US DoD Bridge Certification Authority (BCA) Technology Demonstration
The final report for the US Department of Defense (DoD) BCA Phase II Technology Demonstration is available as a separate document (Adobe Acrobat PDF format).
Overview
The Federal Government sponsored a project aimed at implementing a Bridge Certification Authority (BCA) as a means of providing interoperability among independently established and operated public key infrastructures (PKIs). A BCA does not sit at the top of a hierarchy: it cross-certifies with the principal CA of each participating PKI, so that a relying party in one domain can construct a certification path to an entity in another domain by passing through the bridge, without either domain having to adopt the other's root as a trust anchor. The project, which became known as the BCA demonstration, was designed to prove that the BCA concept and, by association, the border directory concept (a directory at each domain's boundary through which the certificates and revocation data needed to build such paths are published to other domains) are technically feasible and are useful and effective for facilitating trust relationships among many different PKIs operating under different certificate policies.
A government and contractor team designed, developed, integrated, and tested the hardware and software components needed to produce the BCA demonstrations. Because of the complexity of the undertaking and the time available, the work was split into a Phase I demonstration and a Phase II demonstration.
Phase I Demonstration
The Phase I demonstration, completed and demonstrated over the 1999 to 2000 timeframe, included the following capabilities:
- Establishment of trust relationships through the BCA among three domains, each built on a different PKI vendor's products.
- Establishment of directory connectivity among the three domains.
- Establishment of the border directory.
- Construction and processing of certificate paths through the BCA.
- Transfer of signed data between applications that construct certificate paths including the BCA.
Phase II Demonstration
The Phase II demonstration was completed and demonstrated over the 2000 to 2001 timeframe. All Phase I capabilities were carried into the Phase II demonstration, with the addition of the following:
- Establishment of trust relationships through the BCA among five domains, each built on a different PKI vendor's products.
- Establishment of directory connectivity among the five domains.
- Demonstration of the border directory through web-based presentation tools.
- Transfer of both signed and encrypted data between applications that construct certificate paths including the BCA.
- Demonstration of cryptographic algorithm agility, i.e. building and validating paths whose certificates are not all signed with the same algorithm.
- Demonstration of access control for security-labeled information in both store-and-forward and web-based environments, based on authorizations carried in attribute certificates.
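The path construction and validation that the Phase I and Phase II capability lists describe (certificate paths built through the BCA, signed data exchanged across domains, and a path whose certificates are not all signed with the same algorithm) can be shown end to end in a short program. The following is an added example written for this page, not code from the DoD demonstration or from any of the participating vendors. It uses the Python `cryptography` library; every domain name, key and date in it is constructed for the illustration. Domain A is an RSA PKI, the Bridge CA and domain B use ECDSA, and a third domain C is deliberately left outside the bridge so that the search for a path to it fails.

```python
"""Certification path construction and validation through a Bridge CA.
Added example, not code from the DoD BCA demonstration; all names, keys
and dates are constructed for illustration."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime(2001, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, subject_key, issuer, issuer_key, is_ca):
    """Issue a certificate; subject != issuer with is_ca=True is a cross-certificate."""
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def _verify_signature(cert, issuer_cert):
    """Dispatch on the issuer's key type so one validator copes with an RSA domain
    and an ECDSA domain in the same path; raises InvalidSignature on mismatch."""
    pub = issuer_cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        args = (padding.PKCS1v15(), cert.signature_hash_algorithm)
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        args = (ec.ECDSA(cert.signature_hash_algorithm),)
    else:
        raise ValueError("unsupported issuer key type")
    pub.verify(cert.signature, cert.tbs_certificate_bytes, *args)


def _validity(cert):
    """Aware UTC bounds; the *_utc properties exist from cryptography 42 onward."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def build_path(trust_anchor, target, store):
    """Forward path construction: breadth-first from the trust anchor over
    certificates whose issuer name equals the current subject name. The visited
    set stops the search from looping on the reverse cross-certificates."""
    queue, seen = [(trust_anchor,)], {trust_anchor.subject}
    while queue:
        path = queue.pop(0)
        if path[-1] == target:
            return list(path)
        for cert in store:
            if cert.issuer == path[-1].subject and cert.subject not in seen:
                seen.add(cert.subject)
                queue.append(path + (cert,))
    return None  # target is not reachable from this trust anchor


def validate_path(path, at=NOW):
    """Name chaining, signature under each issuer's key, validity window and
    basicConstraints CA=TRUE on every certificate except the last."""
    for i, cert in enumerate(path):
        issuer = path[i - 1] if i else path[0]  # the anchor is self-signed
        if cert.issuer != issuer.subject:
            raise ValueError(f"name chaining broken at {cert.subject.rfc4514_string()}")
        _verify_signature(cert, issuer)
        not_before, not_after = _validity(cert)
        if not not_before <= at <= not_after:
            raise ValueError(f"{cert.subject.rfc4514_string()} not valid at {at}")
        if i < len(path) - 1:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not bc.ca:
                raise ValueError(f"{cert.subject.rfc4514_string()} is not a CA")
    return [c.subject.rfc4514_string() for c in path]


def demo():
    """Domain A (RSA) and domain B (ECDSA) are bridged; domain C is not."""
    a_key = rsa.generate_private_key(65537, 2048)
    bridge_key, b_key, c_key, alice_key, carol_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    a_root = _issue("Domain A Root CA", a_key, "Domain A Root CA", a_key, True)
    alice = _issue("alice@domain-b", alice_key, "Domain B Root CA", b_key, False)
    carol = _issue("carol@domain-c", carol_key, "Domain C Root CA", c_key, False)
    store = [a_root, alice, carol,
             _issue("Domain B Root CA", b_key, "Domain B Root CA", b_key, True),
             _issue("Domain C Root CA", c_key, "Domain C Root CA", c_key, True)]
    for dom, key in (("Domain A Root CA", a_key), ("Domain B Root CA", b_key)):
        store.append(_issue("Bridge CA", bridge_key, dom, key, True))  # domain -> bridge
        store.append(_issue(dom, key, "Bridge CA", bridge_key, True))  # bridge -> domain
    bridged = validate_path(build_path(a_root, alice, store))
    unbridged = build_path(a_root, carol, store)  # None: no cross-certificate reaches C
    return bridged, unbridged
```

`build_path` searches in the forward (trust-anchor-first) direction only; a relying party in the demonstration would pull the cross-certificates from the border directory rather than a local list and may search backward from the target as well, and a production validator must additionally check revocation status, certificate policies and name constraints, none of which this sketch performs. The point of the example is the shape of the path: the relying party's own root, the cross-certificate its root issued to the bridge, the cross-certificate the bridge issued to the other domain, and finally the end entity, with the signature algorithm changing part-way along.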
Results
Both the Phase I and Phase II demonstrations have been presented to government agencies and commercial companies as a proof of concept. The demonstrations showed that:
- The BCA and border directory concepts are feasible solutions to PKI interoperability.
- Attribute certificates can serve as an effective method of conveying privileges.
- Access control based on data labeling is feasible.
- Commercial off-the-shelf (COTS) products can satisfy government requirements.
- Standards compliance is an important requirement that is sometimes difficult to meet, and it does not by itself guarantee interoperability: products that each conform to the same standard can still fail to work together.
Federal PKI Links
Additional information about the Federal PKI and BCA can be found on the following web pages:
Public Key Infrastructure Interoperability Test Suite (PKITS)
The Public Key Infrastructure Interoperability Test Suite (PKITS), published by NIST, is a free and openly available test resource that provides information and test data for developers writing public-key-enabled software that builds and validates certification paths, including certification paths within Bridge CA architectures.