
pkcs11 message



Subject: Fwd: [soa-rm] FYI: New US Gov Certificate Authority and PKI dedicated to web services


Members of the PKCS 11 TC, 

While I'm sure you all saw this, I'm forwarding from an abundance of caution. 

Best, 

/chet

---------- Forwarded message ----------
From: Natale, Bob <RNATALE@mitre.org>
Date: Mon, Dec 5, 2016 at 12:12 PM
Subject: [soa-rm] FYI: New US Gov Certificate Authority and PKI dedicated to web services
To: "soa-rm@lists.oasis-open.org" <soa-rm@lists.oasis-open.org>


See below … major theme:

“The overall objective is for the US government to own and operate a broadly trusted PKI capability for web services. This includes one or more root certificates in commercial and open source trusted root stores under which the US government may safely issue certificates securing connections to government services. These certificates would be trusted by all major browsers, operating systems, and other applications that rely on stores of commonly trusted roots. This includes Mozilla and Google, as well as Microsoft, Apple, Adobe, and others.”


Avanti,

BobN

- - - - -

From: FICAM Community (Tech) Listserv [mailto:ICAM-COMMUNITY-TECH@LISTSERV.GSA.GOV] On Behalf Of Jonathan Prisby - TAD
Sent: Monday, December 05, 2016 11:54 AM
To: ICAM-COMMUNITY-TECH@LISTSERV.GSA.GOV
Subject: [ICAM-COMMUNITY-TECH] A new US government CA and PKI for the web


xpost from Security-Today listserv


Hey all,


I'm sending this notice out to a few different federal communities -- please feel free to forward and distribute widely.


The General Services Administration and the Department of Defense are collaborating on the creation of a new root certificate authority (CA) and public key infrastructure (PKI), owned and operated by the US government.


The cross-agency team leading this effort are soliciting agency feedback and participation throughout the process. This project is in the initial stages, and currently has proposed certificate policies open for comments and recommendations on GitHub (links below).


The overall objective is for the US government to own and operate a broadly trusted PKI capability for web services. This includes one or more root certificates in commercial and open source trusted root stores under which the US government may safely issue certificates securing connections to government services. These certificates would be trusted by all major browsers, operating systems, and other applications that rely on stores of commonly trusted roots. This includes Mozilla and Google, as well as Microsoft, Apple, Adobe, and others.


To achieve this, this new US government PKI will be brand new (“greenfield”) infrastructure. It will not issue certificates for persons (e.g. credentials for PIV cards) and will not be part of the existing Common Policy or Federal Bridge PKI infrastructure. It will be designed primarily for external connections, and to adhere to contemporary Web PKI requirements, as expressed in the CA/Browser Forum’s Baseline Requirements[1] and in the policies of the various commercial root stores.


In addition, this US government PKI will participate fully in Certificate Transparency (CT) [2], and will publicly log the full contents of every issued certificate. Publishing certificates to CT is not only a positive security practice, but also an emerging requirement for publicly trusted certificates by multiple large platform providers. We are also evaluating the potential for investing in and diversifying the CT ecosystem by creating a new government-run CT log service.


Finally, we will invite root stores and the client ecosystem to impose clear and technically enforceable name constraints on which certificates the CA hierarchy is allowed to operate for. This will include .gov and .mil. Any further allowed names are likely to be narrow and limited to government properties, but open for discussion during the planning stage.


Altogether, we believe that separating web/device certificates from “people” certificates, along with operating a transparent, technically constrained US government PKI hierarchy with public audits and policies, will make it possible to achieve universal acceptance in commercial root stores for federal roots. 


To achieve the goal of having a US government publicly trusted root, we will need to retain the public’s trust. To this end, we are developing this CA hierarchy’s core policy documents in a public repository on GitHub: https://github.com/uspki/policies 


In general, this team plans to engage enthusiastically with public communities, and to have as many of our core operational and policy discussions in public view as possible. Using GitHub for version control and public discussion should make it easier to interact with the relevant communities of practice. However, we can always talk with people over email, and any official final documents will be hosted on .gov URLs.


While this project is still in its early stages and will need significant and ongoing investment to succeed, it represents an exciting opportunity for the US government to improve its security and efficiency, while also investing in and aligning itself with the security of the internet at large. 


We’re looking for agency feedback and participation, now and throughout the process. You can ring in on our public issue tracker, reply here on this email thread, email us at uspki-root@listserv.gsa.gov (a temporary list while the project is getting started), or participate in our internal Max.gov workspace. 

-- Eric


Eric Mill

Senior Advisor on Technology

Technology Transformation Service, GSA


--

Jon Prisby
C: 202-394-2777

Technology Transformation Service (TTS) 18F -  U.S. General Services Administration







--

/chet 
----------------
Chet Ensign
Director of Standards Development and TC Administration 
OASIS: Advancing open standards for the information society
http://www.oasis-open.org

Primary: +1 973-996-2298
Mobile: +1 201-341-1393 
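The name constraints the forwarded announcement describes (a CA hierarchy limited to .gov and .mil) are the X.509 nameConstraints extension, which relying parties enforce during chain validation rather than by reading policy documents. The script below is an added example, not code from the announcement or from the uspki project: it builds a throwaway root carrying a critical nameConstraints extension that permits only the .gov and .mil DNS subtrees, issues one leaf for www.example.gov and one for www.example.com, and shows `openssl verify` accepting the first and rejecting the second with a permitted-subtree violation. The hostnames, distinguished names, key sizes and lifetimes are placeholders chosen for the example; it needs only a POSIX shell and OpenSSL 1.1.1 or later, and everything it writes goes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the announcement or the uspki project): a root CA
# whose critical nameConstraints extension permits only the .gov and .mil DNS
# subtrees, plus two leaves issued under it. www.example.gov validates;
# www.example.com is rejected by openssl verify. All names are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root: self-signed, CA:TRUE, keyCertSign, and a critical nameConstraints
# extension. A leading dot (".gov") means "any name one or more labels below".
cat > "$WORK/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_root

[dn]
CN = Example Constrained Root (added example)

[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.gov, permitted;DNS:.mil
EOF

openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 >/dev/null 2>&1

# issue_leaf HOSTNAME NAME: end-entity certificate for HOSTNAME signed by the
# root, with the hostname in subjectAltName (the field the constraint is
# checked against). Files are written as $WORK/NAME.*
issue_leaf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1" \
        > "$WORK/$2.cnf"
    openssl req -new -config "$WORK/$2.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" \
        > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# leaf_accepted HOSTNAME: issue a leaf for HOSTNAME and report whether a client
# trusting only root.pem would accept the chain. Exit status 0 = accepted.
leaf_accepted() {
    name="leaf_$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '_')"
    issue_leaf "$1" "$name"
    if out="$(openssl verify -CAfile "$WORK/root.pem" "$WORK/$name.pem" 2>&1)"; then
        echo "$1: accepted ($out)"
        return 0
    fi
    echo "$1: rejected ($out)"
    return 1
}

leaf_accepted www.example.gov || true   # expected: accepted
leaf_accepted www.example.com || true   # expected: rejected, permitted subtree violation
```

The constraint is evaluated against every DNS name in the subjectAltName of every certificate below the constraining CA, so an intermediate issued under this root inherits the limit and cannot widen it. Because the extension is marked critical, a relying party that does not implement nameConstraints is required by RFC 5280 to reject the chain rather than ignore it, which is what makes the limit technically enforceable instead of a matter of policy text.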

