certificate.

Other Federal/Higher Ed Initiatives, or Places We Meet (In Hoc Signo Vinces)
- NIH-EDUCAUSE PKI Interoperability Project, Phase 4
- E-Authentication-Shibboleth Interoperability Initiative
- E-Authentication Partnership
- International Collaborative Identity Management Forum (ICIDM)

Issues Being Pursued Actively
- Path Discovery / Path Validation
  – CAM works
- Bridge-Bridge Interoperability Procedures, including Bridge Operations Issues (citizenship, etc.)
- FIPS 201 and HSPD-12

Path Discovery / Path Validation
- CAM 4 RC7 ready for prime time and configurable to map LOA
- CAM 4 RC8 due January, 2005 (GUI interface for configuration)
- Validation Service/Tool Requirements Document about ready for release
- No COTS service/tool yet a reality
- Betting on SCVP for the next generation validation checking protocol
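Path discovery across the bridge topology from the Key Points and Cross-Certified slides, as an added illustration that is not code from the presentation: a constructed cross-certificate graph using the CA names from the slides (assurance levels per edge, and the direction of the DoD one-way cross-certification, are assumptions), searched from a relying party's trust anchor to the issuing CA while tracking the weakest assurance level on the path, the kind of LOA mapping the slide says CAM is configurable to do. It shows why the direction of a one-way cross-certificate decides whose certificates a relying party can validate.

```python
from collections import deque

# Assurance levels shown in the architecture diagram, ordered weakest to strongest.
LEVEL_RANK = {"Medium": 1, "High": 2}

# Constructed cross-certificate graph (illustrative assumption): key = (issuer, subject),
# value = assurance level the issuer asserts for that subject CA. A pair present in only
# one direction models a one-way cross-certification.
CROSS_CERTS = {
    ("FBCA", "Common Policy CA"): "Medium",
    ("Common Policy CA", "FBCA"): "Medium",
    ("Common Policy CA", "VeriSign SSP CA"): "Medium",  # SSP primary CA under Common Policy
    ("FBCA", "NASA CA"): "Medium",
    ("NASA CA", "FBCA"): "Medium",
    ("FBCA", "Treasury CA"): "High",
    ("Treasury CA", "FBCA"): "High",
    ("DoD CA", "FBCA"): "Medium",  # assumed direction of the one-way cross-cert: DoD issued to FBCA
    ("FBCA", "State of Illinois CA"): "Medium",
    ("State of Illinois CA", "FBCA"): "Medium",
}


def find_path(trust_anchor, target_ca, required_level):
    """Breadth-first path discovery from the relying party's trust anchor to the CA that
    issued the end-entity certificate. Only issuer->subject edges are followed (a relying
    party can only build a chain through certificates that actually exist), and the
    assurance of a path is its weakest cross-certificate. Branches that already fall
    below required_level are pruned. Returns (path, level) or None."""
    edges = {}
    for (issuer, subject), level in CROSS_CERTS.items():
        edges.setdefault(issuer, []).append((subject, level))
    queue = deque([([trust_anchor], "High")])
    seen = {trust_anchor}
    while queue:
        path, level = queue.popleft()
        if path[-1] == target_ca:
            return path, level
        for subject, edge_level in edges.get(path[-1], []):
            if subject in seen:
                continue
            new_level = min(level, edge_level, key=LEVEL_RANK.get)
            if LEVEL_RANK[new_level] < LEVEL_RANK[required_level]:
                continue  # this chain can never satisfy the relying party's policy
            seen.add(subject)
            queue.append((path + [subject], new_level))
    return None


if __name__ == "__main__":
    print(find_path("NASA CA", "VeriSign SSP CA", "Medium"))  # path via FBCA and Common Policy CA
    print(find_path("NASA CA", "DoD CA", "Medium"))  # None: FBCA issued no certificate to DoD
```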

Bridge-to-Bridge Interoperability
- Policy and Procedures: FPKI Policy Authority leads the pack
- Technical Implementation Issues: architecture and trust
- Politics and Money
- Current sticking point is citizenship requirements for trusted operators

HSPD-12, The Black Hole: Background
- Requires NIST to promulgate technical and procedural standards for electronic identity authentication for Feds and contractors (PIV = Personal Identity Verification)
- Encompasses physical and logical access to government resources
- Ultra short timeframe: standards done in Spring, agency implementation plans due late June, agency implementation begins October
- Means Medium Assurance digital certificates on smart cards, but next generation crypto is being pushed

HSPD-12, The Black Hole: Status
- Current action is with three documents: FIPS 201, SP and the Implementation Guide
- Current draft of FIPS 201 is being heavily revised; final version due mid-February
- Revision to SP (Smart Card Standards) under way; IAB hard at work revising to accommodate industry input, due late January
- Implementation in two phases to accommodate the installed base and the vendor community
- WILL AFFECT EVERYONE

Reminder: PKI R&D Workshop
- April 19 – 21, 2005
- NIST, Gaithersburg, MD
- This year, the workshop has a particular interest in how emergent trust mechanisms will interact with each other at technical, policy and user levels.