How an organization gets certified to issue these high-assurance IDs
In the early days of finance in England, bankers would routinely write letters of introduction for customers so they could access credit in other parts of the world. “If you had an account in good standing with a bank in England you would be given a letter of introduction and when you sailed to the new world you would use it to get a loan,” says Jeff Nigriny, CEO at CertiPath.
Today’s new world is online and identity credentials now take the place of these letters from hundreds of years ago. CertiPath enables other organizations to issue high-assurance PIV-I credentials so that individuals can be trusted in this new online world. “It’s not that a relying party knows who I am directly or even explicitly, it’s about trusting the issuer of the credential,” Nigriny explains.
Recently, CertiPath has taken financial services provider Citi through the process as well as HID Global. Both organizations are now certified to issue PIV-I credentials. Other organizations are also working to become certified, Nigriny says. The market potential for PIV-I is enormous with as many as 54 million credentials anticipated.
Many of these will be going to federal contractors but there’s also a market for first responders and health care workers. Additionally, Citi announced plans to issue high-assurance credentials to its customers as well.
With the National Strategy for Trusted Identities in Cyberspace and efforts to secure online identities in motion, PIV-I has been discussed as a possible option for citizens.
The road to PIV-I certification begins with paperwork, says Judith Spencer, chair of the Policy Management Authority at CertiPath. A company must explain its intent and how its PIV-I system will operate. “At this stage we are trying to make sure the request is coming from a legitimate potential issuer,” explains Spencer.
From there the request goes to CertiPath’s Policy Management Authority, an advisory group consisting of the existing CertiPath-enabled issuers. The group provides non-binding views to CertiPath on policy, technology and business practices related to the Bridge Certification Authority and approval of applicants for cross-certification.
Members of this group, through CertiPath, have credential interoperability and have been cross-certified with the federal bridge through a common trust framework, Spencer says. “The members administer the framework and they’re able to see each other’s policies,” she explains. “That’s how we maintain the mutual trust.”
Defining the terms:
Policy management authority: An advisory group created by CertiPath that provides non-binding input on policy, technical and business practices related to the Bridge Certification Authority and approval of applicants for cross-certification.
Certificate authority: Core to a Public Key Infrastructure, the purpose of these trusted third parties is to issue digital certificates for use by other subordinate authorities, organizations, or individuals.
Certificate policy: A certificate policy is a document that defines the various actors in a PKI, their roles and their duties.
Certification practice statement: An organization’s standard operating procedure on how the service will be operated and how the certificate authority will be compliant with the certificate policy.
Policy mapping service agreement: An agreement that identifies the appropriate assurance level for interoperability between all parties.
After approval from the authority, the organization enters into a policy mapping service agreement, which states that CertiPath will provide services that may lead to cross-certification.
Then it’s a process of more back and forth. The company needs to provide a certificate policy and, if it plans to offer encryption, a key recovery practice statement, Spencer says.
Then CertiPath maps the company’s certificate policy to its own. “It’s not about compliance but conformance and having compatible processes,” Spencer explains. “They don’t have to do it like we do it but we have to get the same results.”
CertiPath goes through the policy and provides a mapping report. “It contains questions we have or requirements if missing or inadequately covered,” Spencer says.
For example, a common issue is the audit process. CertiPath requires that an organization keep logs of the system and review them every two weeks. “From the time you flip a switch to turn on your certificate authority to when you turn it off everything needs to be continually audited for anomalies,” Spencer says.
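What a two-week log review of that kind might check is shown below as an added illustration; it is not part of the article and is not CertiPath’s or any issuer’s tooling. The log format, event names (CA_START, REQUEST_APPROVED, CERT_ISSUED, LOG_REVIEW), the sample entries and the 14-day review cadence are all constructed assumptions. The script looks for three things a reviewer would want to catch: a break in the log’s sequence numbers (an entry lost or removed), a certificate issued without an approved request or approved by the same person who submitted it (the separation-of-duties concern the article raises later), and a gap between reviews longer than the required interval.

```python
import re
from datetime import datetime, timedelta

# Constructed line format (an assumption for this example, not any real CA's log):
#   <seq> <ISO-8601 UTC timestamp> <EVENT> key=value key=value ...
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<ts>\S+)\s+(?P<event>[A-Z_]+)(?P<kv>(?:\s+\w+=\S+)*)\s*$"
)

# Constructed sample log: entry 5 is missing, serial 0A2 has no approved request,
# request R102 was approved by its own submitter, and the second review is late.
SAMPLE_LOG = """\
1 2012-03-01T08:02:11Z CA_START operator=ops1
2 2012-03-01T09:10:00Z REQUEST_APPROVED operator=ra1 request=R100 approver=ra2
3 2012-03-01T09:12:30Z CERT_ISSUED operator=ca1 request=R100 serial=0A1
4 2012-03-01T09:20:05Z CERT_ISSUED operator=ca1 request=R101 serial=0A2
6 2012-03-02T10:00:00Z REQUEST_APPROVED operator=ra1 request=R102 approver=ra1
7 2012-03-02T10:01:00Z CERT_ISSUED operator=ca1 request=R102 serial=0A3
8 2012-03-14T14:00:00Z LOG_REVIEW operator=auditor1
9 2012-04-05T11:30:00Z LOG_REVIEW operator=auditor1
"""


def parse_log(text):
    """Parse log text into a list of dicts; a malformed line is itself a finding-worthy
    event, so it raises rather than being silently skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed log line: {raw!r}")
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        entries.append({
            "seq": int(m.group("seq")),
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "event": m.group("event"),
            **fields,
        })
    return entries


def review_log(text, max_review_gap=timedelta(days=14)):
    """Return a list of human-readable findings for the review period."""
    entries = parse_log(text)
    findings = []

    # 1. Sequence continuity: a missing number means an entry was lost or removed.
    expected = entries[0]["seq"] if entries else 0
    for e in entries:
        if e["seq"] != expected:
            findings.append(f"sequence gap: expected {expected}, found {e['seq']}")
            expected = e["seq"]
        expected += 1

    # 2. Every issuance must trace to an approved request, and the approver of a
    #    request must not be the operator who submitted it.
    approved = {}
    for e in entries:
        if e["event"] == "REQUEST_APPROVED":
            approved[e["request"]] = e
            if e.get("approver") == e.get("operator"):
                findings.append(
                    f"separation of duties: request {e['request']} approved by its own submitter {e['operator']}"
                )
        elif e["event"] == "CERT_ISSUED" and e.get("request") not in approved:
            findings.append(
                f"issuance without approved request: serial {e.get('serial')} (request {e.get('request')})"
            )

    # 3. Review cadence: the interval from CA start-up to the first review, and
    #    between consecutive reviews, must not exceed the required period.
    marks = [e["ts"] for e in entries if e["event"] in ("CA_START", "LOG_REVIEW")]
    for prev, cur in zip(marks, marks[1:]):
        gap = cur - prev
        if gap > max_review_gap:
            findings.append(
                f"review overdue: {gap.days} days between {prev:%Y-%m-%d} and {cur:%Y-%m-%d}"
            )
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample this reports four findings: the sequence gap at entry 5, the unapproved issuance of serial 0A2, the self-approved request R102, and a 21-day interval between the two reviews. A real review would also cover key-ceremony events, operator role changes and failed authentication to the CA host, but the structure is the same: parse every entry, refuse to proceed on anything unparseable, and check each control the certificate policy promises.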
CertiPath returns the results of the mapping to the company, which can then start a process of back and forth until the certificate policy mapping returns the same results.
After that’s accepted, the company needs to write a certification practice statement (CPS). This is the organization’s standard operating procedure on how the service will be operated and how the certificate authority will be compliant with the certificate policy. For example, if the certificate policy says there is a secure facility that is protected from unauthorized access, the CPS would describe the facility and the credentials required for access to facilities and offices.
After that’s completed, the organization must hire a third-party auditor experienced with PKI systems, Spencer says. The auditor looks at the certification practice statement and makes sure it fulfills the certificate policy.
If this is a new service and the organization doesn’t have any credentials issued, a “day zero audit” is performed. The auditor looks at the physical environment where the credentials will be stored and issued, the operations, the personnel and separation of duties. “The auditor is going to make sure people are actually doing what’s in the document,” she says.
While the audit is taking place, testing is done on the credentials the company wants to issue. The organization issues the four certificates and PIV-I compliant smart cards to CertiPath for testing, Spencer says. They are tested in CertiPath’s lab to make sure the certificate profiles are correct. Officials from the Federal PKI Authority are brought in to observe the tests.
The smart card has to be fully populated with the certificates, biometrics and containers, Spencer says. “It has to be a real operational card,” she adds.
CertiPath runs a suite of PIV-I tests on the card to make sure it operates correctly. If errors are found a report with explanations is delivered to the company. The look of the card is scrutinized during this process. “It must be visually distinguishable as a PIV-I card so it doesn’t appear to be masquerading as a PIV card,” Spencer explains.
Results of this testing, along with the documentation of the applicant’s key recovery system, go to CertiPath’s Policy Management Authority. The group reviews the results and votes on whether the organization should be certified. From start to finish the process takes between six and twelve months depending on how quickly an organization can turn around documents and make the necessary changes, Spencer says.
But that doesn’t mean they’re done with the reports. After six months of issuing credentials a full operational audit has to be performed and submitted back to the Policy Management Authority. If the company hasn’t issued a significant number of credentials in that first six months it can get another six-month extension. But operational audits are required for all organizations every 12 months.