Title: The EAuthentication Initiative PKI and the U.S. Federal eAuthentication Architecture Peter Alterman,
1 The E-Authentication Initiative PKI and the U.S. Federal e-Authentication Architecture
Peter Alterman, Ph.D.
Assistant CIO for e-Authentication, NIH, and Chair, Federal PKI Policy Authority
The E-Authentication Initiative
2 Purpose and Function of the E-Authentication Initiative
- To provide a single source of identity authentication services for Federal Agency Applications
- To develop and promulgate policies and procedures to sustain a common identity federation for the Federal Government in support of e-Gov and HSPD-12
3 Summary of E-Authentication Approach
- Four Levels of Assurance of Identity (LOA) from Policy
  - LOA 1 and 2 are assertion-based: Userid/password, SAML, Shibboleth, etc.
  - LOA 3 and 4 are cryptographically-based: PKI, etc.
- LOA required is based on a standard Risk Assessment
- Agency Applications (AAs) are autonomous for authorization decisions
- AAs rely on credentials issued by external Credential Service Providers, who submit to an assessment based on a Credential Assessment Framework
- Principle of reusable credentials
4 Why Does PKI Fit into the e-Authentication Architecture?
- While the bulk of the early phase rollouts of e-Gov applications are web-enabled applications...
- The 2003 OASIS survey identified signed electronic forms as the highest priority use for PKI (1)
- Does anybody want to estimate how many Government forms are in use?
- (1) OASIS Public Key Infrastructure Technical Committee, Analysis of June 2003 Survey on Obstacles to PKI Deployment and Usage, August 8, 2003, http://www.oasis-open.org/committees/pki/pkiobstaclesjune2003surveyreport.pdf
5 What Role Does PKI Play in the e-Authentication Architecture?
- Reliably satisfies identity assurance levels 3 and 4 (OMB M-04-04)
- Reliably satisfies risk levels 3 and 4 (FIPS 199, SP 800-63)
- Mandated for HSPD-12 on SmartCards
- In Hoc Signo Vinces: PKI with Bridge interoperability is a great example of federated identity management
- PKI integrates well with emerging technologies that link authentication and authorization, e.g., SAML
6 Therefore...
- PKI is the prime candidate technology for satisfying electronic forms signing business processes
- PKI is the prime candidate for satisfying the authentication needs of business transactions that require levels 3 and 4 identity assurance
- PKI is an excellent technology match for e-Authentication authentication and authorization implementations
7 Status of PKI in the Federal e-Authentication Architecture
- HSPD-12 and derivative documents mandate medium assurance PKI for logical and physical access to resources for Feds and contractors
- Operational PKIs in defense and civilian agencies now; DOD and State Department PKIs are hardware-based
- Federal Bridge is operational and linked to all currently operational Federal PKIs, the State of Illinois PKI and the prototype Higher Ed Bridge; links to Canada, Australia, UK and EU are under way
- Other Federal Agencies are rolling out PKIs in the near future, either self-managed or acquired from approved service providers under ACES or the Common Policy Shared Service Provider Program
- Higher Education Bridge, Pharmaceutical Industry Bridge, Aerospace Industry Bridge
8 How PKIs Link to the e-Authentication Architecture
- Existing Federal Agencies cross-certify and interoperate through the Federal Bridge
- New Federal Agencies use the Common Policy Framework and shared service providers (SSPs)
- External PKIs (governments, corporations, colleges and universities, etc.) cross-certify and interoperate with the Federal Bridge
- Other bridges cross-certify and interoperate with the Federal Bridge
9 Interfederation Interoperability
- Assertion-level trust transactions require federation-to-federation policy and technology interoperability initiatives
  - Under way with InCommon (Internet2)
- Crypto-level trust transactions are mediated by the Federal Bridge
  - Under way with Higher Education Bridge, Pharmaceutical Industry Bridge, Aerospace Bridge
10 Figure: The Federal PKI, The E-Authentication Federated Approach
[Architecture diagram; only its labels are recoverable here.]
- Steps shown: Step 2, the user is passed directly to the AA; Step 3, the user authenticates to the AA directly using SSL or TLS; Step 4, the AA uses the validation service to validate the certificate.
- Validation Service: XKMS, OCSP, CAM, SOAP, others.
- Federal PKI: FBCA Certificate Policy and FBCA Certification Authority (FBCA High, FBCA Medium), shown as two-way cross-certified with other bridge CAs, agencies (legacy agency CA policy), states, the private sector and foreign entities.
- E-Governance Certificate Policy and E-Governance Certification Authority (mutual authentication of SAML/SSL certificates only).
- FPKI Common Policy Framework (FCPF) Certificate Policy and FCPF Policy Certification Authority (trust anchor for Common Policy hierarchical PKI subscribers), two-way cross-certified, with qualified Shared Service Providers.
- Citizen and Commerce Class Common (C4) Certificate Policy and C4 Policy Certification Authority, optionally two-way cross-certified; one-way cross-certified CAs included in the browser list of CAs: Verisign, DST, Wells Fargo, AOL, PEPCO.
- Other labels: ACES, USDA/NCF.
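The bridge topology of slides 8 and 10 (agencies and external PKIs cross-certify with the Federal Bridge rather than with each other, and some cross-certifications are one-way) can be illustrated with a small model of trust-path discovery; the following is an added Python example written for this page, not code from the presentation or from any Federal PKI program. CA names, policy identifiers and the cross-certificate set are constructed, and X.509 signature and validity checking is omitted; only the graph walk with policy mapping is shown, which is what lets a relying party whose trust anchor is its agency CA accept a certificate from a CA it never directly cross-certified with.

```python
from collections import deque

# Cross-certificates as directed edges: issuing CA -> subject CA, plus the
# policy mapping the issuer asserts (issuer-domain policy -> subject-domain
# policy). A two-way cross-certification is two edges; a one-way one is a
# single edge. All CA names and policy identifiers here are constructed.
CROSS_CERTS = [
    ("AgencyCA",       "FBCA",           {"agency-medium": "fbca-medium",
                                          "agency-high":   "fbca-high"}),
    ("FBCA",           "AgencyCA",       {"fbca-medium":   "agency-medium",
                                          "fbca-high":     "agency-high"}),
    ("FBCA",           "HigherEdBridge", {"fbca-medium":   "hebca-medium"}),
    ("HigherEdBridge", "FBCA",           {"hebca-medium":  "fbca-medium"}),
    ("HigherEdBridge", "UniversityCA",   {"hebca-medium":  "univ-medium"}),
    ("UniversityCA",   "HigherEdBridge", {"univ-medium":   "hebca-medium"}),
    # One-way: FBCA-domain relying parties can accept CommercialCA subscribers,
    # but CommercialCA-domain relying parties get no path back into the FPKI.
    ("FBCA",           "CommercialCA",   {"fbca-medium":   "commercial-class3"}),
]

def find_trust_path(trust_anchor, required_policy, target_ca, cross_certs=CROSS_CERTS):
    """Breadth-first search over cross-certificates from the relying party's
    trust anchor to target_ca, carrying the required policy through each
    cross-certificate's policy mapping. Returns (list of CA names, policy the
    target's subscriber certificate must assert) or None if no acceptable
    path exists (e.g. the bridge maps the policy for no onward CA)."""
    queue = deque([(trust_anchor, required_policy, [trust_anchor])])
    seen = {(trust_anchor, required_policy)}
    while queue:
        ca, policy, path = queue.popleft()
        if ca == target_ca:
            return path, policy
        for issuer, subject, mapping in cross_certs:
            if issuer != ca or policy not in mapping:
                continue  # not issued by this CA, or policy not mapped across
            state = (subject, mapping[policy])
            if state not in seen:
                seen.add(state)
                queue.append((subject, mapping[policy], path + [subject]))
    return None

def accepts(trust_anchor, required_policy, ee_issuer, ee_policies):
    """Relying-party decision: does an end-entity certificate from ee_issuer
    asserting ee_policies satisfy required_policy under trust_anchor?"""
    found = find_trust_path(trust_anchor, required_policy, ee_issuer)
    return found is not None and found[1] in ee_policies

if __name__ == "__main__":
    print(find_trust_path("AgencyCA", "agency-medium", "UniversityCA"))
    print(accepts("AgencyCA", "agency-medium", "UniversityCA", {"univ-medium"}))
    print(accepts("CommercialCA", "commercial-class3", "AgencyCA", {"agency-medium"}))
```

Note that the agency's high-assurance policy finds no path to the university CA because the bridge maps it to no onward CA, which is the policy-level control that keeps an LOA 4 requirement from being met by a medium-assurance credential.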
11 More PKI Information
- peter.alterman_at_nih.gov
- http://csrc.nist.gov/pki
- http://www.cio.gov/fbca
- http://pki.od.nih.gov
- http://www.middleware.internet2.edu/pki04