pki-tc message



Subject: PKI Testing SC Status Report


The last two months have been slow.  The low activity has been mainly attributable to a restriction on marketing activities within the team I work in because of reorganization.  We
have cleared that situation, for the most part, and I will now be able to devote several hours to moving the SC work forward.

As luck would have it, there are some new developments in the authentication arena that are likely to raise PKI visibility across a wide segment of US Federal Government agencies
and in many of the vertical industries subject to regulatory oversight.  Already we are seeing signs that interoperability and/or conformance testing will be increasing as a
result.

There are three primary drivers to renewed interest in PKI.  All are focused upon using PKI identity certificates to play a central role in authenticating people who will be
requesting access to information resources of government agencies or enterprises that they have a business relationship with.

The first is the US Government's E-Authentication Initiative.  It is directing agencies to perform authentication risk assessments of systems that people would access from
online.  The assessments are to determine the identity assurance levels necessary to establish a person's identity to a degree of confidence equal to or higher than a level
appropriate to mitigate the risks present in the transactions the person wants to carry out.  The government has established four levels of assurance.  The first two rely on
assertions and the highest pair will employ PKI identity certificates.  The highest level will be required to be stored on a hardware-based token.

The second is the result of Homeland Security Presidential Directive 12.  The directive orders agencies to conform to Personal Identity Verification (PIV) regulations (currently
under development) for controlling access of all federal employees and contractors to government facilities and information systems.  The high-level concept is that employees and
contractors will be issued a single, standards-based identity card (smart card) that will be used for electronic authentication when accessing logical and physical resources.
Identity management will follow a federated model so that agencies will be able to process credentials issued by another agency.

The third driver is coming from the realization by certain vertical industries that some of their previously guarded information systems must provide access to employees of their
business partners, but in a secure manner.  They have concluded the only scalable method of managing access to those systems is to adopt a federated identity management model.
They have further concluded that PKI identity certificates represent the best technology available that will provide a satisfactory level of authentication assurance and
security.  There are efforts underway in two industries, pharma and aerospace manufacturing, to establish bridge certificate authorities that will additionally cross certify with
the US Federal Bridge CA so that they can extend the utility of certificates to use with their regulators.

All of the scenarios described above will be based upon conformance to a minimum set of standardized PKI certificate attributes and schema.  Conformance testing will be required
to demonstrate satisfactory interoperability.  Currently, testing is being performed as part of the cross-certification process with the US Federal Bridge CA and for approval of
Certificate Service Providers under the e-authentication initiative.  Planning is currently underway to establish testing protocols and standards for the pharma and aerospace
bridges.

I plan to attend the upcoming Federal PKI Technical Work Group meeting next week at NIST where I hope to engage the NIST staff in discussions about their possible participation
in the OASIS PKI TC and Testing SC work.

--  Paul Evans, Booz Allen Hamilton, and Chair of the PKI testing SC


