Federal Initiatives in IdM
Dr. Peter Alterman, Chair, Federal PKI Policy Authority
Post on 04-Jan-2016
Wilmington, NC November 2005 2
HSPD-12
• Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05
• Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06
• Authorization remains a local prerogative
E-Authentication
• Initiatives
– Assessment Framework for Credentials: evaluating the level of assurance (LOA) of identity of credential service providers
– Membership in Liberty Alliance
– Frequent meetings with Microsoft
– Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team
E-Authentication: CAF
• Credential Assessment Framework consists of the following:
– A structured methodology and procedures for evaluating the LOA of a CSP’s credentials
– An assessment team that goes out and evaluates CSPs
– A process for conflict resolution
– Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website
E-Authentication: Interfed Interop
• inCommon Higher Education Identity Federation
– Using Shibboleth middleware technical protocols
– Policy-light
• E-Authentication US Identity Federation
– Using a variety of technical protocols
– Policy intensive
What Are Electronic Identity Federations?
• Associations of electronic identity credential providers and credential consumers (electronic service providers) who:
– Agree to trust each others’ credentials;
– Agree to hold credential providers authoritative for the validity of their credentials;
– Agree to use common communications protocols and procedures to enable interoperability;
– Agree to common business rules.
Purpose of Electronic Identity Federations
• To enable trusted electronic business transactions between end users and service providers where the service provider does not have to issue and manage identity credentials, including attributes.
• It’s all a matter of scaling...
• No, it’s also a matter of control
Characteristics of Identity Federations
• Credential providers
• Service providers
• Standards and protocols for technical interoperability among credential providers, service providers, end users and infrastructure utilities
• A governance mechanism to assert common business rules, ensure credentials can be used and trusted by all members of the federation and a central control point for entry and exit of members
Accomplishments to Date
• Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2
• Production-level interoperability built into Shibboleth 1.3 (in beta)
• Extensive groundwork done on identifying policy and procedure mapping/treaty requirements
• Credential Assessment of 3 Universities, fourth scheduled
Work in Progress
• Development of common SAML 2.0 schemes
• Development of common USPerson profile and profile management infrastructure
• Development of production-quality scheme translator
• Ongoing work to enable cross-federation trust and interoperability
• NSF FastLane to accept 3 universities’ Shibboleth-based identity and attribute credentials on or before December, 2005 (slippage)
Unresolved Issues
• Mapping null attributes
• Ensuring privacy of attribute information in a variety of instances
• Portal integration
• Scaling issues for listing credential providers
• Issues of transitivity across federations
• Multiple authoritative sources/conflicting authoritative sources
• Vocabulary and “data dictionary” issues
• Liability and indemnification issues
Federal PKI Architecture
• Agency and other government PKIs required to cross-certify with the Federal Bridge CA
• As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program
• The architecture issues TLS/SSL certificates to credential service providers that have been assessed under the CAF, to provide mutual authentication
• Federal Bridge CA serves as “point of insertion” for external PKIs and other bridges.
Simplified Diagram of Federal PKI
[Diagram: Federal Bridge CA; Common Policy CA (Common Policy OID and root cert); C4 CA; E-Gov CAs (3); Shared Service Provider PKIs; cross-certified gov PKIs; cross-certified external PKIs; eAuth CSPs.]
LOA Mapping: E-Auth to Fed PKI
E-Auth Level 1: FPKI Rudimentary, C4
E-Auth Level 2: FPKI Basic
E-Auth Level 3: FPKI Medium & Medium-cbp
E-Auth Level 4: FPKI Medium/HW & Medium/HW-cbp; FPKI High (government only)
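A relying-party check built from the mapping table above, added here as an example (it is not code from the presentation): it resolves an FPKI assurance level, or an external policy the Federal Bridge CA has mapped, to an E-Auth LOA, refuses to honour mappings more than one hop away (the transitivity issue on the Unresolved Issues slide), and enforces the government-only restriction on High. The lower-case level spellings and the policy names in BRIDGE_POLICY_MAP are assumptions.

```python
# Added example: a relying-party LOA check built on the mapping table above.
# FPKI level names and E-Auth levels follow the slide; the external policy
# names in BRIDGE_POLICY_MAP are constructed placeholders, not real OIDs.

# FPKI assurance level -> E-Authentication level of assurance (slide table).
FPKI_TO_EAUTH_LOA = {
    "rudimentary": 1, "c4": 1,
    "basic": 2,
    "medium": 3, "medium-cbp": 3,
    "medium-hw": 4, "medium-hw-cbp": 4,
    "high": 4,  # "government only" on the slide; enforced below
}
GOVERNMENT_ONLY = {"high"}

# Constructed stand-in for the policy mappings the Federal Bridge CA carries
# in its cross-certificates: an external PKI's policy -> the FPKI level the
# Bridge recognises it as. Hypothetical names.
BRIDGE_POLICY_MAP = {
    "external-pki-a:employee-hw": "medium-hw",
    "external-pki-a:employee-sw": "medium",
    "university-b:member": "basic",
}

def fpki_level(policy):
    """Resolve a certificate policy to an FPKI assurance level, or None.

    Native FPKI level names pass through. Any other policy is trusted only
    if the Bridge maps it in one hop; a mapping asserted by some other
    cross-certified PKI is not honoured (the transitivity issue above).
    """
    if policy in FPKI_TO_EAUTH_LOA:
        return policy
    return BRIDGE_POLICY_MAP.get(policy)

def effective_loa(policy, issuer_is_government):
    """E-Auth LOA a credential actually delivers (0 = not trusted)."""
    level = fpki_level(policy)
    if level is None:
        return 0
    if level in GOVERNMENT_ONLY and not issuer_is_government:
        return 0  # a non-government issuer cannot assert High
    return FPKI_TO_EAUTH_LOA[level]

def accept(policy, issuer_is_government, required_loa):
    """Authorization stays local: the application picks the LOA it needs and
    any credential at or above that level is accepted."""
    return effective_loa(policy, issuer_is_government) >= required_loa
```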