Federal PKI
NIST plays a leading role in the deployment of the Federal PKI, serving as an advisor on architectural issues and leading the development, evaluation, and maintenance of certificate policies for the Federal PKI. The Federal PKI architecture has two components: the Federal Bridge Certification Authority (FBCA), which supports interoperability among PKI domains with disparate policies in a peer-to-peer fashion, and the Common Policy Root CA, which anchors a hierarchical PKI.
FPKI Architecture
The FBCA operates under the FBCA Certificate Policy, which specifies five levels of assurance. The FBCA issues certificates to the Principal CA of a PKI domain after the Federal PKI Policy Authority (FPKI PA): (1) determines which FBCA levels of assurance are satisfied by the policies supported in that PKI domain; (2) determines that the PKI domain fulfills its responsibilities under those policies; and (3) establishes a legal agreement between the FBCA and the PKI domain. The NIST-managed Federal Certificate Policy Working Group (CPWG) leads steps (1) and (2). For an overview of the operations of the Federal PKI Policy Authority, see the Criteria and Methodology For Cross-Certification With the U.S. Federal Bridge Certification Authority (FBCA) or Citizen and Commerce Class Common Certification Authority (C4CA).
Hierarchical Federal PKI
The Common Policy Root CA operates under the Common Policy Framework, which specifies three policies with a relatively uniform level of assurance. The Common Policy Root CA issues a certificate to a subordinate CA operated by or on behalf of a federal agency after determining that the CA's operations satisfy the requirements of the Common Policy. The FPKI PA has delegated this responsibility to the CPWG and the Shared Service Provider (SSP) Subcommittee: the CPWG evaluates CAs operated by an agency for its internal operations, and the SSP Subcommittee evaluates CAs that offer PKI services to federal agencies under the Common Policy.
- SP 800-32: Introduction to PKI and the FPKI
- Federal Identity Credentialing Committee
- Computer Security Objects Registry (CSOR)
http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/index.html
-----------------------------------------------------------------------------------------------------------------------------------------------------
PKI Research, Standards & Guidance
PKI Architectures
A Public Key Infrastructure (PKI) is the key management environment for public key information of a public key cryptographic system. In general, there are three basic PKI architectures based on the number of Certificate Authorities (CAs) in the PKI, where users of the PKI place their trust (known as a user’s trust point), and the trust relationships between CAs within a multi-CA PKI.
The most basic PKI architecture is one that contains a single CA that provides the PKI services (certificates, certificate status information, etc.) for all the users of the PKI. Multiple CA PKIs can be constructed using one of two architectures based on the trust relationship between the CAs. A PKI constructed with superior-subordinate CA relationships is called a hierarchical PKI architecture. Alternatively, a PKI constructed of peer-to-peer CA relationships is called a mesh PKI architecture.
Directory Architectures
Early PKI development was conducted under the assumption that a directory infrastructure, specifically a global X.500 directory, would be used to distribute certificates and certificate revocation lists (CRLs). The global X.500 directory did not emerge, so PKIs have been deployed using various directory architectures that differ in how directory requests are serviced. If the initial directory cannot service a request, it can forward the request to other known directories (directory chaining). Alternatively, it can return a referral to the initiator of the request, naming a different directory that might be able to service it. If the directories provide neither chaining nor referrals, pointers to directory servers can be embedded in the certificate itself using the Authority Information Access (AIA) and Subject Information Access (SIA) extensions.
In general, all PKI users interface to the directory infrastructure using the Lightweight Directory Access Protocol (LDAP), regardless of how the directory infrastructure is navigated.
To help enhance interoperability of the directory infrastructures that support PKI, NIST has helped develop the Federal PKI Directory Profile Version 2 and the Shared Service Provider (SSP) Repository Requirements documents.
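As an added example, not code from the NIST page, the following Python encodes and decodes the AIA and SIA pointers described above with a minimal DER codec from the standard library only. The hostnames and the LDAP/HTTP URIs are constructed for illustration; the access-method OIDs are the ones RFC 5280 assigns (id-ad-ocsp, id-ad-caIssuers, id-ad-caRepository). A path builder that cannot rely on directory chaining or referrals reads the caIssuers entries of a certificate's AIA to learn where to fetch the issuer's certificate, and a CA's SIA caRepository entry to learn where that CA publishes what it has issued; the `issuer_locations` helper returns exactly those URIs in the order the CA listed them.

```python
# OIDs from RFC 5280 for the access methods carried in AIA and SIA.
ACCESS_METHODS = {
    "1.3.6.1.5.5.7.48.1": "ocsp",
    "1.3.6.1.5.5.7.48.2": "caIssuers",
    "1.3.6.1.5.5.7.48.5": "caRepository",
}
URI_TAG = 0x86        # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String
SEQUENCE_TAG = 0x30
OID_TAG = 0x06

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs packed into one byte, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(OID_TAG, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]   # correct for first arcs 0 and 1
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at `pos`; returns (tag, value bytes, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def encode_access_extension(descriptions):
    """AuthorityInfoAccessSyntax / SubjectInfoAccessSyntax value:
    SEQUENCE OF SEQUENCE { accessMethod OID, accessLocation GeneralName (URI) }."""
    name_to_oid = {v: k for k, v in ACCESS_METHODS.items()}
    items = b"".join(
        der_tlv(SEQUENCE_TAG, encode_oid(name_to_oid[method]) + der_tlv(URI_TAG, uri.encode("ascii")))
        for method, uri in descriptions)
    return der_tlv(SEQUENCE_TAG, items)

def decode_access_extension(der: bytes):
    """Return [(method name or dotted OID, URI), ...] for every URI-form AccessDescription."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE_TAG or end != len(der):
        raise ValueError("not a SEQUENCE, or trailing data")
    found = []
    pos = 0
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag != SEQUENCE_TAG:
            raise ValueError("AccessDescription must be a SEQUENCE")
        t_oid, oid_body, p = read_tlv(item, 0)
        t_loc, location, _ = read_tlv(item, p)
        if t_oid != OID_TAG:
            raise ValueError("accessMethod must be an OID")
        if t_loc != URI_TAG:
            continue   # other GeneralName choices (directoryName, ...) are not pointers followed here
        oid = decode_oid(oid_body)
        found.append((ACCESS_METHODS.get(oid, oid), location.decode("ascii")))
    return found

# Constructed sample (hypothetical hosts): the pointers a CA certificate might
# carry when the directory offers neither chaining nor referrals.
SAMPLE_AIA = encode_access_extension([
    ("caIssuers", "ldap://ldap.example.gov/cn=Example%20CA,o=Example?cACertificate;binary"),
    ("caIssuers", "http://pki.example.gov/caCerts/exampleCA.p7c"),
    ("ocsp", "http://ocsp.example.gov"),
])
SAMPLE_SIA = encode_access_extension([
    ("caRepository", "ldap://ldap.example.gov/cn=Example%20CA,o=Example?crossCertificatePair;binary"),
])

def issuer_locations(aia_der: bytes):
    """The URIs a path builder would try, in order, to fetch the issuer's certificate."""
    return [uri for method, uri in decode_access_extension(aia_der) if method == "caIssuers"]

if __name__ == "__main__":
    print(decode_access_extension(SAMPLE_AIA))
    print(decode_access_extension(SAMPLE_SIA))
```

The decoder deliberately rejects trailing data and truncated lengths rather than silently taking what parses; a relying party that follows AIA pointers is consuming attacker-influenced input from an unauthenticated channel, and a lax parser is the usual first foothold. The `ldap://` URIs use the RFC 4516 attribute form (`?cACertificate;binary`) that Federal PKI repositories publish.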
Bridge CAs
Bridge Certification Authorities (BCAs) provide the means to leverage the capabilities of existing corporate PKIs as well as Federal PKIs. "Bridge Certification Authorities: Connecting B2B Public Key Infrastructures" describes different PKI architectures, difficulties in connecting the architectures, and how a BCA addresses these issues. This article also describes the BCA concept, BCA deployment in the U.S. federal government, and how the BCA enables B2B electronic commerce.
Initially demonstrated at the Electronic Messaging Association (EMA) Challenge 2000 (see Report of Federal Bridge Certification Authority Initiative and Demonstration), the Federal Bridge CA has been operational since 2001. More information on the Federal Bridge CA is available at https://www.idmanagement.gov/fbca-certificate-policy-page/.
Current NIST research and standardization for BCAs is focused on developing test suites for X.509 certification path building and validation to provide a sanity check for performance and scalability measures.
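The following Python is an added example, not code from NIST or the FBCA, that builds certification paths over a constructed set of CA certificates and cross-certificates combining the three topologies described under PKI Architectures above (a hierarchy under a root, a mesh of peer cross-certificates, and a bridge). The CA names and the assurance labels basic/medium/high are hypothetical. Each certificate carries the policies the issuer asserts for the subject, and the path's effective policy set is the intersection along the path, a simplified form of RFC 5280 policy processing. That intersection is what makes the bridge model work: a cross-certified domain is reachable only at the assurance level its cross-certificate with the bridge maps, and the search must bound itself because mesh and bridge graphs contain cycles.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hypothetical CA names and assurance labels, constructed for this example.
# Each CACert stands for one CA certificate or cross-certificate (issuer -> subject)
# carrying the assurance policies the issuer is willing to assert for the subject,
# the analogue of a bridge's per-domain level-of-assurance mapping.
@dataclass(frozen=True)
class CACert:
    issuer: str
    subject: str
    policies: FrozenSet[str]

CONSTRUCTED_CERTS: List[CACert] = [
    # hierarchical domain under a root
    CACert("Common Root", "Agency X CA", frozenset({"medium", "high"})),
    CACert("Agency X CA", "Agency X Issuing CA", frozenset({"medium"})),
    # bridge: peer-to-peer cross-certificates in both directions
    CACert("Common Root", "Bridge CA", frozenset({"medium", "high"})),
    CACert("Bridge CA", "Common Root", frozenset({"medium", "high"})),
    CACert("Bridge CA", "Contractor Principal CA", frozenset({"medium"})),
    CACert("Contractor Principal CA", "Bridge CA", frozenset({"medium"})),
    CACert("Contractor Principal CA", "Contractor Sub CA", frozenset({"medium"})),
    # mesh: the contractor also cross-certifies directly with a partner
    CACert("Contractor Principal CA", "Partner CA", frozenset({"basic"})),
    CACert("Partner CA", "Contractor Principal CA", frozenset({"basic"})),
]

def build_path(certs, trust_anchor, target, required_policy, max_depth=6):
    """Find a certification path from the relying party's trust anchor to the
    target CA.  The effective policy set is the intersection of the policies on
    every certificate in the path; a partial path that has already lost
    `required_policy` is pruned, since intersections only shrink.  Returns the
    path as a list of CACert (trust anchor excluded), or None."""
    by_issuer: Dict[str, List[CACert]] = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)

    def dfs(node, path, policies, on_path):
        if path and node == target:
            return list(path)
        if len(path) >= max_depth:            # bound the search in cyclic graphs
            return None
        for c in by_issuer.get(node, []):
            if c.subject in on_path:           # never revisit a CA already on the path
                continue
            narrowed = c.policies if policies is None else policies & c.policies
            if required_policy not in narrowed:
                continue
            path.append(c)
            on_path.add(c.subject)
            found = dfs(c.subject, path, narrowed, on_path)
            path.pop()
            on_path.discard(c.subject)
            if found:
                return found
        return None

    return dfs(trust_anchor, [], None, {trust_anchor})

def path_subjects(path):
    """Subject names along a path, or None when no path was found."""
    return None if path is None else [c.subject for c in path]

if __name__ == "__main__":
    for anchor, target, policy in [
        ("Common Root", "Contractor Sub CA", "medium"),
        ("Common Root", "Contractor Sub CA", "high"),
        ("Partner CA", "Agency X Issuing CA", "medium"),
    ]:
        print(anchor, "->", target, "@", policy, ":",
              path_subjects(build_path(CONSTRUCTED_CERTS, anchor, target, policy)))
```

From the root's point of view the contractor's subordinate CA is reachable at medium assurance only through the bridge, and not at all at high assurance, because the bridge's cross-certificate to the contractor maps only medium. From the partner's point of view the agency CA is unreachable at medium: the only edge out of the partner's mesh cross-certification carries basic, and no later certificate can restore a policy the intersection has dropped.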
Certificate Status
Revocation Modeling
Public key infrastructures (PKIs) are being fielded in increasing size and numbers, but our operational experience to date has been limited to a relatively small number of environments. As a result, there are still many unanswered questions about the ways in which PKIs will be organized and operated in large scale systems. Some of these questions involve the ways in which individual certification authorities (CAs) will be interconnected. Others involve the ways in which revocation information will be distributed. In a 1994 report, the MITRE Corporation suggested that the distribution of revocation information has the potential to be the most costly aspect of running a large scale PKI [2].
The MITRE report assumed that each CA would periodically issue a certificate revocation list (CRL) that listed all of the unexpired certificates that it had revoked. Since the MITRE report was published, several alternative revocation distribution mechanisms have been proposed. Each of these mechanisms has its own relative advantages and disadvantages in comparison to the other schemes. The National Institute of Standards and Technology (NIST) has created mathematical models of some of the proposed revocation distribution mechanisms. These models were used in order to determine under what circumstances each of the mechanisms is most efficient.
Most of the proposed revocation distribution mechanisms have involved variations of the original CRL scheme. Examples include the use of segmented CRLs and delta-CRLs. However, some schemes do not involve the use of any type of CRL (e.g., on-line certificate status protocols and hash chains [5]).
"A model of certificate revocation" presents a mathematical model for describing the timings of validations by relying parties. The model is used to determine how request rates for traditional CRLs change over time. This model is then extended to show how request rates are affected when CRLs are segmented. This paper also presents a new technique for distributing revocation information, over-issued CRLs. Over-issued CRLs are identical to traditional CRLs but are issued more frequently, so that a new CRL is published before the previous one expires. Relying parties that fetched different CRLs then see their cached copies expire at different times instead of all at once, which spreads out their requests and reduces the peak load on the repository.
"A more efficient use of delta-CRLs" uses the model described in "A model of certificate revocation" to analyze various methods of issuing delta-CRLs. It begins with an analysis of the "traditional" method of issuing delta-CRLs and shows that, in some circumstances, issuing delta-CRLs in this manner fails to provide the efficiency gains for which delta-CRLs were designed. A new method of issuing delta-CRLs, sliding window delta-CRLs, is then presented. Sliding window delta-CRLs are similar to traditional delta-CRLs but provide a constant amount of historical information. While this does not affect the request rate for delta-CRLs, it can significantly reduce the peak request rate for base CRLs. The paper provides an analysis of sliding window delta-CRLs along with advice on how to select the optimal window size to use when issuing delta-CRLs.
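The following Python is an added example, not code from the NIST page or from the papers it describes, and it does not reproduce Cooper's closed-form model. It is a Monte Carlo version of the relying-party behaviour that model describes: each relying party validates signatures as a Poisson process and fetches a fresh CRL only when it validates while its cached CRL is past its nextUpdate. All parameters (1000 parties, one validation per hour each, 24-hour CRL validity, a 7-day horizon) are constructed values. Running the same simulation with a 24-hour issue interval (traditional issuance) and with a 6-hour interval (over-issuing: four overlapping CRLs in flight) shows the effect the paper describes, a much lower peak request rate for roughly the same total number of requests.

```python
import math
import random

def simulate_crl_requests(n_parties=1000, validate_rate=1.0, validity=24.0,
                          issue_interval=24.0, horizon=168.0, seed=7):
    """Requests per hour seen by a CRL repository.

    Each party validates as a Poisson process with `validate_rate` events per
    hour and fetches the current CRL only when it validates after its cached
    CRL's nextUpdate.  CRLs are issued every `issue_interval` hours, each valid
    for `validity` hours: issue_interval == validity is traditional issuance,
    issue_interval < validity is over-issuing.  All values are constructed."""
    rng = random.Random(seed)
    bins = [0] * int(math.ceil(horizon))
    for _ in range(n_parties):
        # constructed initial state: the party already holds some CRL whose
        # nextUpdate falls at a random point in the first validity period
        expiry = rng.uniform(0.0, validity)
        t = rng.expovariate(validate_rate)
        while t < horizon:
            if t >= expiry:
                # fetch the most recently issued CRL; its nextUpdate becomes the new expiry
                this_update = math.floor(t / issue_interval) * issue_interval
                expiry = this_update + validity
                bins[int(t)] += 1
            t += rng.expovariate(validate_rate)
    return bins

def peak_and_total(bins, warmup_hours=48):
    """Peak hourly request count and total requests after the warm-up period."""
    steady = bins[warmup_hours:]
    return max(steady), sum(steady)

def compare_over_issuing(**kw):
    """Traditional issuance (24 h interval) versus over-issuing (6 h interval),
    same parties, same validation behaviour, same 24 h CRL validity."""
    trad = simulate_crl_requests(issue_interval=24.0, **kw)
    over = simulate_crl_requests(issue_interval=6.0, **kw)
    t_peak, t_total = peak_and_total(trad)
    o_peak, o_total = peak_and_total(over)
    return {"traditional_peak": t_peak, "traditional_total": t_total,
            "over_issued_peak": o_peak, "over_issued_total": o_total}

if __name__ == "__main__":
    result = compare_over_issuing()
    for key, value in result.items():
        print(f"{key:>18}: {value}")
```

Under traditional issuance every party's cached CRL expires at the same instant, so the hour after each nextUpdate absorbs a burst of roughly n(1 - e^-1) requests at one validation per hour; with a 6-hour issue interval the parties settle into four cohorts whose CRLs expire at different times, and the peak drops by about a factor of four while the total stays roughly the same. The same harness can be extended to segmented or delta-CRLs by changing what a fetch returns.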
Papers
David A. Cooper. A model of certificate revocation. In Proceedings of the Fifteenth Annual Computer Security Applications Conference, pages 256-264, December 1999.
David A. Cooper. A more efficient use of delta-CRLs. In Proceedings of the 2000 IEEE Symposium on Security and Privacy, pages 190-202, May 2000.
References
- [1] Carlisle Adams and Robert Zuccherato. A general, flexible approach to certificate revocation. Entrust Technologies White Paper, June 10, 1998.
- [2] Shimshon Berkovits, Santosh Chokhani, Judith A. Furlong, Jisoo A. Geiter, and Jonathan C. Guild. Public Key Infrastructure Study: Final Report. Produced by the MITRE Corporation for NIST, April 1994.
- [3] Ueli Maurer. Modelling a public-key infrastructure. In Fourth European Symposium on Research in Computer Security (ESORICS 96), pages 324-350, September 1996.
- [4] Silvio Micali. Efficient certificate revocation. Technical Memo MIT/LCS/TM-542b, Massachusetts Institute of Technology, Laboratory for Computer Science, March 1996.
- [5] Moni Naor and Kobbi Nissim. Certificate revocation and certificate update. In Proceedings of the 7th USENIX Security Symposium, January 1998.
-------------------------------------------------------------------------------------------------------------------------------------------------
Citi Cross-Certifies with CertiPath’s Trusted PKI Bridge
Customers Gain Trusted Access to A&D Business with Identity Assurance
Herndon, Va. and New York - June 18, 2009 – Citi today becomes the first bank to cross-certify with the CertiPath information-sharing bridge, giving the global bank the new ability to deliver identity credentialing services to companies seeking to do business with the aerospace and defense (A&D) industry. Citi’s Global Transaction Services -- the unit that has worked with CertiPath -- offers integrated cash management, trade, and securities and fund services to multinational corporations, financial institutions and public sector organizations around the world.
CertiPath, the identity management and secure information sharing authority for A&D, was established to address one of the biggest challenges in business today: enabling partners and customers to electronically share critical information with a degree of trust, confidence and security. CertiPath’s information-sharing bridge makes it possible for organizations to do business across the street and around the world electronically with credentials that are trusted, based on uniform requirements for medium- and high-assurance certification for identity issuance.
Citi’s Managed Identity Services enables Citi clients to use digital identities and signature technologies to effectively and securely engage in digital commerce. Citi’s offerings provide the requisite security and assurance framework to confidently transact business. As part of the solution, Citi issues digital identities that can be used in a number of ways, including authenticating end users to applications, encrypting and locking down data, and replacing "wet ink" with digital signatures that provide non-repudiation without compromising legal enforceability.
As a CertiPath Certified Credential Provider (3CP), Citi’s Global Transaction Services unit has invested in extensive policy, procedure and infrastructure development to meet the rigorous standards for identity management required by the global A&D industry and the U.S. Federal Government. Citi currently provides digital identities to corporate clients for performing financial and pharmaceutical transactions through its Managed Identity Services business. With this new capability, Citi’s clients will have the ability to conduct electronic business with the U.S.’s largest A&D organizations and U.S. Federal Agencies already on the CertiPath Bridge. These military-grade credentials will enable Citi clients to streamline business processes by moving transactions online and to conduct business with the Federal government electronically. It will also significantly reduce cost and risk by eliminating the need for Citi clients to create their own certified credentials.
"Issuing and maintaining digital credentials is a very technologically sophisticated process, and Citi is making it much easier for clients to do business in an increasingly complex business environment," said Gary E. Greenwald, Chief Innovation Officer for Citi’s Global Transaction Services. "Cross certification with the CertiPath bridge allows us to supply the credentials needed to do business in this industry. It’s a huge milestone for us as we expand one of our competencies."
Citi clients join CertiPath’s growing community of organizations, including Boeing, EADS, Lockheed-Martin, Northrop Grumman and Raytheon, that rely on trusted digital identities to secure document and e-mail exchanges, authenticate to applications or encrypt files, as well as to make physical access to facilities significantly more secure.
Global Transaction Services, a division of Citi’s Institutional Clients Group offers integrated cash management, trade, and securities and fund services to multinational corporations, financial institutions and public sector organizations around the world. With a network spanning over 100 countries, Citi’s Global Transaction Services supports over 65,000 clients. As of the first quarter of 2009, it held on average $278 billion in liability balances under administration, and $10.3 trillion in assets under custody and trust.
"While the need for secure, trusted digital credentials is growing across all industries, the stakes are perhaps highest in A&D, where unauthorized access to military and operational information could be detrimental to national security and public safety," said Jeff Nigriny, president of CertiPath. "We are very pleased to have Citi join us. Its global reach will help us ensure that companies can do business in this environment - securely, confidently and economically."
###
About Citi
Citi, the leading global financial services company, has approximately 200 million customer accounts and does business in more than 140 countries. Through its two operating units, Citicorp and Citi Holdings, Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, and wealth management. Additional information may be found at www.citigroup.com or www.citi.com.
About CertiPath
CertiPath provides the aerospace and defense industry’s only public key infrastructure (PKI)-based communications bridge where information can be shared widely, securely, effectively and affordably between partners, suppliers and customers - regardless of the size and scope of the supply chain.
CertiPath’s disruptive solution tears down the burdensome and costly company, employee and program-centric approaches to identity assurance. Today, organizations in the U.S., U.K. and Europe including Boeing, BAE Systems, EADS, Lockheed Martin, Northrop-Grumman, Raytheon and the U.S. Federal Bridge (FBCA) are members of this fast-growing community. For more information, visit CertiPath on the web at http://www.certipath.com.
All product and company names herein may be trademarks of their registered owners.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------