Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000.

Shirley Payne, UVa Security Director
Tim Sigmon, UVa Advanced Technology Director
Chip German, UVa Policy/Planning Director
Rich Guida, Federal PKI Steering Committee Chair

Agenda
Federal PKI Approach
– Elements of Interoperability
– Bridge Approach
– Current Status
– Critical Interoperability Issues
Commonwealth of Virginia PKI Approach
– Context
– Early Conclusions
– Final Design Decisions
– Lessons Learned

Federal PKI Approach

Elements of Interoperability
Technical
– Mesh (cross-certification)
– Bridge (cross-certification with central hub)
– Hierarchy (one-way certification)
– Trust list (browser model)
Policy
– Levels of assurance for certificates
– X.509 policy processing framework

Federal PKI Approach
Establish Federal PKI Policy Authority (for policy interoperability)
Implement Federal Bridge CA using COTS (for technical interoperability)
Deal with directory issues in parallel
– Border directory concept
Use ACES for public transactions

Federal PKI Policy Authority
Voluntary interagency group - NOT “agency”
Governing body for interoperability through FBCA
– Agency/FBCA certificate policy mappings
Oversees operation of FBCA, authorizes issuance of FBCA certificates
Six charter agency members - DOJ, DOC, Treasury, DOD, OMB, GSA

Federal Bridge CA
Non-hierarchical hub (“peer to peer”)
Maps levels of assurance in disparate certificate policies (“policyMapping”)
Ultimate bridge to CAs external to Federal government
Directory initially contains only FBCA-issued certificates and CARLs
Use NOT mandatory
Concept successfully tested - EMA 4/00

FBCA Architecture
Multiple CAs inside membrane, cross-certified
– Adding CAs straightforward albeit not necessarily easy
Solves inter-product interoperability issues within membrane - which is good
Single consolidated X.500 directory (but also supports LDAP access)
Not susceptible to DoS or intrusive attack

Current Status
Prototype FBCA: Entrust, Cybertrust
– Initial operation 2/8/00
– Replacing Cybertrust with Unicert
Production FBCA: add other CAs
– Operation by late ’00 (funding permitting)
FBCA Operational Authority is GSA (Mitretek technical lead and host site)
FBCA Certificate Policy by late ’00
FPKIPA stood up 7/00

Border Directory Concept (diagram): Agency 1, Agency 2 and Agency 3 each run an internal directory infrastructure with their own PCA (PCA 1, PCA 2, PCA 3); border directories (Border DSA 1, an X.500 DSA; Border DSA 2, an LDAP server) sit between the agency infrastructures and the FBCA DSA; labelled links are LDAP query-response and X.500 DSP chaining.

Access Certs for Electronic Services (ACES)
“No-cost” certificates for the public
For business with Federal agencies only (but agencies may allow other uses on a case-by-case basis)
On-line registration, vetting with legacy data; information protected under Privacy Act
Regular mail one-time PIN to get certificate
Agencies billed per-use and/or per-certificate

Access Certs for Electronic Services (ACES)
RFP 1/99; bids received 4/99; first award 9/99 (DST), second award 10/99 (ORC), third award 10/99 (AT&T)
Provisions for ACES-enabling applications, and developing customized PKIs
Agencies do interagency agreement with GSA
500K “free” certs (no issuance cost)
President used ACES in signing E-SIGN Act 6/00

Critical Interoperability Issues
Directory interoperability
Namespace control
Client ability to create and process trust paths to X.509 standard
Policy mapping of certificate assurance levels
Legal liability
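The bridge model described in the slides above (cross-certification through a central hub, policyMapping of assurance levels, and the client's job of building and processing a trust path) as an added, simplified example; this is not code from the presentation or from the FBCA project, and the CA names and policy identifiers are constructed placeholders, not real OIDs.

```python
from collections import deque

# Constructed example data (not real FBCA, agency or Commonwealth OIDs). Each
# cross-certificate is (issuer CA, subject CA, policyMappings); policyMappings
# pairs an issuer-domain policy with the subject-domain policy judged equivalent,
# as the X.509 extension does. Bridge topology: every CA cross-certifies with the
# bridge only, never with another agency, so any path is at most two cross-certs.
CROSS_CERTS = [
    ("AgencyA-CA", "FBCA", {"agencyA.high": "fbca.high", "agencyA.medium": "fbca.medium"}),
    ("FBCA", "AgencyA-CA", {"fbca.high": "agencyA.high", "fbca.medium": "agencyA.medium"}),
    ("AgencyB-CA", "FBCA", {"agencyB.high": "fbca.high", "agencyB.medium": "fbca.medium"}),
    ("FBCA", "AgencyB-CA", {"fbca.high": "agencyB.high", "fbca.medium": "agencyB.medium"}),
    # The state's VOLT citizen certificates are mapped to the FBCA medium level only.
    ("StateVA-CA", "FBCA", {"volt.citizen": "fbca.medium"}),
    ("FBCA", "StateVA-CA", {"fbca.medium": "volt.citizen"}),
]

def build_path(trust_anchor, target_ca):
    """Breadth-first search over the cross-certificate graph from the relying party's
    trust anchor to the CA that issued the end-entity cert; None if no path exists."""
    parent = {trust_anchor: None}
    queue = deque([trust_anchor])
    while queue:
        ca = queue.popleft()
        if ca == target_ca:
            path, node = [], ca
            while parent[node] is not None:
                path.append(parent[node])
                node = parent[node][0]  # step back to the issuer of this cross-cert
            return path[::-1]
        for cert in CROSS_CERTS:
            if cert[0] == ca and cert[1] not in parent:
                parent[cert[1]] = cert
                queue.append(cert[1])
    return None

def validate(trust_anchor, acceptable_policies, ee_issuer, ee_policies):
    """Carry the relying party's acceptable policies (in its own domain's identifiers)
    along the path, translating through each cross-cert's policyMappings; accept only
    if the end-entity certificate asserts one of the translated policies."""
    path = build_path(trust_anchor, ee_issuer)
    if path is None:
        return False, "no trust path"
    policies = set(acceptable_policies)
    for issuer, subject, mappings in path:
        policies = {mappings[p] for p in policies if p in mappings}
        if not policies:
            return False, f"no acceptable policy survives {issuer} -> {subject}"
    matched = policies & set(ee_policies)
    return bool(matched), f"path {[c[1] for c in path]}, matched {sorted(matched)}"
```

A relying party in Agency A that accepts medium or high assurance validates an Agency B medium certificate through the bridge, while one that requires high rejects a VOLT citizen certificate because no high-level mapping survives the FBCA to StateVA-CA hop.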

Commonwealth of Virginia PKI Approach

Context
Political environment
Project genesis
State agency and local government pilot projects
University of Virginia’s role

Early Conclusions
No single hierarchy
Multiple PKIs
Focus on identity, not authorization, certificates
Storage of encrypted documents discouraged

Final Decisions
Simplicity in early implementation phase
Virginia Online Transaction (VOLT) Certificates for citizens
Mechanism to expand trust, e.g. bridge architecture
Interoperability promoted through open standards
Attraction, not compulsion

Lessons Learned
Models are important, especially ones that help decide when to use digital signatures
Uses should add value
Process reengineering is essential
Policy content should be deferred in favor of concept
Best help comes from a few experts
Auditors should be involved early on

Lessons Learned - cont’d
Legal and/or political questions still surround most obvious best uses, e.g. online voting
Successful implementation requires range of options, such as:
– autonomy for state agencies & local govts.
– central PKI service for those who need it
– open standards aimed at interoperability with flexibility

Lessons Learned - cont’d
Most importantly: get involved in state initiatives and devote sufficient resources
– Provides education & help where needed
– Helps protect interests of higher education

Further Information Sources
Federal PKI Steering Committee
Commonwealth of Virginia Digital Signatures Initiative
Commonwealth of Virginia Bridge Certification Architecture Project at the University of Virginia

Questions?