The NIH PKI Pilots

Page 1: The NIH PKI Pilots

The NIH PKI Pilots

Peter Alterman, Ph.D.

… again

Page 2: The NIH PKI Pilots

A Simplified Description of the NIH Extramural Research Business Process

  • NIH publishes RFAs and other announcements of research topics and training opportunities
  • Researchers submit applications for funding under a number of mechanisms
  • Applications are reviewed by independent study sections 3 – 4X/year
  • Approved applications are ranked
  • Grants are funded by score and mission relevance
  • Annual reports submitted
  • Noncompeting renewals make up bulk of ~40k grants issued annually (about $13B!)

Page 3: The NIH PKI Pilots

Currently, NIH Extramural Business Process is ALL PAPER

Page 4: The NIH PKI Pilots

Phase I: PKI-enable an Adobe I-form Version of a PHS-398, Application for Research Grant

  • Allergy Institute created an electronic version of the application form
  • NIH and Digital Signature Trust working to allow attachment of two TrustID digital signatures to the completed I-form
  • Institutions will acquire TrustID digsigs courtesy of NIH, download I-form, complete dummy application, sign (PI and AOR) and return to NIH as email attachment
  • NIH will transfer attachment to local hard disk, then validate signatures using E-lock Assured Office client
  • Some platform and process constraints understood in pilot
  • Outcomes:
      • Demonstration of successful creation, signing and validating of I-form 398
      • Identification of areas requiring further development

Page 5: The NIH PKI Pilots

What it Looks Like

[Diagram labels: NIH CA and Directory (annotated "Actually DST CA for Pilot"); University 1 end-users; University 2 end-users; University 3 end users; NIH test user; trust paths]

Page 6: The NIH PKI Pilots

Phase II: Replace NIH-supplied Digital Certificate with Institution’s Digital Certificate (in multiple flavors)

  • UAB, UW-M and UCOP
      • TrustID cert (no-brainer, already done in Phase I)
      • VeriSign cert
      • Netscape IPlanet cert
  • NIH cross-certifies with the Fed Bridge at the test level of assurance
  • Educause sets up the HE Bridge
  • Fed Bridge and HE Bridge cross-certify at the test level of assurance
  • Institutions cross-certify with the HE Bridge at the test level
  • NIH validates certs using modified E-Lock product
  • Validation path runs through Fed Bridge to HE Bridge to Institutions’ CRLs

Page 7: The NIH PKI Pilots

Remember This? Slightly Modified…

[Diagram labels: Fed Bridge CA and Directory; HE Bridge CA and Directory; NIH CA, Directory, End user (annotated "Actually DST CA for Pilot"); two boxes labelled CA, Directory, CRL, end users; validation paths]

Page 8: The NIH PKI Pilots

The Federal Bridge Certification Authority – Description and Current Status

Peter Alterman, Ph.D.

Senior Advisor to the Chair, Federal PKI Steering Committee

and

Acting Director, Federal Bridge Certification Authority

Page 9: The NIH PKI Pilots

The FBCA Architecture

[Diagram labels: two boxes labelled Bridge CA and Directory; three boxes labelled CA, Directory, End users; trust paths]

Page 10: The NIH PKI Pilots

FBCA Overview

  • Designed for the purpose of creating trust paths among PKI domains
  • Issues cross-certificates to Member CAs only
  • Employs a distributed, NOT a hierarchical, model
  • Commercial products participate within the membrane of the Bridge OR interoperate with products within the membrane
  • Develops cross certificates within the membrane to bridge the gap among dissimilar products

Page 11: The NIH PKI Pilots

FBCA Goals

  • Leverage emerging Federal Agency PKIs to create a unified Federal PKI
  • Limit workload on Agency CA staff
  • Support Agency use of:
      • Any FIPS-approved cryptographic algorithm
      • A broad range of commercial CA products
  • Propagate policy information to certificate users in different Agencies

Page 12: The NIH PKI Pilots

FBCA Operation

  • Issues Cross-Certificates to Participating CAs only
  • FPKI Steering Committee oversees FBCA development and operations
      • Documentation
      • Enhancements
      • Client-side software
  • Operates in accordance with Policy Authority and FPKISC direction

Page 13: The NIH PKI Pilots

FBCA Management Hierarchy

  • Steering Committee oversees FBCA development and operations
      • Direct Operational Authority
      • Bridge Documentation
      • Enhancements
  • Policy Authority determines participants and levels of cross-certification
      • Administers Certificate Policy
      • Approves requests to cross-certify
      • Enforces compliance by member organizations
  • GSA named Operational Authority
      • Operates in accordance with Policy Authority and Steering Committee direction

Page 14: The NIH PKI Pilots

Current Status - August 10, 2001

  • Policy Authority approved final documentation on June 18, 2001
      • Certificate Policy
      • Certification Practices Statement
      • Independent Compliance Analysis
  • FBCA “open and ready for business” at the GSA/FTS WillowWoods facility operated by Mitretek Systems on June 7, 2001
  • Prototyping/Compatibility lab continues operational off-site
  • Hot backup site nearing completion
  • C & A Audit under way by KPMG
  • Three federal agencies and one state government preparing documentation for application for interoperability with Bridge: NASA, NFC, FDIC, Illinois

Page 15: The NIH PKI Pilots

What Will It Take to Use the FBCA?

  • Policy mapping of certificate policies
  • Sharing annual audits
  • Careful management of cross-certificates to limit transitive trust (exclusion trees)
  • Directory interoperability and synchronization
  • Client software for certificate path discovery and processing
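
The path discovery and exclusion-tree requirements on this slide, sketched as an added example that is not part of the original presentation: a toy model of the Phase II validation path (NIH through the Fed Bridge and HE Bridge to an institution's CRL). The CA names come from the slides; the cross-certificate table, the excluded subtree, the serial numbers and the reading of "exclusion trees" as X.509-style excluded name subtrees are assumptions, and signature verification is left out.

```python
from collections import deque

# Constructed sample data. Each tuple is one cross-certificate:
# (issuer CA, subject CA, excluded name subtrees it imposes).
# CA names follow the Phase II slide; the excluded subtree is hypothetical.
CROSS_CERTS = [
    ("NIH CA", "Fed Bridge CA", []),
    ("Fed Bridge CA", "HE Bridge CA", []),
    ("HE Bridge CA", "UAB CA", []),
    ("HE Bridge CA", "UW-M CA", ["ou=students,o=uw-m"]),
]
# Constructed CRLs: revoked serial numbers published by each institution CA.
CRLS = {"UAB CA": {1002}, "UW-M CA": set()}

def in_subtree(subject_dn, subtree):
    """True if subject_dn sits at or below subtree (DNs most-specific first)."""
    s = [r.strip().lower() for r in subject_dn.split(",")]
    t = [r.strip().lower() for r in subtree.split(",")]
    return len(s) >= len(t) and s[-len(t):] == t

def discover_path(anchor, target_ca):
    """Breadth-first search over cross-certificates from the relying party's
    trust anchor; returns (CA path, excluded subtrees collected on the way)."""
    queue, seen = deque([([anchor], [])]), {anchor}
    while queue:
        path, excluded = queue.popleft()
        if path[-1] == target_ca:
            return path, excluded
        for issuer, subject, excl in CROSS_CERTS:
            if issuer == path[-1] and subject not in seen:
                seen.add(subject)
                queue.append((path + [subject], excluded + excl))
    return None, []

def validate(anchor, cert):
    """Path processing for one end-user certificate (signature checks omitted)."""
    path, excluded = discover_path(anchor, cert["issuer"])
    if path is None:
        return "no trust path"
    if any(in_subtree(cert["subject"], e) for e in excluded):
        return "excluded subtree"
    crl = CRLS.get(cert["issuer"])
    if crl is None:
        return "no CRL available"  # fail closed when revocation is unknown
    if cert["serial"] in crl:
        return "revoked"
    return " -> ".join(path)

if __name__ == "__main__":
    pi = {"issuer": "UAB CA", "subject": "cn=pi,ou=research,o=uab", "serial": 1001}
    print(validate("NIH CA", pi))
```

The excluded subtree on the UW-M cross-certificate shows how a bridge member can accept an institution's CA without accepting every name it issues, which is the transitive-trust limit the slide refers to.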

Page 16: The NIH PKI Pilots

Next Steps

  • Continue to bring federal agencies into interoperability
  • Bring additional products into Bridge membrane and/or verify interoperability with products in membrane: working with RSA, Cylink, Spyrus and talking with VeriSign and Microsoft
  • Pursue interoperability with State PKIs
  • Pursue interoperability with Nation of Canada
  • Pursue interoperability with non-government sector bridges

Page 17: The NIH PKI Pilots

References

  • Federal PKI Steering Committee Website: http://www.cio.gov/fpkisc
  • FBCA Page: http://www.cio.gov/fpkisc/fbca/index.htm
  • NIST PKI Website: http://csrc.nist.gov/pki