My two cents ...
When this initiative got under 10+ years ago, it was difficult to get agency buy in. I haven't followed it closely since I left gov't, but wonder if there has been any meaningful take up of this ... my sense is that USG credentialing/authentication has moved in other directions .... 'PKI' is not the framework anymore. The phrase 'develop a funding model that would make it possible to recover the costs of operating the PKI infrastructure' especially caught my attention.
I'm wondering if this is a last gasp effort to sustain it .... just speculation, of course.
*************************************************************
This is a Message from:
Mark Bohannon
Vice President, Corporate Affairs & Global Public Policy
Red Hat, Inc.
Desk: 202-220-3170
Mobile: 202-413-1365
ma...@redhat.com
**************************************************************
From: "James.neushul" <james....@gmail.com>
To: mil...@googlegroups.com
Sent: Thursday, February 9, 2012 11:59:30 AM
Subject: Fw: [mil-oss] Fwd: GSA might outsource PKI infrastructure management -- Federal Computer Week
How about subsidies? We could have the FEDEX JDAM and Go Daddy CYBER.
Outsourcing is like COTS... which ends up being really expensive GOTS. It seems like a good idea - but the Gov sucks at negotiation.
On 2/9/12, John Scott III <jms...@gmail.com> wrote:
> it's always been hard to fund infrastructure used by everyone in a model
> where programs get funded to solve specific problems
>
> On Feb 9, 2012, at 12:31 PM, Mark Bohannon wrote:
> so big programs create/build to different tech standards
The federal bridge mentioned here?: http://iase.disa.mil/pki-pke/interoperability/index.html
Maybe they are just trying to aggregate the current fed/mil CAs. That wouldn't be a bad idea. I think my Apache httpd has about ~150 CAs in the CA trust store right now.
-ben
Classification: UNCLASSIFIED
Caveats: NONE
And the related news article: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=1&hp=&pagewanted=all
On Wed, Feb 15, 2012 at 12:07 PM, Harley Garrett <hgar...@gtsms.com> wrote:
Not to confuse the dialog but speaking about public keys......
At a cryptography conference to be held in August in Santa Barbara, Calif., researchers will present research where they examined public databases of 7.1 million public keys used to secure e-mail messages, online banking transactions and other secure data exchanges.
Employing the Euclidean algorithm, an efficient way to find the greatest common divisor of two integers, they examined the public key numbers and discovered a small percentage of those numbers were not truly random, making it possible to determine the underlying numbers, or secret keys, used to generate the public key.
They said they "stumbled upon" almost 27,000 different keys that offer no security. "Their secret keys are accessible to anyone who takes the trouble to redo our work".
Here's the abstract:
Abstract
We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for multiple-secrets cryptosystems such as RSA is significantly riskier than for single-secret ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.
And the link to the study FYI
http://eprint.iacr.org/2012/064.pdf
Harley Garrett
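As an added illustration of the GCD sanity check that Harley's post and the abstract describe (example code written here, not the paper's or its authors' own): it builds a handful of constructed toy RSA moduli, two of which were "generated" with the same prime, and shows that the pairwise GCD recovers the factors of exactly those two while leaving the well-formed keys untouched.

```python
from itertools import combinations
from math import gcd

# Constructed toy primes (real RSA primes are 512+ bits; these are ~30 bits,
# chosen only so the arithmetic is easy to follow by hand).
P1, P2, P3 = 1000000007, 1000000009, 1000000021
P4, P5, P6, P7 = 1000000033, 1000000087, 1000000093, 1000000097

# Constructed moduli: N1 and N2 share the prime P2, which is exactly the
# "same random choice made twice" failure the abstract describes; N3 and N4
# are well formed. N1 is listed twice to exercise the duplicate-key case.
N1, N2, N3, N4 = P1 * P2, P2 * P3, P4 * P5, P6 * P7
SAMPLE_MODULI = [N1, N2, N3, N4, N1]


def find_shared_factors(moduli):
    """Pairwise GCD over a collection of RSA moduli.

    Returns (factored, duplicates): factored maps every modulus that shares
    a prime with another modulus to its recovered (p, q); duplicates holds
    moduli that occur more than once (gcd == n is the same key seen again,
    not a factorisation, so it must not be counted as a broken key).
    """
    factored = {}
    duplicates = set()
    for a, b in combinations(moduli, 2):
        g = gcd(a, b)
        if g == 1:
            continue                      # independent keys: nothing learned
        if a == b:
            duplicates.add(a)             # same modulus collected twice
            continue
        for n in (a, b):
            p, q = g, n // g              # g is a proper prime factor of n
            factored[n] = (min(p, q), max(p, q))
    return factored, duplicates


def weak_key_rate(moduli):
    """Fraction of distinct moduli the GCD check breaks (the paper reports
    roughly two per thousand for RSA keys collected on the web)."""
    factored, _ = find_shared_factors(moduli)
    return len(factored) / len(set(moduli))


if __name__ == "__main__":
    factored, dups = find_shared_factors(SAMPLE_MODULI)
    for n, (p, q) in factored.items():
        print(f"modulus {n} factors as {p} * {q}")
    print(f"duplicate moduli: {sorted(dups)}")
    print(f"weak key rate: {weak_key_rate(SAMPLE_MODULI):.3f}")
```

The pairwise loop is quadratic in the number of keys, which is fine for auditing one organisation's CA output but not for millions of keys; at that scale batch GCD methods built on product trees do the same job. A modulus that shares no factor with any other passes this check, so a clean result says nothing about other key-generation weaknesses.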
On Wed, Feb 15, 2012 at 9:38 AM, Mark Bohannon <ma...@redhat.com> wrote:
Further to James' post, I think we're talking apples and oranges.
As I read the GSA announcement, this is about the old PKI bridge certificate program -- not about individual agencies' implementation (see language, "which maintains links between federal agencies and public and private groups that issue PKI certificates, and systems that connect different government PKI systems.") This was the initiative that, from the outset, seemed to have trouble getting agency buy-in.
*************************************************************
This is a Message from:
Mark Bohannon
Vice President, Corporate Affairs & Global Public Policy
Red Hat, Inc.
Desk: 202-220-3170
Mobile: 202-413-1365
ma...@redhat.com
**************************************************************
Sent: Wednesday, February 15, 2012 10:31:50 AM
Subject: Re: [mil-oss] Fwd: GSA might outsource PKI infrastructure management -- Federal Computer Week
my comment was meant to highlight that groups I get called in to help always seem starved for funds for pieces of big infrastructure/foundational technology whereas a number of the big IT/C4ISR programs build specific apps that don't often try to share infrastructure with the rest of that gov agency
so big programs create/build to different tech standards
On Feb 14, 2012, at 5:42 PM, James Neushul wrote:
> PKI Infrastructure is used for the Common Access Card (CAC) system and
> impacts - or will impact - every person and system in the DOD.
> Currently it is used for data-at-rest encryption on all USN and USMC
> computers. From where I sit (at my CAC accessed and encrypted
> computer) PKI pretty much IS the framework. What other directions are
> you aware of?
>
> On 2/9/12, John Scott III <jms...@gmail.com> wrote:
>> its always been hard to fund infrastructure used by everyone in a model
>> where programs get funded to solve specific problems
>>
>> On Feb 9, 2012, at 12:31 PM, Mark Bohannon wrote:
>>
>>> My two cents ...
>>>
>>> When this initiative got under 10+ years ago, it was difficult to get
>>> agency buy in. I haven't followed it closely since I left gov't, but
>>> wonder if there has been any meaningful take up of this ... my sense is
>>> that USG credentialing/authentication has moved in other directions ....
>>> 'PKI' is not the framework anymore. The phrase 'develop a funding model
>>> that would make it possible to recover the costs of operating the PKI
>>> infrastructure' especially caught my attention.
>>>
>>> I'm wondering if this is a last gasp effort to sustain it .... just
>>> speculation, of course.
>>>
>>>
>>> *************************************************************
>>> This is a Message from:
>>>
>>> Mark Bohannon
>>> Vice President, Corporate Affairs & Global Public Policy
>>> Red Hat, Inc.
>>> ma...@redhat.com
>>>
>>> **************************************************************
>>>
>>> From: "James.neushul" <james....@gmail.com>
>>> To: mil...@googlegroups.com
>>> Sent: Thursday, February 9, 2012 11:59:30 AM
>>> Subject: Fw: [mil-oss] Fwd: GSA might outsource PKI infrastructure
>>> management -- Federal Computer Week
>>>
>>> How about subsidies? We could have the FEDEX JDAM and Go Daddy CYBER.
>>>
>>> Outsourcing is like COTS... which ends up being really expensive GOTS. It
>>> seems like a good idea - but the Gov sucks at negotiation.
>>>
>>> With PKI every shred of data could be encumbered by some vendor. This is
>>> a good time to not be stupid.
>>>
>>> Nothing against the idea - it just needs to be done right. �Anyone in the
>>> govy smart enough to not jack it up is probably smart enough to run it ..
>>> minus the congressional kickbacks.
>>>
>>> -------- Original message --------
>>> Subject: [mil-oss] Fwd: GSA might outsource PKI infrastructure management
>>> -- Federal Computer Week
>>> From: John Scott III <jms...@gmail.com>
>>> To: mil...@googlegroups.com
>>> CC:
>>>
>>>
>>> interesting, what else could/should be outsourced? Especially with the
>>> looming budget cuts coming
>>>
>>> http://fcw.com/articles/2012/02/08/gsa-federal-pki-infrastructure.aspx?s=fcwdaily_090212
>>>
>>>
>>> GSA open to outsourcing federal PKI operation
>>> • By John S. Monroe
>>>
>>> • Feb 08, 2012
>> To post to this group, send email to mil...@googlegroups.com
>> To unsubscribe from this group, send email to
>> mil-oss+u...@googlegroups.com
>> For more options, visit this group at
>> http://groups.google.com/group/mil-oss?hl=en
>>
>> www.mil-oss.org
>>
-----------------------------------------------------------
John Scott
240.401.6574
< jms...@gmail.com >
http://powdermonkey.blogs.com
@johnmscott
Have you joined MIL-OSS?:
http://groups.google.com/group/mil-oss
http://mil-oss.org/
OK .. I apologize. All I know is that the CAC system is very expensive and is what I thought they might be outsourcing (of course I haven't read ANY of the articles and am completely speaking out of turn..) The other thing I know is that a vast majority of DOD websites cause browsers to burp out warnings about their certs -- which is just a standard indicator of issues.....Beyond that - and the fact that I was born in Santa Barbara (well Goleta..) .. please disregard my comments as unqualified banter.
Neutron
On 02/15/2012 09:29 AM, Andy Anderson wrote:
By "traditional authentication", do you mean passwords? We could be way
ahead of Moore's law with those <http://xkcd.com/936>, if "barely ahead"
were not mandated in the DoDI 8500.2 IA controls.
I think certs do a lot, inside the DoD, for the people and servers who
have them. This is because we spend a lot of money securing every part
of the certificate's lifecycle, including revocation. That money
translates almost directly into security guarantees. In the general
case, I can agree that certificates aren't that great, because not
everyone spends as much securing their CAs, so the level of trust is not
consistent, and interoperability is poor. Also, in the global context of
the Internet, certificate revocation doesn't work, as evidenced by
Google's recent decision to disable it by default in Chrome.
> A better solution when it reaches maturity may be biometric enabled
> ID - for those who don't mind their retina and finger prints on file
> in a government data base. My my,
> always trade-offs with new technology eh?
I can't see that it would ever be a better solution. You have to trust
the reader instead of the token, and the token is irrevocable and not
separable by function (I have three keys for different purposes, but
only one set of fingers).
> But the fact is programs like CAC are competitively procured
> and usually are delivered with little, if any, Open Source code.
I believe smartcards in general are delivered with little if any Open
Source code. The MUSCLE project exists, and I think it provides useful
code that runs on the card. But I'm not aware of any organization which
has deployed MUSCLE cards. On the management and enrollment side, I
think wide swaths of the Red Hat Certificate System are open-source, but
I'm not sure about the code that runs on the tokens themselves.
Not widely farmed, but fertile. Out in the industry it seems IT people
are going on about BYOD (bring your own device). What if you could BYOT
(bring your own token)?