Stanley J. Choffrey - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
The Federal Bridge Certification Authority
Evolving Issues in Electronic Data Collection, January 10, 2000
Stanley J. Choffrey, stanley.choffrey_at_gsa.gov, (202) 708-7943
2
The Federal Bridge Certification Authority
The Federal Bridge Certification Authority (FBCA) will be the unifying element to link otherwise unconnected agency Certification Authorities (CAs) into a systematic overall Federal PKI. The FBCA functions as a non-hierarchical hub, allowing relying party agencies to create a certificate trust path from their own domain back to the domain of the agency that issued the certificate, so that the levels of assurance honored by disparate PKIs can be reconciled.
3
Federal Bridge Certification Authority
[Diagram: the FBCA, with FIPS 140-1 Level 3 crypto, cross-certified with CAs in Trust Domain 1 and Trust Domain 2, also with FIPS 140-1 Level 3 crypto. Cross certificates, CRLs and an ARL are published to a Directory System Agent, which an S/MIME e-mail client uses for path discovery, certificate retrieval and verification, and certificate validation.]
4
FBCA EMA Challenge Configuration
[Network diagram; component labels with the hardware and software listed for each:]

CyberTrust Client
  • Eudora E-mail (S/MIME v3)
  • Entrust Application with Certificate Path Validation
  • CyberTrust Certificate
  • Gemplus v1 or DataKey SmartCard

Entrust CA
  • LunaCA3 Crypto Module

FBCA Directory System
  • Dell PowerEdge 2300
  • NT 4.0 Server
  • 256 MB RAM
  • 9 GB Hard Drives (2)
  • Tape Backup
  • PeerLogic i500 Directory

Mitretek Border Router
  • Bay ASN.1 Router
  • CheckPoint Firewall

CyberTrust Enterprise CA
  • Dell PowerEdge 2300
  • NT 4.0 Server
  • 128 MB RAM
  • 9 GB Hard Drives (2)
  • 10BaseT Ethernet NIC
  • Tape Backup
  • PeerLogic i500 Directory
  • UPS

CyberTrust CA (SafeKeyper Crypto Module)
  • Sun Ultra 10
  • Solaris OS
  • 512 MB RAM
  • 9.1 GB Hard Drives (2)
  • Tape Backup
  • Oracle DB

Entrust Client
  • Eudora E-mail (S/MIME v3)
  • Entrust Application with Certificate Path Validation
  • Entrust Certificate
  • Spyrus Lynks Card

Also shown: Internet; DOD Bridge Demo CA
5
Federal Bridge Certification Authority EMA Challenge Overview
[Diagram; only the label GSA survives in the transcript.]
6
Directory Configuration
[Diagram of the participating DSAs; "Chaining" marks chained connections between them.]

Federal Bridge Certification Authority (PeerLogic)
  • c=US; o=U.S. Government; ou=FBCA
  • IP address 198.76.35.155; DSP port 102; LDAP port 389; TSEL TCP/IP
  • cn=FBCA_Directory
  • Chaining

GTRI (PeerLogic)
  • c=US; o=PKIL
  • c=US; o=Georgia
  • c=US; o=CISA
  • IP address 130.207.204.30; DSP port 17003; LDAP port 389; TCP/IP
  • cn=PKIL-DSA
  • Chaining

NASA (CDS)
  • cn=NASA5
  • c=US; o=NASA5; cn=NASA5
  • c=US; o=NASA5; cn=EntrustCA
  • IP address 128.102.84.79; DSP port 17019; LDAP port 389; TSEL TCP/IP

NIST (PeerLogic)
  • cn=NIST
  • c=US; o=U.S. Government; ou=NIST; ou=Experimental CA1: IP address 129.6.20.33; DSP port 102; LDAP port 389; TSEL 0x5000; TCP/IP
  • c=US; o=U.S. Government; ou=NIST; ou=Experimental CA2: IP address 129.6.20.33; DSP port 102; LDAP port 389; TSEL 0x5000; TCP/IP

GSA/FTS (PeerLogic)

DoD Bridge Certification Authority (Chromatix)
  • cn=BCAP BCA Server
  • c=US; o=Test BCA
  • c=US; o=Entrust; ou=Federal
  • c=US; o=U.S. National
  • c=US; o=U.S. Government; ou=DoD
  • IP address 216.4.247.66; DSP port 20006; LDAP port 406; TCP/IP
  • cn=BCAP Spyrus NSA CA-TBR: c=US; o=U.S. Government; ou=DoD; ou=NSA
7
Federal Organization
8
Federal PKI Policy Authority
  • Voluntary interagency group - NOT agency
  • Six charter members DOJ, DOD, OMB, GSA,
    Treasury, DOC
  • Governing body for FBCA interoperability
  • Responsible for Certificate Policy
  • Agency/FBCA certificate policy mappings
  • Oversees operation of FBCA
  • Authorizes issuance of FBCA certificates
  • Responsible for Certificate Practices Statement
  • Under Federal CIO Council

9
What will it take to use the FBCA?
  • Policy mapping of certificate policies
  • Careful management of cross-certs to limit
    transitive trust
  • Directory interoperability
  • Client software that does cert path discovery and
    processing
  • Appropriate liability language for
    interoperability with non-govt parties

10
"The current version of this CP does not provide for interoperability through the FBCA between Federal Agency PKI domains and those of parties who are external to the Federal government and who have no regulatory or contractual relationship with the Federal government. Such interoperability will be established when directed by the FPKIPA and will require changes to this CP to address issues associated with liability and other matters. Nonetheless, it is the ultimate intent of the FPKIPA to make the FBCA available to support interoperability between Federal and non-Federal entities. Moreover, interoperability with entities external to the Federal government for purposes of technical testing may be performed when directed by, and in a fashion determined by, the FPKIPA, employing the "Test" level of assurance. Additionally, certificates issued by the FBCA will ensure that appropriate controls are placed on the acceptance of certificates issued by CAs external to the Federal government, for example through the use of the nameConstraints extension."
X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA), 1.1.4
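The slide 9 requirements (policy mapping, cross-certificate management to limit transitive trust, client-side path discovery and processing) and the nameConstraints control named in the CP excerpt above, as an added toy model in Python that is not part of the presentation or of any FBCA software. Agency A is the relying party; the FBCA's cross-certificate to Agency B carries a policy mapping, a pathLenConstraint of 0 and a permitted-subtree constraint, and an external vendor CA is admitted only at the Test level. All names, policy labels and certificates are constructed, and the policy processing is a simplification of RFC 5280 section 6.1 (labels stand in for OIDs; anyPolicy and the inhibit flags are not modelled).

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    policies: set                                  # certificatePolicies (labels stand in for OIDs)
    mappings: dict = field(default_factory=dict)   # policyMappings: issuer-domain -> subject-domain
    permitted: tuple = ()                          # nameConstraints permittedSubtrees, as DN suffixes
    max_sub_cas: float = float("inf")              # pathLenConstraint; inf means unconstrained

def discover_path(name, target, pool, seen=frozenset()):
    """Depth-first search from the relying party's own CA (name) to the issuer of target."""
    if name == target.issuer:
        return [target]
    for c in (c for c in pool if c.issuer == name and c.subject not in seen):
        rest = discover_path(c.subject, target, pool, seen | {name, c.subject})
        if rest:
            return [c] + rest

def validate(path, initial_policies):
    """Relying-party policy levels the end certificate qualifies for, or a string saying why it fails."""
    current = {p: p for p in initial_policies}  # subject-domain policy -> relying-party policy
    permitted, budget = [], float("inf")        # active permittedSubtrees; remaining CA allowance
    for i, cert in enumerate(path):
        if any(not any(cert.subject.endswith(s) for s in sub) for sub in permitted if sub):
            return f"nameConstraints reject {cert.subject}"
        if not cert.policies.intersection(current):
            return f"no acceptable policy at {cert.subject}"
        current = {cert.mappings.get(p, p): rp for p, rp in current.items() if p in cert.policies}
        if i < len(path) - 1:                   # CA certificate: enforce the transitive-trust limits
            if (budget := budget - 1) < 0:
                return f"pathLenConstraint exceeded at {cert.subject}"
            budget = min(budget, cert.max_sub_cas)
            permitted.append(cert.permitted)
    return sorted(set(current.values()))

GOV = "o=U.S. Government,c=US"                  # constructed sample; Agency A is the relying party
AGENCY_A, FBCA = f"cn=Agency A CA,ou=AgencyA,{GOV}", f"cn=FBCA,ou=FBCA,{GOV}"
AGENCY_B, VENDOR = f"cn=Agency B CA,ou=AgencyB,{GOV}", "cn=Vendor CA,o=Vendor,c=US"
POOL = [  # cross-certificates available to path discovery
    Cert(FBCA, AGENCY_A, {"A-medium", "A-test"}, {"A-medium": "FBCA-medium", "A-test": "FBCA-test"}),
    Cert(AGENCY_B, FBCA, {"FBCA-medium"}, {"FBCA-medium": "B-medium"}, (f"ou=AgencyB,{GOV}",), 0),
    Cert(VENDOR, FBCA, {"FBCA-test"}, {"FBCA-test": "Vendor-std"}, ("o=Vendor,c=US",)),  # Test level only
]
BOB = Cert(f"cn=Bob,ou=AgencyB,{GOV}", AGENCY_B, {"B-medium"})
VERA = Cert("cn=Vera,o=Vendor,c=US", VENDOR, {"Vendor-std"})
MALLORY = Cert(f"cn=Mallory,ou=AgencyB,{GOV}", VENDOR, {"Vendor-std"})  # vendor-issued, government name
```

Running `validate(discover_path(AGENCY_A, BOB, POOL), {"A-medium"})` accepts Bob at Agency A's medium level, Vera is accepted only when the relying party admits the Test level, and Mallory's vendor-issued certificate with a government name is rejected by the permitted-subtree constraint before its policy is even considered.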