It’s been a busy year so far. Last week we began our full-time presence in DC. I moved from Fort Wayne to DC and will be working in the city for the foreseeable future. Our company headquarters will stay in Fort Wayne, and will continue to be the primary site of our software engineering team. The DC office will serve as both a business development and client support location. Most of our customers are in the greater-DC area, and it makes a lot of sense for us to have full-time staff here. It is good to be back.
Every month or so, the Government Smart Card Interagency Advisory Board (IAB) holds a public meeting to discuss the HSPD-12 State of the Union. There are several presentations given about notable smart card and related projects, and there’s plenty of time for Q&A as well as networking. The meetings are attended by both government employees & contractors as well as many vendors. Normally, we wouldn’t make a special trip from Fort Wayne to DC for these meetings, but now that I’m local I’ll be attending these meetings more often.
For this March 5th, 2009 meeting located in the GSA Auditorium we got to hear from the following speakers:
- Tim Baldridge (NASA) gave the opening and closing remarks, as well as an update on the PAIIWG id, which is being built on the PIV GUID.
- Judy Spencer (GSA) talked about the future of the government’s Identity Management Strategy and the creation of the Federal Identity, Credential, and Access Management (ICAM) sub-committee.
- Jarrod Frahm (Dept. of State) gave an interesting presentation on how the Dept. of State is using a separate smart card with Match-On-Card Biometrics for authentication, and mentioned the department’s plans for merging this MoC smart card with their PIV smart cards.
- Craig Wilson (FEMA) gave a summary of the impressive Winter Chill exercise that took place earlier this year. First Responders with PIV, CAC and FRAC smart cards performed geo-location-aware, near-real-time electronic validations across the US. This exercise was used to demonstrate the capabilities of validating cardholders in the field who might be relocated during a disaster.
- Steve Duncan (GSA) was scheduled to give an update on GSA’s Managed Service Office (MSO) Shared Service Providers, but had to cancel at the last-minute.
- Bill MacGregor (NIST) followed up on the Dept. of State’s match-on-card biometric project and commented on NIST’s stance on MoC support for PIV cards.
The presentations should eventually make their way up to the GSC IAB web site. FIPS201.com has posted audio from previous IAB meetings. I learned something new from all of the presentations. I’ll comment on a few items that I found especially interesting.
ICAM: The Future of the Government’s IDM strategy
- The ICAM sub-committee is being co-chaired by Judy Spencer & Paul Grant (DoD). The fundamentals haven’t changed: The IdAM guidance will be built upon the eAuthentication’s M-04-04 and NIST SP 800-63.
- The eAuth portal will be moving from SAML version 1 to 2.
- eAuth will be partnering with Liberty Alliance for levels 1 and 2.
- Commercial digital certificates that are cross-certified with the Federal Bridge are now available from VeriSign. (See the Press Release)
- ICAM’s next steps are to publish a PIV Interoperability guide for non-federal entities and to publish an ICAM roadmap & implementation guide. They also plan to establish a Citizen Outreach Focus Group.
BLADE / PKI – Department of State
- BLADE: “Biometric Logical Access Development & Execution”
- Before PIV cards were widely available, the Dept. of State started a pilot program that allows users to access applications using a smart card and a match-on-card biometric applet in place of, or in addition to, a PIN. Due to the size & compatibility requirements of the MoC applet, DoS could not include this functionality on their official PIV cards. Precise Biometrics is providing the MoC applets and readers.
- DoS is using the BLADE smart cards to provide PKI logon via Kerberos. Their long-term goal is to provide logon to all DoS websites.
- DoS is currently trying to create a hybrid PIV / BLADE-MoC smart card – they need more storage space on the smart card chip. Until this issue is solved, DoS cardholders will use the BLADE card for logical access and their PIV cards for physical access.
- One of their biggest challenges is hardware and software deployment overseas.
- The interesting part of this project is that it has re-ignited NIST’s interest in Match-On-Card biometrics support. Bill MacGregor (NIST) commented on this in a later presentation.
- Jarrod Frahm gave the presentation and he is the BLADE PM. Mark McCloy is the PKI PM. Steven Gregory is the IIB Branch Chief.
NIST’s thoughts on Match-On-Card for PIV
- Bill MacGregor (NIST) gave a follow-up presentation on how MoC is being considered as a PIN replacement option for PIV cards.
- Motivations for MoC support include improved usability and improved security & reliability
- What’s not changing: Backwards compatibility with existing PIV card standard, the authentication model, FIPS 140-2 Level 2 requirements, metrics for biometrics testing (MINEX)
- The NIST process for adopting new technology recommendations: 1. R&D (NIST IRs, papers, presentations), 2. Best Practice Guidelines (Special Pubs), 3. Standards (ANSI, ISO and, rarely, FIPS)
- NIST R&D for MoC includes, so far:
  - 8/2007: NIST IR 7485: MINEX II – MoC Performance I
  - 11/2007: NIST IR 7452: Secure MoC Feasibility Report (I worked on an early draft of this report while with my previous employer)
  - 2/2008: NIST IR 7477: MINEX II – MoC Performance II
  - ISO/IEC 24787 On-Card Biometric Comparison (comments from ANSI/INCITS B10 & M1, liaison with ANSI/INCITS B10.12)
- Moving forward:
  - FY 2009: Revisit & formalize requirements
  - FY 2009: Recommend an implementation approach
  - Consider ISO/IEC 24787 mapping (updated on 3/11/09 – Thanks, Bill)
  - Propose modifications to 800-73, 800-76, FIPS 201
  - “Enable a direction based on merits.”
“Winter Chill” – FEMA’s electronic validation exercise
- Craig Wilson, Senior Consultant for FEMA, gave an exciting presentation on FEMA’s latest in-the-field exercise dubbed “Winter Chill”.
- The exercise involved state and local Federal Emergency Response Officials (FEROs) and representatives from DoD and FEMA.
- The exercise included moving these representatives around from one site to another and validating their identity using electronic validation of PIV, CAC and FRAC smart cards as well as state-issued Drivers Licenses.
- In addition to the real-time validation of these credentials, the geo-location was tagged and reported in “near real-time”. (I guess they didn’t want to commit to saying “real-time”.)
- Duane Stafford, representing the State of Virginia (VDOT?) talked about how VA provided the geospatial awareness technology.
- The software was demo’d during the meeting.
- As we entered the IAB meeting there were two entrances being manned by some of the same representatives that validated credentials during Winter Chill. The high-assurance entrance scanned PIV cards. The low-assurance entrance scanned driver’s licenses. My newly-issued driver’s license passed with flying colors.
Proposal of a new PIV GUID
- Tim Baldridge (NASA) gave a summary of the work done to evolve the PIV FASC-N.
- Problem: Current PIV card ID number (FASC-N) was not designed to support non-federal PIV Card Issuers (PCIs).
- Proposal: A GUID (128-bit value, i.e. HUGE) shall be assigned to each issued PIV card according to RFC 4122.
- The proposal implies a requirement to update the data model for signed objects, including certs, to include the GUID in addition to the FASC-N.
- Development of new functionality in the PIV standard and guidance to support “Mutual Registration” by Relying Parties in co-operation with the PCI.
After the PIV GUID presentation and wrap-up there was some more Q&A. There was some more discussion around this Mutual Registration topic and Match-On-Card biometrics. The part that I found particularly interesting was the MoC Philosophy. The idea is simple:
I control access to my card with my fingerprints that I enrolled.
This really helped me grasp a new motivation for MoC. The fingerprint does not belong on the server. If a user is using it in place of a PIN, it should be treated like a PIN. Only the user should be able to enroll their MoC fingerprints. There may be an unblock function that the server provides, but the user should be in control of the enrollment process and know that their fingerprint templates are only stored on the smart card.
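To make the MoC philosophy concrete, here is an added toy model (my own illustration, not code from DoS, NIST or Precise Biometrics) of the access rules described above: the template is written only by the cardholder after PIN verification, comparison happens inside the card so the host only ever learns match/no-match, a PIN-style retry counter blocks the card after repeated failures, and the issuer’s unblock key can reset the counter but cannot read or replace the template. The Hamming-distance matcher, the retry limit and the threshold are constructed stand-ins, not a real minutiae comparison.

```python
# Toy model of the match-on-card (MoC) access philosophy: the fingerprint
# template never leaves the card object, and enrollment is the cardholder's act.
MAX_RETRIES = 3        # assumption: PIN-like retry counter
MATCH_THRESHOLD = 12   # assumption: max differing bits for a match (toy matcher)


def _hamming(a: bytes, b: bytes) -> int:
    """Constructed stand-in for a biometric matcher: count differing bits."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class MocCard:
    def __init__(self, pin: bytes, unblock_key: bytes):
        self._pin = pin                  # cardholder secret, used to gate enrollment
        self._unblock_key = unblock_key  # issuer/server secret, like a PUK
        self._template = None            # stored on the card only; no getter exists
        self._retries = MAX_RETRIES

    def enroll(self, template: bytes, pin: bytes) -> bool:
        """Only the cardholder (proving the PIN) may write the template."""
        if pin != self._pin:
            return False
        self._template = bytes(template)
        return True

    def verify(self, probe: bytes) -> bool:
        """Comparison runs on the card; the host gets back only a boolean."""
        if self._template is None or self._retries == 0:
            return False
        ok = (len(probe) == len(self._template)
              and _hamming(probe, self._template) <= MATCH_THRESHOLD)
        # Treat a failed match like a wrong PIN: burn one retry, block at zero.
        self._retries = MAX_RETRIES if ok else self._retries - 1
        return ok

    def is_blocked(self) -> bool:
        return self._retries == 0

    def unblock(self, key: bytes) -> bool:
        """The server can reset the counter but never sees or sets the template."""
        if key != self._unblock_key:
            return False
        self._retries = MAX_RETRIES
        return True

    def retries_left(self) -> int:
        return self._retries
```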
I hope this was helpful to those who couldn’t attend. Now that I’m around DC more often, I’d be happy to meet up in person more often. Also, I recently launched the company’s official Twitter feed. Send me an @TrustBearer reply on Twitter to get in touch.