Fw: [mil-oss] Fwd: GSA might outsource PKI infrastructure management -- Federal Computer Week


James.neushul

Feb 9, 2012, 11:59:30 AM
to mil...@googlegroups.com
How about subsidies?  We could have the FEDEX JDAM and Go Daddy CYBER.

Outsourcing is like COTS... which ends up being really expensive GOTS.  It seems like a good idea - but the Gov sucks at negotiation.  

With PKI every shred of data could be encumbered by some vendor.  This is a good time to not be stupid.

Nothing against the idea - it just needs to be done right.  Anyone in the govy smart enough to not jack it up is probably smart enough to run it .. minus the congressional kickbacks.
-------- Original message --------
Subject: [mil-oss] Fwd: GSA might outsource PKI infrastructure management -- Federal Computer Week
From: John Scott III <jms...@gmail.com>
To: mil...@googlegroups.com
CC:


interesting, what else could/should be outsourced? Especially with the looming budget cuts coming

http://fcw.com/articles/2012/02/08/gsa-federal-pki-infrastructure.aspx?s=fcwdaily_090212

GSA open to outsourcing federal PKI operation
• By John S. Monroe

• Feb 08, 2012
The General Services Administration is looking for new ideas about how to manage the Federal Public Key Infrastructure (PKI) Trust system, including the possibility of turning it over to a contractor.

At present, GSA is responsible for the system, which maintains links between federal agencies and public and private groups that issue PKI certificates, and systems that connect different government PKI systems. Among other functions, the system is used to support the process for maintaining Personal Identity Verification credentials.

But in a request for information released earlier this month, GSA invited people to suggest alternative solutions for managing federal PKI operations. The RFI asks for comments on two basic approaches: the current model, in which a contractor provides the service using government-furnished systems, and a services-only model, in which a contractor takes over the system as well.

In the case of the current model, GSA also is looking for ideas about how to enhance existing services. For example, the agency would like to develop a funding model that would make it possible to recover the costs of operating the PKI infrastructure. The RFI also asks for comments on how to better divide management responsibilities between the government and the contractor.

In the case of the services-only model, GSA would like comments on how to manage the transition.
-----------------------------------------------------------
John Scott
240.401.6574
< jms...@gmail.com >
http://powdermonkey.blogs.com
@johnmscott

Have you joined MIL-OSS?:
http://groups.google.com/group/mil-oss
http://mil-oss.org/

--
You received this message because you are subscribed to the "Military Open Source Software"  Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en

www.mil-oss.org

Mark Bohannon

Feb 9, 2012, 12:31:51 PM
to mil...@googlegroups.com
My two cents ...

When this initiative got under way 10+ years ago, it was difficult to get agency buy-in. I haven't followed it closely since I left gov't, but wonder if there has been any meaningful take-up of this ... my sense is that USG credentialing/authentication has moved in other directions .... 'PKI' is not the framework anymore. The phrase 'develop a funding model that would make it possible to recover the costs of operating the PKI infrastructure' especially caught my attention.

I'm wondering if this is a last gasp effort to sustain it ....  just speculation, of course.


*************************************************************
This is a Message from:

Mark Bohannon
Vice President, Corporate Affairs & Global Public Policy
Red Hat, Inc.
Desk:     202-220-3170
Mobile:  202-413-1365
ma...@redhat.com

**************************************************************

Harley Garrett

Feb 9, 2012, 12:47:16 PM
to mil...@googlegroups.com
"funding model" caught my attention too. My ATT bill just went up some $13/mo all due to higher fees and fed taxes. Keep your hand on your wallet.

John Scott III

Feb 9, 2012, 1:46:35 PM
to mil...@googlegroups.com
It's always been hard to fund infrastructure used by everyone in a model where programs get funded to solve specific problems.

James Neushul

Feb 14, 2012, 5:42:37 PM
to mil...@googlegroups.com
PKI Infrastructure is used for the Common Access Card (CAC) system and
impacts - or will impact - every person and system in the DOD.
Currently it is used for data-at-rest encryption on all USN and USMC
computers. From where I sit (at my CAC accessed and encrypted
computer) PKI pretty much IS the framework. What other directions are
you aware of?

On 2/9/12, John Scott III <jms...@gmail.com> wrote:
> its always been hard to fund infrastructure used by everyone in a model
> where programs get funded to solve specific problems
>
> On Feb 9, 2012, at 12:31 PM, Mark Bohannon wrote:
>
>> My two cents ...
>>
>> When this initiative got under 10+ years ago, it was difficult to get
>> agency buy in. I haven't followed it closely since I left gov't, but
>> wonder if there has been any meaningful take up of this ... my sense is
>> that USG credentialing/authentication has moved in other directions ....
>> 'PKI' is not the framework anymore. The phrase 'develop a funding model
>> that would make it possible to recover the costs of operating the PKI
>> infrastructure' especially caught my attention.
>>
>> I'm wondering if this is a last gasp effort to sustain it .... just
>> speculation, of course.

John Scott III

Feb 15, 2012, 10:31:50 AM
to mil...@googlegroups.com
My comment was meant to highlight that groups I get called in to help always seem starved for funds for pieces of big infrastructure/foundational technology, whereas a number of the big IT/C4ISR programs build specific apps that don't often try to share infrastructure with the rest of that gov agency.

so big programs create/build to different tech standards

Mark Bohannon

Feb 15, 2012, 10:38:03 AM
to mil...@googlegroups.com
Further to James' post, I think we're talking apples and oranges.

As I read the GSA announcement, this is about the old PKI bridge certificate program -- not about individual agencies' implementation (see language, "which maintains links between federal agencies and public and private groups that issue PKI certificates, and systems that connect different government PKI systems.")   This was the initiative that, from the outset, seemed to have trouble getting agency buy-in.




*************************************************************
This is a Message from:

Mark Bohannon
Vice President, Corporate Affairs & Global Public Policy
Red Hat, Inc.
Desk:     202-220-3170
Mobile:  202-413-1365
ma...@redhat.com

**************************************************************

Congdon, Benjamin E CIV DISA CTO

Feb 15, 2012, 11:41:14 AM
to mil...@googlegroups.com
Classification: UNCLASSIFIED
Caveats: NONE

The federal bridge mentioned here?: http://iase.disa.mil/pki-pke/interoperability/index.html

Maybe they are just trying to aggregate the current fed/mil CAs. That wouldn't be a bad idea. I think my Apache httpd has about ~150 CAs in the CA trust store right now.

-ben


Harley Garrett

Feb 15, 2012, 12:07:46 PM
to mil...@googlegroups.com
Not to confuse the dialog but speaking about public keys......

At a cryptography conference to be held in August in Santa Barbara, Calif., researchers will present research in which they examined public databases of 7.1 million public keys used to secure e-mail messages, online banking transactions and other secure data exchanges.

Employing the Euclidean algorithm, an efficient way to find the greatest common divisor of two integers, they examined the public key numbers and discovered that a small percentage of those numbers were not truly random, making it possible to determine the underlying numbers, or secret keys, used to generate the public key.

They said they “stumbled upon” almost 27,000 different keys that offer no security. “Their secret keys are accessible to anyone who takes the trouble to redo our work”.

Here's the abstract:

Abstract
We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security. Our conclusion is that the validity of the assumption is questionable and that generating keys in the real world for multiple-secrets cryptosystems such as RSA is significantly riskier than for single-secret ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.

And the link to the study FYI

http://eprint.iacr.org/2012/064.pdf

Harley Garrett
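
The check the researchers describe, as an added worked example (not code from the paper or from anyone on this thread): a batch of RSA moduli is audited for shared prime factors with the Euclidean algorithm. The primes and key ids below are constructed stand-ins for a real key inventory (real moduli are 1024- or 2048-bit, and Python's math.gcd handles those without change). Two of the constructed keys share one prime and two are the same modulus, which are the two failure modes a key-inventory audit should flag.

```python
import math
from itertools import combinations

# Constructed sample primes: five-digit stand-ins for the ~1024-bit primes
# of real RSA keys. Only the arithmetic matters here, not the size.
P, Q, R, S, T, U, V = 10007, 10009, 10037, 10039, 10061, 10067, 10069

# Constructed "collected" moduli, keyed by a hypothetical certificate id.
# key-0 and key-2 share the prime P (the same random choice made twice at
# key generation); key-4 is exactly the same modulus as key-0.
SAMPLE_MODULI = {
    "key-0": P * Q,
    "key-1": R * S,
    "key-2": P * T,
    "key-3": U * V,
    "key-4": P * Q,
}


def audit_batch(moduli):
    """Pairwise gcd over a batch of RSA moduli.

    Returns a report with two findings:
      shared_factor: {key_id: (p, q)} for every modulus that shares a
                     prime with another modulus in the batch. gcd yields
                     one prime, division the other, so the private key
                     follows from public data alone.
      duplicate:     set of key ids whose modulus appears more than once
                     (the same key under different identities).
    A healthy batch has gcd == 1 for every pair and returns empty findings.
    """
    report = {"shared_factor": {}, "duplicate": set()}
    for (a, n_a), (b, n_b) in combinations(moduli.items(), 2):
        g = math.gcd(n_a, n_b)
        if g == 1:
            continue                      # coprime moduli: nothing to report
        if n_a == n_b:
            report["duplicate"].update((a, b))
            continue                      # identical key, not a shared factor
        # 1 < g < n here: g is a prime factor common to both moduli.
        for key_id, n in ((a, n_a), (b, n_b)):
            report["shared_factor"][key_id] = tuple(sorted((g, n // g)))
    return report


def weak_key_ids(moduli):
    """Sorted ids of every key the audit would refuse to trust."""
    report = audit_batch(moduli)
    return sorted(set(report["shared_factor"]) | report["duplicate"])


def weak_fraction(moduli):
    """Share of the batch that is weak, the same ratio the paper reports
    as 'two out of every one thousand' for its collected moduli."""
    return len(weak_key_ids(moduli)) / len(moduli)


if __name__ == "__main__":
    report = audit_batch(SAMPLE_MODULI)
    for key_id, (p, q) in report["shared_factor"].items():
        print(f"{key_id}: modulus factors as {p} * {q}")
    print("duplicate moduli:", sorted(report["duplicate"]))
    print(f"weak fraction of batch: {weak_fraction(SAMPLE_MODULI):.1%}")
```

Pairwise gcd is quadratic in the number of keys; at the scale of millions of moduli the standard approach is a batch gcd over a product tree, which this example does not implement. The point for an operator is that the check needs only public moduli, so a CA or key-inventory owner can run it against its own issued certificates and revoke and re-issue any key that shares a factor, then fix the random-number source that produced it.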

Andy Anderson

Feb 15, 2012, 12:29:53 PM
to mil...@googlegroups.com
And the related news article: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=1&hp=&pagewanted=all
Neutron

Feb 16, 2012, 1:29:47 AM
to mil...@googlegroups.com
OK .. I apologize.  All I know is that the CAC system is very expensive and is what I thought they might be outsourcing (of course I haven't read ANY of the articles and am completely speaking out of turn..)  The other thing I know is that a vast majority of DOD websites cause browsers to burp out warnings about their certs -- which is just a standard indicator of issues.....Beyond that - and the fact that I was born in Santa Barbara (well Goleta..) .. please disregard my comments as unqualified banter.

Neutron

On 02/15/2012 09:29 AM, Andy Anderson wrote:
And the related news article: http://www.nytimes.com/2012/02/15/technology/researchers-find-flaw-in-an-online-encryption-method.html?_r=1&hp=&pagewanted=all

Andy Anderson

Feb 16, 2012, 9:56:59 AM
to mil...@googlegroups.com
FYI, security expert Bruce Schneier chimed in on his blog today about this research:  http://www.schneier.com/blog/archives/2012/02/lousy_random_nu.html

Harley Garrett

Feb 16, 2012, 10:29:12 AM
to mil...@googlegroups.com
No apology necessary my friend and your comments are more important than mine. A respectful and healthy dialog is how society moves itself forward - gee, at least I hope it is. Your inputs are needed and you certainly are not unqualified. The CAC system reminds me of the TFX during McNamara's day. Became the F-111. A great example of the idea that if you throw enough money at a project, it may actually fly someday. In my view though, certs don't do much for ID and traditional authentication is barely ahead of Moore's law albeit NIST is doing a credible job bringing industry and government together to tackle cloud security. A better solution when it reaches maturity may be biometric enabled ID - for those who don't mind their retina and finger prints on file in a government database. My my, always trade-offs with new technology eh? But the fact is programs like CAC are competitively procured and usually are delivered with little, if any, Open Source code. Here I'm wide open since I really don't know if CAC uses OSS or not. May be GOTS but GOTS is far from having a corner on the cyber security market simply because it's also competitively versus collaboratively developed. Anyway, in my skewed opinion, the quality and cost to deploy and maintain all systems that depend on software are at least proportional to the % of Open Source code used in creating them if not 2x or 3x more reliable and secure. As a reluctant taxpayer I like that.

Harley Garrett


Jennings, Jared L CTR USAF AFMC 46 SK/CCI

Feb 16, 2012, 2:29:42 PM
to mil...@googlegroups.com
Quoth Harley Garrett:

> In my view though, certs don't do much for ID and traditional
> authentication is barely ahead of Moore's law albeit NIST is doing a
> credible job bringing industry and government together to tackle cloud
> security.

By "traditional authentication", do you mean passwords? We could be way
ahead of Moore's law with those <http://xkcd.com/936>, if "barely ahead"
were not mandated in the DoDI 8500.2 IA controls.

I think certs do a lot, inside the DoD, for the people and servers who
have them. This is because we spend a lot of money securing every part
of the certificate's lifecycle, including revocation. That money
translates almost directly into security guarantees. In the general
case, I can agree that certificates aren't that great, because not
everyone spends as much securing their CAs, so the level of trust is not
consistent, and interoperability is poor. Also, in the global context of
the Internet, certificate revocation doesn't work, as evidenced by
Google's recent decision to disable it by default in Chrome.

> A better solution when it reaches maturity may be biometric enabled
> ID - for those who don't mind their retina and finger prints on file
> in a government data base. My my, always trade-offs with new
> technology eh?

I can't see that it would ever be a better solution. You have to trust
the reader instead of the token, and the token is irrevocable and not
separable by function (I have three keys for different purposes, but
only one set of fingers).

> But the fact is programs like CAC are competitively procured
> and usually are delivered with little, if any, Open Source code.

I believe smartcards in general are delivered with little if any Open
Source code. The MUSCLE project exists, and I think it provides useful
code that runs on the card. But I'm not aware of any organization which
has deployed MUSCLE cards. On the management and enrollment side, I
think wide swaths of the Red Hat Certificate System are open-source, but
I'm not sure about the code that runs on the tokens themselves.

Harley Garrett

Feb 16, 2012, 5:01:47 PM
to mil...@googlegroups.com
Good observations Jared. I loved the xkcd site & agree re: 8500.2. I would offer however that tokens may be irrevocable but they can be stolen and fingers can't without a lot of duress. They can also be phished as RSA found out:

http://www.networkworld.com/news/2011/082611-was-this-the-e-mail-that-250136.html

For more on bio vs tokens Dave Kerns NWW offered this RSA Lessons Learned:

http://www.networkworld.com/newsletters/dir/2011/062011id1.html

I think the key (no pun intended) is that the level at which information needs to be secured depends on what the information to be secured is, and no technical solution can be 100% effective against the human factor. Tokens and biometrics are both good ID/authentication technologies but one size doesn't necessarily fit all apps.

In any case I see this area as fertile ground for OSS simply because individual firms have finite work forces and are motivated by profiting on their IP versus collaborative problem solving. Don't misunderstand me here though, I'm not anti-COTS or anti-GOTS, just think for really serious areas that affect everyone, the more people we have contributing to a solution the better the solution will be.

HFG


Jennings, Jared L CTR USAF AFMC 46 SK/CCI

Feb 17, 2012, 2:11:51 PM
to mil...@googlegroups.com
HFG:

> In any case I see this area as fertile ground for OSS

Not widely farmed, but fertile. Out in the industry it seems IT people
are going on about BYOD (bring your own device). What if you could BYOT
(bring your own token)?
