1. NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen Neustar

2. NENA Development Conference | October 2014 | Orlando, Florida How Certificates Work  Who or what can use certificates?  Individual  Computer  Other network entities  What are they used for?  Establishing trust – Authentication and Verification  Each end involved in a transaction is who they say they are  Data Encryption  No one can intercept and read the data being sent  What do Certificates provide for information?

3. NENA Development Conference | October 2014 | Orlando, Florida Certificate Information ►Subject ►Provides the name of the computer, user, network device, or service that the CA issues the certificate to ►Serial Number ►Provides a unique identifier for each certificate that a CA issues. ►Issuer ►Provides a distinguished name for the CA that issued the certificate. ►Valid From ►Provides the date and time when the certificate becomes valid. ►Valid To ►Provides the date and time when the certificate is no longer considered valid. ►Public Key ►Contains the public key of the key pair that is associated with the certificate

4. NENA Development Conference | October 2014 | Orlando, Florida What is a Public Key?  Public key is the algorithm used to ensure that individual, computer or network entity is who they say they are as well as providing encryption.  The other side or the ‘Private Key’ is only known by the device requesting that the user (etc) certify they are who they say they are.  Encryption - key and Lock…. Decryptor (Private Key) Encryptor (Public Key)

5. NENA Development Conference | October 2014 | Orlando, Florida How do you get a public key?  From a Certificate Authority (CA)  Verisign  Microsoft  Custom (Linux etc)  Go Daddy  The CA is the “hardware store” where you get the public key ‘made’  Except the employee at the hardware store has to verify you are who you say you are through other means (questioning, other credentials etc)  Who should be the CA for NG9-1-1?  Any of the current ones?  A new one – purpose built for 9-1-1?

6. NENA Development Conference | October 2014 | Orlando, Florida Problems in dealing with Public Keys  A public key has an “identity” associated with it  Identities of agencies in NG9-1-1 are domain names, like psap.allegheny.pa.us  If you have a public key, how do you know:  What the identity associated with the key is?  That the key is the right key for that identity?  That the key is still good?

7. NENA Development Conference | October 2014 | Orlando, Florida X.509 Certificates  The standard way to distribute public keys  It’s a data format  Contains the identity and the key itself  Has an expiration date  Digitally signed by a Certificate Authority

8. NENA Development Conference | October 2014 | Orlando, Florida Public Key Infrastructure (PKI)  The way we distribute public keys, typically via X.509 certificates, in a way that provides sufficient trust in the system  Uses a tree of Certificate Authorities  A “Root” CA is the trust anchor. Everyone in the PKI agrees all trust is based in the ROOT CA  The Root CA signs its own certificate  The Root CA cert is “well known”. There is only one of them, so it’s fairly easy to distribute it reliably

9. NENA Development Conference | October 2014 | Orlando, Florida CA Hierarchy  Below the Root CA can be some number of other CAs  The certificate of the secondary CAs are signed by the root CA  The certificate of the tertiary (if any) CAs are signed by a secondary CA  The certificates of “users” are signed by secondary or tertiary CAs  This creates a tree of CAs

10. NENA Development Conference | October 2014 | Orlando, Florida A CA needs to know who it’s signing a cert for  Mechanically, you give a CA your public key and identity and ask them to issue a signed cert  The CA has to do due diligence to make sure your identity is good  Different CAs have different criteria for what it takes for them to verify your identity

11. NENA Development Conference | October 2014 | Orlando, Florida CP/CPS  A “Certificate Policy” states the rules of the road for the PKI  A “Certificate Practice Statement” states the processes used by a CA to implement the CP  Although somewhat formulaic, the CP/CPS are the key documents that provide the level of assurance needed by relying parties to distribute keys within the PKI

12. NENA Development Conference | October 2014 | Orlando, Florida Things go wrong: CRL and OSCP  Keys may need to be revoked if the private key is compromised, the identity is show to be fraudulent, or the key holder is no longer part of the PKI, etc.  CAs have formal certificate revocation processes  They maintain a “Certificate Revocation List”  They might implement a protocol called “Online Certificate Status Protocol” to query the CA in real time to determine the status of a cert

13. NENA Development Conference | October 2014 | Orlando, Florida Things go badly wrong  It happens that a CA gets its key compromised, or has some other serious problem  It can re-issue its key, but that causes it to need to re-issue all the certs it has signed  Very big deal so:  Make sure your CA is trustworthly and very careful  Be prepared to bulk-reissue keys

14. NENA Development Conference | October 2014 | Orlando, Florida Getting Specific, the PCA  The “PSAP Certificate Authority” is the root CA for the NG9- 1-1 PKI  We hope to get a National PCA established soon one way or another  We hope to have it’s cert cross signed by the “Federal Bridge CA”  The PCA is the root of trust for NG9-1-1

15. NENA Development Conference | October 2014 | Orlando, Florida PCA CPS  We have to create one, but the key issue will be what level of information is needed before the PCA will issue a cert  I think it should be VERY picky. Like it needs to do a site visit, get letters of authenticity from upper level agencies, etc.  That means only a few entities should get PCA certs

16. NENA Development Conference | October 2014 | Orlando, Florida How about all the rest of the certs?  Really do want to have a state PCA  The state does know who the PSAPs are. The National PCA won’t  But agents need certs too  And state PCAs won’t know agents  So probably some regional CA should issue agent certs

17. NENA Development Conference | October 2014 | Orlando, Florida CP/CPS for all  The CP will be fairly uniform across the PKI  CPS will be specific to the CA  Need to develop a recommended CPS for state and regional CAs  Good job for a contractor

18. NENA Development Conference | October 2014 | Orlando, Florida Paying for it  The root CA needs to be secure  That level of security costs, and needs expertise (contractor who runs existing CAs)  It probably needs to be self supporting, so it will charge for certs it issues, but someone has to cover startup costs

19. NENA Development Conference | October 2014 | Orlando, Florida  State CAs need less overall security  And probably should be using a contractor to defray the costs of the mechanical components  Could be state sponsored or could be self supporting by charging for certs issued  Regional CAs should be fairly inexpensive to run – Microsoft has CA code, and open source code exists to handle the mechanics. Mostly a manpower cost.

20. NENA Development Conference | October 2014 | Orlando, Florida NG9-1-1 CA  NENA Board Was Given Four (4) Options: 1. NENA can become a CA and issue certificates as the National PCA. 2. NENA could contract with any number of existing, third party CAs that currently exist. 3. NENA could contract with a 9-1-1 technology company (other than an existing CA) to serve as both the National and State PCAs on NENA’s behalf. 4. Do Nothing.  They Chose our Recommendation: Existing Third Party  Quick implementation.  Proven experience.  Minimal NENA staff requirements.  Potential revenue cost sharing.