Federal PKI Architecture Update

1
Federal PKI Architecture Update

• Peter Alterman, Ph.D.
• Chair, Federal PKI Policy Authority

2
View from 20,000 km

Common Policy CA
SSPs
Serving all other Agencies

CertiPath SSP
FBCA
CertiPath
C4
Industry PKIs
eGCA (3)
3
View from 20,000 km
DOD DHS NASA Commerce USPS
USPTO HHS DOE IL DOJ
State DOD/ECA GPO Treasury Wells Fargo MIT
LL UTexasSx
Common Policy CA
Total 12 15M users
SSPs
VeriSign Cybertrust ORC Treasury GPO? Exostar Entr
ust IdenTrusT?
Serving all other Agencies
CertiPath SSP
FBCA
CertiPath
C4
USHER?
Industry PKIs
Johnson Johnson Merck Pfizer Procter
Gamble Sanofi-Aventis TAP Pharmaceuticals
Abbott Labs AstraZeneca Bristol-Myers
Squibb Genzyme GlaxoSmithKline INC Research
Boeing Raytheon Lockheed Martin
eGCA (3)
EAF member CSPs TLS certs
4
Simplified Diagram of U.S. Federal PKI
Federal Bridge CA
Common Policy CA
Cross- Certified gov PKIs
Shared Service Provider PKIs (Common Policy
OID And root Cert)
C4 CA
E-Gov CAs (3)
Cross- Certified External PKIs
eAuth CSPs
?
5
LOA Mapping
6
Federal Bridge Works
Cross-Certification Process Completes
FBCA Issues Cross- certificates
Routinely Issues CRL/ARL

Populates Directories LDAP X.500
OCSP Responder
Cert Profile AIA/SIA Extensions
Cert Profile PolicyMapping, Excluded Subtrees
7
Federal Bridge Info

• FIPS 1540-2 Level 3 HSM
• Online CAs on double-firewalled, one way,
  discrete network with backup T-1 connections
• ISODE M-Vault directories
• Tepid Backup Site
• Disaster Recovery Site
• 24x7 help desk, architected for 99.5 uptime
• Evolving monitoring architecture
• Vendor operations transfer in process

8
Notional FBCA Directory Implementation
This diagram shows LDAP Access from email
clients to support address lookup. LDAP Access
from an application, to provide user
authentication. Directory management using
Isode's Enterprise Directory Management tool.
Data management using Isode's Isode's Directory
Data Management tool. A Certification Authority,
such as Entrust, accessing and managing data in
M-Vault. X.500 chaining using X.500 Directory
System Protocol (DSP) to access data in a peer
departmental X.500 capable directory. LDAP
chaining to access data in a peer departmental
LDAP directory. Data replication using X.500
Directory Information Shadowing Protocol (DISP)
to share data with other departments to increase
performance and resilience.
From ISODE website
9
FBCA Cross Certification Process

• Application - LOA?
• Policy Mapping
• Mapping Matrices online
• Cert Policy WG mapping review
• Collegial back and forth discussions
• Technical Interoperability Testing
• With Prototype instance of FBCA
• Testing Protocol online
• Directory and profiles tested (LDAP and X.500)
• Review of summary of independent audit results
• Map CP CPS and CPS to PKI Operations
• Independent auditors, not FPKI auditors
• Whole process laid out in Criteria
  Methodology document online

10
Path Discovery and Validation

• Trust Lists can work but
• Dont scale, are rigid and dont give level of
  assurance
• Bridges can work but
• Arent supported in native OSs, so require add-on
  PD/Val tools
• NIST and FPKI developed test suite for PD/Val
  products/services
• 4 products, 2 services passed so far (see the
  website)
• Deploy on website, desktop, within enterprise or
  outsource

11
Grids and Enterprise PKIs

• Different from the administration and
  architecture perspectives
• Overlap from the end user perspective
• Cross-certification and interoperability solve
  the problem

Grid PKI CP
Institution PKI CP
End User single cert.
Grid ID for Project(s)
Institution ID For AuthN
12
Business CaseFor XCert

• Simplify trust and control decisions
• Extend value of issued credentials
• Scalable trust at known LOA
• Rely on trusted CSPs instead of managing issued
  credentials

13
Resources

• www.cio.gov/fpkipa
• http//csrc.nist.gov/pki
• www.cio.gov/ficc
• www.cio.gov/fbca