I-CIDM Bridge to Bridge Working Group (BBWG) Purpose and Activities Fed-Ed Meeting The Fairmont Hotel Washington, DC December 14, 2004 Debb Blanchard Enspier Technologies, Inc.


I-CIDM Bridge to Bridge Working Group (BBWG)

Purpose and Activities

Fed-Ed Meeting

The Fairmont Hotel

Washington, DC

December 14, 2004

Debb Blanchard

Enspier Technologies, Inc.

Agenda

Origins of the BBWG

Purpose of the BBWG

Bridge Certification Authority Participants

Organization Participants

Identification of Working Groups

Areas of Investigation

Decisions to Date

Work Accomplishments to Date

Future Plans

Origins of the BBWG

The group was founded to identify issues that pertain to and impact the Federal Bridge Certification Authority (FBCA)

As issues were uncovered, it was noticed that the issues for the FBCA were not necessarily unique to the FBCA

Group evolved to include representatives from four Bridge Certification Authority (BCA) environments and expanded to include international representation

Purpose of the BBWG

To address the implications of Bridge-to-Bridge cross-certification in the collaborative cross-organizational space

International focus

PKI-centric

BBWG will not delve into corporate business models and practices that may be considered proprietary.

Bridge Certification Authority (BCA) Participants

Federal Bridge Certification Authority (FBCA - US Government agencies, state governments, foreign governments)

Higher Education Certification Authority (HEBCA – US higher education community with plans to include research institutions and higher education facilities from the EU)

Secure Access for Everyone (SAFE – Pharmaceutical community led by Johnson&Johnson)

Certipath (Exostar, Arinc, SITA with additional representation from Boeing, Lockheed Martin, Northrop Grumman, EADS/Airbus, tScheme, TSCP, EDS/Rolls-Royce)

Organization Participants

Arinc/Certipath

Betrusted

Boeing Corporation

Dartmouth College

Duke University

Department of Defense

EADS/Rolls-Royce

EDUCAUSE

Enspier Technologies

Evincible/Certipath

Exostar/Certipath

General Services Administration

IBM

Johnson&Johnson

Lockheed Martin

National Institutes of Health

National Institutes for Standards and Technology

Northrop Grumman

Orion Security

tScheme

UKCEB TF/TSCP

Identification of Working Groups

Each issue will be addressed by members of the following BCA communities:

Higher Education Bridge community

SAFE (Pharmaceutical) bridge community

FBCA and bridge government community (includes NIST and DOD)

Commercial Aerospace (Certipath, Boeing, Lockheed Martin, Northrop Grumman)

Areas of Investigation (per the Charter)

Institutionalization of standards and what would be the suitable body/ies to own and maintain them

Role of governments in governance and management of the intra-bridge environment

Stimulate the development of commercial products that are “bridge aware”

Need for a governance structure between cross-certified BCAs and, if so, what should it be

Legal implications and shaping a legal framework that satisfies trust requirements and meets business needs, including liability

Areas of Investigation (per the group)

Policy Mapping to determine levels of assurance (LOA)

Must have a common lexicon, terminology and documents mapping for the Charter and all the documents

Compliance with open standards

Audit standards for BCA operations and certifications needed for the Auditors

Liability and legal issues

BCA Operations

Policy Mapping

Issue: Develop a mutually agreed-upon methodology for cross-certifying BCAs to allow them to interoperate

Identify the framework of documents and requirements (similar to the CP/CPS RFC) that are needed by a Bridge entity to qualify for cross certification. For example the Bridge has to specify the Cross certification criterion and methodology document.

What is this document supposed to contain (rationale-- not example)? 

What other documents does the Bridge Operator have to develop in addition to the standard CP/CPS? Is there a standard set?

What about the charter and structure of the Bridge Operators – Policy Authority, Operational Authority – and organization of these organizations?

Status: For the initial submission, this will be only identification of the issues. Subsequent submissions will identify the guidelines for BCA cross-certification and their implementation.

