It’s been a while. I’ve had a few posts queued up to write, and this was one of the first. I try to attend the IAB meetings when possible, but this past August meeting was the first that I’ve been to since March. As most people in our niche identity+smart card government industry know, these meetings are a good opportunity to catch up with colleagues and hear updates about progress at various agencies. I think all future IAB meetings should be hosted in the American Institute of Architects’ second floor conference room. The concentric circle seating layout with desks is excellent.
Slides and audio from the afternoon’s presentations are available from FIPS 201.com. (Thanks, Avisian)
This August’s meeting kicked off with a wholehearted update from USDA’s Owen Unangst. Owen started with a historical overview of USDA’s Identity and Access Management Vision. I liked his inverted pyramid diagram that outlined this vision. Everything begins at the base with Identity. Identity existed long before HSPD-12 was announced. HSPD-12 chiefly addressed the second layer, Credentials, with the PIV specification. USDA has been busy implementing the Accounts, Authorization, and Access Control layers atop credentials. It’s impressive that they’ve made progress with both logical and physical access systems, and that these two historically disparate systems appear to be tightly integrated. I also found it interesting that the topmost layer, Application Integration, is only in the earliest planning stages. Implementation is far from complete.
My biggest take-away from Owen’s presentation was the method and time that went into each of their strategic planning cycles. While a lot of this is classic PMP stuff, what was interesting is that Owen said one of these cycles (Business Requirements Analysis, Gap Analysis, Portfolio Selection, and Portfolio Assessment) should never take more than 3 months. The output of a cycle is a business case, roadmap, architecture and project plan. Three months should be more than enough time to make a decision and lay out a plan to execute it. In my mind, this is why USDA will be successful in implementing their Identity and Access Management vision.
Tim Baldridge of NASA followed Owen’s talk. Tim gave a brief presentation about how a single PIV card will eventually be trusted across multiple domains and agencies, not just by the agency that issued the card. Today, some individuals are being issued cards from each domain to which they need access. Tim used the example of a doctor from HHS who has both an HHS and a DoD PIV card. Federal PKI trust anchors such as the Common Policy (Federal Root CA) and the Federal Bridge CA (FBCA) will provide the technical infrastructure that enables this to happen. There is still quite a bit of work to be done here, but it’s good to see that it is on the radar of leaders in the HSPD-12 space. By the October IAB meeting, Tim hopes to be able to demonstrate certificate interoperability in person. I’m looking forward to seeing this demonstration.
Bill MacGregor, an IAB regular from NIST, gave status updates on a few projects and publications. The NIST SP 800-73-3 draft is open for public comment (actually, it looks like comments were due on 13 September). This isn’t a huge update to 800-73. It looks like there are some good things for PIV-Interoperable cards (a UUID definition consistent with the NFI spec), plus some card lifecycle items such as “on-card retention of historical keys”. The important news is that this update should have no impact on already-issued cards.
NIST has also released an Interagency Report on the Use of ISO/IEC 24727 (NIST IR 7611). ISO/IEC 24727 helps desktop applications discover and talk to the growing number of types of identity smart cards. In the introduction of NIST IR 7611, the Transportation Worker Identification Credential is noted as similar to, but technically different from, a PIV smart card. “The ISO/IEC 24727 framework allows any client-application to communicate with any card-application.” The document describes the structure of the NIST-developed 24727 middleware stack that was built to communicate with PIV cards. Much of this work was based on the existing NIST PIV middleware demo. If possible, the source code will be released. What does “If possible” mean, Bill? Interesting stuff for folks like us.
Bill then offered a reminder in light of some recent press about RFID skimming: “Are they talking about PIV?” Probably not. Not all RFID skimming is the same, and not everything can be skimmed. He suggests re-reading SP 800-116, Section 4 and Appendix A, to help decide on the right authentication assurance level. For example, if you’re just reading the CHUID from a card, you don’t have very high assurance that the card was not copied: the CHUID is a static, freely readable object, so a skimmer that captures it can replay it. Verifying the CHUID signature tells you the data was produced by the issuer, but it still accepts a byte-for-byte copy. Performing a challenge-response with the card’s private key, which never leaves the chip, gives much higher assurance that the card in the reader is the one the issuer personalized.
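To make the three assurance levels concrete, here is an added toy model of them (my illustration for this post, not code from NIST, SP 800-116, or any middleware). It uses textbook RSA over fixed Mersenne primes with no padding, which is not secure and only serves to show which checks a skimmed clone or a fabricated card survive; the FASC-N strings, the `Card` object and the `general_authenticate` helper are constructed stand-ins for the real card objects and APDUs. The challenge-response shown is one-way card authentication (the reader verifies the card), not the mutual variant mentioned above.

```python
"""Toy model of three PIV reader policies: read the CHUID, verify the CHUID
signature, or run a private-key challenge-response.  Added illustration,
NOT NIST or vendor code.  The RSA here is textbook RSA over small fixed
primes and is insecure; it only demonstrates which checks a clone passes."""
import hashlib
import os
from dataclasses import dataclass

E = 65537


def make_key(p, q):
    """Textbook RSA key pair from two primes (toy: tiny modulus, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def h(msg: bytes) -> int:
    # 128-bit truncated SHA-256 keeps the "message" below every toy modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(h(msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == h(msg)


# Constructed keys: the issuing CA, the genuine card's PIV Auth key, and the
# key an attacker's clone must fall back to, since the real private key is
# never readable from the chip.
ISSUER_PUB, ISSUER_PRIV = make_key(2**61 - 1, 2**89 - 1)
CARD_PUB, CARD_PRIV = make_key(2**107 - 1, 2**127 - 1)
CLONE_PUB, CLONE_PRIV = make_key(2**61 - 1, 2**107 - 1)


@dataclass
class Card:
    chuid: bytes        # freely readable identifier (constructed FASC-N text)
    chuid_sig: int      # issuer signature over the CHUID
    auth_pub: tuple     # public half of the PIV Auth key, as found in its cert
    cert_sig: int       # issuer signature binding chuid || auth_pub
    auth_priv: tuple    # private half; on a real card this never leaves the chip

    def general_authenticate(self, challenge: bytes) -> int:
        """Stand-in for the card signing a reader-supplied challenge."""
        return sign(self.auth_priv, challenge)


def cert_body(chuid: bytes, pub) -> bytes:
    return chuid + pub[0].to_bytes(40, "big")


def issue(chuid: bytes) -> Card:
    """Issuer personalizes a card: signs the CHUID and binds the card key to it."""
    return Card(chuid, sign(ISSUER_PRIV, chuid), CARD_PUB,
                sign(ISSUER_PRIV, cert_body(chuid, CARD_PUB)), CARD_PRIV)


def skim_clone(card: Card) -> Card:
    """Everything a skimmer can read is copied verbatim; the private key is
    not readable, so the clone can only answer challenges with its own key."""
    return Card(card.chuid, card.chuid_sig, card.auth_pub, card.cert_sig, CLONE_PRIV)


def forge(chuid: bytes) -> Card:
    """Fabricated CHUID with no issuer signatures at all."""
    return Card(chuid, 0, CLONE_PUB, 0, CLONE_PRIV)


# --- the three reader policies ------------------------------------------
def auth_chuid_only(card: Card) -> bool:
    return len(card.chuid) > 0                  # "the reader got a number"


def auth_chuid_signed(card: Card) -> bool:
    return verify(ISSUER_PUB, card.chuid, card.chuid_sig)


def auth_challenge_response(card: Card) -> bool:
    if not auth_chuid_signed(card):
        return False
    if not verify(ISSUER_PUB, cert_body(card.chuid, card.auth_pub), card.cert_sig):
        return False                            # key not bound to this CHUID by the issuer
    nonce = os.urandom(16)                      # fresh each time, so a replayed answer fails
    return verify(card.auth_pub, nonce, card.general_authenticate(nonce))


def results() -> dict:
    """Run each policy against a genuine card, a skimmed clone, and a forgery."""
    genuine = issue(b"FASC-N:1234-5678-0001")    # constructed sample identifier
    cards = {"genuine": genuine,
             "skimmed clone": skim_clone(genuine),
             "forged": forge(b"FASC-N:9999-0000-0000")}
    return {name: (auth_chuid_only(c), auth_chuid_signed(c), auth_challenge_response(c))
            for name, c in cards.items()}


if __name__ == "__main__":
    for name, (plain, signed, chal) in results().items():
        print(f"{name:14s} chuid-only={plain} chuid+sig={signed} challenge-response={chal}")
```

Reading the output row by row: the forgery passes only the CHUID-only reader, the skimmed clone passes the signature check too (the signature was copied along with the data it covers), and only the challenge-response reader tells the clone from the real card.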
Chris Lounden finished the day by giving an update on what GSA’s ICAM group has been up to. He spoke about ICAM’s goals of making Government more transparent to citizens by making it easier to access government websites and by leveraging various Web 2.0 technologies. Chris made it very clear that ICAM’s current focus is on portable identity for non-PKI credentials at OMB Level of Assurance 3 and below. The concepts introduced are not attempting to redefine or replace what PIV or CAC provide; when implemented correctly, applications can reach Level of Assurance 4 with PIV or CAC.
ICAM’s approach to allowing portable citizen identities in the federal government is to “Adopt technologies in use by industry (Scheme Adoption)” and “Adopt industry Trust Models (Trust Framework Adoption)”. To assist in Scheme Adoption, ICAM is developing Identity Scheme profiles for OpenID, Information Card, and SAML (WS-Federation is to follow). To assist in Trust Framework Adoption, ICAM has published the “Federal ICAM Trust Framework Provider Adoption Process” on IDManagement.gov. The big deal here is that participation is expected from InCommon, the OpenID Foundation, Information Card Foundation and Liberty Alliance / Kantara.
This is old news now, but ICAM and the participating bodies mentioned above made a big splash about this earlier in the month at the Gov 2.0 conference. I’ll be sharing my thoughts on Open Identity for Open Government in an upcoming blog post. As mentioned at the beginning of the post, all of the presentations (from which I’ve heavily referenced) and audio recordings (hot) from the IAB meeting are available on FIPS 201.com. I look forward to seeing more familiar faces next month at the in-person IAB meeting at the Smart Card Alliance’s Smart Cards in Government conference (Oct. 27-30).