VA PKI Decisions - PowerPoint PPT Presentation

1 / 11

About This Presentation

Title:

VA PKI Decisions

Description:

Number of Views:66

Avg rating:3.0/5.0

Slides: 12

Provided by: danmal

Category:

Tags: pki | decisions | usage

Transcript and Presenter's Notes

Title: VA PKI Decisions

1
VA PKI Decisions

2
Steering Committee

VA PKI Steering Committee will be replaced by the
VA Information Security Working Group
organizations and individuals are the identical
desire to leverage existing security
infrastructure
limit number of meetings of the same people
If representation is the same, Recommend Yes
Yes / No

3
Veteran Certificates

VA will plan to use the GSA ACES contract for
issuing certificates to veterans
the citizen should not need to have different
certificates for conducting business with
different federal agencies
GSA ACES contract is currently in place
VA can use 100,000 ACES certificates with no
issuing charge
need to monitor number of certificates and usage
charges
Recommend Yes
Yes / No

4
On Site move to Enterprise CA

VA PKI for VA staff and partners should move to
the Enterprise version of On-Site
more functionality and more ability to interface
supports pre approved lists
faster, easier certificate application and pick
up process
supports multiple key types per user
Supports key escrow
possible to place certificates in the Microsoft
Outlook user directory
Recommend Yes (previously endorsed)
Yes / No

5
2 CAs - Internal and External

VA PKI will implement separate Certificate
Authorities for internal staff and for external
partners
will allow VA to easily issue certificates to
external business partners when needed
will allow distinction between external business
partners and staff / internal contractors
no additional costs
Recommend Yes
Yes / No

6
Pre Approval Data Base

7
Number of keys and Interoperability

VA should continue to use one key for both
digital signature and encryption until more
e-mail clients support 2 keys
Interoperability is a major goal of VA PKI
The majority of e-mail clients outside the VA
only support one key set for the user
In VA, Microsoft supports 2 keys, but we would
have problems with messages exchanged with those
outside the VA
Monitor situation and move to 2 keys as soon as
reasonable
Recommend Yes (also by chair of FPKI SC)
Yes / No

8
Key Escrow

VA PKI should implement key escrow
allows the business to recover encrypted
documents if the user is unable or unwilling to
decrypt them
control of recovery process - several step
process involving multiple people needed to
recover any key
considered to be good business practice for
recovery of encrypted data
common practice even with single key usage
Recommend Yes
Yes / No

9
Activate External Partner Enterprise CA

VA PKI should place the External Partner CA in
production in the near future
Uses pre-approved data base for faster issuance
Used key escrow
Certificates do not need to be placed in
Microsoft user directory
Addressing issue of communication across the
firewall with pre approval data base
Recommend Yes
Yes / No

10
Activate VA Staff Enterprise CA

VA PKI should place the VA Staff and internal
contractor CA in production in the near future,
without certificates in MS GAL
Uses pre-approved data base for faster issuance
Used key escrow
Testing of the process of placing certificates in
Microsoft user directory will continue with a
separate test CA
Recommend Yes
Yes / No

11
Interoperability with FBCA

VA PKI will test interoperability with the
Federal Bridge Certification Authority (FBCA) and
adapt at the appropriate time
interoperability with other federal agencies can
be achieved using the FBCA
joining the FBCA requires that VA PKI be placed
under a private root CA
using the public root CA is easier for the user
at this time
testing will proceed to resolve any issues before
moving the VA PKI from a public to a private root
Recommend Yes
Yes / No