Common Lexicon and Terminology

Issue: Need for a common criteria and a lexicon (Common language of business) for grammar, syntax, etc.

Includes the definition and contents of documents as well.

Includes liability

Needs to map international terms, grammar, syntax, etc. as well

Status: Begin with the definitions used by the Electronic Authentication Partnership (EAP). These need to be expanded to include the international community as well as specialty definitions for the communities of interest.

A first draft has been provided to a sub-group of the BBWG, which includes US standards; however, international definitions need to be incorporated.

Compliance with Open Standards

Issue: Standards for BCA must rely upon open standards and not proprietary standards

Must include international standards

Since PKI-centric in nature, standards should apply to PKI standards. However, other standards may be included (or created).

Status: Verify that the bridges are working with open standards. The framework should show how these standards fit together via a mapping between US standards and international standards as well as to perform a gap analysis on these standards. This activity is linked to the Technical Working Group.

A first draft has been provided to a sub-group of the BBWG, which includes US standards; however, international standards need to be incorporated.

Audit Standards

Issue: How do we know that a BCA is operating at a level that can be trusted?

What are the audit standards for Bridge-to-Bridge?

What is examined and to what degree of rigor?

What documents are needed to support the auditors and what does the auditor give to the BCA operations, e.g., certificate of approval?

Status: Begin with the documents provided by tScheme. Include auditors from KPMG, Deloitte and Touche, Price Waterhouse Cooper, et al. to define these standards.

Audit requirements from representative CPs as well as a representative matrix of CPS auditable items were sent to a sub-group to determine if these audit requirements for Bridge-to-Bridge interoperability and cross-certification were sufficient.

Liability and Legal Issues

Issue: What are the liability and legal implications for:

Operating a BCA?

The contractual mechanism between BCAs?

Indemnification?

Limits on liability?

Others?

Status: The American Bar Association has been invited to provide guidance as well as documentation and white papers that they have already created. Once these documents are obtained, these need to be reviewed and comments provided from the BCAs. Additionally, international comments need to be obtained and considered.

The white paper is nearly complete and should be provided to the sub-group shortly.

BCA Operations

Issue: Some of the BCA CPs have internal requirements that must be met in order to cross-certify with other BCAs, e.g., in order for the FBCA to cross-certify with other BCAs, the FBCA requires those BCAs to be operated by citizens of the country in which that BCA is operated.

Status: Drafts have been started to address requirements for BCA operators, including definitions of:

Trustworthiness

Loyalty

Integrity

Decisions to Date

Dependencies and assumptions of other groups to be addressed, e.g., requirements for identity proofing/vetting will not be addressed by this group.

BBWG will only address policy as it pertains to PKI and Bridge-to-Bridge policy issues; other decisions made are:

Business Drivers – for the BBWG the I-CIDM is the business driver for this group

Identity Proofing and Vetting – These issues need to be addressed, but not by this group. We recommend that the I-CIDM create another working group to address these issues.

CIDM Policy Development and Management – These decisions are outside of the scope of this group.

Implementation Challenges – these are to be addressed by the Technical Working Group. First meeting for this group was on August 5, 2004.

Roadmap - We will work in tandem with the Technical Working Group to identify the policy and technical requirements for vendor products to ensure interoperability

Path Discovery – this will be addressed by the Technical Working Group

Vendor Involvement – This will be primarily addressed by the Technical Working Group; however, BBWG will assist as needed

Future

Monitoring and providing comments for a new FIPS as it pertains to requirements for physical and logical access to US Government facilities, systems, and applications. (In response to HSPD-12)

Working with BBWG member organizations to provide a web-hosting facility for meeting notices, document library, work-in-progress, presentations, etc.

Draft documentation for all BBWG issues is due at the end of January 2005

Questions?

Judith Spencer, Chair of the Federal Credentialing Committee (FICC) and FBCA

Office: 202-208-6576

Debb Blanchard, Chair of the BBWG

Office: 410-871-0836