Combined Communications Electronics Board (CCEB) PKI Cross-Certification Between CCEB Nations
- 64 pages
- For Official Use Only
1.1.1 Purpose
This section provides the long-term Public Key Infrastructure (PKI) interoperability architecture for the CCEB Allies as agreed at the February 2005 Canberra Collocated Meeting. The architecture enables interoperability through direct cross-certification of each National Defence PKI (NDPKI) in a mesh configuration.
1.1.2 Audience
The audience for this section is expected to be the PKI management and engineering/technical staff involved in Defense2 PKI Program Management Offices (PMOs) or Project Teams. The audience includes Government and industry personnel involved in the definition, design, and development of the NDPKIs. Familiarity with PKI concepts is assumed.
1.1.3 Background
CCEB Nations exchange Military information and data under the Combined Joint Multilateral Master Military Information Exchange Memorandum of Understanding (CJM3IEM). A Combined Joint Military Information Exchange Annex (CJMIEA) adds Authenticated Services which can use but are not limited to one, or a combination of, the following: Validation of Internet Protocol (IP) domain name; Presentation of user name; Presentation of user name and password; Presentation of cryptographic credentials using Public Key Technology; and Presentation of biometric credentials. CJMIEA Authentication Services involves policies, processes, and technologies to support the exchange and validation of authentication credentials. One basis for this exchange and validation is strong digital identities for both individuals and devices from interoperable NDPKIs that support strong identity management regimes, common policies and technical implementations. To achieve the CCEB Management Plan task of establishing interoperable NDPKIs4, the CCEB Executive Group (EG) has endorsed the PKI Task Force (TF) recommendation for a two phase interoperability approach:
a. Short-term which supports Allied access to US Department of Defense (DoD) owned websites on Unclassified but Sensitive Internet Protocol Network (NIPRNET). The solution, as agreed at the September 2004 Washington CCEB Collocated Meeting, creates policies and procedures, through the use of a Trusted Agent (TA) regime, for defense personnel in CCEB nations to obtain PKI Certificates from the US DoD PKI system.
b. The long-term approach supports interoperable, authenticated military information and data exchange within the SECRET high environment or within a lower classification system-high environment between CCEB nations over approved networks using PKI technology.