Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission

Transcription

1 Government PKI Factors Influencing Architecture for the Equal Employment Opportunity Commission December 14, 2000 Steve Bruck Khurram Chaudry Francis Yuan 1

2 EEOC Business Cases for PKI Citizens complaints Over 100,000 complaints are filed each year Require signature Confidential Corporate EEO-1 Filings EEOC processes over 140,000 forms each year Require signature Sensitive content Internal/Government-wide correspondence Legal opinions Confidential 2

3 Government Mandates for PKI Government Paperwork Elimination Act (GPEA) Facilitate electronic government if greater than 50,000 forms per year. Electronic Signatures in Global and National Commerce (E-Sign) Electronic signatures cannot be denied validity Technology neutral, but Agencies can set performance standards Signed Oct 2000, requires near immediate compliance! 3

4 Factors influencing approach 2,500 staff 10% of budget devoted to IT/rent Significant customer service responsibilities Geographically dispersed locations Time sensitive processes Migration away from paper-based processes 4

5 EEOC Assurance Requirements Application Annual Corporate EEO-1 Form Filings Requirements Medium Assurance Leverages commercial PKI Citizen Complaints Internal/ Intergovernmental Legal Correspondence Medium Assurance Free to Unaffiliated Individuals High Assurance 5

6 Managing Risk EEOC must manage CA for internal use Leverage out-sourced model for public correspondence Accept external certificates if risks are acceptable External CA policies must be consistent with EEOC assurance requirements Mixed PKI model for different needs 6

7 Potential PKI Solutions Access Certificates for Electronic Services (ACES) assisting the agencies' response to the Government Paperwork Elimination Act Certificates are free, validation is not free CAM Arbitration module provides transaction validation for a fee. Commercial CA Services (Verisign, GTE Cybertrust) Leveraging existing certificate installed base In-Sourced PKI EEOC Owned and Managed Cross Certified with FPKI Bridge CA 7

8 EEO-1 Form Signing Commercial CA Services User Signs the form with his private key and then encrypt using receiver s public key EEOC Validates the signature and stores the form in a database Corporate User All communication protected with SSL! EEOC 8

9 ACES Citizen Complaint System EEOC DB EEOC Online form SSL Cert Validate 3 CAM ACES DST ORC AT&T VeriSign Citizen Complaint 2 Certificate 1 SSL 9

10 Governmental Correspondence Agency CA Agency CA Cross Certified CAs FPKI Bridge CA EEOC EEOC CA Agency-N CA Messaging 10

11 Proposed Trust Architecture Bridge CA EEOC CA Federal PKI Bridge CA HIGH EEOC Industry CAs LOW Entrust Cybertrust Verisign Root Messaging EEO-1 Complaints PKI-enabled Applications GSA ACES MEDIUM CAM 11

12 Standards / Protocols / Algorithms Web security SSL - Secure Sockets Layer Authentication SSL Handshake protocol using: DSA For Government Agencies RSA For Commercial Companies Symmetric Encryption 3DES, DES, RC4 Certificates Format X.509 V3 (No use of extensions) Status Checking Certificate Revocation List Online Certificate Status Protocol OCSP (ACES) 12

13 Conclusions One size PKI may not fit all needs. Business needs and budget drive Architecture Leverage commercial PKI Services when policy permits Customized PKI system trusts multiple CAs: Technology is evolving Modify architecture to incorporate new standards, improved Infratsructure functionality 13

14 Questions? 14

15 ACES PKI for Government Related Transactions Free Certificates for Citizens/Corporations Participating Agencies are billed for validation GSA partners AT&T DST ORC 15

16 CAM Architecture Scope of CAM Agency Application AA Shim Security Envelope Subscriber Cert Billing Method Crypto Library (RSA, DSA, ECDSA) CA 1 Shim Authenticated Transaction ACES CAs Subscriber Agency Application AA Shim AA I/F CAM CA I/F... CA n Shim Validation Request Billing Method CA n Subscriber Certs Subscriber CA Certificate List Invalid Certificate List Audit Log Signature Device with Private Key 16