The FBCA Architecture: Lessons Learned Tim Polk, NIST March 9, 2001.

Page 1: The FBCA Architecture: Lessons Learned

Tim Polk, NIST

March 9, 2001

Page 2: FBCA Goals

• Leverage emerging agency PKIs to create a unified federal PKI

• Limit workload for agency CA staff

• Support agency use of
  – Any FIPS-approved cryptographic algorithm
  – A broad range of commercial CA products

• Propagate policy information to certificate users in different agencies

Page 3: EMA Challenge Architecture

Page 4: Multiple CAs in FBCA Membrane

• Support multiple cryptographic algorithms

• Support for multiple certificate management protocols

Page 5: FBCA architecture

• FBCA CAs
  – Offline
  – No network connectivity

• FBCA directory online

Page 6: An Alternative Bridge Architecture

• Bridge CAs offline but have network connectivity

• Internal directory

• Firewall (strict)

• Border Directory

Page 7: FBCA Directory Architecture

• Chained X.500 directories

• Dual-rooted FBCA directory is the “hub”
  – dc=gov
  – o=U.S. Government, c=US

Page 8:

Page 9: Lessons Learned

• Bridge CAs can unite PKIs with
  – Different architectures
  – Different cryptographic algorithms
  – Different DITs

• Heterogeneous commercial products can be used inside the bridge

• Client software is the limiting factor

• X.500 chaining simplifies certificate retrieval

• Offline bridge architecture is secure but inefficient
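The goals on page 2 (propagating policy information across agencies) and the lessons above (a bridge uniting PKIs with different algorithms, with client software as the limiting factor) both come down to what a relying party's client has to do: discover a certificate path from its own trust anchor through the bridge to a certificate issued in another agency's domain, verify every signature with an algorithm it supports, and rewrite its acceptable policies through each cross-certificate's policy mappings. The following is an added illustrative model, not code from the FBCA or any of the commercial products mentioned. It represents cross-certificates as plain dicts, so no real X.509 parsing or signature verification takes place; the agency names, policy identifiers, algorithms and the `mappings` field (standing in for the X.509 policyMappings extension, issuerDomainPolicy to subjectDomainPolicy) are all constructed, and the policy handling is a simplification of the full RFC 3280 valid-policy-tree processing.

```python
"""Illustrative model of certificate path discovery and policy mapping across a
bridge CA. Added example, not the FBCA's code: cross-certificates are dicts and
no real X.509 parsing or signature verification is performed."""
from collections import deque

# Constructed cross-certificate graph (hypothetical names and policy OIDs).
# "mappings" stands in for the policyMappings extension:
# issuerDomainPolicy -> subjectDomainPolicy.
CROSS_CERTS = [
    # Agency A's root cross-certifies the bridge and maps its policy onto the bridge's.
    {"issuer": "Agency A Root", "subject": "FBCA", "alg": "RSA",
     "policies": {"A-medium"}, "mappings": {"A-medium": "FBCA-medium"}},
    # The bridge cross-certifies Agency B's root, which signs with a different algorithm.
    {"issuer": "FBCA", "subject": "Agency B Root", "alg": "DSA",
     "policies": {"FBCA-medium"}, "mappings": {"FBCA-medium": "B-medium"}},
    {"issuer": "Agency B Root", "subject": "alice@agencyb", "alg": "DSA",
     "policies": {"B-medium"}, "mappings": {}},
    # Agency C is only cross-certified at a lower-assurance bridge policy.
    {"issuer": "FBCA", "subject": "Agency C Root", "alg": "RSA",
     "policies": {"FBCA-basic"}, "mappings": {"FBCA-basic": "C-basic"}},
    {"issuer": "Agency C Root", "subject": "bob@agencyc", "alg": "RSA",
     "policies": {"C-basic"}, "mappings": {}},
]


def find_path(anchor, target, certs=CROSS_CERTS):
    """Breadth-first search from the relying party's trust anchor to the target
    name along issuer -> subject edges. Returns the list of certificates making
    up the path, or None when the target is not reachable."""
    queue = deque([(anchor, [])])
    seen = {anchor}
    while queue:
        name, path = queue.popleft()
        if name == target:
            return path
        for cert in certs:
            if cert["issuer"] == name and cert["subject"] not in seen:
                seen.add(cert["subject"])
                queue.append((cert["subject"], path + [cert]))
    return None


def validate_path(path, initial_policies, supported_algs):
    """Walk the path as a relying party would: every certificate must be signed
    with an algorithm the client can verify, and the set of acceptable policies
    is rewritten through each certificate's policy mappings. Returns a dict with
    an ok flag, the policies the end-entity certificate is valid under (named in
    the issuing domain's vocabulary), and a reason on failure."""
    acceptable = set(initial_policies)
    for cert in path:
        if cert["alg"] not in supported_algs:
            return {"ok": False, "policies": set(),
                    "reason": f"client cannot verify {cert['alg']} signature by {cert['issuer']}"}
        matched = acceptable & cert["policies"]
        if not matched:
            return {"ok": False, "policies": set(),
                    "reason": f"no acceptable policy in certificate issued by {cert['issuer']}"}
        # Translate the surviving policies into the next domain's names.
        acceptable = {cert["mappings"].get(p, p) for p in matched}
    return {"ok": True, "policies": acceptable, "reason": ""}


def check_certificate(anchor, target, initial_policies, supported_algs, certs=CROSS_CERTS):
    """Path discovery plus validation in one call."""
    path = find_path(anchor, target, certs)
    if path is None:
        return {"ok": False, "policies": set(), "reason": "no path to target"}
    return validate_path(path, initial_policies, supported_algs)


if __name__ == "__main__":
    for target in ("alice@agencyb", "bob@agencyc"):
        for algs in ({"RSA", "DSA"}, {"RSA"}):
            result = check_certificate("Agency A Root", target, {"A-medium"}, algs)
            print(f"{target:14} algs={sorted(algs)} -> {result}")
```

Run from Agency A's point of view, Alice's certificate validates at B-medium when the client supports both RSA and DSA, fails as soon as DSA is dropped from the supported set (the bridge's cross-certificate to Agency B cannot be verified, which is exactly the "client software is the limiting factor" lesson), and Bob's certificate fails regardless of algorithm support because the bridge only maps Agency A's medium policy onto FBCA-medium, not onto the basic policy under which Agency C was cross-certified.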