The U.S. Federal PKI
Richard Guida, P.E.
Chair, Federal PKI Steering Committee
Chief Information Officers Council
Richard.Guida@cio.treas.gov; 202-622-1552
(Steering Committee web page: http://gits-sec.treas.gov)

E-Transaction Landscape
• Intra-agency
  • personnel matters, agency management
• Interagency
  • payments, account reconciliation, litigation
• Agency to trading partner
  • procurement, regulation
• Agency to the public

Federal PKI Approach
• Establish Federal PKI Policy Authority (for policy interoperability)
• Implement Federal Bridge CA using Commercial Off The Shelf software (for technical interoperability)
• Deal with directory interoperability issues
• Use ACES for public transactions

Federal PKI Policy Authority
• Voluntary interagency group - NOT an “agency”
• Governing body for interoperability with FBCA
• Agency/FBCA cert policy mappings
• Oversees operation of FBCA, authorizes issuance of FBCA certificates
• Six agency charter members (DOD, DOJ, DOC, Treasury, GSA, OMB)

Federal Bridge CA
• Non-hierarchical hub (“peer to peer”)
• Maps levels of assurance in disparate certificate policies (“policyMapping”)
• Issue: assurance level vs. usage policy
• Ultimate bridge to CAs external to Federal government
• Directory initially contains only FBCA-issued certificates and ARLs

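The assurance-level mapping the bridge performs, as an added example that is not part of the original slides: a simplified model of how X.509 policyMappings translate a relying party's acceptable policies along a path from Agency A, through a bridge CA, to an Agency B subscriber. The OIDs, domain names and assurance levels are constructed placeholders, and signature, validity and revocation checks are omitted.

```python
from dataclasses import dataclass, field

# Constructed placeholder OIDs (not real agency or FBCA policy identifiers).
A_MEDIUM, A_HIGH = "1.3.999.1.2", "1.3.999.1.3"      # Agency A domain
BR_MEDIUM, BR_HIGH = "1.3.999.0.2", "1.3.999.0.3"    # bridge domain
B_LEVEL2, B_LEVEL3 = "1.3.999.2.20", "1.3.999.2.30"  # Agency B domain

@dataclass
class Cert:
    issuer: str
    subject: str
    policies: set                                 # certificatePolicies (issuer's domain)
    mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> {subjectDomainPolicy}

def satisfied_policies(acceptable, path):
    """Return the relying party's own policies that the last cert in `path` meets."""
    # expected: policy OID valid at this point -> relying-party policies it came from
    expected = {p: {p} for p in acceptable}
    for i, cert in enumerate(path):
        if i and cert.issuer != path[i - 1].subject:
            raise ValueError("path is not chained at " + cert.subject)
        # Only policies the certificate actually asserts remain valid.
        expected = {p: o for p, o in expected.items() if p in cert.policies}
        translated = {}
        for p, origins in expected.items():
            # A mapped policy is replaced by its subject-domain equivalents;
            # an unmapped one is carried forward unchanged.
            for q in cert.mappings.get(p, {p}):
                translated.setdefault(q, set()).update(origins)
        expected = translated
    return set().union(*expected.values())

def sample_path(ee_policies):
    """Constructed path: Agency A CA -> Bridge CA -> Agency B CA -> B subscriber."""
    a_to_bridge = Cert("Agency A CA", "Bridge CA", {A_MEDIUM, A_HIGH},
                       {A_MEDIUM: {BR_MEDIUM}, A_HIGH: {BR_HIGH}})
    # The bridge cross-certifies Agency B at medium assurance only.
    bridge_to_b = Cert("Bridge CA", "Agency B CA", {BR_MEDIUM},
                       {BR_MEDIUM: {B_LEVEL2}})
    end_entity = Cert("Agency B CA", "B subscriber", set(ee_policies))
    return [a_to_bridge, bridge_to_b, end_entity]

if __name__ == "__main__":
    path = sample_path({B_LEVEL2, B_LEVEL3})
    print(satisfied_policies({A_MEDIUM, A_HIGH}, path))  # medium only
    print(satisfied_policies({A_HIGH}, path))            # empty: reject
```

An empty result means no policy acceptable to the relying party survives the mappings, so an application requiring that assurance level would reject the path even though every certificate in it chains correctly.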
Current Status
• Prototype FBCA: Entrust, Cybertrust (replaced with Baltimore Unicert)
• Initial operation 2/8/00, tested 4/00
• Production FBCA: add other CAs
• Operational by late 00
• FBCA Operational Authority is General Services Administration
• FBCA Cert Policy by late-00
• FPKIPA operational 7/00

FBCA Prototype Test Structure
• Six disparate PKI domains cross-certified with FBCA
• Five different CA products
• Four different X.500 directory products
• Interoperability demonstrated via signed S/MIME messages (Eudora, Outlook)
• X.500 directory framework - chaining between directories, client access via LDAP

[Diagram: FBCA prototype test topology. Labels shown: Federal Bridge CA (Cybertrust CA, Entrust CA); Canada, GSA/FTS, NIST 1, NIST 2, NSA, DoD Bridge CA, NASA, GTRI; PCAs and CAs (Entrust, Cybertrust, CygnaCom, Motorola, Spyrus); SFL Client, Entrust Client.]

Participants
• Government of Canada
• NSA/DOD
• NIST
• NASA
• GSA
• Georgia Tech Research Institute
• CA products: Entrust; Cybertrust; CygnaCom; Spyrus; Motorola
• Directories: PeerLogic; ICL; Nexor; CDS; Chromatix
• Integrators: Mitretek; JGVanDyke; GNS; Booz Allen; CygnaCom; A&N Associates

Agency Production PKI Examples
• DOD (>300K certs => >>4M by 2002; high assurance with smartcards)
• FAA (>1K certs => 20K+ in 2000; software now, migrating to smartcards)
• FDIC (>7K certs => 20K+ in 2000)
• NASA (>1K certs => 25K+ in 2000)
• USPTO (>1K certs => 15K+ in 2000)

Access Certs for Electronic Services
• “No-cost” certificates for the public
• For business with Federal agencies only (but agencies may allow other uses on case basis)
• On-line registration, vetting with legacy data; information protected under Privacy Act
• Agencies billed per-use and/or per-certificate
• Three contractor consortia (DST, ORC, AT&T)
• President used ACES cert for E-sign Bill

Statutory Bases: E-Signatures
• Gov’t Paperwork Elimination Act (98)
  • Technology neutral - select based on risk
  • But full recognition of dig sig strengths
  • Gives electronic signature full legal effect
  • Focus: transactions with Federal agencies
• E-Sign in Global/Nat’l Commerce Act (00)
  • Covers B2B and B2C
  • Full legal effect if requirements are met

U.S./European/Asian Issues
• Certificate Policy usage - assurance levels vs. application limitations
• Certificate Profiles - differences such as key usage extension conflicts
• Models for policy, technical interoperability - prescriptive vs. market-based
• Client software configuration - trust path creation vs. browser model