Trusted Identities That Drive Global Commerce. IdenTrust: NCMS Presentation. JPAS Logon changes requiring PKI credentials. Richard Jensen, October 19th 2011


Page 1

Trusted Identities That Drive Global Commerce

IdenTrust: NCMS Presentation

JPAS Logon changes requiring PKI credentials

Richard Jensen, October 19th 2011

Page 2

Copyright ©2011 IdenTrust, Inc. | All Rights Reserved

Agenda

  • Summary of PKI requirement
    - What is PKI
    - What are these things called Digital Certificates
    - Who's behind this
  • Types of Certificates
    - What's the difference
  • Getting a Certificate
    - Where do you begin
    - What's required
    - Documentation and forms
  • Trusted Correspondent Program
  • Questions

Page 3

So what is PKI?

In broad terms, Public Key Infrastructure (PKI) refers to the methods, technologies and techniques that together provide a secure infrastructure enabling users of a basically unsecured public network (the Internet) to exchange information securely and privately.

It is a systemic approach in which every participant agrees to abide by a specific set of rules (the Policy) regarding Identity Management:

  • Application owners want to ensure that the people trying to access their sites really are who they say they are.
  • End Users have someone verify their identity so they can be issued a Digital Certificate to use in online transactions or to access protected sites.
  • Certificate Authorities (like IdenTrust) issue Digital Certificates to individuals once they are certain of a person's identity, based on that set of rules (the Policy).

[Diagram: Policy, CA, Digital Certificates, Applications]

Page 4

Who is in charge of this program?

The DoD established the External Certificate Authority (ECA) program to accommodate the issuance of DoD-approved PKI certificates to individuals who do not have, or do not qualify for, a Common Access Card (CAC). DoD is the 'owner' of the ECA Policy.

DISA manages the ECA Program. ECA is just the name of the Certificate Policy under which the credentials are issued. DISA certifies Certificate Authorities (like IdenTrust) after the CA goes through a rigorous set of testing to meet ECA Policy requirements: security, system architecture, fulfillment, processes, revocation, etc.

DMDC decided to accept ECA certificates for use in the JPAS system. JPAS is simply an application that relies on the integrity of ECA certificates: it does not vet identities itself, but trusts the certificates that the DISA-certified ECA CAs issue under the Policy.

Page 5

PKI's 'product' is a Digital Certificate

A PKI Digital Certificate is a Digital Identity issued to an individual so that they can:

  • Authenticate their identity to an online system. For JPAS this augments the username and password currently in use: the logon proves possession of the private key that matches the certificate, and that key stays on the hardware token.
  • Digitally sign documents. You can use your Digital Certificate to replace your wet-ink signature. The signature is made with your private key; anyone holding your certificate can verify it with the public key the certificate carries.
  • Encrypt documents and transactions. Digital Certificates allow you to send encrypted email so that only the intended recipient can view your message and attachments. Note the direction: you encrypt to the recipient's certificate (their public key), and only the recipient's private key can decrypt.

Page 6

What type of certificate does JPAS require?

JPAS accepts either of two ECA certificate types:

  1. ECA Medium Hardware Assurance; or
  2. ECA Medium Token Assurance

Both are hardware-based certificates and must be stored on a FIPS 140-2 Level 2 or higher Key Storage Mechanism (KSM) per DoD policy.

The KSMs available are either Smart Cards (similar to CAC cards) or USB devices.

JPAS strongly recommends that the KSM be in a Smart Card format. DoD facilities may not let you bring a USB token on site.

Page 7

What's the difference?

  • Both ECA certificate types are hardware-based certificates.
  • One key difference is who performs the Identity Vetting.
  • The hardware devices are exactly the same.
  • However, there is a 'mapping' difference.

ECA Medium Hardware is a higher-assurance certificate than Medium Token. Some DoD applications require Medium Hardware.

In either case, you must meet face to face with the person performing the identity vetting.

