Note: this blog entry is a copy of one that I originally posted on Intelink-U. Sadly, nobody there had any Federal Bridge success stories to share. Since all the references are available on the public Internet, I thought it would be interesting to publish it to a wider audience and see if I got any positive replies.
According to a 2001 paper by Peter Alterman, Ph.D., instead of creating a single PKI solution for the entire Federal enterprise, the Federal PKI Steering Committee decided to create a consolidated PKI infrastructure, consisting of discrete Federal Agency PKIs interoperating through a non-hierarchical Bridge certification authority (CA). This solution of theirs is known as the Federal Bridge CA.
In the paper, Dr. Alterman made a number of predictions regarding PKI in the Federal government and ended with this hopeful sentence, “In as little as ten years, engineers, computer scientists and users will wonder what all the fuss about PKI was back at the turn of the millennium. With luck, we will still be around to explain it all to them.”
It’s now 2009, so while 10 years haven’t actually passed, I believe enough years have passed to ask whether the Federal Bridge is performing as advertised. There’s a July 2008 DoD memo that approves certain external PKI infrastructures. To date, however, I can send encrypted emails only to others within the DoD; I can’t send encrypted emails to anybody in the 13 other agencies/companies that have been JITC-certified for DoD interoperability.
I’m curious whether *anybody* in the Federal government is actually taking advantage of the Federal Bridge. Or do we taxpayers simply pay for lots of people to make policy and perform tests, while the actual implementation gets left to agencies that don’t really want to work together anyway?
I have recently been involved in testing of COTS products with cross-certificates and the FBCA. Although the concept of the bridge is fine, we have found that operational in products like MS it is a lot harder to pull off (or just doesn’t work). The problem lies with the complexity of the model. PKI is hard enough for the lay person to understand. Then you start introducing cross-certificates, path constraints, etc and it gets even harder…even for admins.
I think the only way we crack this nut is to use something like SCVP to outsource trust decisions to a trust service of sorts. Of course we have to convince Microsoft and other vendors to support it…
Kevin, you make a very interesting point. I have to admit, that I don’t know all that much about the technical side of PKI implementation. I just know that if I want to send an encrypted email to my buddy Bob, I need his public key. (See “PKI for dummies” diagram at http://www.networkworld.com/gif/1999/0517tech.gif) Somewhere in there is a requirement for my system has to trust his certificate and his system to trust mine. But if it’s as hard as you say it is, then what exactly have “they” been testing and calling successful?
Found this today >> http://iase.disa.mil/pki-pke/interoperability/fed_crosscert.html
It gives me hope.