Department Of Defense Public Key Infrastructure

Transcription

UNCLASSIFIED

Department of Defense
Public Key Infrastructure

DoD Approved External PKIs
Master Document

Version 6.3
March 5, 2018

Prepared for:
DoD PKI Program Management Office
9800 Savage Road
Suite 6718
Fort George G. Meade, MD 20755-6718

Prepared by:
Booz Allen Hamilton
8283 Greensboro Drive
McLean, Virginia 22102

Revision Page

Change Description

Release 1.0
Updated Treasury and ORC SSP sections, updated Department of State assurance level section, incorporated text comments, added additional VeriSign ECA CA, and added VeriSign NFI and ActivIdentity, Inc. NFI as DoD approved PKIs.
Added Citi NFI PKI and new DOD CAs 27-30 and DOD EMAIL CAs 27-30.
Added Entrust NFI PKI as a DoD Approved External PKI
Added Verizon Business NFI PKI as a DoD Approved External PKI
Removed expired DoD [EMAIL] CAs 11, 12, 14
Added ORC NFI PKI as a DoD Approved External PKI
Removed expired DoD [EMAIL] CA 13
Removed expired Treasury Root CA and 3 Issuing CAs (OCIO, Fiscal, Treasury Public)
Added new SHA-256 Dept. of State CA and updated Assurance Level information
Added Boeing PKI as a DoD Approved External PKI
Removed expired DoD [EMAIL] CA 15-18 and expired Entrust SSP SHA-1 chains
Removed ActivIdentity NFI PKI as a DoD Approved External PKI
Updated VeriSign NFI SHA-256 chain with US Senate and Millennium PIV-I CAs
Added content for DoD [EMAIL] CA 31-32 and NPE CA 1-2
Updated VeriSign NFI PKI SHA-256 chain with Booz Allen and CSC SHA-256 PIV-I CAs
Replaced expired Exostar FIS Certificate Authority
Added Netherlands Ministry of Defence PKI as a DoD Approved External PKI
Added Australian Defence Organisation (ADO) PKI as a DoD Approved External PKI
Added content for DoD CCEB Interoperability Root CA 1
Removed Citi NFI PKI as a DoD Approved External PKI
Added content for Exostar FIS Signing CA 2 Issuing CA
Renamed VeriSign NFI and SSP to Symantec NFI and SSP
Updated Symantec NFI PKI SHA-256 chain with Eid Passport – RAPIDGate PIV-I CA
Added content for HHS Intermediate CA under Entrust SSP
Added content for Veterans Affairs Issuing CA under Treasury SSP
Removed expired Treasury OCIO Issuing CA
Removed expired SHA-1 content from ORC SSP and Symantec NFI/SSP PKIs.
Added content for IdenTrust ECA 4
Added content for Symantec Client ECA – G4
Added new Federal PKI Policy OID: id-fpki-common-piv-contentSigning
Removed expired CAs: DoD [EMAIL] CA 19-20 and IdenTrust ECA 2.
Updated CCEB IRCA 1 ADOCA03 cross certificate
Added content for additional Raytheon SHA-1 trust chain
Added content for ORC ECA HW 5, ORC ECA SW 5, and ADOCA016
Removed expired content for ORC ECA HW 3 and ORC ECA SW 3

Revision Page (continued)

Added Exostar SHA-256 PKI as a DoD Approved External PKI
Removed expired content for VeriSign Client ECA – G2
Removed FPKI SHA-1 Authentication and CardAuth OIDs
Removed SHA-1 OIDs from Symantec NFI and SSP, and Verizon Business SSP
Added Cassidian NFI PKI as a DoD Approved External PKI
Removed Exostar SHA-1 PKI as a DoD Approved External PKI
Replaced ORC Root 2 with the Federal Common Policy CA (FCPCA) as trust anchor for ORC SSP
Removed ORC SSP Inherited Policies from ORC Root 2
Added Eid Passport – RAPIDGate Premier Issuing CA (Symantec NFI)
Removed expired CAs: DoD [EMAIL] CA 21-24 and ADOCA014
Added content for DoD Root CA 3 and ECA Root CA 4
Added Northrop Grumman SHA-256 PKI as DoD Approved External PKI
Added content for NRC Issuing CA (Symantec SSP)
Added new FPKI OIDs: id-fpki-common-pivAuth-derived and id-fpki-common-pivAuth-derived-hardware
Removed expired Raytheon trust chain
Added content for re-keyed Treasury issuing CAs (DHS, NASA, OCIO, SSA)
Added content for Raytheon SHA-256 PKI
Added content for DoD [ID SW] [EMAIL] CAs 33-38 and ORC ECA 6.
Removed content for Cassidian/Airbus (decommissioned)
Added content for DoD [ID] [EMAIL] CAs 39-44
Added content for Carillon Federal Services PKI
Removed expired content for DoD [EMAIL] CA 25-26
Added content for re-keyed Entrust SSP PKI chain
Added content for DoD ID SW CAs 45-46 and IdenTrust NFI (IdenTrust Root and Booz Allen PIV-I CAs)
Added content for DoD Root CA 4, DoD ID SW CAs 47-48, and IdenTrust ECA 5. Updated Lockheed Martin Assurance Level section.
Added content for Lockheed Martin SHA-256, CSRA (Symantec NFI), Treasury Fiscal Service Issuing CA (re-keyed), IdenTrust ECA S21, and ORC NFI 3. Removed expired Treasury Fiscal Service Issuing CA. Added TSCP SHA-256 Assurance Levels.
Added content for DoD Root CA 5, IdenTrust ECA Component S21 and CSRA Device CA. Updated ORC NFI PKI assurance levels.
Added content for DoD CAs 49-58, DoD CCEB Interoperability Root CA 2, Boeing SecureBadge Medium-G2, and Carillon Federal Services PIV-I CA 2. Updated ADOCA03 ADOCA016 cross cert. Removed DoD Intermediate CA 1-2 (decommissioned) and NASA Operational CA (serial 0x443EA7E9) (expired)
Added SureID Issuing CA (Symantec NFI). Updated CCEB Interoperability Root CA 1 ADOCA03 cross certificate. Removed expired IdenTrust ECA 3, NASA Operational CA (serial 0x45F94AB5), and SSA Issuing CA (serial 0x45F94AA3)

Revision Page (continued)

Date: 03/05/2018, Version: 6.3
Updated content for Lockheed Martin SHA-256 (CertiPath Bridge). Added content for ADO SHA-256 PKI. Removed expired DoD [EMAIL] CA 27-30, ORC ECA HW4, ORC ECA SW4, Verisign ECA-G3, Lockheed Martin SHA-1, Millennium Challenge Corp, ICF International, DHS CA-4, Dept. of Transportation G3, Naval Reactors G2, and HHS SSP CA B7. Removed Symantec ECA G4 (no longer an approved ECA vendor)

Table of Contents

1.0 Introduction ... 1
2.0 DoD PKI External Interoperability Landscape ... 2
3.0 DoD PKI Trust Chains ... 3
3.1 DoD Trust Anchors ... 3
3.1.1 DoD Root CA 2 ... 3
3.1.2 DoD Root CA 3 ... 3
3.1.3 DoD Root CA 4 ... 3
3.1.4 DoD Root CA 5 ... 4
3.1.5 DoD Interoperability Root CA 1 ... 4
3.1.6 DoD Interoperability Root CA 2 ... 4
3.1.7 DoD CCEB Interoperability Root CA 1 ... 4
3.1.8 DoD CCEB Interoperability Root CA 2 ... 5
3.2 DoD Subordinate/Issuing CAs ... 5
3.2.1 DoD RSA2048/SHA-1 Subordinate CAs ... 5
3.2.2 DoD RSA2048/SHA-256 Subordinate CAs ... 8
3.2.3 DoD ECC p256/SHA-256 Subordinate CAs ... 11
3.2.4 DoD ECC p384/SHA-384 Subordinate CAs ... 12
4.0 ECA PKI Trust Chains ... 13
4.1 ECA Trust Anchors ... 13
4.1.1 ECA Root CA 2 ... 13
4.1.2 ECA Root CA 4 ... 13
4.2 ECA Subordinate/Issuing CAs ... 13
4.2.1 ECA SHA-1 Subordinate CAs ... 14
4.2.2 ECA SHA-256 Subordinate CAs ... 15
5.0 DoD Approved External PKI Trust Chains ... 16
5.1 DoD Approved External PKI Summary ... 16
5.2 Federal Agencies (Category I PKIs) ... 18
5.2.1 Entrust SSP PKI (GSA MSO) ... 18
5.2.2 ORC SSP PKI ... 19
5.2.3 Department of State PKI ... 20
5.2.4 U.S. Treasury SSP PKI ... 20
5.2.5 Symantec SSP PKI (formerly VeriSign SSP PKI) ... 23
5.2.6 Verizon Business SSP PKI ... 24
5.3 Industry Partners (Category II PKIs) ... 25
5.3.1 Boeing PKI ... 25
5.3.2 Carillon Federal Services PKI ... 26
5.3.3 Entrust Managed Services NFI PKI ... 27
5.3.4 Exostar, LLC. ... 27
5.3.5 IdenTrust NFI PKI ... 28
5.3.6 Lockheed Martin ... 28
5.3.7 Netherlands Ministry of Defence PKI ... 29
5.3.8 Northrop Grumman ... 30
5.3.9 ORC NFI PKI ... 31
5.3.10 Raytheon ... 32
5.3.11 Symantec NFI PKI (formerly VeriSign NFI PKI) ... 32
5.3.12 Verizon Business NFI PKI ... 35
5.4 Foreign, Allied, or Coalition Partner PKIs or other PKIs (Category III PKIs) ... 35
5.4.1 Australian Defence Organisation (ADO) PKI ... 36
6.0 Assurance Levels ... 39
6.1 DoD Assurance Levels ... 40
6.2 ECA PKI Assurance Levels ... 40
6.3 Federal PKI (FPKI) Assurance Levels ... 41
6.3.1 SHA-1 Federal PKI Assurance ... 41
6.3.2 Federal PKI Assurance Levels ... 41
6.4 Entrust SSP PKI Assurance Levels ... 42
6.5 ORC SSP PKI Assurance Levels ... 42
6.5.1 ORC SSP PKI Asserted Policies ... 42
6.6 Department of State PKI Assurance Levels ... 43
6.7 U.S. Treasury SSP PKI Assurance Levels ... 43
6.8 Symantec SSP PKI Assurance Levels ... 44
6.8.1 Symantec SSP PKI Asserted Policies ... 44
6.8.2 Symantec SSP PKI Inherited Policies ... 44
6.9 Verizon Business SSP PKI Assurance Levels ... 45
6.9.1 Verizon Business SSP PKI Asserted Policies ... 45
6.9.2 Verizon Business SSP PKI Inherited Policies ... 45
6.10 Boeing PKI Assurance Levels ... 46
6.11 Carillon Federal Services PKI Assurance Levels ... 46
6.12 CertiPath Bridge Assurance Levels ... 47
6.13 Entrust Managed Services NFI PKI Assurance Levels ... 47
6.14 Exostar Assurance Levels ... 48
6.15 IdenTrust NFI PKI Assurance Levels ... 48
6.16 Lockheed Martin Assurance Levels ... 49
6.17 Netherlands Ministry of Defence PKI Assurance Levels ... 49
6.18 Northrop Grumman PKI Assurance Levels ... 49
6.19 ORC NFI PKI Assurance Levels ... 50
6.20 Raytheon PKI Assurance Levels ... 50
6.21 Symantec NFI PKI Assurance Levels ... 51
6.22 TSCP SHA-256 Bridge Assurance Levels ... 51
6.23 Verizon Business NFI PKI Assurance Levels ... 52
6.24 Australian Defence Organisation (ADO) PKI Assurance Levels ... 52
Glossary of Terms ... 53

1.0 Introduction

This document provides Certification Authority (CA) certificate trust chain and assurance level information for all Department of Defense (DoD) approved Public Key Infrastructures (PKIs). The DoD Chief Information Officer (CIO) is the governing authority for DoD approved external PKIs. Prior to 2008, the only DoD approved external PKI was the DoD-managed External Certification Authority (ECA) program PKI. On May 24, 2011, DoD CIO released Department of Defense Instruction (DoDI) 8520.02, authorizing PKI interoperability with DoD approved external PKIs. The DoD External Interoperability Plan describes the criteria and process for DoD approved external PKIs and is available on the DoD authoritative external Interoperability Pages/index.aspx. DoD approved PKIs must conform to all criteria stated in the DoD External Interoperability Plan, including cross certification with the Federal PKI (FPKI) at Federal Bridge Certification Authority (FBCA) medium hardware assurance level or higher and successful completion of Joint Interoperability Test Command (JITC) testing [1]. DoD organizations that wish to interoperate with DoD approved external PKIs must comply with DoD Instruction 8520.02 [2]. DoD relying parties may interoperate using cross-certificate trust or direct trust. If interoperating using direct trust, DoD relying parties must ensure that they are only accepting PKI credentials that meet the FBCA medium hardware assurance level restriction [3]. In addition to PKI authentication and validation, administrators should ensure that DoD information systems are performing access control [4].

[1] The DoD Partner PKI Interoperability test plan is located on the external interoperability site at /index.aspx
[2] DoDI 8520.02 is available ssuances/dodi/858002 2015 dodi.pdf
[3] For more information on Assurance Levels, see Section 6.
[4] DoD CIO Memorandum, "Compliance and Review of Logical Access Control in Department of Defense (DoD) Processes", is available at
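The distinction the introduction draws between cross-certificate trust and direct trust comes down to where the assurance-level restriction is enforced. Under cross-certificate trust, the cross certificates issued from the DoD root carry certificatePolicies and policyMappings extensions, so RFC 5280 policy processing only ever yields a DoD policy for a partner credential whose own policy was mapped from medium hardware or higher. Under direct trust, the partner root is installed as a trust anchor, no cross certificate is in the path, and the relying party itself must list which partner policy OIDs it accepts. The following is an added example (not code from the DoD document or the DoD PKI PMO) that implements the intersection-and-mapping core of RFC 5280 policy processing over constructed certificate records; the CA names other than "DoD Interoperability Root CA 1" and every policy OID except anyPolicy are placeholders, not the real DoD, FBCA or partner identifiers.

```python
"""Simplified RFC 5280 certificate-policy processing for cross-certificate
trust versus direct trust.  Added example; all policy OIDs except anyPolicy
and all CA names except "DoD Interoperability Root CA 1" are constructed."""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy, the only real OID used here

# Constructed placeholder policy OIDs (NOT the real DoD/FBCA/partner OIDs).
DOD_MEDIUM_HW = "1.3.6.1.4.1.99999.1.9"
FBCA_MEDIUM_HW = "1.3.6.1.4.1.99999.2.12"
FBCA_MEDIUM_SW = "1.3.6.1.4.1.99999.2.2"
PARTNER_MEDIUM_HW = "1.3.6.1.4.1.99999.3.1"
PARTNER_MEDIUM_SW = "1.3.6.1.4.1.99999.3.2"


@dataclass
class Cert:
    """Only the fields policy processing needs; signature, validity and
    revocation checks are assumed to have been done already."""
    subject: str
    issuer: str
    policies: frozenset                        # certificatePolicies
    mappings: dict = field(default_factory=dict)  # issuerDomain -> subjectDomain


def valid_policies(path, anchor):
    """Walk `path` (first cert issued by `anchor`, last cert the end entity) and
    return the anchor-domain policy OIDs the end-entity cert is valid under.
    Each cert's certificatePolicies is intersected with the set carried so
    far (anyPolicy matches everything); its policyMappings then rewrite the
    carried OIDs into the terms the next cert is expected to assert.
    Pairs (anchor_oid, current_oid) keep the result in anchor-domain terms."""
    carried = None        # None: no policy constraint imposed yet
    issuer = anchor
    for cert in path:
        if cert.issuer != issuer:
            raise ValueError(f"{cert.subject!r} is not issued by {issuer!r}")
        issuer = cert.subject
        if ANY_POLICY not in cert.policies:
            if carried is None:
                carried = {(p, p) for p in cert.policies}
            else:
                carried = {(a, c) for (a, c) in carried if c in cert.policies}
        if carried is not None:
            carried = {(a, cert.mappings.get(c, c)) for (a, c) in carried}
    return set() if carried is None else {a for (a, _) in carried}


def accept(path, anchor, required):
    """Relying-party decision: the end entity must be valid under at least one
    policy the relying party has decided meets its assurance floor."""
    return bool(valid_policies(path, anchor) & set(required))


# Constructed certificate records for a partner PKI cross-certified with the
# Federal Bridge at medium hardware and medium software.
INTEROP_ROOT = "DoD Interoperability Root CA 1"   # name from the document's CA list
FBCA = "Federal Bridge CA (placeholder)"
PARTNER_ROOT = "Partner Root CA (placeholder)"
PARTNER_ISSUING = "Partner Issuing CA (placeholder)"

CROSS_CERT_TO_FBCA = Cert(FBCA, INTEROP_ROOT, frozenset({DOD_MEDIUM_HW}),
                          {DOD_MEDIUM_HW: FBCA_MEDIUM_HW})
CROSS_CERT_TO_PARTNER = Cert(PARTNER_ROOT, FBCA,
                             frozenset({FBCA_MEDIUM_HW, FBCA_MEDIUM_SW}),
                             {FBCA_MEDIUM_HW: PARTNER_MEDIUM_HW,
                              FBCA_MEDIUM_SW: PARTNER_MEDIUM_SW})
PARTNER_ISSUING_CERT = Cert(PARTNER_ISSUING, PARTNER_ROOT, frozenset({ANY_POLICY}))
HW_TOKEN_USER = Cert("alice (smart card)", PARTNER_ISSUING, frozenset({PARTNER_MEDIUM_HW}))
SW_TOKEN_USER = Cert("bob (software key)", PARTNER_ISSUING, frozenset({PARTNER_MEDIUM_SW}))


def evaluate():
    """Run both trust models over both users; returns {scenario: accepted}."""
    results = {}
    for label, ee in (("hw", HW_TOKEN_USER), ("sw", SW_TOKEN_USER)):
        # Cross-certificate trust: the DoD root only maps DOD_MEDIUM_HW, so the
        # restriction is enforced by the path itself.
        cross = [CROSS_CERT_TO_FBCA, CROSS_CERT_TO_PARTNER, PARTNER_ISSUING_CERT, ee]
        results[f"cross/{label}"] = accept(cross, INTEROP_ROOT, {DOD_MEDIUM_HW})
        # Direct trust: no cross certificate is in the path, so the relying
        # party must itself name the partner OIDs that meet its floor ...
        direct = [PARTNER_ISSUING_CERT, ee]
        results[f"direct/{label}"] = accept(direct, PARTNER_ROOT, {PARTNER_MEDIUM_HW})
        # ... and a deployment that accepts every partner policy lets the
        # software-token credential through.
        results[f"direct-unrestricted/{label}"] = accept(
            direct, PARTNER_ROOT, {PARTNER_MEDIUM_HW, PARTNER_MEDIUM_SW})
    return results


if __name__ == "__main__":
    for scenario, ok in evaluate().items():
        print(f"{scenario:24s} {'ACCEPT' if ok else 'REJECT'}")
```

The `direct-unrestricted` rows are the failure mode the introduction warns about: once a partner root is a trust anchor, nothing in the path stops a medium-software credential from validating, so the policy filter has to live in the relying party's configuration.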

2.0 DoD PKI External Interoperability Landscape

The following diagram provides an overview of the Federal PKI Interoperability Landscape and illustrates the cross-certificate trust relations
