130 likes | 470 Views
Federal PKI Architecture Update. Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority. SAFE. Industry PKIs. View from 20,000 km. Common Policy CA. SSPs. Serving all other Agencies. CertiPath SSP. FBCA. CertiPath. C4. Industry PKIs. eGCA (3). SAFE. Industry PKIs.
E N D
Federal PKI Architecture Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority
SAFE Industry PKIs View from 20,000 km Common Policy CA SSPs Serving all other Agencies CertiPathSSP FBCA CertiPath C4 Industry PKIs eGCA (3) OASIS PKI
SAFE Industry PKIs View from 20,000 km DOD DHS NASA Commerce USPS USPTO HHS DOE IL DOJ State DOD/ECA GPO Treasury Wells Fargo MIT LL UTexasSx Common Policy CA Total: 12 – 15M users SSPs VeriSign Cybertrust ORC Treasury GPO? Exostar Entrust IdenTrusT? Serving all other Agencies CertiPathSSP FBCA CertiPath C4 USHER? Industry PKIs Abbott Labs AstraZeneca Bristol-Myers Squibb Genzyme GlaxoSmithKline INC Research Johnson & Johnson Merck Pfizer Procter & Gamble Sanofi-Aventis TAP Pharmaceuticals Boeing Raytheon Lockheed Martin eGCA (3) EAF member CSPs TLS certs OASIS PKI
Simplified Diagram of U.S. Federal PKI Federal Bridge CA Cross- Certified gov PKIs Common Policy CA Shared Service Provider PKIs (Common Policy OID And root Cert) C4 CA E-Gov CAs (3) Cross- Certified External PKIs eAuth CSPs ? OASIS PKI
E-Auth Level 1 FPKI Rudimentary; C4 E-Auth Level 2 FPKI Basic E-Auth Level 3 FPKI Medium & Medium-cbp E-Auth Level 4 FPKI Medium/HW & Medium/HW-cbp FPKI High (governments only) LOA Mapping OASIS PKI
Federal Bridge Works Cross-Certification Process Completes FBCA Issues Cross- certificates Routinely Issues CRL/ARL Populates Directories LDAP & X.500 OCSP Responder Cert Profile: AIA/SIA Extensions Cert Profile: PolicyMapping, Excluded Subtrees OASIS PKI
Federal Bridge Info • FIPS 1540-2 Level 3 HSM • Online CAs on double-firewalled, one way, discrete network with backup T-1 connections • ISODE M-Vault directories • Tepid Backup Site • Disaster Recovery Site • 24x7 help desk, architected for 99.5% uptime • Evolving monitoring architecture • Vendor operations transfer in process OASIS PKI
Notional FBCA Directory Implementation* This diagram shows: LDAP Access from email clients to support address lookup. LDAP Access from an application, to provide user authentication. Directory management using Isode's Enterprise Directory Management tool. Data management using Isode's Isode's Directory Data Management tool. A Certification Authority, such as Entrust, accessing and managing data in M-Vault. X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500 capable directory. LDAP chaining to access data in a peer departmental LDAP directory. Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience. *From ISODE website OASIS PKI
FBCA Cross Certification Process • Application - LOA? • Policy Mapping • Mapping Matrices online • Cert Policy WG mapping review • Collegial back and forth discussions • Technical Interoperability Testing • With Prototype instance of FBCA • Testing Protocol online • Directory and profiles tested (LDAP and X.500) • Review of summary of independent audit results • Map CP – CPS and CPS to PKI Operations • Independent auditors, not FPKI auditors • Whole process laid out in “Criteria & Methodology” document online OASIS PKI
Path Discovery and Validation • Trust Lists can work but: • Don’t scale, are rigid and don’t give level of assurance • Bridges can work but: • Aren’t supported in native OSs, so require add-on PD/Val tools • NIST and FPKI developed test suite for PD/Val products/services • 4 products, 2 services passed so far (see the website) • Deploy on website, desktop, within enterprise or outsource… OASIS PKI
Grids and Enterprise PKIs • Different from the administration and architecture perspectives • Overlap from the end user perspective • Cross-certification and interoperability solve the problem Grid PKI CP Institution PKI CP End User: single cert. Grid ID for Project(s) Institution ID For AuthN OASIS PKI
Business CaseFor XCert • Simplify trust and control decisions • Extend value of issued credentials • Scalable trust at known LOA • Rely on trusted CSPs instead of managing issued credentials OASIS PKI
Resources • www.cio.gov/fpkipa • http://csrc.nist.gov/pki • www.cio.gov/ficc • www.cio.gov/fbca OASIS PKI