EDUCAUSE Fed/Higher ED PKI Coordination Meeting June 12, 2008

1. Understanding the Federal PKI and Federal Identity & Access Management David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy EDUCAUSE Fed/Higher ED PKI Coordination Meeting June 12, 2008

2. Federal Identity & Access Management Key Policy Considerations • For FIAM Government-wide deployment: • No National ID • No National unique identifier • No central registry of personal information, attributes, or authorization privileges • Different authentication assurance levels are needed for different types of transactions • IDM is based on Identity Federation • Authentication – not authorization • For FIAM technical approach: • No single proprietary solution • Deploy multiple COTS products – Products must interoperate • Controls must protect privacy of personal information

3. FIAM Consists of Three Inter-Connected Initiatives HSPD-12 Multi- Factor Token Federal PKI PKI/ Digital Signature E-Authentication --SAML Very High Strong Password High PIN/User ID Medium Low Employee Applying Obtaining Access to Screening Govt. for a Loan Protected for a High Benefits Online Website Risk Job

4. Federal PKI Certificate Policies • Federal Bridge (Model) Policy • Facilitates trust among Enterprise PKI implementations • Five levels of assurance (rudimentary, basic, medium, medium hardware, high) • Common Policy Framework (Root) • Federal PKI “Root” Policy • Six policies (common, common high, common devices, common authentication, common hardware, card authentication) • Citizen and Commerce Class (C4) • Designed specifically to meet a need in E-Authentication • Provides a mechanism for commercial-grade PKI assessment and approval as credential service providers • E-Authentication Governance • Directly supports the E-authentication Architecture • Three policies (Level 1 CSP, Level 2 CSP, Agency Application)

5. Federal PKI Architecture Approved PKIs ACES E-Authentication Governance CAs Approved Apps/CSPs Federal Bridge CA Other Bridges Level 1 & 2 Applications Fed Agencies Private Sector Level 1 & 2 Credential Service Providers Foreign Gov’ts States Approved SSPs C4CA Common Policy Root CA Certified Commercial SSPs Federal Agency Federal Agency Federal Agency Treasury Federal Agency GPO Commercial PKI Solutions

6. FIAM Federated Trust Model 1. Establish & define authentication risk and assurance levels 2. Establish FIAM process and technical standards & requirements for Issuers at each assurance level 3. Establish methodology for evaluating Issuers at each assurance level 4. Perform standard assessments and maintain trust list of trusted Issuers 5. Establish common business and compliance rules for approved Issuers

7. The Starting Gate for Government-wide FIAMInteroperability • FIPS 201 and associated NIST Special Publications • PIV Interface Specifications • Federal Bridge Certificate Policy • FPKI Audit requirements • E-Authentication Architecture suite • Standard Testing Programs - Products • GSA FIPS 201 Evaluation Program • NIST • FBI • NVLAP • FPKI • E-Authentication • Standard data model • Interoperability and security standards • Standard data interface specifications • Standard Testing Programs - Products • Reference Implementations - data interface specifications • Standard Testing Program - data interface specifications

8. Federal Interoperability Labs • Test interoperability of products/Issuers for participation in FIAM architectures. • GSA FIPS 201 Evaluation Program • NIST PIV and FP MINEX testing • NVLAP • FBI • GSA FPKI Interoperability Testing • GSA E-Authentication SAML Interoperability Testing • Liberty Alliance SAML Interoperability Testing • Federal Approved Product Lists • GSA FIPS 201 APL • NIST Approved Products • NVLAP/NIST Certified products • FBI Approved Products • GSA FPKI Cross-certification • GSA FPKI Shared Service Provider • GSA E-Authentication SAML Approved Products • Liberty Certification PIV CardCryptographic Module Electronic PersonalizationOCSP Responder PIV Card Reader - Authentication KeyPIV Card Reader - BiometricPIV Card Reader - CHUID Authentication (Contact)PIV Card Reader - CHUID Authentication (Contactless)

9. FPKI Collaborative Environment Commercial CAs (e.g. Wells Fargo) Other CAs (e.g., ECA, ACES, Illinois) Other Federal Root CAs OtherBridge CAs – Certipath, SAFE DoD InteroperabilityRoot CA FederalBridge CA CommonPolicyRoot CA DoDOperational Root CA DoS Root CA DHS Root CA SharedServiceProvider CAs DoD SubordinateCAs DoS SubordinateCAs DHS SubordinateCAs

10. United States Government FEB2010 Affiliation Employee Agency/Department Department of Homeland Security Expires 2010FEB24 Doe John, H. Emergency Response Official PIV Authentication Digital Certificate Authorized Signature FIAM Trust Fed Agencies OPM/FBI Enrollment & Issuance Identity & Suitability Approved Issuers Attribute Exchange • Physical inspection • Electronic S/N Verification • Biometric Verification • Digital Credential verification Physical Access Federal PKI Architecture Logical Access Digital Credential verification

11. For More Information • Visit our Websites: http://www.idmanagement.gov http://www.cio.gov/ficc http://www.cio.gov/fpkipa http://www.csrc.nist.gov/piv-project • Or contact: David Temoshok Director, Identity Policy and Management 202-208-7655 david.temoshok@gsa.gov