NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop - PowerPoint PPT Presentation

Slides: 17
Provided by: drpe63

Transcript and Presenter's Notes

1
NIH-EDUCAUSE Interoperability Project, Phase 3
Fulfilling the Promise
Dartmouth PKI Implementation Workshop
  • Peter Alterman, Ph.D.
  • Assistant CIO for E-Authentication
  • National Institutes of Health

2
Topics
  • Introduction and Background
  • Certificate Path Discovery and Validation
  • Automated Receipt Server
  • Automated Archive Log
  • Questions

3
Project Motivators
  • Government Paperwork Elimination Act (GPEA)
  • Move paperwork-based transactions to electronic
    applications through the Internet
  • Quicksilver Projects
  • List of applications for e-Government services,
    including e-Authentication and e-forms
  • E-Authentication focuses on authenticating
    electronic identity credentials to authenticate
    citizens or business access

4
NIH-EDUCAUSE PKI Interoperability Project
  • Funded by the Federal PKI Steering Committee to
    develop models and technology to allow
    locally-issued digital certificates to be used to
    sign digital versions of government forms

5
Benefits to Higher Education
  • Universities and colleges are adopting digital
    signature technology for many reasons. It is
    vital that electronic credentials be reusable.
  • The project enables secure electronic forms-based
    transactions among diverse, unaffiliated business
    partners (including, but not limited to, the
    Federal Government)
  • Project is universally applicable for all
    forms-based business transactions requiring one
    or more signatures

6
Accomplishments
  • Certificate path discovery and validation
    infrastructure
  • Operational PKI bridge pathway between prototype
    of the FBCA and prototype of the HEBCA, which is
    funded and operated by EDUCAUSE
  • Resolution of multiple certificate configuration
    and directory interoperability issues
  • Ability for faculty and staff at academic
    institutions to download, complete, digitally
    sign (two digital signatures), and send XML
    forms to the US Government
  • Automated receipt to submitter
  • NARA requirements for audit logs

7
Concept of Operations
8
FBCA
  • X.500 Based Directory
  • Directories Interconnect via Chaining (X.500 DSP)

9
HEBCA
  • LDAP Based Directory
  • Utilizing the Registry of Directories
  • Utilizing LDAP Referrals

10
Path Discovery and Validation
  1. Certificate submitted to CAM
  2. Based on the Trust Anchor, CAM accesses the FBCA
  3. At FBCA, find a Cross Certificate to HEBCA
  4. Cross Certificate points to the HEBCA
  5. At HEBCA, find a Cross Certificate to the
     University 2 PKI
  6. Return LDAP referral to the CAM
  7. CAM directly follows the referral to the
     University 2 information

11
Path Discovery / Path Validation Lessons
  • Publish all CA certificates within the directory
    using subjectDN found in the certificate
  • Consistently populate Certificate Extensions
    wherever possible
  • Minimize mixing of LDAP, HTTP, and X.500 methods
  • Get the SKID and AKID correctly populated
  • During cross certification, verify that
    policyMapping and nameConstraints are correctly
    defined
  • Path Discovery/Path Validation as well as Tools
    are still evolving. (Ongoing work)
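
The discovery walk of slide 10 together with the SKID/AKID and nameConstraints lessons of slide 11, as an added example that is not part of the presentation or of the NIH-EDUCAUSE project's code. It models the FBCA-side and HEBCA-side directories as servers with referrals (one mechanism standing in for both X.500 chaining and LDAP referrals), publishes each cross-certificate under the subject CA's subjectDN as the lesson says, and walks from the submitted certificate to the trust anchor by matching each AKID to a published SKID. All DNs, key identifiers and directory names are invented, and the signature is a hash stand-in rather than real public-key cryptography; the three end-entity cases show a clean path, a subject outside the cross-certificate's permitted subtree, and an AKID that matches nothing.

```python
"""Toy model of bridged certificate path discovery and validation (added example)."""
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str            # subjectDN; the directory entry the cert is published under
    issuer: str             # issuerDN
    skid: str               # subjectKeyIdentifier
    akid: Optional[str]     # authorityKeyIdentifier (None models a missing extension)
    is_ca: bool
    permitted: tuple = ()   # nameConstraints permittedSubtrees, as DN suffixes
    signature: str = ""

def fake_sign(c: Cert, issuer_key: str) -> str:
    """Constructed stand-in for a signature: a hash bound to the issuer's key id."""
    tbs = f"{c.subject}|{c.issuer}|{c.skid}|{c.akid}|{c.is_ca}|{c.permitted}"
    return hashlib.sha256(f"{issuer_key}::{tbs}".encode()).hexdigest()

def issue(subject, skid, issuer_dn, issuer_key, *, is_ca=True, permitted=(), akid="auto"):
    """AKID defaults to the issuer's key id; pass akid= to model a misconfiguration."""
    c = Cert(subject, issuer_dn, skid, issuer_key if akid == "auto" else akid, is_ca, tuple(permitted))
    return replace(c, signature=fake_sign(c, issuer_key))

class Directory:
    def __init__(self, name: str):
        self.name, self.entries, self.referrals = name, {}, {}   # entries: subjectDN -> [Cert]

    def publish(self, cert: Cert) -> None:
        self.entries.setdefault(cert.subject, []).append(cert)

    def lookup(self, dn: str, trail: list) -> list:
        """Certs published under dn; referrals are followed and each server visited is recorded."""
        trail.append(self.name)
        if dn in self.entries:
            return self.entries[dn]
        for suffix, other in self.referrals.items():
            if dn.endswith(suffix):
                return other.lookup(dn, trail)
        return []

def discover_path(leaf: Cert, start: Directory, anchor_key: str, max_depth: int = 8):
    """Walk from the submitted certificate toward the trust anchor by matching its AKID to
    the SKID of certificates published under the issuerDN. Returns (path or None, servers visited)."""
    trail = []

    def walk(cert, path, seen):
        if cert.akid == anchor_key:
            return path                     # reached a certificate issued by the anchor
        if cert.akid is None or len(path) > max_depth:
            return None                     # nothing to match on: the SKID/AKID lesson
        for cand in start.lookup(cert.issuer, trail):
            if cand.skid == cert.akid and cand.subject != cand.issuer and cand.skid not in seen:
                found = walk(cand, path + [cand], seen | {cand.skid})
                if found:
                    return found
        return None

    return walk(leaf, [leaf], {leaf.skid}), trail

def validate_path(path: list, anchor_key: str):
    """Validate anchor-first: signatures, CA flags and accumulated nameConstraints."""
    constraints, signer_key = [], anchor_key
    chain = list(reversed(path))
    for i, cert in enumerate(chain):
        if cert.signature != fake_sign(cert, signer_key):
            return False, f"bad signature on {cert.subject}"
        for permitted in constraints:       # every constraining CA above must be satisfied
            if not any(cert.subject.endswith(p) for p in permitted):
                return False, f"{cert.subject} violates nameConstraints {permitted}"
        if i < len(chain) - 1 and not cert.is_ca:
            return False, f"{cert.subject} is not a CA"
        if cert.permitted:
            constraints.append(cert.permitted)
        signer_key = cert.skid
    return True, "valid"

def build_scenario():
    """Constructed topology: FBCA (trust anchor) -> HEBCA -> University 2 CA -> end entities."""
    FBCA, HEBCA, U2 = "CN=FBCA,O=US Government", "CN=HEBCA,O=EDUCAUSE", "CN=U2 CA,O=University 2"
    fbca_key, hebca_key, u2_key = "kid-fbca", "kid-hebca", "kid-u2"
    fbca_dir, hebca_dir, u2_dir = Directory("FBCA X.500"), Directory("HEBCA LDAP"), Directory("U2 LDAP")
    fbca_dir.referrals["O=EDUCAUSE"] = hebca_dir       # stands in for X.500 chaining
    fbca_dir.referrals["O=University 2"] = hebca_dir
    hebca_dir.referrals["O=University 2"] = u2_dir     # the LDAP referral of step 6
    # Each cross-certificate is published under the subject CA's DN; its AKID names the issuer.
    hebca_dir.publish(issue(HEBCA, hebca_key, HEBCA, hebca_key))   # HEBCA self-signed
    hebca_dir.publish(issue(HEBCA, hebca_key, FBCA, fbca_key))     # FBCA -> HEBCA
    u2_dir.publish(issue(U2, u2_key, U2, u2_key))                  # U2 self-signed
    u2_dir.publish(issue(U2, u2_key, HEBCA, hebca_key, permitted=("O=University 2",)))  # HEBCA -> U2
    alice = issue("CN=Alice,OU=Faculty,O=University 2", "kid-alice", U2, u2_key, is_ca=False)
    outside = issue("CN=Mallory,O=University 3", "kid-mallory", U2, u2_key, is_ca=False)
    stale = issue("CN=Bob,O=University 2", "kid-bob", U2, u2_key, is_ca=False, akid="kid-u2-old")
    return fbca_dir, fbca_key, alice, outside, stale

def demo():
    """Run the three cases; returns their outcomes rather than printing them."""
    fbca_dir, anchor, alice, outside, stale = build_scenario()
    good, trail = discover_path(alice, fbca_dir, anchor)
    return {
        "alice": ([c.subject for c in good], validate_path(good, anchor), trail),
        "outside": validate_path(discover_path(outside, fbca_dir, anchor)[0], anchor),
        "stale_akid": discover_path(stale, fbca_dir, anchor)[0],
    }
```

Running `demo()` shows the alice path resolving through the FBCA server, the HEBCA server and the referral to the University 2 server, the out-of-subtree certificate being discovered but rejected by the cross-certificate's nameConstraints, and the stale-AKID certificate producing no path at all, which is the failure the "get the SKID and AKID correctly populated" lesson is about.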

12
Automated Receipt Server
Application Flow diagram (zones: Public, DMZ, Secure; components: Remote CA, Applicant, Archive Database, Co-signer, ACL Database)
13
Automated Archive Log
  • Trustworthiness of electronically signed XML
    forms and associated transactions was ensured by:
  • Storing the original digitally signed electronic
    form received in the NARA archive XML document
  • Digital signature on the NARA archive XML document
    included an authenticated timestamp as part of the
    signature
  • NARA Archive XML document included the digital
    certificate of each signatory on the original
    digitally signed XML form, for verification
    purposes
  • NARA Archive XML document provided for signature
    verification at any time for each signatory on
    the original digitally signed electronic form
  • NARA Archive XML document included a certificate
    validation result (from CAM) for each signatory
    on the original digitally signed electronic form,
    the receipt signer's own certificate validation
    result, and an authenticated attribute of its
    signature
  • Long-term storage of all of the above items, with
    their integrity preserved, will be achieved by
    optical media back-up of the archive database.
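
The archive document properties listed on slide 13, as an added example that is neither the presentation's nor the project's receipt server code: the timestamp, each signatory's certificate and CAM result, and the receipt signer's own validation result are all placed inside the signed portion of the record, so altering any of them after the fact breaks the receipt signature. The record is JSON rather than NARA's XML (so canonicalization is just sorted keys), the receipt signature is modelled with HMAC-SHA256 under a server key rather than an asymmetric signature, and the form, certificates and timestamps are constructed values. A deliberately naive variant that keeps the timestamp outside the signed bytes shows why "as part of the signature" matters.

```python
"""Archive record with the timestamp and validation results as signed attributes (added example)."""
import copy
import hashlib
import hmac
import json

RECEIPT_KEY = b"constructed-receipt-server-key"   # stands in for the receipt signer's private key

def canonical(obj) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def receipt_sign(payload: dict) -> str:
    """HMAC-SHA256 stands in for the receipt signer's asymmetric signature."""
    return hmac.new(RECEIPT_KEY, canonical(payload), hashlib.sha256).hexdigest()

def build_archive_record(signed_form: bytes, signatories: list, timestamp: str) -> dict:
    """Everything a later verifier needs is inside the signed portion: the form as received
    (its own signatures included), each signatory's certificate and CAM result, the receipt
    signer's own CAM result, and the timestamp as an authenticated attribute."""
    signed = {
        "original_form": signed_form.decode("utf-8"),
        "original_form_sha256": hashlib.sha256(signed_form).hexdigest(),
        "signatories": [{"name": s["name"], "certificate": s["certificate"],
                         "cam_result": s["cam_result"]} for s in signatories],
        "receipt_signer_cam_result": "VALID",
        "timestamp": timestamp,
    }
    return {"signed": signed, "signature": receipt_sign(signed)}

def build_naive_record(signed_form: bytes, signatories: list, timestamp: str) -> dict:
    """Same data, but the timestamp sits outside the signed portion (the anti-pattern)."""
    record = build_archive_record(signed_form, signatories, timestamp)
    del record["signed"]["timestamp"]
    record["signature"] = receipt_sign(record["signed"])
    record["timestamp"] = timestamp
    return record

def verify_archive_record(record: dict) -> bool:
    """Check the receipt signature, then that the embedded form still matches its digest."""
    if not hmac.compare_digest(receipt_sign(record["signed"]), record["signature"]):
        return False
    form = record["signed"]["original_form"].encode("utf-8")
    return hashlib.sha256(form).hexdigest() == record["signed"]["original_form_sha256"]

# Constructed inputs: a doubly signed form and the CAM results captured at receipt time.
SAMPLE_FORM = (b"<form id='grant-1'><data>...</data>"
               b"<Signature id='applicant'>...</Signature><Signature id='cosigner'>...</Signature></form>")
SAMPLE_SIGNATORIES = [
    {"name": "applicant", "certificate": "<applicant cert, base64>", "cam_result": "VALID"},
    {"name": "co-signer", "certificate": "<co-signer cert, base64>", "cam_result": "VALID"},
]

def demo() -> dict:
    """Show which tamperings each record layout detects (timestamps are constructed values)."""
    good = build_archive_record(SAMPLE_FORM, SAMPLE_SIGNATORIES, "2004-06-01T12:00:00Z")
    backdated = copy.deepcopy(good)
    backdated["signed"]["timestamp"] = "2004-01-01T00:00:00Z"
    altered = copy.deepcopy(good)
    altered["signed"]["signatories"][1]["cam_result"] = "REVOKED"
    naive = build_naive_record(SAMPLE_FORM, SAMPLE_SIGNATORIES, "2004-06-01T12:00:00Z")
    naive["timestamp"] = "2004-01-01T00:00:00Z"    # changed without touching the signed bytes
    return {
        "intact": verify_archive_record(good),
        "backdated_detected": not verify_archive_record(backdated),
        "altered_cam_result_detected": not verify_archive_record(altered),
        "naive_backdate_detected": not verify_archive_record(naive),
    }
```

The intact record verifies, and changing either the archived timestamp or a signatory's CAM result is caught because both are under the receipt signature; the naive layout verifies just as happily after its timestamp has been rewritten, which is exactly the property the slide's "authenticated timestamp as part of the signature" wording rules out.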

14
Schools Completing Successful Interoperability
Testing
  • Dartmouth College
  • University of Alabama-Birmingham
  • University of Wisconsin-Madison
  • University of California

15
Participating Organizations
16
Questions?