The FBCA Architecture: Lessons Learned
Tim Polk, NIST
March 9, 2001

FBCA Goals
• Leverage emerging agency PKIs to create a unified federal PKI
• Limit the workload on agency CA staff
• Support agency use of
  • Any FIPS-approved cryptographic algorithm
  • A broad range of commercial CA products
• Propagate policy information to certificate users in different agencies

Multiple CAs in FBCA Membrane
• Support multiple cryptographic algorithms
• Support multiple certificate management protocols

FBCA Architecture
• FBCA CAs
  • Offline
  • No network connectivity
• FBCA directory online

An Alternative Bridge Architecture
• Bridge CAs offline but with network connectivity
• Internal directory
• Firewall (strict)
• Border directory

FBCA Directory Architecture
• Chained X.500 directories
• Dual-rooted FBCA directory is the “hub”
  • dc=gov
  • o=U.S. Government, c=US

Lessons Learned
• Bridge CAs can unite PKIs with
  • Different architectures
  • Different cryptographic algorithms
  • Different DITs
• Heterogeneous commercial products can be used inside the bridge
• Client software is the limiting factor
• X.500 chaining simplifies certificate retrieval
• Offline bridge architecture is secure but inefficient
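The two points the slides make about a bridge CA, that it unites separately rooted PKIs through cross-certificates and that it propagates policy information across agencies, come down to path building plus policy mapping in the relying party's client. The following added example (not from the presentation or from NIST; the CA names, policy identifiers and certificate graph are constructed) models that: a breadth-first search for a certification path from a relying party's trust anchor through the bridge, and a policy walk that applies each cross-certificate's policy mappings so that an agency A relying party ends up with agency B's equivalent policy, or with nothing if no mapping exists.

```python
from collections import deque

# Constructed cross-certificate graph shaped like the bridge topology in the
# slides: two hypothetical agency PKIs cross-certified with a bridge CA.
# CA names, subject names and policy identifiers are made up for the example.
CROSS_CERTS = [
    dict(issuer="AgencyA-Root", subject="FBCA", policies={"A-medium"},
         mappings={"A-medium": "FBCA-medium"}),
    dict(issuer="FBCA", subject="AgencyB-Root", policies={"FBCA-medium"},
         mappings={"FBCA-medium": "B-basic"}),
    dict(issuer="AgencyB-Root", subject="FBCA", policies={"B-basic"},
         mappings={"B-basic": "FBCA-medium"}),
    dict(issuer="FBCA", subject="AgencyA-Root", policies={"FBCA-medium"},
         mappings={"FBCA-medium": "A-medium"}),
    dict(issuer="AgencyB-Root", subject="AgencyB-Sub", policies={"B-basic"}, mappings={}),
    dict(issuer="AgencyB-Sub", subject="alice@agencyB", policies={"B-basic"}, mappings={}),
]

def build_path(anchor, target, certs):
    """Breadth-first search from the relying party's trust anchor to the
    target subject; returns the shortest list of certificates, or None."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c["issuer"], []).append(c)
    queue, seen = deque([(anchor, [])]), {anchor}
    while queue:
        name, path = queue.popleft()
        if name == target:
            return path
        for c in by_issuer.get(name, []):
            if c["subject"] not in seen:
                seen.add(c["subject"])
                queue.append((c["subject"], path + [c]))
    return None

def propagate_policies(path, initial):
    """Apply each certificate's policy mappings in order, keeping only policies
    the certificate asserts; an empty set means no acceptable policy survives."""
    valid = set(initial)
    for c in path:
        valid = {c["mappings"].get(p, p) for p in valid if p in c["policies"]}
    return valid

def validate(anchor, target, initial, certs=CROSS_CERTS):
    """Return (list of subjects along the path, surviving policy set)."""
    path = build_path(anchor, target, certs)
    if path is None:
        return None, set()
    return [c["subject"] for c in path], propagate_policies(path, initial)
```

An agency A relying party asking for `A-medium` reaches `alice@agencyB` through the bridge with `B-basic` as the mapped policy, while a policy the bridge never mapped (for instance a hypothetical `A-high`) yields an empty set, which is exactly the client-side check that makes the bridge's policy propagation meaningful.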