The U.S. Federal PKI, 2004: Report to EDUCAUSE
Peter Alterman, Ph.D.
Assistant CIO for E-Authentication, National Institutes of Health

The Federal Bridge CA is Now the Federal PKI Architecture (SuperSize Me)
• Components include:
– US Federal Bridge CA
– Common Policy Framework CA
– E-Authentication CA
– Citizen and Commerce Class CA

FPKI Architecture
Figure: FPKI Architecture. The Federal Bridge Certification Authority (FBCA Certificate Policy) sits at the center, two-way cross-certified with ACES, other Bridge CAs, agencies (legacy agency CA policy), states, the private sector and foreign entities. Around it: the FPKI Common Policy Framework (FCPF) Policy Certification Authority (trust anchor for Common FPKI Policy hierarchical PKI subscribers), two-way cross-certified with the FBCA at FBCA High and FBCA Medium and cross-certifying the Qualified Shared Service Providers (USDA/NCF, VeriSign, DST) that serve new agencies; the Citizen & Commerce Class Common (C4) Policy Certification Authority (included in browser lists of CAs), two-way cross-certified with PEPCO, AOL and other "PKI Lite" PKIs; and the E-Governance Certification Authority (E-Governance Certificate Policies; mutual authentication of SAML/SSL certificates only; Assurance Levels 1 and 2), shown with a one-way cross-certification marked optional.

Key Points
• Main connection between US Federal PKI and external PKIs (including other Bridges) continues to be the Federal Bridge CA.
• Common Policy Framework CA issues cross-certificates to SSP primary CAs.
• Common Policy Framework CA cross-certified with FBCA.
• E-Authentication CA: two other CAs service E-Authentication levels one and two CSP SSL/TLS server cert issuance.
• C4 CA services alternative PKIs ("ultra lights").

Cross-Certified with the US FBCA
• Department of Defense (one way)
• DOD Key Management Infrastructure
• NASA
• USDA/National Finance Center
• Treasury
• State
• Energy
• Labor
• State of Illinois
• DST/Identrus
• ACES (and HHS)
• ORC ACES

Pending/In Process
• U.S. Patent and Trade
• Wells Fargo Bank / Identrus
• Government of Canada
• Boeing
• HEBCA
• Government of Australia
• UK Ministry of Defence

Approved Shared Service Providers
• VeriSign
• CyberTrust
• National Finance Center/USDA
• Others pending

Other Bridges Emerging: A Global Trust Infrastructure
• Aerospace Industry (CertiPath)
• Pharmaceutical Industry (SAFE)
• Unofficially, and really not a bridge, but might as well be: Crimson Logic Pacific Rim Import/Export Application (9 economies)

And Now A Graphic
• Showing how the Federal PKI fits into the overall U.S. E-Authentication Architecture

Figure: The US Federal PKI & The E-Authentication Federated Approach. The diagram places the Federal PKI (the FBCA with its two-way cross-certified communities of ACES, other Bridge CAs, agencies, states, private sector and foreign entities; the FCPF Policy CA with its Qualified Shared Service Providers USDA/NCF, VeriSign and DST; the C4 Policy CA with PEPCO, AOL and Wells Fargo; and the E-Governance CA) next to the E-Authentication Portal, the eAuth Trust List, the AA and a Validation Service offering XKMS, OCSP, CAM, SOAP and other protocols, with further cross-certified communities (Community 1 to 3, CA 1 to CA 4b) hanging off the Bridge. The certificate-based flow shown is:
Step #1: User goes to Portal to select the AA and ECP.
Step #2: The user is passed directly to the AA.
Step #3: The user authenticates to the AA directly using SSL or TLS.
Step #4: The AA uses the validation service to validate the certificate.
Note: Red lines indicate technical areas to resolve. Working Groups are formed to address these areas by 1st week of March 2004.

Other Federal/Higher Ed Initiatives, or Places We Meet: (In Hoc Signo Vinces)
• NIH-EDUCAUSE PKI Interoperability Project, Phase 4
• E-Authentication-Shibboleth Interoperability Initiative
• E-Authentication Partnership
• International Collaborative Identity Management Forum (ICIDM)

Issues Being Pursued Actively
• Path Discovery / Path Validation
– CAM works
• Bridge-Bridge Interoperability Procedures, including Bridge Operations Issues
– Citizenship, etc.
• FIPS 201 and HSPD-12

Path Discovery / Path Validation
• CAM 4 RC7 ready for prime time and configurable to map LOA
• CAM 4 RC8 due January, 2005 (GUI interface for configuration)
• Validation Service/Tool Requirements Document about ready for release
• No COTS service/tool yet a reality
• Betting on SCVP for next generation validation checking protocol

Bridge-to-Bridge Interoperability
• Policy and Procedures
– FPKI Policy Authority leads the pack
• Technical Implementation Issues
– Architecture and Trust
• Politics and Money
• Current sticking point is citizenship requirements for trusted operators

HSPD-12, The Black Hole: Background
• Requires NIST to promulgate technical and procedural standards for electronic identity authentication for Feds and contractors (PIV = Personal Identity Verification)
• Encompasses physical and logical access to government resources
• Ultra short timeframe: standards done in spring, agency implementation plans due late June, agency implementation begins October
• Means Medium Assurance digital certificates on smart cards, but next generation crypto being pushed
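The cross-certification model of the FPKI Architecture and Cross-Certified slides, and the path discovery / path validation problem the later slide says CAM addresses, as an added example that is not from this deck and not the code of CAM, SCVP or any FPKI tool. It builds a miniature bridge PKI in memory with Python's cryptography package: two agency roots, a Bridge CA cross-certified two-way with Agency A but only one-way with Agency B (the Department of Defense entry in the cross-certified list is the real-world case of a one-way link), and a relying party in each agency that trusts only its own root. All CA names, keys, subscriber names and the discover_path routine are constructed for illustration.

```python
"""Bridge-CA path discovery and validation (added example, not from the slides).

Miniature Federal-Bridge-style PKI built in memory: Agency A and Agency B each
run a root CA; the Bridge CA is cross-certified two-way with Agency A (each
signs the other's key) but only one-way with Agency B (the Bridge signs B's
key, B never signs the Bridge's). A relying party trusts only its own agency
root, so it must discover a root -> cross-certificate(s) -> subscriber path and
verify every signature on it. All names and keys here are constructed.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOT_BEFORE = dt.datetime(2004, 12, 1)  # naive UTC, as the certificate builder expects
NOT_AFTER = NOT_BEFORE + dt.timedelta(days=365)


def dn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Sign subject_key under issuer_key. One call covers a self-signed root
    (subject == issuer), a cross-certificate (a CA signing another CA's key)
    and an end-entity certificate (is_ca=False)."""
    return (
        x509.CertificateBuilder()
        .subject_name(dn(subject_cn))
        .issuer_name(dn(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under the key carried in issuer_cert."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def discover_path(target, pool, anchor):
    """Depth-first path discovery from target back to the trust anchor.

    Follows issuer-name -> subject-name links through the cross-certificate
    pool, verifying each signature as it goes. Returns [target, ..., anchor]
    or None. Validity dates, name/policy constraints, policy mapping and
    revocation (CRL/OCSP) are deliberately left out; a real validator or an
    SCVP/XKMS/CAM service must check them as well.
    """
    def search(cert, path):
        if cert.issuer == anchor.subject and signed_by(cert, anchor):
            return path + [anchor]
        for cand in pool:
            if cand.subject != cert.issuer or cand.subject == cand.issuer:
                continue  # wrong name, or a self-issued cert that cannot advance the path
            if cand in path or not signed_by(cert, cand):
                continue  # loop, or an issuer name forged without the issuer's key
            found = search(cand, path + [cand])
            if found:
                return found
        return None
    return search(target, [target])


def build_demo_pki():
    """Constructed sample PKI; returns (certificates by label, cross-certificate pool)."""
    k = {n: ec.generate_private_key(ec.SECP256R1())
         for n in ("A", "B", "Bridge", "subA", "subB", "rogue")}
    c = {
        "A_root": issue("Agency A Root CA", k["A"], "Agency A Root CA", k["A"], True),
        "B_root": issue("Agency B Root CA", k["B"], "Agency B Root CA", k["B"], True),
        # two-way cross-certification between Agency A and the Bridge
        "A_signs_bridge": issue("Federal Bridge CA", k["Bridge"], "Agency A Root CA", k["A"], True),
        "bridge_signs_A": issue("Agency A Root CA", k["A"], "Federal Bridge CA", k["Bridge"], True),
        # one-way only: the Bridge certifies Agency B, Agency B never certifies the Bridge
        "bridge_signs_B": issue("Agency B Root CA", k["B"], "Federal Bridge CA", k["Bridge"], True),
        "subA": issue("alice@agency-a.example", k["subA"], "Agency A Root CA", k["A"], False),
        "subB": issue("bob@agency-b.example", k["subB"], "Agency B Root CA", k["B"], False),
        # impostor naming Agency B as issuer but signed with its own key
        "rogue": issue("mallory@agency-b.example", k["rogue"], "Agency B Root CA", k["rogue"], False),
    }
    pool = [c["A_signs_bridge"], c["bridge_signs_A"], c["bridge_signs_B"]]
    return c, pool


def path_names(path):
    return [cert.subject.rfc4514_string() for cert in path] if path else None


def demo():
    """Three relying-party checks: cross-agency success, one-way failure, forged issuer."""
    c, pool = build_demo_pki()
    return {
        "A_trusts_subB": path_names(discover_path(c["subB"], pool, c["A_root"])),
        "B_trusts_subA": path_names(discover_path(c["subA"], pool, c["B_root"])),
        "A_trusts_rogue": path_names(discover_path(c["rogue"], pool, c["A_root"])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Agency A's relying party finds the four-certificate path subscriber, Agency B (the Bridge-signed cross-certificate), Bridge (the Agency-A-signed cross-certificate), Agency A root. Agency B's relying party finds no path to an Agency A subscriber, because Agency B never issued a cross-certificate to the Bridge; that asymmetry is what "one way" in the cross-certified list means in practice. The impostor certificate is rejected at the signature check even though its issuer name matches, which is why name matching alone is never path validation. The CAM and SCVP services on the slides additionally apply policy mapping and constraints across the bridge and check revocation, which this search does not.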
HSPD-12, The Black Hole: Status
• Current action is with three documents: FIPS 201, SP 800-73 and the Implementation Guide
• Current draft of FIPS 201 being heavily revised, final version due mid-February
• Revision to SP 800-73 (smart card standards) under way; IAB hard at work revising to accommodate industry input, due late January
• Implementation in two phases to accommodate installed base and vendor community
• WILL AFFECT EVERYONE

Reminder: PKI R&D Workshop
• April 19 – 21, 2005
• NIST, Gaithersburg, MD
• www.middleware.internet2.edu/pki05
• This year, the workshop has a particular interest in how emergent trust mechanisms will interact with each other at technical, policy and user levels.