I-CIDM Bridge to Bridge Interoperations - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: I-CIDM Bridge to Bridge Interoperations


1
I-CIDM Bridge to Bridge Interoperations
  • April 6, 2006
  • Debb Blanchard
  • Cybertrust

2
Agenda
  • Origins of the BBWG
  • Purpose of the BBWG
  • Bridge Certification Authority Participants
  • Organization Participants
  • Identification of Working Groups
  • Top 10 Issues

3
Origins of the BBWG
  • BCAs knew (kinda) how to bring other CAs within
    their own community of interest into the fold
    or cross-certify them
  • Policy mapping
  • Criteria and Methodology
  • User base
  • Business case
  • Operational and technical interoperability
  • BBWG started its foundation to identify issues as
    they pertained and impacted the Federal Bridge
    Certification Authority (FBCA) and attempted
    cross-certification with other BCAs, e.g., HEBCA,
    SAFE, etc.
  • As issues were uncovered, it was noticed that the
    issues for the FBCA were not necessarily unique
    to the FBCA
  • Group evolved to include representatives from
    four Bridge Certification Authority (BCA)
    environments and expanded to include
    international representation

4
Purpose of the BBWG
  • To address the implications of Bridge-to-Bridge
    cross-certification in the collaborative
    cross-organizational space
  • International focus
  • PKI-centric
  • BBWG would not delve into corporate business
    models and practices that may be considered
    proprietary.

5
Bridge Certification Authority (BCA) Participants
  • Federal Bridge Certification Authority (FBCA - US
    Government agencies, state governments, foreign
    governments)
  • Higher Education Certification Authority (HEBCA -
    US higher education community with plans to
    include research institutions and higher
    education facilities from the EU)
  • Secure Access for Everyone (SAFE - Pharmaceutical
    community led by Johnson & Johnson)
  • Certipath (Exostar, Arinc, SITA with additional
    representation from Boeing, Lockheed Martin,
    Northrop Grumman, EADS/Airbus, tScheme, TSCP,
    EDS/Rolls-Royce)

6
Organization Participants
  • Arinc/Certipath
  • Cybertrust
  • Boeing Corporation
  • Dartmouth College
  • Duke University
  • Department of Defense
  • EADS/Rolls-Royce
  • EDUCAUSE
  • Enspier Technologies
  • Evincible/Certipath
  • Exostar/Certipath
  • General Services Administration
  • IBM
  • Internet2
  • Johnson & Johnson
  • KPMG
  • Lockheed Martin
  • National Institutes of Health
  • National Institute of Standards and Technology
  • Northrop Grumman
  • Orion Security
  • SITA
  • tScheme
  • UKCEB TF/TSCP

7
Areas of Investigation (per the Charter)
  • Institutionalization of standards and the
    suitable body/ies to own and maintain them
  • Role of governments in governance and management
    of the intra-bridge environment
  • Stimulate the development of commercial products
    that are bridge aware
  • Need for a governance structure between
    cross-certified BCAs and, if so, what should it
    be
  • Legal implications and shaping a legal framework
    that satisfies trust requirements and meets
    business needs, including liability

8
Areas of Investigation (per the group)
  • Policy Mapping to determine levels of assurance
    (LOA)
  • Must have a common lexicon, terminology and
    documents mapping for the Charter and all the
    documents
  • Compliance with open standards
  • Audit standards for BCA operations and
    certifications needed for the Auditors
  • Liability and legal issues
  • BCA Operations

9
Work Scope of the Group
  • BCA interoperability vs Federation
    interoperability
  • Aren't these the same under a different language?
  • BCA: PKI
  • Federation: multiple schemes, including PKI
  • Current Federation interoperability guidelines
    using BCA cross-certification as its basis
  • Dependencies and assumptions of other groups
    mentioned but not to be addressed within the
    confines of the BBWG, e.g., requirements for
    identity proofing/vetting and technical issues
    will not be addressed by this group.
  • BBWG will only address policy as it pertains to
    PKI and Bridge-to-Bridge policy issues; other
    decisions made are:
  • Identity Proofing and Vetting: These issues need
    to be addressed, but not by this group. We
    recommended that the I-CIDM create another
    working group to address these issues.
  • Implementation Challenges: to be addressed by
    the Technical Working Group.

10
Identification of Working Groups
  • Each issue will be addressed by members of the
    following BCA communities
  • Higher Education Bridge community
  • SAFE (Pharmaceutical) bridge community
  • FBCA and bridge government community (includes
    NIST and DoD)
  • Commercial Aerospace (Certipath, Boeing, Lockheed
    Martin, Northrop Grumman)

11
Top 10 Issues
  1. Policy Mapping
  2. Common lexicon, terminology and documents
  3. Compliance with open standards
  4. Audit standards for BCA operations and
    certifications needed for the Auditors
  5. Liability and legal issues
  6. BCA Operations
  7. Identity vetting -> moved to an Identity Proofing
    & Vetting workgroup
  8. Path discovery & validation -> moved to Technical
    workgroup
  9. Distinguished names and name space -> moved to
    Technical workgroup
  10. Directory services -> moved to Technical workgroup

12
Policy Mapping and Methodology
  • Issue: A mutually agreed-upon methodology for
    cross-certifying BCAs to allow them to
    interoperate
  • Identify the framework of documents and
    requirements (similar to the CP/CPS RFC) that are
    needed by a Bridge entity to qualify for cross
    certification.  For example the Bridge has to
    specify the Cross certification criterion and
    methodology document. 
  • What is this document supposed to contain
    (rationale-- not example)? 
  • What other documents does the Bridge Operator
    have to develop in addition to the standard
    CP/CPS?  Is there a standard set?
  • What about the charter and structure of the
    Bridge Operator's Policy Authority, Operational
    Authority and organization of these
    organizations?

13
Policy Mapping Methodology - Results
  • Documentation necessary when cross-certifying
    with other BCAs
  • Bona fides
  • CP and CPS
  • The mapping methodology used by the Policy
    Authority of the BCA to determine the
    requirements of the Primary CAs that comprise the
    BCA may include
  • The rules of operation
  • The requirements for membership
  • Interoperability for the BCA
  • Charter of Rules or Charter Disclosure Statement
  • Audit results

14
Charter Disclosure Statement
  • Determines the rules and business procedures
    under which a BCA operates.
  • Should identify
  • Purpose of the BCA
  • Organizational structure of the BCA including
    separation of operational and policy
    responsibilities
  • Liability framework
  • Policy authority and governance structure
  • Contract infrastructure, e.g., relying party
    obligations and subscriber agreements, insurance
    policy etc.
  • General operational environment, i.e., the
    communities of interest in which the applicant
    BCA participates either directly or indirectly.

15
Governance and BCA Charter
  • Governance of the BCA should address how it does
    business and how it is governed
  • Need to identify and create a standard way of
    auditing a non-standard document, such as the
    specialized BCA charter
  • New standards may be needed
  • Issues to be addressed (not limited to)
  • If a PCA leaves a BCA, what is the notification
    process of other BCAs and PCAs especially for
    certificate path processing
  • Dispute resolution included in the MOA with
    specifics to address how a BCA does business to
    notify others
  • The perceived need for entities to have
    visibility into the CPSs and audit results of
    specific PKIs beyond their BCA domain.

16
Common terminology, definitions and lexicon
  • Issue: Need for a common criteria and a lexicon
    (common language of business) for grammar,
    syntax, etc.
  • Includes the definition and contents of documents
    as well.
  • Includes liability
  • Mapped international terms, grammar, syntax, etc
    as well
  • Terms were synthesized from multiple sources,
    e.g., EAP, FBCA CP, Boeing Security, ISO,
    American Bar Association, RFC, so that only one
    term was accepted by the group
  • Complete as of 12/17/2004 for this living
    document
  • Liability terms were not addressed in this
    document
  • Contents of other documents are discussed
    separately

17
Open Standards Compliance
  • Issue: Standards for BCA must rely upon open
    standards and not proprietary standards
  • Must include international standards
  • Since PKI-centric in nature, standards should
    apply to PKI standards. However, other standards
    may be included (or created.)
  • Verify that the bridges are working with open
    standards.
  • The framework should show how these standards fit
    together via a mapping between US standards and
    international standards as well as to perform a
    gap analysis on these standards. This activity is
    linked to technical working group.
  • A first draft has been provided to a sub-group of
    the BBWG, which includes US standards, however,
    international standards need to be incorporated.

18
Audit Standards and Certifications
  • Issue: How do we know that a BCA is operating at
    a level that can be trusted?
  • What certifications are placed upon the auditors
    to ensure their qualifications and competence to
    perform the task? Independence of the auditors
    to the organization and CP/CPS?
  • What are the audit standards for
    Bridge-to-Bridge?
  • What is examined and to what degree of rigor?
  • What documents are needed to support the auditors
    and what does the auditor give to the BCA
    operations, e.g., certificate of approval?
  • Documents to support the audit
  • CP and CPS
  • Operating Procedures
  • Security Procedures
  • Charter Disclosure Statement
  • Business purpose of the BCA
  • Contracts, MOUs, and MOAs with its community
    members
  • Mapping methodology
  • Documents similar to FIPS 200 and SP800-53
    (minimum security requirements and controls)

19
Audit Standards and Certifications
  • The third-party evaluation of the BCA operations
  • This is equivalent to the evaluation of a member
    PKI's operations during intra-domain BCA
    cross-certification.
  • A key issue to address during this step is what
    attestation standard was used by the third party.
  • American Institute of Certified Public
    Accountants (AICPA) / Canadian Institute for
    Chartered Accountants (CICA) Web Trust for
    Program Certification Authorities (WTCA) versus
    the tScheme or British Standard 17799 (or
    follow-on ISO 27001, and 27002) methodologies.
  • The reviewing BCA PA will have to decide whether
    the third-party review is comparable with its own
    third-party attestation

20
Liability and Legal Issues
  • Issue: What are the liability and legal
    implications for
  • Operating a BCA?
  • The contractual mechanism between BCAs?
  • Indemnification?
  • Limits on liability?
  • Others?

21
BCA Operations
  • Issue: Some of the BCA CPs have internal
    requirements in order to cross-certify with
    other CAs or BCAs, e.g., originally, the FBCA
    required other CAs (and by extension BCAs) to be
    operated by US citizens for cross-certification.
  • Lots of discussion (sometimes very lively!) to
    address requirements for BCA operators, including
    definitions of
  • Trustworthiness
  • Loyalty
  • Integrity

22
BCA Operations: Citizenship and Trusted Roles
  • FBCA created new policies to include
  • Medium Assurance HW
  • Medium Assurance CBP (commercial best practice)
  • Medium Assurance HW CBP (commercial best
    practice)
  • Re-defined requirements for trustworthiness,
    loyalty and integrity, and all four medium
    policies will have these identical requirements. 
  • Section 5.3.1, Background, qualifications,
    experience, and security clearance requirements:
    All persons filling trusted roles shall be
    selected on the basis of loyalty,
    trustworthiness, and integrity...
  • Section 5.3.1, Background, qualifications,
    experience, and security clearance requirements:
    Entity CA personnel shall, at a minimum, pass a
    background investigation covering the following
    areas:
  • Employment
  • Education
  • Place of residence
  • Law Enforcement, and
  • References.
  • Section 5.3.1, Background, qualifications,
    experience, and security clearance requirements:
    The period of investigation must cover at least
    the last five years for each area, excepting the
    residence check which must cover at least the
    last three years. Regardless of the date of the
    award, the highest educational degree shall be
    verified.
  • Practice Note for nongovernmental partners: The
    qualifications of the adjudication authority and
    procedures utilized to satisfy these requirements
    must be demonstrated before cross certification
    with the FBCA

23
BCA Operations: Citizenship and Trusted Roles
  • FBCA current medium and new medium hardware
    includes language that addresses the citizenship
    requirements for CAs run in foreign countries and
    CAs run by multinational entities. Note: this
    language will NOT be in medium-cbp or medium
    hardware-cbp, which are citizenship-blind
    policies.
  • FBCA citizenship requirements for trusted roles
    are no longer required for Basic and Rudimentary
    trust levels
  • No requirement for High Assurance-CBP policy
  • EAuthentication initiative has defined medium
    hardware (and the proposed medium hardware-cbp)
    as satisfying the requirements for
    EAuthentication Level 4 (highest level) for all
    eGov applications. 
  • In practice no external entity will ever be
    required to have a high assurance certificate to
    do business with an eGov application. 
  • This decision may be revisited, and any PKI, or
    bridge, may run at high assurance without
    cross-certifying with the Federal Bridge at high
    assurance. For example, if FBCA cross-certifies
    with SAFE at medium hardware-cbp, any PKI
    cross-certified with SAFE at that LOA or better
    would see its credentials accepted by any eGov
    application, all the way up to Level 4, the
    highest
  • FBCA reserves high assurance cross-certification
    for government PKIs only

24
FPKI to E-Authentication
  • [Diagram; labels: E-Authentication; High, MediumHW,
    MediumHW-CBP, Medium, Medium-CBP, Basic,
    Rudimentary; Federal Bridge CA; Federal Common
    Policy CA; Citizen and Commerce Class Policy CA;
    Level 4, Level 3, Level 2, Level 1;
    E-Authentication Governance CAs]
  • (slide compliments of Judy Spencer, FICC
    chairperson)

25
The World According to FBCA
  • (slide compliments of Judy Spencer, FICC
    chairperson)

26
Current Status
  • FPKI Policy Authority adopted a methodology for
    cross-certifying with another PKI Bridge:
    Federal PKI Criteria and Methodology, Part
    Three
  • Calls for mutual agreement on terms of
    engagement
  • Recommends the following
  • Mutual evaluation of bona fides (Charter, legal
    standing)
  • Mutual evaluation of business operational
    processes
  • Mutual CP mapping
  • Mutual technical interoperability testing
  • Signing of Memorandum of Understanding
  • Constrains paths to include no more than two
    bridges (limits transitivity) for present
  • And lists a series of questions that need to be
    answered satisfactorily.
  • FBCA and CertiPath Bridge CA nearing successful
    completion of cross-certification (April 2006)
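
The FBCA/SAFE example on the citizenship slide and the two-bridge limit above can be modelled as a path search over cross-certificates. This is an added example, not part of the presentation and not FPKI code: the graph is constructed, PharmaCA, ClinicCA, RemoteCA and BridgeX are hypothetical names, and treating the policy names as one linear order is a simplifying assumption.

```python
# Added example: a constructed trust graph, not real FPKI data.
# Assumption: policy names from the slides treated as one linear order.
LOA = ["Rudimentary", "Basic", "Medium-CBP", "Medium",
       "MediumHW-CBP", "MediumHW", "High"]
RANK = {name: i for i, name in enumerate(LOA)}

BRIDGES = {"FBCA", "SAFE", "BridgeX"}   # BridgeX is hypothetical
MAX_BRIDGES = 2                          # "no more than two bridges"
LEVEL4_MIN = "MediumHW-CBP"              # slide: medium hardware(-cbp) meets Level 4

# (issuer, subject) -> LOA at which the issuer cross-certified the subject.
CROSS_CERTS = {
    ("FBCA", "SAFE"): "MediumHW-CBP",
    ("SAFE", "PharmaCA"): "MediumHW",      # at that LOA or better
    ("SAFE", "ClinicCA"): "Medium",        # below the bridge-to-bridge LOA
    ("SAFE", "BridgeX"): "MediumHW-CBP",
    ("BridgeX", "RemoteCA"): "MediumHW-CBP",
}

def best_path(anchor, target, max_bridges=MAX_BRIDGES):
    """Return (effective LOA, path) for the strongest allowed path, or None."""
    best = None
    stack = [(anchor, [anchor], RANK["High"])]
    while stack:
        node, path, rank = stack.pop()
        if sum(ca in BRIDGES for ca in path) > max_bridges:
            continue                      # transitivity limit exceeded
        if node == target:
            if best is None or rank > best[0]:
                best = (rank, path)
            continue
        for (issuer, subject), loa in CROSS_CERTS.items():
            if issuer == node and subject not in path:   # no loops
                # A path is only as strong as its weakest cross-certificate.
                stack.append((subject, path + [subject], min(rank, RANK[loa])))
    return None if best is None else (LOA[best[0]], best[1])

def accepted(anchor, target, required_loa):
    """True if some allowed path reaches target at required_loa or better."""
    found = best_path(anchor, target)
    return found is not None and RANK[found[0]] >= RANK[required_loa]

if __name__ == "__main__":
    for ca in ("PharmaCA", "ClinicCA", "RemoteCA"):
        print(ca, best_path("FBCA", ca), accepted("FBCA", ca, LEVEL4_MIN))
```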

27
Summary
  • BCA Cross-certification is still an evolving
    process
  • As we become more adept the process will become
    more defined
  • The paper trail is one part of the process.
    In-person meetings will still be important to
    understand and comprehend intent and business of
    a BCA
  • Laws and regulations may restrict some goals for
    cross-certification
  • Legal and liability issues will probably never be
    completely resolved due to the nature of the
    legal community
  • Did the BBWG meet its goals?
  • Still work to do
  • Certipath is almost complete
  • SAFE is beginning its process

28
For more information
  • Dr. Peter Alterman, Chair, FPKI Policy Authority
    (FPKI PA)
  • altermap_at_nih.gov
  • 301-496-7998
  • Ms. Judith Spencer, Chair, Federal Identity
    Credentialing Committee (FICC)
  • Judith.spencer_at_gsa.gov
  • 202-208-6576
  • Ms. Deborah "Debb" Blanchard
  • Deborah.blanchard_at_cybertrust.com
  • 443-367-7011