The FBCA Architecture: Lessons Learned

1
The FBCA ArchitectureLessons Learned

• Tim Polk, NIST
• March 9, 2001

2
FBCA Goals

• Leverage emerging agency PKIs to create a unified
  federal PKI
• Limit workload agency CA staff
• Support agency use of
• Any FIPS-approved cryptographic algorithm
• A broad range of commercial CA products
• Propagate policy information to certificate users
  in different agencies

3
EMA Challenge Architecture
4
Multiple CAs in FBCA Membrane

• Support multiple cryptographic algorithms
• Support for multiple certificate management
  protocols

5
FBCA architecture

• FBCA CAs
• Offline
• No network connectivity
• FBCA directory online

6
An Alternative Bridge Architecture

• Bridge CAs offline but have network connectivity
• Internal directory
• Firewall (strict)
• Border Directory

7
FBCA Directory Architecture

• Chained X.500 directories
• Dual-rooted FBCA directory is hub
• dcgov
• oU.S. Government, cUS

8
(No Transcript)
9
Lessons Learned

• Bridge CAs can unite PKIs with
• Different architectures
• Different cryptographic algorithms
• Different DITs
• Heterogeneous commercial products can be used
  inside the bridge
• Client software is the limiting factor
• X.500 chaining simplifies certificate retrieval
• Offline bridge architecture is secure but
  inefficient