The Federal Bridge Certification Authority


The Federal Bridge Certification Authority – Description and Current Status

Peter Alterman, Ph.D.
Senior Advisor to the Chair, Federal PKI Steering Committee
and
Acting Director, Federal Bridge Certification Authority
The FBCA Architecture

[Diagram: the Bridge CA and its Directory at the centre, with trust paths out to several member PKI domains, each consisting of its own CA, Directory, and end users]
FBCA Overview

- Designed for the purpose of creating trust paths among PKI domains
- Issues cross-certificates to Member CAs only
- Employs a distributed, NOT a hierarchical, model
- Commercial products participate within the membrane of the Bridge OR interoperate with products within the membrane
- Develops cross-certificates within the membrane to bridge the gap among dissimilar products
FBCA Goals

- Leverage emerging Federal Agency PKIs to create a unified Federal PKI
- Limit workload on Agency CA staff
- Support Agency use of:
  - Any FIPS-approved cryptographic algorithm
  - A broad range of commercial CA products
- Propagate policy information to certificate users in different Agencies
FBCA Operation

- Issues Cross-Certificates to Participating CAs only
- FPKI Steering Committee oversees FBCA development and operations
  - Documentation
  - Enhancements
  - Client-side software
- Operates in accordance with Policy Authority and FPKISC direction
FBCA Management Hierarchy

- Steering Committee oversees FBCA development and operations
  - Direct Operational Authority
  - Bridge Documentation
  - Enhancements
- Policy Authority determines participants and levels of cross-certification
  - Administers Certificate Policy
  - Approves requests to cross-certify
  - Enforces compliance by member organizations
- GSA named Operational Authority
  - Operates in accordance with Policy Authority and Steering Committee direction
Current Status - August 10, 2001

- Policy Authority approved final documentation on June 18, 2001
  - Certificate Policy
  - Certification Practices Statement
  - Independent Compliance Analysis
- FBCA “open and ready for business” at the GSA/FTS WillowWoods facility operated by Mitretek Systems on June 7, 2001
- Prototyping/Compatibility lab continues in operation off-site
- Hot backup site nearing completion
- C & A (Certification and Accreditation) Audit under way by KPMG
- Three federal agencies and one state government preparing documentation for application for interoperability with Bridge: NASA, NFC, FDIC, Illinois
What Will It Take to Use the FBCA?

- Policy mapping of certificate policies
- Sharing annual audits
- Careful management of cross-certificates to limit transitive trust (exclusion trees)
- Directory interoperability and synchronization
- Client software for certificate path discovery and processing
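Worked example, added here and not taken from the presentation or from the FBCA program's own software: a small Python model of how the cross-certificates in the Overview slide combine into trust paths, and of the policy mapping, transitive-trust limiting and path discovery that this slide lists as prerequisites. Every CA name and policy label is a constructed placeholder (a real PKI uses OIDs), and the model uses a pathLenConstraint-style hop limit as its stand-in for the name-constraint exclusion trees the slide refers to. The policy handling follows the X.509 policyMappings idea (an issuer-domain policy is renamed to the subject-domain policy as the path crosses each certificate), simplified to sets of labels.

```python
"""Toy model of trust-path discovery across a bridge CA.

Constructed example, not FBCA software.  CAs are graph nodes and each
cross-certificate is a directed edge from issuer to subject carrying:
  - the certificate policies the issuer asserts for the subject,
  - the policy mappings it applies (issuer-domain policy -> subject-domain
    policy, the role of the X.509 policyMappings extension), and
  - an optional pathLenConstraint-style limit on how many further CA
    certificates may follow it in a path.
All CA names and policy identifiers are placeholders; a real PKI uses OIDs.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class CrossCert:
    issuer: str
    subject: str
    policies: FrozenSet[str]                                # policies asserted in this cert
    mappings: Dict[str, str] = field(default_factory=dict)  # issuer policy -> subject policy
    path_len: Optional[int] = None                          # CA certs allowed after this one


Path = List[CrossCert]


def build_bridge(limit_transitive: bool) -> List[CrossCert]:
    """Constructed membership: two agencies cross-certified with the bridge in
    pairs, a third agency mapped only at a lower assurance level, and a state
    PKI that Agency B cross-certified on its own, outside the bridge.  With
    limit_transitive=True the bridge's certificate to Agency B forbids any
    further CA hops, so B's private arrangements do not flow through the bridge."""
    b_limit = 0 if limit_transitive else None
    return [
        CrossCert("AgencyA", "Bridge", frozenset({"agencyA-medium"}), {"agencyA-medium": "bridge-medium"}),
        CrossCert("Bridge", "AgencyA", frozenset({"bridge-medium"}), {"bridge-medium": "agencyA-medium"}),
        CrossCert("Bridge", "AgencyB", frozenset({"bridge-medium"}), {"bridge-medium": "agencyB-medium"}, b_limit),
        CrossCert("AgencyB", "Bridge", frozenset({"agencyB-medium"}), {"agencyB-medium": "bridge-medium"}),
        CrossCert("Bridge", "AgencyC", frozenset({"bridge-basic"}), {"bridge-basic": "agencyC-basic"}),
        CrossCert("AgencyC", "Bridge", frozenset({"agencyC-basic"}), {"agencyC-basic": "bridge-basic"}),
        CrossCert("AgencyB", "StatePKI", frozenset({"agencyB-medium"}), {"agencyB-medium": "state-medium"}),
        CrossCert("StatePKI", "AgencyB", frozenset({"state-medium"}), {"state-medium": "agencyB-medium"}),
    ]


def discover_paths(certs: Iterable[CrossCert], anchor: str, target: str,
                   initial_policies: Iterable[str]) -> List[Tuple[Path, FrozenSet[str]]]:
    """Depth-first search from the relying party's trust anchor to the target CA.

    A path survives only if at least one acceptable policy is asserted by every
    certificate (after mapping through each one) and no pathLenConstraint on the
    way is exceeded.  Returns (path, surviving policies in the target's own
    policy namespace) for every valid path found."""
    by_issuer: Dict[str, List[CrossCert]] = {}
    for cert in certs:
        by_issuer.setdefault(cert.issuer, []).append(cert)
    results: List[Tuple[Path, FrozenSet[str]]] = []

    def walk(ca: str, policies: FrozenSet[str], budget: Optional[int],
             path: Path, visited: FrozenSet[str]) -> None:
        if ca == target:
            results.append((list(path), policies))
            return
        for cert in by_issuer.get(ca, []):
            if cert.subject in visited:             # cross-certs come in pairs: never loop back
                continue
            if budget is not None and budget <= 0:  # an upstream constraint forbids more CA hops
                continue
            # Policy processing: keep only policies this cert asserts, renamed by its mappings.
            mapped = frozenset(cert.mappings.get(p, p) for p in policies if p in cert.policies)
            if not mapped:
                continue
            new_budget = None if budget is None else budget - 1
            if cert.path_len is not None:
                new_budget = cert.path_len if new_budget is None else min(new_budget, cert.path_len)
            walk(cert.subject, mapped, new_budget, path + [cert], visited | {cert.subject})

    walk(anchor, frozenset(initial_policies), None, [], frozenset({anchor}))
    return results


def render_path(path: Path) -> str:
    """'AgencyA -> Bridge -> AgencyB' style rendering of a discovered path."""
    if not path:
        return ""
    return " -> ".join([path[0].issuer] + [c.subject for c in path])


if __name__ == "__main__":
    for limited in (False, True):
        certs = build_bridge(limit_transitive=limited)
        print(f"\nBridge->AgencyB hop limit: {'yes' if limited else 'no'}")
        for target in ("AgencyB", "AgencyC", "StatePKI"):
            found = discover_paths(certs, "AgencyA", target, {"agencyA-medium"})
            if not found:
                print(f"  {target}: no valid path from AgencyA at medium assurance")
            for path, pols in found:
                print(f"  {target}: {render_path(path)}  policies={sorted(pols)}")
```

Running the block shows the three behaviours the slide is concerned with: Agency A's medium-assurance users reach Agency B through the bridge with their policy renamed to B's own identifier; they never reach Agency C, because the bridge mapped C only at basic assurance and no acceptable policy survives; and they reach the state PKI that B cross-certified privately only while the bridge's certificate to B carries no hop limit. Setting that limit is the model's version of the careful cross-certificate management the slide calls for.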
Next Steps

- Continue to bring federal agencies into interoperability
- Bring additional products into Bridge membrane and/or verify interoperability with products in membrane: working with RSA, Cylink, Spyrus and talking with VeriSign and Microsoft
- Pursue interoperability with State PKIs
- Pursue interoperability with Nation of Canada
- Pursue interoperability with non-government sector bridges
References

- Federal PKI Steering Committee Website: http://www.cio.gov/fpkisc
- FBCA Page: http://www.cio.gov/fpkisc/fbca/index.htm
- NIST PKI Website: http://csrc.nist.gov/pki
