Federal Internet Law & Policy
An Educational Project

Crypto :: PKI & Federal Bridge

"On the Internet, no one knows you are a dog."
- Peter Steiner, New York Times Cartoon 1993

In the magnificent dystopian film Brazil, the hero, Sam Lowry, is promoted from the bowels of the dark bureaucracy to a new position with the Information Retrieval Office. On his first day at the new office, he is baffled at the door by "not even a pretense of a security check." Our hero declares to the door clerk, "My name is Sam Lowry."

"You're expected," says the clerk.
"Don't you want to search me?"
"No, sir," says the clerk.
"My I.D. cards?" suggests Sam.
"No need, sir."
"But I could be anybody," declares Sam.
"No you couldn't, sir," retorts the clerk.

The invasive, all-knowing bureaucracy of Brazil is quite contrary to existence in cyberspace: online, you can be anybody. This creates the problem of authenticating just who you might be. One mechanism for authenticating the identity of parties is Public Key Infrastructure (PKI).

PKI establishes the identity of a party and then associates that identity with a cryptographic key. The US National Institute of Standards and Technology (NIST) describes PKI as follows:

A public key cryptographic system is a cryptographic system where two mathematically related keys are used to encipher and decipher information. In a public key cryptographic system, one key is used to encipher or decipher the information and the other key is used to perform the reverse operation. One of the keys must be kept secret and that is known as a private key, while the other key may be distributed to anyone and is called the public key. Within a PKI, a data structure called a certificate is used to bind a specific identity to a specific public key and information on how the public key can be used... Certification Authorities (CAs) are trusted entities that issue certificates to users within a PKI and provide status information about the certificates the CA has issued.

[NIST Bridge Certificate Authorities] The PKI can authenticate multiple aspects of transactions. It can

  • Authenticate the individual,
  • Authenticate the message (the message sent is the message received),
  • Establish non-repudiation (correspondents cannot deny the transaction), and
  • Assure confidentiality (only the authorized parties to the transaction can read the transaction).

Here is the dance:

Step 1: Individual goes to the certificate authority, which
Step 2: issues a credential and
Step 3: posts the credential to the certificate repository.
Step 4: Individual interacts with the relying party, which
Step 5: consults the certificate repository, which
Step 6: authenticates the individual.
Step 7: Relying party responds to the individual.

The NIST Computer Security Resource Center is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects. In support of digital signatures, NIST has worked with the Federal PKI Steering Committee to produce digital signature guidance. [CSRC PKI]

Federal Bridge Certificate Authority

PKI is great: a key that enables transactions. A dilemma arises, however, from the creation of multiple, incompatible public key systems. With a plethora of federal agencies and offices each running their own PKI, any party seeking to transact with federal offices faces a burden. One cumbersome solution is to get a key for every system and end up with a key collection that looks like a high school janitor's. Another solution, which minimizes the number of keys, is to create one unified system; while some countries have adopted a national unified PKI, the US has not. A third solution is a bridge that links certificate authorities together. This is the approach of the Federal Bridge Certificate Authority.

The Federal Bridge Certificate Authority (FBCA) (not to be confused with the FCBA) makes keys from participating certificate authorities (CAs) interoperable. It is an intermediary that cross-certifies with each participating CA: it recognizes the credibility and authenticity of CA A's keys and of CA B's keys, and in doing so vouches to each that the other's credentials meet its requirements. Note that the Certificate Authorities, not users, interface with the FBCA. The result is that fewer keys are needed to interoperate with more bodies. (CAs can also establish direct relationships with each other instead of cooperating through a Bridge Authority.)
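As an added example (not from the original page or from the FBCA program itself), here is a pure-Python model of how a relying party at one agency finds a trust path to a user credentialed by another agency's CA through the bridge, mirroring the "dance" above: the CA issues a credential, the repository holds it, and the relying party consults the repository. The CA names and the "medium"/"basic" policy labels are constructed placeholders rather than real agency CAs or FBCA certificate policies, and every certificate is assumed to have already passed signature verification, so only the trust links and assurance-level matching are modelled.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Certificate reduced to what path building needs; signature checks are
    assumed already done, so only issuer -> subject trust links are modelled."""
    issuer: str
    subject: str
    policies: frozenset  # assurance levels the issuer asserts for the subject


def build_path(trust_anchor, end_entity, repository, required_policy):
    """Breadth-first search from the relying party's trust anchor to end_entity,
    following issuer -> subject edges in the repository and keeping only
    certificates that assert required_policy. Returns the path or None."""
    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}
    while queue:
        name, path = queue.popleft()
        if name == end_entity:
            return path
        for cert in repository:
            if (cert.issuer == name and cert.subject not in seen
                    and required_policy in cert.policies):
                seen.add(cert.subject)
                queue.append((cert.subject, path + [cert]))
    return None


# Constructed sample repository: CA names and policy labels are illustrative
# placeholders, not real agency CAs or real FBCA certificate-policy identifiers.
MEDIUM = frozenset({"medium", "basic"})  # medium assurance also satisfies basic
BASIC = frozenset({"basic"})
AGENCY_CERTS = [
    Cert("AgencyA-CA", "alice", MEDIUM),  # Alice's credential, issued by CA A
    Cert("AgencyA-CA", "bob", BASIC),     # Bob passed only basic vetting
]
BRIDGE_CERTS = [  # bilateral cross-certificates between each CA and the FBCA
    Cert("AgencyB-CA", "FBCA", MEDIUM), Cert("FBCA", "AgencyB-CA", MEDIUM),
    Cert("AgencyA-CA", "FBCA", MEDIUM), Cert("FBCA", "AgencyA-CA", MEDIUM),
]


def relying_party_b_accepts(user, required="medium", bridged=True):
    """Relying party at Agency B trusts only its own CA; returns path subjects."""
    repo = AGENCY_CERTS + (BRIDGE_CERTS if bridged else [])
    path = build_path("AgencyB-CA", user, repo, required)
    return [c.subject for c in path] if path else None
```

Without the bridge certificates Agency B has no path to Alice at all; with them the path runs through the FBCA and Agency A's CA, while Bob's basic-assurance credential is rejected whenever the relying party insists on medium assurance.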

FBCA is organizationally under the Federal CIO Council. Its governing body is the Federal PKI Policy Authority. Initial participants include GSA, the Department of Justice, the Department of Commerce, NSA, OMB, and the Department of the Treasury. Available at the FBCA website are contact information and the forms needed to cross-certify with the FBCA.

© Cybertelecom