Page 1: Federal Initiatives in IdM

Federal Initiatives in IdM

Dr. Peter Alterman

Chair, Federal PKI Policy Authority

Page 2

Wilmington, NC November 2005 2

HSPD-12

• Mandates all Federal Agencies issue ID credentials using FIPS-201 identity proofing procedures beginning 10/05

• Mandates all Federal Agencies begin issuing SmartCards with medium assurance digital certs by 10/06

• Authorization remains a local prerogative

Page 3

E-Authentication

• Initiatives

– Assessment Framework for Credentials: evaluating the level of assurance (LOA) of identity of credential service providers

– Membership in Liberty Alliance

– Frequent meetings with Microsoft

– Interfederation Interoperability Project with Cybertrust and Internet2/Shibboleth team

Page 4

E-Authentication: CAF

• Credential Assessment Framework consists of the following:

– A structured methodology and procedures for evaluating the LOA of a CSP’s credentials

– An assessment team that goes out and evaluates CSPs

– A process for conflict resolution

– Posting CSPs and their credential LOAs to a trust list (unfortunate term) on the website

Page 5

E-Authentication: Interfed Interop

• inCommon Higher Education Identity Federation

– Using Shibboleth middleware technical protocols

– Policy-light

• E-Authentication US Identity Federation

– Using a variety of technical protocols

– Policy intensive

Page 6

What Are Electronic Identity Federations?

• Associations of electronic identity credential providers and credential consumers (electronic service providers) who:

– Agree to trust each other’s credentials;

– Agree to hold credential providers authoritative for the validity of their credentials;

– Agree to use common communications protocols and procedures to enable interoperability;

– Agree to common business rules

Page 7

Purpose of Electronic Identity Federations

• To enable trusted electronic business transactions between end users and service providers where the service provider does not have to issue and manage identity credentials, including attributes.

• It’s all a matter of scaling...

• No, it’s also a matter of control

Page 8

Characteristics of Identity Federations

• Credential providers

• Service providers

• Standards and protocols for technical interoperability among credential providers, service providers, end users and infrastructure utilities

• A governance mechanism to assert common business rules, ensure credentials can be used and trusted by all members of the federation and a central control point for entry and exit of members

Page 9

Accomplishments to Date

• Demonstration of proof of concept for technical interoperability of identity credentials and utilities: E-Authentication SAML 1.0 and Shibboleth 1.2

• Production-level interoperability built into Shibboleth 1.3 (in beta)

• Extensive groundwork done on identifying policy and procedure mapping/treaty requirements

• Credential Assessment of 3 Universities, fourth scheduled

Page 10

Work in Progress

• Development of common SAML 2.0 schemes

• Development of common USPerson profile and profile management infrastructure

• Development of production-quality scheme translator

• Ongoing work to enable cross-federation trust and interoperability

• NSF FastLane to accept 3 universities’ Shibboleth-based identity and attribute credentials on or before December, 2005 (slippage)

Page 11

Unresolved Issues

• Mapping null attributes

• Ensuring privacy of attribute information in a variety of instances

• Portal integration

• Scaling issues for listing credential providers

• Issues of transitivity across federations

• Multiple authoritative sources/conflicting authoritative sources

• Vocabulary and “data dictionary” issues

• Liability and indemnification issues

Page 12

Federal PKI Architecture

• Agency and other government PKIs required to cross-certify with the Federal Bridge CA

• As of 12/05 no new agency PKIs; agencies procure PKI services from vendors participating in the Shared Service Provider (SSP) program

• Architecture issues TLS/SSL certs to credential service providers that have been assessed under the CAF, to provide mutual authentication

• Federal Bridge CA serves as “point of insertion” for external PKIs and other bridges.

Page 13

Simplified Diagram of Federal PKI

[Diagram; elements shown: Federal Bridge CA; C4 CA; E-Gov CAs (3); Common Policy CA (Common Policy OID and root cert); cross-certified gov PKIs; cross-certified external PKIs; eAuth CSPs; Shared Service Provider PKIs]

Page 14

LOA Mapping: E-Auth to Fed PKI

E-Auth Level 1 -> FPKI Rudimentary, C4

E-Auth Level 2 -> FPKI Basic

E-Auth Level 3 -> FPKI Medium & Medium-cbp

E-Auth Level 4 -> FPKI Medium/HW & Medium/HW-cbp; FPKI High (government only)
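The bridge architecture described on the Federal PKI Architecture slide and the LOA table above can be tried out in a small model. The Python below is an example added for this page, not code from the presentation or from the Federal PKI itself: the CA names, the "a:", "b:", "x:" and "fpki:" policy names and every policy mapping are constructed stand-ins for real certificate-policy OIDs and cross-certificates; only the level table comes from the slide. It shows why the Bridge is the "point of insertion": a relying party that trusts only its own agency root still reaches an Agency B credential through two cross-certificates, and policy mapping decides at which of its own policies that credential is acceptable and what E-Auth level it carries.

```python
"""Toy model of certificate path discovery and policy mapping through a
bridge CA. Added example for this page; all names, policies and mappings
below are constructed and simplified, not real FPKI OIDs or certificates."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: str
    issuer: str
    policies: set[str]                       # policies asserted, in the issuer's vocabulary
    mappings: dict[str, set[str]] = field(default_factory=dict)  # policyMappings: issuer-domain -> subject-domain


def find_path(anchor: str, target: Cert, certs: list[Cert]):
    """Breadth-first search from the relying party's trust anchor along
    issuer -> subject links (cross-certificates included). Returns the chain
    from the first certificate issued by the anchor down to target, or None
    when no chain exists, e.g. a PKI that never cross-certified with the bridge."""
    queue = deque([(anchor, [])])
    seen = {anchor}
    while queue:
        name, path = queue.popleft()
        for cert in certs:
            if cert.issuer != name or cert.subject in seen:
                continue
            chain = path + [cert]
            if cert is target:
                return chain
            seen.add(cert.subject)           # bilateral cross-certs would otherwise loop
            queue.append((cert.subject, chain))
    return None


def accepted_policies(initial: set[str], path: list[Cert]) -> set[str]:
    """Simplified RFC 5280 policy processing: carry (anchor-domain policy,
    current-domain policy) pairs down the chain, applying each certificate's
    policyMappings. A pair survives a certificate only if its current-domain
    name is asserted there. Returns the anchor-domain policies under which the
    end certificate is acceptable."""
    state = {(p, p) for p in initial}
    for cert in path:
        state = {(orig, mapped)
                 for orig, cur in state if cur in cert.policies
                 for mapped in cert.mappings.get(cur, {cur})}
    return {orig for orig, _ in state}


# LOA mapping from the slide: FPKI certificate policy -> E-Authentication level.
EAUTH_LEVEL = {
    "fpki:rudimentary": 1, "fpki:c4": 1,
    "fpki:basic": 2,
    "fpki:medium": 3, "fpki:medium-cbp": 3,
    "fpki:medium-hw": 4, "fpki:medium-hw-cbp": 4, "fpki:high": 4,
}


def eauth_level(certs: list[Cert], leaf: Cert):
    """Highest E-Auth level the leaf supports with the bridge as trust anchor:
    find a path from the FBCA and map the surviving FPKI policies through the
    slide's table. None when the leaf's PKI is not reachable from the bridge."""
    path = find_path("FBCA", leaf, certs)
    if path is None:
        return None
    fpki_policies = accepted_policies(set(EAUTH_LEVEL), path)
    return max((EAUTH_LEVEL[p] for p in fpki_policies), default=None)


def _bilateral(a: str, a_pols: list[str], b: str, b_pols: list[str]) -> list[Cert]:
    """Constructed pair of cross-certificates between domains a and b, with
    pairwise policy mappings a_pols[i] <-> b_pols[i]."""
    return [Cert(b, a, set(a_pols), {x: {y} for x, y in zip(a_pols, b_pols)}),
            Cert(a, b, set(b_pols), {y: {x} for x, y in zip(a_pols, b_pols)})]


# Constructed test PKI: Agency A and Agency B each cross-certified with the
# bridge, plus an outside PKI that never did.
CERTS = (_bilateral("AgencyA-Root", ["a:medium", "a:medium-hw"],
                    "FBCA", ["fpki:medium", "fpki:medium-hw"])
         + _bilateral("FBCA", ["fpki:basic", "fpki:medium", "fpki:medium-hw"],
                      "AgencyB-CA", ["b:basic", "b:medium", "b:medium-hw"]))
ALICE = Cert("alice", "AgencyB-CA", {"b:medium-hw"})   # hardware-token class credential
BOB = Cert("bob", "AgencyB-CA", {"b:basic"})           # software credential
CAROL = Cert("carol", "OutsidePKI-CA", {"x:high"})     # no bridge relationship at all
CERTS += [ALICE, BOB, CAROL]


def demo() -> dict:
    """Relying party in Agency A: which credentials are usable at its own
    medium policies, and what E-Auth level does each carry?"""
    rp_policies = {"a:medium", "a:medium-hw"}
    out = {}
    for leaf in (ALICE, BOB, CAROL):
        path = find_path("AgencyA-Root", leaf, CERTS)
        out[leaf.subject] = {
            "path": [c.subject for c in path] if path else None,
            "accepted_at": accepted_policies(rp_policies, path) if path else set(),
            "eauth_level": eauth_level(CERTS, leaf),
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model covers only path discovery and policy mapping; real validation also checks signatures, validity periods, name and policy constraints, and revocation status on every certificate in the chain. The result for bob illustrates the slide's "authorization remains a local prerogative": his credential is reachable through the bridge (Level 2), but Agency A's relying party, which only accepts its medium policies, gets an empty set and must refuse it.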

Page 15

Discussion

[email protected]

