The FBCA Architecture: Lessons Learned

The FBCA Architecture:Lessons Learned Tim Polk, NIST March 9, 2001

FBCA Goals • Leverage emerging agency PKIs to create a unified federal PKI • Limit workload agency CA staff • Support agency use of • Any FIPS-approved cryptographic algorithm • A broad range of commercial CA products • Propagate policy information to certificate users in different agencies

EMA Challenge Architecture

Multiple CAs in FBCA Membrane • Support multiple cryptographic algorithms • Support for multiple certificate management protocols

FBCA architecture • FBCA CAs • Offline • No network connectivity • FBCA directory online

An Alternative Bridge Architecture • Bridge CAs offline but have network connectivity • Internal directory • Firewall (strict) • Border Directory

FBCA Directory Architecture • Chained X.500 directories • Dual-rooted FBCA directory is “hub” • dc=gov • o=U.S. Government, c=US

Lessons Learned • Bridge CAs can unite PKIs with • Different architectures • Different cryptographic algorithms • Different DITs • Heterogeneous commercial products can be used inside the bridge • Client software is the limiting factor • X.500 chaining simplifies certificate retrieval • Offline bridge architecture is secure but inefficient

The FBCA Architecture: Lessons Learned

The FBCA Architecture: Lessons Learned

Presentation Transcript

LESSONS LEARNED

LESSONS LEARNED

LESSONS LEARNED

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned

Lessons Learned:

Lessons Learned

LESSONS LEARNED