NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise. Dartmouth PKI Implementation Workshop. Peter Alterman, Ph.D., Assistant CIO for E-Authentication, National Institutes of Health


Page 1: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise

Dartmouth PKI Implementation Workshop

Peter Alterman, Ph.D.

Assistant CIO for E-Authentication

National Institutes of Health

Page 2: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Topics

Introduction and Background

Certificate Path Discovery and Validation

Automated Receipt Server

Automated Archive Log

Questions

Page 3: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Project Motivators

Government Paperwork Elimination Act (GPEA)

Move paperwork-based transactions to electronic applications through the Internet

Quicksilver Projects

List of applications for e-Government services, including e-Authentication and e-forms

E-Authentication focuses on authenticating electronic identity credentials to authenticate citizens or business access

Page 4: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

NIH-EDUCAUSE PKI Interoperability Project

Funded by the Federal PKI Steering Committee to develop models and technology to allow locally-issued digital certificates to be used to sign digital versions of government forms

Page 5: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Benefits to Higher Education

Universities and colleges are adopting digital signature technology for many reasons. It is vital that electronic credentials be reusable.

The project enables secure electronic forms-based transactions among diverse, unaffiliated business partners (including, but not limited to, the Federal Government)

Project is universally applicable for all forms-based business transactions requiring one or more signatures

Page 6: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Accomplishments

Certificate path discovery and validation infrastructure

Operational PKI bridge pathway between prototype of the FBCA and prototype of the HEBCA, which is funded and operated by EDUCAUSE

Resolution of multiple certificate configuration and directory interoperability issues

Ability for faculty and staff at academic institutions to download, complete, digitally sign (two digital signatures), and send XML forms to the US Government

Automated receipt to submitter

NARA requirements for audit logs

Page 7: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Concept of Operations

[Figure: Concept of Operations diagram. Labels: Applicant or Co-Signer; Applicant or Business; University; Internal workflow; CA - Research Institution; IBM; HEBCA; FBCA; Internet; Federal Government; Agency Server; CAM Server; ACL Database; Receipt Server; Audit Log (NARA); Agency Backend; Digitally Signed App.]

Page 8: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

FBCA

X.500 Based Directory

Directories Interconnect via Chaining (X.500 DSP)

FBCA PA and CP oversight

[Figure: FBCA infrastructure diagram. Labels: FBCA Infrastructure CA; FBCA Directory; Root Cert; Cross Cert Pair; CA; CRLs; Border Dir; DST ACES PKI; HEBCA PKI; Other Cross Certified PKIs; X.500 DSP Protocol (Chaining Agreements) between FBCA and Cross Certified PKI provider.]

Page 9: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

HEBCA

LDAP Based Directory

Utilizing the Registry of Directories

Utilizing LDAP Referrals

HEBCA PA and CP oversight

[Figure: HEBCA infrastructure diagram. Labels: HEBCA Infrastructure CA; HEBCA Directory; Root Cert; Cross Cert Pair; CA; CRLs; Border Dir; University 1 PKI; University 2 PKI; FBCA PKI; Other Cross Certified PKIs; RoD; FBCA Referral; University 1 Referral; University 2 Referral.]

Page 10: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Path Discovery and Validation

1. Certificate submitted to CAM

2. Based on Trust Anchor, CAM accesses the FBCA

3. At FBCA find a Cross Certificate to HEBCA

4. Cross Certificate points to the HEBCA

5. At HEBCA find a Cross Certificate to University 2 PKI

6. Return LDAP referral to the CAM

7. CAM directly follows the referral to University 2 information

[Figure: Path discovery and validation diagram, annotated with step numbers 1-7. Labels: NIH Application; NIH Submission App; University 2 Signed SF424; NIH CAM with CRL cache, Path cache (Path 1, Path 3), Validation cache (Trans 1, Trans 2, Trans 3) and Trusted CAs; FBCA and HEBCA directories holding CARL, CRL and crosscert pairs (NIH, HEBCA, FBCA, University 1, University 2, University 3, others); University 1, University 2 and University 3 directories with CARL, CRL and crosscert pair; RoD with FBCA Referral, University 1 Referral, University 2 Referral, University 3 Referral.]

Page 11: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Path Discovery / Path Validation Lessons

Publish all CA certificates within the directory using subjectDN found in the certificate

Consistently populate Certificate Extensions wherever possible

Minimize mixing of LDAP, HTTP, and X.500 methods

Get the SKID and AKID correctly populated

During cross certification, verify that policyMapping and nameConstraints are correctly defined

Path Discovery/Path Validation as well as Tools are still evolving. (Ongoing work)
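The seven-step discovery on the previous slide and the SKID/AKID lesson above, as an added example that is not part of the original slides or the project's CAM code. It is a simplified model: the directory contents, key identifier strings, serial numbers, the "NIH CA" trust anchor name and the `discover_path` function are constructed assumptions, and it does no signature, policyMapping or nameConstraints checking.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: Optional[str]  # subjectKeyIdentifier
    akid: Optional[str]  # authorityKeyIdentifier
    serial: int

# Constructed directory: CA name -> cross-certificates that CA has issued.
DIRECTORY = {
    "NIH CA": [Cert("FBCA", "NIH CA", "k-fbca", "k-nih", 1)],
    "FBCA": [Cert("HEBCA", "FBCA", "k-hebca", "k-fbca", 2),
             Cert("NIH CA", "FBCA", "k-nih", "k-fbca", 3)],
    "HEBCA": [Cert("University 1", "HEBCA", "k-u1", "k-hebca", 4),
              Cert("University 2", "HEBCA", "k-u2", "k-hebca", 5),
              Cert("FBCA", "HEBCA", "k-fbca", "k-hebca", 6)],
}
# Constructed CARL entries as (issuer, serial): University 1's cross-cert is revoked.
REVOKED = {("HEBCA", 4)}

def discover_path(anchor, anchor_skid, end_entity):
    """Breadth-first search from the trust anchor through cross-certificates
    to the CA that issued end_entity. Returns the certificate chain or None."""
    queue = deque([(anchor, anchor_skid, [])])
    seen = {anchor}
    while queue:
        ca, skid, path = queue.popleft()
        # Strict key-identifier chaining (this example's choice): the
        # end-entity AKID must equal the SKID of the CA reached.
        if ca == end_entity.issuer and end_entity.akid == skid and skid is not None:
            return path + [end_entity]
        for cross in DIRECTORY.get(ca, []):
            if cross.subject in seen:
                continue  # avoid looping over the two halves of a cross-cert pair
            if cross.akid != skid or cross.skid is None:
                continue  # unpopulated or mismatched identifiers break the chain
            if (cross.issuer, cross.serial) in REVOKED:
                continue  # revoked cross-certificate
            seen.add(cross.subject)
            queue.append((cross.subject, cross.skid, path + [cross]))
    return None

if __name__ == "__main__":
    signer = Cert("Applicant", "University 2", "k-app", "k-u2", 100)
    chain = discover_path("NIH CA", "k-nih", signer)
    print(" -> ".join(c.subject for c in chain))
```

A signer certificate with no AKID, or one issued under the revoked University 1 cross-certificate, returns `None` from this builder.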

Page 12: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Automated Receipt Server

[Figure: Automated Receipt Server diagram. Labels: Applicant; Co-signer; Application Flow; Public, DMZ and Secure zones; SSL/Web Server; CAM; OCSP; Directory; Remote CA; ACL Database; Archive Database; Email Server.]

Page 13: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Automated Archive Log

Trustworthiness of electronically signed XML forms and associated transactions was ensured by:

Storing the original digitally signed electronic form received in the NARA archive XML document

Digital signature on NARA archive XML document included authenticated timestamp as part of the signature

NARA Archive XML document included digital certificate for verification purposes for each signatory on the original digitally signed XML form

NARA Archive XML document provided for signature verification at any time for each signatory on the original digitally signed electronic form

NARA Archive XML document included a certificate validation result (from CAM) for each signatory on the original digitally signed electronic form, the receipt signer’s own certificate validation result and an authenticated attribute of its signature

Long-term integral storage of all of the above items will be achieved by optical media back-up of the archive database.

Page 14: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Schools Completing Successful Interoperability Testing

Dartmouth College

University of Alabama-Birmingham

University of Wisconsin-Madison

University of California

Page 15: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Participating Organizations

Page 16: Peter Alterman, Ph.D. Assistant CIO for E-Authentication National Institutes of Health

Questions?