Interagency Advisory Board Meeting Agenda, July 28, 2010

Transcription

1 Interagency Advisory Board Meeting Agenda, July 28, Opening Remarks 2 Research Collaboration in the Cloud: How NCI and Research Partners Are Improving Business Processes using Digital Identities (Sherry Ansher, NIH/NCI and Cindy Cullen CTO Safe Bio-Pharma) 3. Minimum Standards for Proof and Verification of Personal Identity (Graham Whitehead, NAPSO) 4. Planned Changes to the Federal PKI (Judy Spencer, FICAM Co-Chair) 5. The Status and Future Plans for the GSA Shared Service (Steve Duncan, MSO Director) 6. The ICAM Return on Investment (ROI) WG (Tim Gaines, ICAM Chair) 7. Proposed Federal Profile for SAML 2.0 for LOA 1 through 4(Tim Baldridge, FICAM AWG) 8. TSCP Implementation Pilots to demonstrate NTSIC Goals & Objectives (Keith Ward) 9. Closing Remarks

2 Federal PKI Authority SHA-256 Infrastructure Enhancement 28 July 2010 Judy Spencer Federal ICAM Subcommittee Co-Chair

3 Agenda New FPKI Root and Intermediate Certificates What are root and Intermediate certificates What is changing When is it coming What do you have to do Use of SHA-256 What is SHA-256 How is SHA-256 used How does it impact you What do you have to do Discussion 54

4 What are Root and Intermediate Certificates? A root certificate is a self-signed certificate issued by a Certification Authority (CA) Root CA A Relying Party (RP) Trusts a certificate if a valid path, which may include Intermediate Certificates, is known to a Root CA in the RP Trust Store. Federal Common Policy Framework (Common Policy) CA Root certificate used as a Public Federal PKI Trust Anchor Included in COTS products, as are other Commercial PKI Trust Anchors Intermediate certificates issued only to Federal Entity CAs Federal Bridge CA Cross-Certified with Common Policy CA Cross-Certified non-federal Entity CAs and legacy Federal CAs Not used as a Trust Anchor; used to provide policy mapping 55

5 New FPKI Certificates What is Changing? New CAs for Common Policy and the Federal Bridge New CA Directory Names (Issuer Names) Common: cn=federal Common Policy CA, ou=fpki, o=u.s. Government, c=us Bridge: cn=federal Bridge CA, ou=fpki, o=u.s. Government, c=us SHA-256 Signature Algorithm New Root and Intermediate/Cross CA certificates issued New URIs to access FPKI CA certificates and CRLs Provides real-time load balancing fpkia.gsa.gov (current) http.fpki.gov, ldap.fpki.gov, dsp.fpki.gov (new) 56

6 New FPKI Roots What is Changing? (Con t) Common root certificate in more COTS product trust stores FPKI MA applying to get it into lists ASAP e.g., Microsoft, Adobe, Java, Apple, Mozilla, Oracle TBD: Legacy Federal CAs moved from Bridge to Common FPKIPA reaching out to Legacy Federal CAs Decision by end of July

7 New FPKI Roots When is it coming? Sept 30, 2010: New Common and Bridge CAs online Q1 FY11: Reissue certificates The FPKI MA will issue new cross certificates from the new Common Policy CA to FBCA and all SSP CAs The FPKI MA will issue new Federal Bridge cross-certificates to all Affiliate CAs currently cross certified with the FBCA During September December Transition Period: There will be dual Common and Bridge roots (old and new) to allow time for relying party (client workstation) transition 58

8 New FPKI Roots What do you have to do? Review FDCC Guidance on managing PKI Trust Anchors Affiliate CAs Cross Certify with new Federal Bridge CA Push new Common Policy root and applicable Intermediate certificates to update end user trust stores Notify FPKI MA that push to users is complete FPKI MA will revoke legacy intermediate/cross-certificates 59

9 Agenda New FPKI Roots What is a root What is changing When is it coming? What do you have to do? Use of SHA-256 What is SHA-256 How is SHA-256 used? How does it impact you? What do you have to do? Discussion 60

10 Use of SHA-256 What is SHA-256? SHA-1 is a depreciated hash algorithm currently in use for certificate digital signatures SHA-256 is a stronger hash algorithm for digital signature Stronger than SHA-1 algorithm currently used in the FPKI NIST-Approved algorithm for certificate signature use NIST SP DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes 61

11 Use of SHA-256 How is SHA-256 used? SHA-256 is used for digital signing A block of data is input into the SHA-256 Hash Algorithm to obtain a fixedsized bit stream that serves as the message authentication in the digital signature for content integrity. 62

12 Use of SHA-256 How it impacts you You will need to process SHA-256 based signatures New FPKI CA certificates will be signed using SHA-256 New FPKI CA CRLs will be signed using SHA-256 Secure correspondence will be signed using SHA-256 e.g., secure s between FPKI MA and Affiliates New PIV Authentication Certificates will be signed using SHA-256 New PIV Card Auth Certificates will be signed using SHA-256 New Digital Signature Certificates will be signed using SHA-256 New Encryption Certificates will be signed using SHA-256 New Device Certificates will be signed using SHA-256 New SSL/TLS Web Certificates will be signed using SHA

13 Use of SHA-256 What do you have to do The FPKI Policy Authority recommends the following: Review NIST SPs Part 1, , Inventory existing public key enabled applications within your Agency or Organization that use FPKI PIV certificates for authentication, digital signature, and or/ encryption Evaluate your application compatibility to process SHA-256 Verify COTS Vendor/Manufacturer support of SHA-256 Verify COTS product minimum required versions for SHA-256 support Obtain SHA-256 signed test certificates Create a Test Plan and evaluate applications that may be at risk for SHA-256 support. Voluntarily report testing results to idmanagement.gov 64

14 Agenda New FPKI Roots What is a root What is changing When is it coming? What do you have to do? Use of SHA-256 What is SHA-256 How is SHA-256 used? How does it impact you? What do you have to do? Discussion 65