Federal Bridge Certification Authority's deployment of Isode's M-Vault
Isode's M-Vault X.500 plays a fundamental role in supporting the FBCA by providing its directory services. This case study summarizes the FBCA concept, why the FBCA chose M-Vault X.500, and how it has been deployed.
Federal Bridge Certification Authority (FBCA)

Entities, including US Government agencies, are making increasing use of digitally signed transactions based on X.509 PKI certificates. Trust within an entity PKI is based on a Certification Authority (CA), which issues certificates to its end users, and on the CA's management functions, which publish certificate and certificate status information in a directory or a database. The FBCA's challenge was to make that trust and authentication system interoperable among disparate entity PKIs, so that a user in one entity PKI can verify a digital signature made by a user in a different entity PKI. In other words, a user (User 1) in one entity PKI (Entity 1) is issued a certificate by that entity's CA. User 1 then digitally signs a document or e-mail sent to another user (User 2) in another entity PKI (Entity 2). User 2 needs to verify that User 1's digital signature is valid. This is done by building and validating a certificate "trust chain". Using the FBCA, the trust chain that would be built is:

"User 1" -> "CA Entity 1" -> FBCA -> "CA Entity 2" -> "User 2"

The FBCA is a key component when building trust chains. The trust request could go directly from one entity PKI to another. However, this method does not scale, and maintaining these pairwise trust relationships would become completely unmanageable given the large number of US government departments. Instead, the FBCA supports a trust chain by establishing a trust relationship ('cross-certification' in PKI terms) between itself and each entity PKI. Cross-certification includes the policy mapping that determines the appropriate level of assurance, which is then asserted in the cross-certificates issued to the respective entity PKIs so that the cross-certified CAs can securely transact business, and it also covers certificate revocation. The directory plays a key role in supporting this infrastructure.

Isode and Authera

A Prototype FBCA was implemented four years ago and, after certification and accreditation, a Production FBCA was granted approval to operate in May 2002. When the FBCA broadened its directory scope to support LDAP clients,
Authera (an Isode channel partner based in Baltimore, Maryland) supplied six copies of Isode's M-Vault X.500 (LDAP and X.500 directory server) to FBCA in May 2003 for testing.

Why did FBCA Choose M-Vault X.500?

The FBCA required a directory server that supported both X.500 and LDAP. The FBCA Operational Authority conducted a limited market analysis of available directories offering this capability; M-Vault X.500 was one of these products. Four factors made M-Vault X.500 the choice for FBCA:
The FBCA Directory Deployment in Detail

The FBCA uses two copies of M-Vault X.500 for its operational service: one as the master and the other as an identical subordinate server providing dedicated LDAP connectivity. Two further copies are used at the FBCA hot site, and the final two copies are used for internal interoperability testing.
The FBCA directory is primarily used to provide directory connectivity between entity PKIs. This connectivity can be provided by the client (referral) or by the directory server on behalf of the client (chaining). For server-provided connectivity, the FBCA directory establishes chaining relationships to the entity PKIs' LDAP and X.500 directories, giving access to the entity PKI directories that hold CRLs and user and CA certificates. This is important for several reasons:
The directory holds the data for the Federal PKI, which includes the FBCA and three other CAs managed by the FBCA Operational Authority. This data includes certificates, CRLs, and cross-certificates issued within the Federal PKI CAs and to other entity PKIs, and it is used during certificate path discovery and validation.

Summary

M-Vault X.500, supplied by Isode in association with its partner Authera, supports the US critical infrastructure and is fundamental to the FBCA. M-Vault X.500 was chosen for being a single COTS solution, for its performance and robustness, and for having 24x7 support. M-Vault X.500 was the right choice for the FBCA and is the right choice for any department, service, or agency needing a solution for interoperability among LDAP and X.500 repositories.
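To make the trust-chain and cross-certification idea from the FBCA section concrete, here is an added example (not code from Isode, Authera or the FBCA) that discovers a chain from a relying party's own CA through a bridge CA and applies the policy mappings carried by each cross-certificate along it; the CA names, policy identifiers and cross-certificates are constructed placeholders. It also contrasts the number of cross-certificates a pairwise mesh would need with what a bridge needs.

```python
from collections import deque

# Constructed sample data (not from the page): each cross-certificate is
# (issuer, subject, policy_mappings); policy_mappings maps a policy identifier
# in the issuer's domain to its equivalent in the subject's domain.
# The identifiers are placeholders, not real FBCA policy OIDs.
CROSS_CERTS = [
    ("CA Entity 2", "FBCA", {"2.medium": "fbca.medium"}),
    ("FBCA", "CA Entity 1", {"fbca.medium": "1.medium"}),
    ("CA Entity 1", "FBCA", {"1.medium": "fbca.medium"}),
    ("FBCA", "CA Entity 2", {"fbca.medium": "2.medium"}),
]
# End-entity certificates: subject -> (issuing CA, asserted policy)
END_ENTITY = {
    "User 1": ("CA Entity 1", "1.medium"),
    "User 2": ("CA Entity 2", "2.medium"),
}

def discover_path(trust_anchor, target_user):
    """Breadth-first search from the relying party's trust anchor over
    cross-certificates until the target user's issuing CA is reached."""
    issuer_of_target, _ = END_ENTITY[target_user]
    edges = {}
    for issuer, subject, _ in CROSS_CERTS:
        edges.setdefault(issuer, []).append(subject)
    queue, seen = deque([[trust_anchor]]), {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == issuer_of_target:
            return path + [target_user]
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None  # no chain: the entity is not cross-certified

def validate_policy(path, required_policy):
    """Apply each cross-certificate's policy mapping along the chain and
    check that the end-entity certificate asserts the mapped policy."""
    mappings = {(i, s): m for i, s, m in CROSS_CERTS}
    policy = required_policy
    for issuer, subject in zip(path, path[1:-1]):
        policy = mappings[(issuer, subject)].get(policy)
        if policy is None:
            return False  # policy not mapped across this cross-certificate
    return END_ENTITY[path[-1]][1] == policy

def cross_certs_needed(n_entities, bridged):
    """Pairwise mesh needs n*(n-1) cross-certificates; a bridge needs 2*n."""
    return 2 * n_entities if bridged else n_entities * (n_entities - 1)
```

Run from User 2's side, the search yields CA Entity 2 -> FBCA -> CA Entity 1 -> User 1, and the policy check succeeds only when the assurance level User 2 requires maps, hop by hop, to the policy User 1's certificate asserts.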
Copyright © 2009 Isode