The E-Authentication Initiative: An Overview
Peter Alterman, Ph.D.
Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority
E-Gov Program Management Office

HSPD-12
Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05
Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06
Authorization remains a local prerogative

Purpose and Function of the E-Authentication Program
To provide a single source of identity authentication services for Federal Agency Applications
To develop and promulgate policies and procedures to sustain a common identity federation for the Federal Government in support of e-Gov and HSPD-12
To partner with Credential Service Providers and other Identity Federations to enable the broadest access to e-Gov services.

Summary of E-Authentication Approach
Four Levels of Assurance of Identity (LOA) from Policy
LOA 1 and 2 are assertion-based: Userid/password, SAML, Shibboleth, etc.
LOA 3 and 4 are cryptographically based: PKI, etc.
LOA required based on standard Risk Assessment
Agency Applications (AAs) autonomous for authorization decisions
AAs rely on credentials issued by external Credential Service Providers who submit to an assessment based on a Credential Assessment Framework
Principle of reusable credentials

E-Authentication Initiatives
Credential Assessment Framework for evaluating the level of assurance of identity (LOA) of credential service providers' credentials
Membership in Liberty Alliance
Frequent meetings with Microsoft
Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team (more slides later on)

Credential Assessment Framework
A structured methodology and procedures for evaluating the LOA of a CSP's credentials
An assessment team that goes out and evaluates CSPs
A process for conflict resolution
Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website

The Federal PKI & The E-Authentication Federated Approach
[Figure: Federal PKI. The FBCA Certification Authority is two-way cross-certified (FBCA High & FBCA Medium) with Agencies (Legacy Agency CA policy), States, Foreign Entities and Other Bridge CAs; ACES and a New Agency are optionally two-way cross-certified. Also shown: the Citizen & Commerce Class Common (C4) Certificate Policy with its C4 Policy Certification Authority (included in browser list of CAs) and private-sector participants Wells Fargo, AOL and PEPCO; the FPKI Common Policy Framework (FCPF) Certificate Policy with its FCPF Policy Certification Authority (trust anchor for Common FPKI Policy hierarchical PKI subscribers) and Qualified Shared Service Providers USDA/NCF, Verisign and DST; the E-Governance Certificate Policy with its E-Governance Certification Authority (mutual authentication of SAML/SSL certificates only) at Assurance Level 1 and Assurance Level 2. Validation mechanisms listed: XKMS, OCSP, CAM, SOAP, Others.]
[Figure: FPKI Validation Service. Community 1 (CA 1), Community 2 (CA 2) and Community 3 (CA 3, CA 4 with CA 4a and CA 4b) are connected through the Bridge; the AA is governed by the eAuth Trust List and the FBCA Certificate Policy.
Step #1: User goes to Portal to select the AA and ECP
Step #2: The user is passed directly to the AA
Step #3: The user authenticates to the AA directly using SSL or TLS.
Step #4: The AA uses the validation service to validate the certificate]
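The certification path that the AA's validation service has to build in Step #4, shown as an added OpenSSL example that is not part of the presentation: three toy CAs (constructed names ca1, bridge, ca2, and a subscriber alice) where the relying party's trust anchor reaches the user's issuer only through the Bridge's cross-certificates. It assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the presentation): a toy bridge-CA topology built with
# OpenSSL, showing the certification path the AA's validation service has to build
# in Step #4 when the user's CA and the AA's trust anchor meet only at the Bridge.
# All names (ca1, bridge, ca2, alice) and keys are constructed for this demo.
set -e
PKI=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$PKI/ca.ext"

# csr NAME: fresh RSA key plus a CSR for subject CN=NAME
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI/$1.key" \
          -subj "/CN=$1" -out "$PKI/$1.csr" 2>/dev/null; }

# root NAME: self-signed CA certificate, a community's own trust anchor
root() { csr "$1"; openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" \
           -days 30 -extfile "$PKI/ca.ext" -out "$PKI/$1.pem" 2>/dev/null; }

# cross ISSUER SUBJECT: ISSUER issues a cross-certificate for SUBJECT's existing CA key
cross() { openssl x509 -req -in "$PKI/$2.csr" -CA "$PKI/$1.pem" -CAkey "$PKI/$1.key" \
            -CAcreateserial -days 30 -extfile "$PKI/ca.ext" \
            -out "$PKI/$1-to-$2.pem" 2>/dev/null; }

build_pki() {
  root ca1; root bridge; root ca2   # three independent trust anchors
  cross ca1 bridge                  # Community 1 cross-certifies the Bridge
  cross bridge ca2                  # the Bridge cross-certifies Community 2
  csr alice                         # a subscriber of Community 2's CA
  openssl x509 -req -in "$PKI/alice.csr" -CA "$PKI/ca2.pem" -CAkey "$PKI/ca2.key" \
    -CAcreateserial -days 30 -out "$PKI/alice.pem" 2>/dev/null
}

# check_path ANCHOR [CROSS...]: validate alice's certificate from the relying
# party's trust anchor, using only the named cross-certificates to build the path;
# prints "valid" or "invalid"
check_path() {
  anchor="$PKI/$1.pem"; shift
  : > "$PKI/untrusted.pem"
  for c in "$@"; do cat "$PKI/$c.pem" >> "$PKI/untrusted.pem"; done
  if [ $# -gt 0 ]; then set -- -untrusted "$PKI/untrusted.pem"; fi
  if openssl verify -CAfile "$anchor" "$@" "$PKI/alice.pem" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

build_pki
echo "full path via Bridge:        $(check_path ca1 ca1-to-bridge bridge-to-ca2)"  # valid
echo "no cross-certificates:       $(check_path ca1)"                              # invalid
echo "Bridge never certified CA 2: $(check_path ca1 ca1-to-bridge)"                # invalid
```

The last two lines show why the Bridge is the hub of the federated approach: remove either cross-certificate and the AA's anchor can no longer reach the user's certificate, even though every CA involved is still valid on its own.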

Interfederation Interoperability
Assertion-level trust transactions require federation-to-federation policy and technology interoperability initiatives
Under way with inCommon (Internet2)
Crypto-level trust transactions mediated by Federal Bridge
Under way with Higher Education Bridge, Pharmaceutical Industry Bridge, Aerospace Bridge

What Happens When Two Federations Want to Interoperate?
Enable technical interoperability between members of different federations
Develop mutually agreed-upon mappings for trusting identity credentials and elements of credentials
Develop mutually agreed-upon mappings for business rules
Develop peer-based conflict resolution mechanisms

Report: Status of Interfederation Interoperability Work Group
inCommon: Higher Education Identity Federation, using Shibboleth middleware technical protocols, policy-light
E-Authentication: US Identity Federation, using a variety of technical protocols, policy intensive

Accomplishments to Date
Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2
Production-level interoperability built into Shibboleth 1.3 (in beta)
Extensive groundwork done on identifying policy and procedure mapping/treaty requirements
Credential Assessment of 4 Universities

Work in Progress
Development of common SAML 2.0 schemes
Development of common USPerson profile and profile management infrastructure
Development of production-quality scheme translator
Ongoing work to enable cross-federation trust and interoperability
NSF FastLane to accept 4 universities' Shibboleth-based identity and attribute credentials

Unresolved Issues
Mapping null attributes
Ensuring privacy of attribute information in a variety of instances
Portal integration
Scaling issues for listing credential providers
Issues of transitivity across federations
Multiple authoritative sources/conflicting authoritative sources
Vocabulary and "data dictionary" issues
Liability and indemnification issues

More Information
http://csrc.nist.gov
http://www.cio.gov/fbca
http://www.cio.gov/eauthentication
http://www.cio.gov/fpkipa