Скачать презентацию The U S Federal PKI and the Federal Скачать презентацию The U S Federal PKI and the Federal

cbc720f27cccdc805242539c6b1b0c47.ppt

  • Количество слайдов: 20

The U. S. Federal PKI and the Federal Bridge Certification Authority Peter Alterman, Ph. The U. S. Federal PKI and the Federal Bridge Certification Authority Peter Alterman, Ph. D. Senior Advisor to the Chair, Federal PKI Steering Committee and Acting Director, Federal Bridge Certification Authority

Introduction - Overview Introduction - Overview

The Goals of the U. S. Federal PKI A cross-governmental, ubiquitous, interoperable Public Key The Goals of the U. S. Federal PKI A cross-governmental, ubiquitous, interoperable Public Key Infrastructure. n The development and use of applications which employ that PKI in support of Agency business processes. n

Why A U. S. Federal PKI? Statutory mandates for e-government and implementing electronic signature Why A U. S. Federal PKI? Statutory mandates for e-government and implementing electronic signature technology n Demands for improved services at lower cost n International Competition n International Collaboration n

Why NOT a U. S. Federal PKI? n n Concerns of Privacy Advocates Agency Why NOT a U. S. Federal PKI? n n Concerns of Privacy Advocates Agency internal politics Vendor battles for market space Cost

The Approach to a U. S. Federal PKI n Agencies implement their own PKIs The Approach to a U. S. Federal PKI n Agencies implement their own PKIs n Create a Federal Bridge CA using COTS products to bind Agency PKIs together n Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA n Ensure directory compatibility n Use ACES for transactions with the public

A Snapshot of the U. S. Federal PKI DOD PKI Illinois PKI CANADA PKI A Snapshot of the U. S. Federal PKI DOD PKI Illinois PKI CANADA PKI Federal Bridge CA NASA PKI Higher Education Bridge CA NFC PKI University PKI

The U. S. Federal Bridge Certification Authority (FBCA) The U. S. Federal Bridge Certification Authority (FBCA)

FBCA Overview n Designed to create trust paths among individual Agency PKIs n Employs FBCA Overview n Designed to create trust paths among individual Agency PKIs n Employs a distributed - NOT a hierarchical - model n Commercial CA products participate within the membrane of the Bridge n Develops cross-certificates within the membrane to bridge the gap among dissimilar products

FBCA Goals n Leverage emerging Agency PKIs to create a unified Federal PKI n FBCA Goals n Leverage emerging Agency PKIs to create a unified Federal PKI n Limit workload on Agency CA staff n Support Agency use of: Any FIPS-approved cryptographic algorithm n A broad range of commercial CA products n n Propagate policy information to certificate users in different Agencies

FBCA Architecture n Multiple commercial CAs within a “membrane” that cross-certify and interoperate n FBCA Architecture n Multiple commercial CAs within a “membrane” that cross-certify and interoperate n CAs offline n No network connectivity (CA sneaker net to directory) n FBCA directory online 24 X 7 X 365

FBCA Directory Architecture Chained X. 500 directories n Dual-rooted FBCA directory is “hub” n FBCA Directory Architecture Chained X. 500 directories n Dual-rooted FBCA directory is “hub” n n dc=gov o=U. S. Government, c=US LDAP supported for non-X. 500 directories

Directory Model Directory Model

FBCA Operation Issues Certificates to Participating CAs only n FPKI Steering Committee oversees FBCA FBCA Operation Issues Certificates to Participating CAs only n FPKI Steering Committee oversees FBCA development and operations n Documentation n Enhancements n Client-side software n Operates in accordance with Policy Authority and FPKISC direction n

FPKI Policy Authority n Determines participants and levels of crosscertification n Participants become voting FPKI Policy Authority n Determines participants and levels of crosscertification n Participants become voting members Administers Certificate Policy n Enforces compliance by member organizations n General Services Administration serves as Operational Authority n

Policy Mapping n Candidate Certificate Policies evaluated against the FBCA CP for adequacy and Policy Mapping n Candidate Certificate Policies evaluated against the FBCA CP for adequacy and levels of assurance: Identity binding n CA security n Performed by the Federal Policy Management Authority Certificate Policy Working Group with contractor support n Requirements publicly available on NIST website n

Policy Equivalence Example ISO Banking Can High Fed PKI High Do. D 4 Can Policy Equivalence Example ISO Banking Can High Fed PKI High Do. D 4 Can Med Fed PKI Med Do. D 3 Can Basic Fed PKI Basic Do. D 2 Can Rud Fed PKI Rud

Policy Mapping Example Federal High = Do. D CLASS 4 Federal Medium = Do. Policy Mapping Example Federal High = Do. D CLASS 4 Federal Medium = Do. D CLASS 3 Do. D CA Bridge CA Do. D CLASS 4 = Federal High Do. D CLASS 3 = Federal Medium Do. D CLASS 3 Subscriber Federal High = Canadian High Federal Medium = Canadian Medium Canadian High = Federal High Canadian Medium = Federal Medium Can. HIGH Subscriber Canadian CA Can. MED Subscriber

References n Federal PKI Steering Committee Website: http: //www. cio. gov/fpkisc n NIST PKI References n Federal PKI Steering Committee Website: http: //www. cio. gov/fpkisc n NIST PKI Website: http: //csrc. nist. gov/pki n ANSI Website: http: //www. ansi. org n IETF Website: http: /www. ietf. org

Acknowledgements n Thanks to: n Judith Spencer, Chair, Federal PKI Steering Committee n Tim Acknowledgements n Thanks to: n Judith Spencer, Chair, Federal PKI Steering Committee n Tim Polk, National Institute of Standards and Technology n Dave Fillingham, National Security Agency