Certificate Type               | Identity Vetting                                                                    | Mapping
-------------------------------|-------------------------------------------------------------------------------------|------------------------------------
ECA Medium Hardware Assurance  | IdenTrust Registration Agent; Trusted Agent                                         | Medium High level of Federal Bridge
ECA Medium Token Assurance     | IdenTrust Registration Agent; Trusted Agent; Notary Public; Authorized DoD Employee | Medium level of Federal Bridge

Page 8

How do you get an ECA certificate?

Page 9

Choose one of the three (you’d better choose correctly!)

Page 10

IdenTrust has a customized approach for JPAS

www.identrust.com/jpas

Page 11

All you have to do is click on the “buy” button

www.identrust.com/jpas

Page 12

Go through the on-line application process

Page 13

What is required?

There are identity documents to show to the Trusted Agent or Notary

Page 14

Then you both get to sign (this example is Medium Hardware)

Once for the applicant…

And once for the Trusted Correspondent…

Page 15

Then you both get to sign (this example is Medium Token)

Once for the applicant…

And once for the Notary…

Page 16

There is also a Subscribing Organization Agreement

Requires the signature of someone within the company who can agree to the conditions of the ECA contract for the applicant

The company acknowledges that the associate is getting a certificate as a representative of the company, and agrees to allow the associate to use the certificate on its behalf

Page 17

Both forms are sent to the Registration department

  • The Registration team investigates the identity evidence submitted
  • They assign a "confidence score" based on comprehensive criteria
  • Once they decide, they send an email to the applicant informing them of the decision:
    - If favorable, they send certificate retrieval instructions
    - If unfavorable, they send information regarding the rejection

Page 18

If successful, you'll receive...

  • An email from the Registration department telling you you've been approved
  • A package with a letter on retrieval instructions and your hardware
  • Guidance on protecting your device
  • A CD with drivers and middleware so your computer can use your certificate
  • Instructions on how to:
    - Load the drivers
    - Prepare the KSM
    - Load the private keys
    - Test the certificate

Once your certificate test is complete, go to JPAS and register your certificate.

Page 19

Who, What, Where, When, How: Trusted Correspondent

Who: Typically in HR or Security

What: An internal associate who performs identity vetting on the company's own employees

Where: In-person appointments

When: Whenever an employee needs a certificate

How: A company 'officer' signs a separate agreement accepting the terms/conditions for the actions of their employee acting as a Trusted Correspondent.

  • Your company becomes liable for the truthfulness of the identity
  • Agrees to rules regarding documentation and identity checking
  • Must follow the "letter of the law" just like we do
  • No shortcuts, just because they're your employees

Page 20

Benefits of having your own Trusted Correspondent

  • No need to wait for an appointment with the CA
  • Allows 'bulk loading' for multiple users
    - Eliminates the need for individual users to go through the entire application process
    - Minimum of five per submission
    - All supporting documents must be included together
  • Streamlines processing: the CA does not have to do some of the usual steps (VoE)
  • Reduces costs
  • Enhanced control
    - Upon termination of an employee, a TC can immediately revoke the certificate
    - New employees can be added quicker
    - May be able to resolve basic certificate issuance issues quicker than relying on the CA
  • The only cost is for the certificate of the TC candidate
    - The TC is required to have their own Medium Hardware certificate so they can send encrypted emails back and forth to the CA

Page 21

TC Addendum to Subscribing Organization Agreement

Company officer signs this agreement:

https://secure.identrust.com/certificates/policy/eca/eca-tc-addend.pdf

Page 22

And begin ‘bulk loading’ your associates

TC sends completed spreadsheet via signed and encrypted email to Registration Department

Page 23

Questions?

Contact Info:

Richard Jensen
Director of Government Sales, ECA Program Manager
Associate Member NCMS
256-303-9412
[email protected]

Page 24

NCMS Members qualify for a 20% Discount

www.identrust.com/ncms