1 / 9

The FBCA Architecture: Lessons Learned

Learn about the FBCA architecture lessons and challenges faced in implementing a unified federal PKI infrastructure. Understand the benefits of multiple CAs, cryptographic algorithms, and certificate management protocols. Discover alternative architectures for better security. Unveil key insights and lessons learned for efficient PKI implementation.

cliffordvaldez
Download Presentation

The FBCA Architecture: Lessons Learned

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The FBCA Architecture:Lessons Learned Tim Polk, NIST March 9, 2001

  2. FBCA Goals • Leverage emerging agency PKIs to create a unified federal PKI • Limit workload agency CA staff • Support agency use of • Any FIPS-approved cryptographic algorithm • A broad range of commercial CA products • Propagate policy information to certificate users in different agencies

  3. EMA Challenge Architecture

  4. Multiple CAs in FBCA Membrane • Support multiple cryptographic algorithms • Support for multiple certificate management protocols

  5. FBCA architecture • FBCA CAs • Offline • No network connectivity • FBCA directory online

  6. An Alternative Bridge Architecture • Bridge CAs offline but have network connectivity • Internal directory • Firewall (strict) • Border Directory

  7. FBCA Directory Architecture • Chained X.500 directories • Dual-rooted FBCA directory is “hub” • dc=gov • o=U.S. Government, c=US

  8. Lessons Learned • Bridge CAs can unite PKIs with • Different architectures • Different cryptographic algorithms • Different DITs • Heterogeneous commercial products can be used inside the bridge • Client software is the limiting factor • X.500 chaining simplifies certificate retrieval • Offline bridge architecture is secure but inefficient

More Related