The Federal Bridge Certification Authority
The Federal Bridge Certification Authority – Description and Current Status
Peter Alterman, Ph.D.
Senior Advisor to the Chair, Federal PKI Steering Committee
and
Acting Director, Federal Bridge Certification Authority
The FBCA Architecture
[Diagram: several PKI domains, each with its own CA, directory and end users, joined by trust paths through the Bridge CA and its directory]
FBCA Overview
Designed to create trust paths among PKI domains
Issues cross-certificates to Member CAs only
Employs a distributed, NOT a hierarchical, model
Commercial products participate within the
membrane of the Bridge OR interoperate with
products within the membrane
Develops cross certificates within the membrane to
bridge the gap among dissimilar products
FBCA Goals
Leverage emerging Federal Agency PKIs to create a
unified Federal PKI
Limit workload on Agency CA staff
Support Agency use of:
Any FIPS-approved cryptographic algorithm
A broad range of commercial CA products
Propagate policy information to certificate users in
different Agencies
FBCA Operation
Issues Cross-Certificates to Participating CAs only
FPKI Steering Committee oversees FBCA
development and operations
Documentation
Enhancements
Client-side software
Operates in accordance with Policy Authority and
FPKISC direction
FBCA Management Hierarchy
Steering Committee oversees FBCA development and
operations
Direct Operational Authority
Bridge Documentation
Enhancements
Policy Authority determines participants and levels of cross-certification
Administers Certificate Policy
Approves requests to cross-certify
Enforces compliance by member organizations
GSA named Operational Authority
Operates in accordance with Policy Authority and Steering
Committee direction
Current Status - August 10, 2001
Policy Authority approved final documentation on June 18, 2001
Certificate Policy
Certification Practices Statement
Independent Compliance Analysis
FBCA “open and ready for business” at the GSA/FTS
WillowWoods facility operated by Mitretek Systems on June 7,
2001
Prototyping/Compatibility lab continues operational off-site
Hot backup site nearing completion
C & A Audit under way by KPMG
Three federal agencies and one state government preparing
documentation for application for interoperability with Bridge:
NASA, NFC, FDIC, Illinois
What Will It Take to Use the FBCA?
Policy mapping of certificate policies
Sharing annual audits
Careful management of cross-certificates to
limit transitive trust (exclusion trees)
Directory interoperability and synchronization
Client software for certificate path discovery
and processing
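The mechanisms on this slide (cross-certificates, policy mapping, exclusion trees, client-side path discovery and processing) in one small worked model. This is an added example, not code from the presentation or from any FBCA component; the CA names, policy identifiers, certificates and the DN-suffix name matching are all constructed for illustration, and real X.509 path validation (RFC 5280) is considerably more detailed.

```python
"""Toy bridge-PKI path discovery and policy-mapped validation.

Constructed model: Cert objects stand in for X.509 certificates, policy
identifiers are strings rather than OIDs, and name constraints are a DN
suffix test. Nothing here parses real certificates.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    issuer: str
    subject: str
    policies: frozenset                       # policies this cert was issued under (issuer's terms)
    mappings: dict = field(default_factory=dict)  # policy mapping: issuer policy -> subject policy
    excluded: frozenset = frozenset()         # exclusion tree: subtrees the subject may not certify
    is_ca: bool = True


def in_subtree(name, subtree):
    """DN-suffix test standing in for X.509 name-constraint matching."""
    return name == subtree or name.endswith("," + subtree)


def find_paths(certs, anchor, target):
    """Path discovery: every acyclic chain of CA cross-certs from anchor to target's issuer."""
    by_issuer = {}
    for c in certs:
        if c.is_ca:
            by_issuer.setdefault(c.issuer, []).append(c)

    def walk(node, path, seen):
        if node == target.issuer:
            yield path + [target]
            return
        for c in by_issuer.get(node, ()):
            if c.subject not in seen:          # cross-certs run both ways; never loop
                yield from walk(c.subject, path + [c], seen | {c.subject})

    return list(walk(anchor, [], {anchor}))


def validate(path, initial_policies):
    """Walk one path, carrying the relying party's policies through each mapping.

    Returns (True, end-entity policy set) or (False, reason).
    """
    acceptable = set(initial_policies)        # expressed in the current issuer's domain
    excluded = set()                          # exclusion trees accumulated along the path
    for cert in path:
        if any(in_subtree(cert.subject, s) for s in excluded):
            return False, f"{cert.subject} falls in an excluded subtree"
        matched = acceptable & cert.policies
        if not matched:
            return False, f"{cert.issuer} -> {cert.subject}: no acceptable policy"
        # Translate into the subject CA's vocabulary; unmapped policies keep their name.
        acceptable = {cert.mappings.get(p, p) for p in matched}
        excluded |= cert.excluded
    return True, acceptable


def check(certs, anchor, target, initial_policies):
    """Try every discovered path; first accepted path wins, else all rejection reasons."""
    results = [(p, *validate(p, initial_policies)) for p in find_paths(certs, anchor, target)]
    for path, ok, detail in results:
        if ok:
            return True, [c.subject for c in path], detail
    return False, None, [d for _, ok, d in results]


# --- constructed sample PKI: two agencies and a state, all cross-certified with the bridge ---
A, BRIDGE, B, C = ("cn=Agency A CA,c=US", "cn=Federal Bridge CA,c=US",
                   "cn=Agency B CA,c=US", "cn=State C CA,c=US")
CERTS = [
    # Agency A maps only its medium policy to the bridge and excludes a contractor subtree,
    # so nothing reached through the bridge can vouch for names under it.
    Cert(A, BRIDGE, frozenset({"A:medium"}), {"A:medium": "FBCA:medium"},
         frozenset({"o=Contractors,c=US"})),
    Cert(BRIDGE, A, frozenset({"FBCA:medium"}), {"FBCA:medium": "A:medium"}),
    Cert(BRIDGE, B, frozenset({"FBCA:medium", "FBCA:basic"}),
         {"FBCA:medium": "B:medium", "FBCA:basic": "B:basic"}),
    Cert(B, BRIDGE, frozenset({"B:medium", "B:basic"}),
         {"B:medium": "FBCA:medium", "B:basic": "FBCA:basic"}),
    # State C was cross-certified at basic assurance only.
    Cert(BRIDGE, C, frozenset({"FBCA:basic"}), {"FBCA:basic": "C:basic"}),
    Cert(C, BRIDGE, frozenset({"C:basic"}), {"C:basic": "FBCA:basic"}),
]
ALICE = Cert(B, "cn=alice,o=Agency B,c=US", frozenset({"B:medium"}), is_ca=False)
BOB = Cert(C, "cn=bob,o=State C,c=US", frozenset({"C:basic"}), is_ca=False)
EVE = Cert(B, "cn=eve,o=Contractors,c=US", frozenset({"B:medium"}), is_ca=False)
CAROL = Cert(A, "cn=carol,o=Agency A,c=US", frozenset({"A:medium"}), is_ca=False)

if __name__ == "__main__":
    # A relying party in Agency A trusts its own CA at medium assurance.
    for ee in (ALICE, BOB, EVE):
        print(ee.subject, check(CERTS, A, ee, {"A:medium"}))
```

Alice validates because A:medium maps to FBCA:medium and then to B:medium; Bob fails because the bridge's certificate to State C carries only FBCA:basic, so medium-assurance trust does not flow to it; Eve fails on the exclusion tree even though her certificate policy is fine. Transitive trust is bounded by what each cross-certificate maps and excludes, not by the existence of a path.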
Next Steps
Continue to bring federal agencies into interoperability
Bring additional products into Bridge membrane
and/or verify interoperability with products in
membrane: working with RSA, Cylink, Spyrus and
talking with VeriSign and Microsoft
Pursue interoperability with State PKIs
Pursue interoperability with Nation of Canada
Pursue interoperability with non-government sector
bridges
References
Federal PKI Steering Committee Website:
http://www.cio.gov/fpkisc
FBCA Page:
http://www.cio.gov/fpkisc/fbca/index.htm
NIST PKI Website: http://csrc.nist.gov/pki