240 likes | 419 Views
IdenTrust: NCMS Presentation JPAS Logon changes requiring PKI credentials Richard Jensen, October 19 th 2011. Agenda . Summary of PKI requirement What is PKI What are these things called Digital Certificates Who’s behind this Types of Certificates What’s the difference
E N D
IdenTrust: NCMS Presentation JPAS Logon changes requiring PKI credentials Richard Jensen, October 19th 2011
Agenda • Summary of PKI requirement • What is PKI • What are these things called Digital Certificates • Who’s behind this • Types of Certificates • What’s the difference • Getting a Certificate • Where do you begin • What’s required • Documentation and forms • Trusted Correspondent Program • Questions
Policy Digital Certificates Applications CA So what is PKI? • In broad terms, Public Key Infrastructure (PKI) refers to the methods, technologies and techniques that together provide a secure infrastructure that enables users of a basically unsecured public network (the Internet) to securely and privately exchange information • A systemic approach where every participant agrees to abide by a specific set of rules (the Policy) regarding Identity Management • Application owners want to ensure that the people trying to access their sites really are who they say they are • End Users have someone verify their identity so they can be issued a Digital Certificate to use in online transactions or to access protected sites • Certificate Authorities (like IdenTrust) issue Digital Certificates to individuals once they are certain of a person’s identity, based on a set of rules (the Policy) Policy Digital Certificates CA
Who is in charge of this program? • The DoD established the External Certificate Authority (ECA) program to accommodate the issuance of DoD approved PKI certificates to individuals that do not have or qualify for a Common Access Card (CAC). DoD is the ‘owner’ of the ECA Policy • DISA Manages the ECA Program. ECA is just the name of the Certificate Policy under which the credentials are issued. DISA certifies Certificate Authorities (like IdenTrust) after the CA goes through a rigorous set of testing to meet ECA Policy requirements: Security, System Architecture, Fulfillment, Processes, Revocation, etc. • DMDC decided to accept ECA certificates for use in the JPAS system. JPAS is simply an application that relies on the integrity of ECA certificates
PKI’s ‘product’ is a Digital Certificate • a PKI Digital Certificate is a Digital Identity issued to an individual so they can: • Authenticate your identity to an online system. For JPAS this augments the username and password currently in use • Digitally sign documents. You can use your Digital Certificate to replace your wet ink signature; and • Encrypt documents and transactions. Digital Certificates allow you to send encrypted email so that only the intended recipient can view your message and attachments
What type of certificate does JPAS require? • Both certificate types are hardware based certificates and must be stored on a FIPS 140-2 level 2 or higher Key Storage Mechanism (KSM) per DoD policy • KSM’s available are either Smart Cards (similar to CAC Cards) or USB devices • JPAS strongly recommends the KSM be in a Smart Card format. DoD facilities may not let you bring a USB token on site 1. ECA Medium Hardware Assurance; or 2. ECA Medium Token Assurance
What’s the difference? • Both ECA certificate types are hardware based certificates • One key difference is who performs the Identity Vetting • The hardware devices are exactly the same • However, there is a ‘mapping’ difference • ECA Medium Hardware is a higher assurance certificate than Medium Token • Some DoD applications require Medium Hardware In either case, you must meet face to face with the person performing the identity vetting
Choose one of the three (you’d better choose correctly!)
IdenTrust has a customized approach for JPAS www.identrust.com/jpas
All you have to do is click on the “buy” button www.identrust.com/jpas
What is required? There are identity documents to show to the Trusted Agent or Notary
Then you both get to sign(this example is Medium Hardware) Once for the applicant… And once for the Trusted Correspondent…
Then you both get to sign(this example is Medium Token) Once for the applicant… And once for the Notary…
There is also a Subscribing Organization Agreement • Requires the signature of someone within the company who can agree to the conditions of the ECA contract for the applicant • Company is acknowledging that the associate is getting a certificate as a representative of the company and that they agree to allow the associate to use the certificate on their behalf
? Both forms are sent to the Registration department • The Registration team conducts an investigation into the probability of the identity • They assign a “confidence score” based on a comprehensive criteria • Once they decide, they send an email to the applicant informing of the decision • If favorable, they send certificate retrieval instructions • If un-favorable, they send information regarding rejection
If successful, you’ll receive… • An email from the Registration department telling you you’ve been approved • A package with a letter on retrieval instructions and your hardware • Guidance on protecting your device • A CD with Drivers and middle-ware for your computer to understand your certificate • Instructions on how to: • Load the drivers • Prepare the KSM • Load the private keys • Certificate test • Once your certificate test is complete • Go to JPAS and register your certificate
Who, What, Where, When, How: Trusted Correspondent Who: Typically in HR or Security What: Internal associate who perform identity vetting on company’s own employees Where: In person appointments When: Whenever an employee needs a certificate How: Company ‘officer’ signs a separate agreement accepting terms/conditions for the actions of their employee to act as a Trusted Correspondent. • Your company becomes liable for the truthfulness of the identity • Agrees to rules regarding documentation and identity checking • Must follow the “letter of the law” just like we do • No short cuts, just because they’re your employees
Benefits of having your own Trusted Correspondent • No need to wait for an appointment with the CA • Allows ‘bulk loading’ for multiple users • Eliminates the need for individual users to go through the entire application process • Minimum of five per submission • All supporting documents must be included together • Streamlines processing • CA does not have to do some of the usual steps (VoE) • Reduces costs • Enhanced control • Upon termination of an employee, a TC can immediately revoke certificate • New employees can be added quicker • May be able to resolve basic certificate issuance quicker than relying on CA • The only cost is for the certificate of the TC candidate • The TC is required to have their own Medium Hardware certificate so they can send encrypted emails back and forth to the CA
TC Addendum to Subscribing Organization Agreement Company officer signs this agreement: https://secure.identrust.com/certificates/policy/eca/eca-tc-addend.pdf
And begin ‘bulk loading’ your associates TC sends completed spreadsheet via signed and encrypted email to Registration Department
? Questions? Contact Info: Richard JensenDirector of Government Sales ECA Program Manager Associate Member NCMS 256-303-9412 richard.jensen@identrust.com
NCMS Members qualify for a 20% Discount www.identrust.com/ncms