Transcript

Slide 1
Federal Initiatives in IdM
Dr. Peter Alterman
Chair, Federal PKI Policy Authority
Wilmington, NC, November 2005

Slide 2
HSPD-12
• Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05
• Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06
• Authorization remains a local prerogative

Slide 3
E-Authentication
• Initiatives
  – Assessment Framework for Credentials: evaluating the level of assurance (LOA) of identity of credential service providers
  – Membership in Liberty Alliance
  – Frequent meetings with Microsoft
  – Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team

Slide 4
E-Authentication: CAF
• Credential Assessment Framework consists of the following:
  – A structured methodology and procedures for evaluating the LOA of a CSP's credentials
  – An assessment team that goes out and evaluates CSPs
  – A process for conflict resolution
  – Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website

Slide 5
E-Authentication: Interfed Interop
• inCommon Higher Education Identity Federation
  – Using Shibboleth middleware technical protocols
  – Policy-light
• E-Authentication US Identity Federation
  – Using a variety of technical protocols
  – Policy intensive

Slide 6
What Are Electronic Identity Federations?
• Associations of electronic identity credential providers and credential consumers (electronic service providers) who:
  – Agree to trust each other's credentials;
  – Agree to hold credential providers authoritative for the validity of their credentials;
  – Agree to use common communications protocols and procedures to enable interoperability;
  – Agree to common business rules

Slide 7
Purpose of Electronic Identity Federations
• To enable trusted electronic business transactions between end users and service providers where the service provider does not have to issue and manage identity credentials, including attributes.
• It's all a matter of scaling...
• No, it's also a matter of control

Slide 8
Characteristics of Identity Federations
• Credential providers
• Service providers
• Standards and protocols for technical interoperability among credential providers, service providers, end users and infrastructure utilities
• A governance mechanism to assert common business rules, ensure credentials can be used and trusted by all members of the federation, and a central control point for entry and exit of members

Slide 9
Accomplishments to Date
• Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2
• Production-level interoperability built into Shibboleth 1.3 (in beta)
• Extensive groundwork done on identifying policy and procedure mapping/treaty requirements
• Credential Assessment of 3 universities, fourth scheduled

Slide 10
Work in Progress
• Development of common SAML 2.0 schemes
• Development of common USPerson profile and profile management infrastructure
• Development of production-quality scheme translator
• Ongoing work to enable cross-federation trust and interoperability
• NSF FastLane to accept 3 universities' Shibboleth-based identity and attribute credentials on or before December, 2005 (slippage)

Slide 11
Unresolved Issues
• Mapping null attributes
• Ensuring privacy of attribute information in a variety of instances
• Portal integration
• Scaling issues for listing credential providers
• Issues of transitivity across federations
• Multiple authoritative sources/conflicting authoritative sources
• Vocabulary and "data dictionary" issues
• Liability and indemnification issues

Slide 12
Federal PKI Architecture
• Agency and other government PKIs required to cross-certify with the Federal Bridge CA
• As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program
• The architecture issues TLS/SSL certs to credential service providers that have completed the CAF, to provide mutual authentication
• Federal Bridge CA serves as "point of insertion" for external PKIs and other bridges.

Slide 13
Simplified Diagram of Federal PKI
[Diagram. Components shown: Federal Bridge CA at the center; cross-certified government PKIs; cross-certified external PKIs; C4 CA; Common Policy CA, under which sit the E-Gov CAs (3) and the Shared Service Provider PKIs (Common Policy OID and root cert); eAuth CSPs.]

Slide 14
LOA Mapping: E-Auth to Fed PKI
E-Auth Level 1: FPKI Rudimentary, C4
E-Auth Level 2: FPKI Basic
E-Auth Level 3: FPKI Medium & Medium-cbp
E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (government only)

Slide 15
Discussion
• [email protected]
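Slides 12 and 13 describe the Federal Bridge CA as the "point of insertion" through which an agency that trusts only its own root can validate certificates issued under another, cross-certified PKI. The following is an added example, not code from the slides or from the Federal PKI Policy Authority, that models that mechanism with the Python `cryptography` library: an Agency A root cross-certifies the bridge, the bridge cross-certifies Agency B, and a relying party in Agency A builds and validates a path for an Agency B end-entity certificate while rejecting one from a PKI that never cross-certified. All names, keys, dates and the policy OID are constructed for the example; real FPKI cross-certificates additionally carry policy mappings between each PKI's own OIDs, which is simplified here to a single shared policy OID that every certificate in the path must assert.

```python
"""Toy model of bridge-CA cross-certification and path validation (added example)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Constructed values: the evaluation time and a hypothetical "Medium" policy OID.
NOW = datetime(2005, 11, 1, tzinfo=timezone.utc)
MEDIUM_POLICY = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject, subject_key, issuer, issuer_key, ca):
    """Issue a cert for subject_key signed by issuer_key; same names/keys give a self-signed root."""
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject))
        .issuer_name(name(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(x509.CertificatePolicies([x509.PolicyInformation(MEDIUM_POLICY, None)]), critical=False)
        .sign(issuer_key, hashes.SHA256())
    )


def valid_at(cert, when):
    """Validity window check that works with both old (naive) and new (_utc) accessors."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    else:
        na = cert.not_valid_after_utc
    return nb <= when <= na


def signed_by(cert, issuer):
    """True if cert names issuer as its issuer and issuer's key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def build_path(leaf, pool, anchor):
    """Depth-first search from leaf through the pool of cross-certs to the trust anchor."""
    def walk(cert, path, seen):
        if signed_by(cert, anchor):
            return path + [anchor]
        for i, cand in enumerate(pool):
            if i not in seen and signed_by(cert, cand):
                found = walk(cand, path + [cand], seen | {i})
                if found:
                    return found
        return None
    return walk(leaf, [leaf], set())


def validate(leaf, pool, anchor, policy, when=NOW):
    """Path found, every cert in date, every issuer a CA, and the required policy asserted throughout."""
    path = build_path(leaf, pool, anchor)
    if path is None:
        return False
    for i, cert in enumerate(path):
        if not valid_at(cert, when):
            return False
        if i > 0 and not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
        if policy not in {p.policy_identifier for p in policies}:
            return False
    return True


def demo():
    """Agency A trusts only its own root; Agency B is reachable through the bridge, CA Z is not."""
    k = {n: rsa.generate_private_key(65537, 2048) for n in ("A", "FBCA", "B", "alice", "Z", "zed")}
    a_root = issue("Agency A Root CA", k["A"], "Agency A Root CA", k["A"], ca=True)
    fbca_by_a = issue("Federal Bridge CA", k["FBCA"], "Agency A Root CA", k["A"], ca=True)   # A -> bridge
    b_by_fbca = issue("Agency B Root CA", k["B"], "Federal Bridge CA", k["FBCA"], ca=True)   # bridge -> B
    alice = issue("alice@agency-b.example", k["alice"], "Agency B Root CA", k["B"], ca=False)
    z_root = issue("Unaffiliated CA Z", k["Z"], "Unaffiliated CA Z", k["Z"], ca=True)       # never cross-certified
    zed = issue("zed@example", k["zed"], "Unaffiliated CA Z", k["Z"], ca=False)
    pool = [fbca_by_a, b_by_fbca, z_root]
    return {
        "alice_via_bridge": validate(alice, pool, a_root, MEDIUM_POLICY),
        "zed_no_cross_cert": validate(zed, pool, a_root, MEDIUM_POLICY),
        "alice_wrong_policy": validate(alice, pool, a_root, x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.2")),
        "path_len_alice": len(build_path(alice, pool, a_root)),
    }


if __name__ == "__main__":
    print(demo())
```

The relying party never installs Agency B's root: trust flows only through the two cross-certificates, so removing the bridge's cross-certificate for Agency B (the bridge's "exit" control from slide 8) severs the path for every Agency B credential at once. The policy check is what keeps a Rudimentary-level PKI from being accepted where the slide 14 mapping calls for Medium.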