Public Key Infrastructure Home / CAC Lab / GDS Lab / PKE Lab / PKI Lab /
DoD PKI CCEB/Partner Interoperability Testing
Acronyms / Frequently Asked Questions / Online Resources / POCs / Request for Information / Terms and Definitions
Secure information sharing between the Department of Defense (DoD) and its external partners requires Public Key Infrastructure (PKI) interoperability. Like the DoD, many Federal Agencies and DoD partners have implemented a PKI to secure their applications and networks. In the past, these external PKIs were designed to operate independently. Internal policies, technical challenges and vendor selection have all contributed to these different identity management and information protection solutions.
HSPD-12, FIPS-201, and the Federal Bridge Certificate Authority (FBCA) have been implemented to synchronize identity management and information protection across the federal government. These initiatives aid the federal government and private industry in building PKI based solutions that interoperate moving forward.
As deployed PKIs transition to full compliance, the need to share information cannot wait. Legacy PKIs in the near term will have to interoperate with PKIs that fall in line with the FBCA. The DoD is currently evaluating these external PKIs for implementation on DoD systems. Per DoD CIO Memo, SUBJECT: Approval of External Public Key Infrastructures, the DoD PKI Program Management Office (PMO), the DoD Public Key Enabling (PKE) Team and the DoD External Interoperability Working Group will be responsible for interoperability testing and approval.
DoD External Interoperability Plan, version 1.0 specifies the process by which an external PKI can be approved to interoperate with the DoD PKI. The process differs according to the classification of the external PKI:
- DoD Sponsored - Department of Defense (DoD) Sponsored External Certificate Authorities (ECAs) approved by the DoD to issue certificates to the relying parties.
- Category I - U.S. Federal Agency PKIs.
- Category II - Non-Federal Agency PKIs cross-certified with the FBCA or PKIs from other PKI Bridges that are cross-certified with the FBCA.
- Category III - Foreign, Allied, or Coalition Partner PKIs or other PKIs.
The interoperability testing phase of this process is conducted by the Joint Interoperability Test Command PKE Lab according to the DoD PKI Interoperability Test Plan, verison 2.0. Two key trust models are tested:
- Direct Trust Model - The DoD PKE test application will be required to trust the root certificate of the target PKI and have access to its revocation information in order to determine the validity of the target PKI's certificates.
- Cross Certificate Trust Model - The DoD PKI and the target PKI will each issue a certificate to a Certification Authority (CA) in the other PKI, or a third party CA trusted by both, creating a cross-certificate pair or pairs providing bi-directional trust. Trust can also be one-way if only one CA signs a certificate for the other CA.
External PKI Testing Status
The following table contains information on external PKIs that have completed interoperability testing with the DoD PKI.
More detailed information can be found at http://iase.disa.mil/pki-pke/interoperability/index.html.
|Not Tested||Test In Progress||Test Complete||Not Interoperable||Interoperable|
|This trust model was not tested.||Testing is in progress.||Testing is complete.||
External PKI is non-interoperable|
using this trust model.
External PKI is interoperable|
using this trust model.
|External PKI||PKI Category||Federal Bridge Relationship||Date Certified||Direct Trust Model||Cross Certified Trust Model|
|ActivIdentity PIV-I Service||Category II||CertiPath Bridge Member||08/2011||Not Tested||Interoperable||Not Tested||Not Tested|
|Australian Defence Organisation (ADO) NIPRNet||Category III||Member through CCEB||03/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Australian Defence Organisation (ADO) SIPRNet||Category III||Memeber through CCEB||06/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Boeing Medium Assurance Domain||Category II||CertiPath Bridge Member||07/2013||Interoperable||Not Tested||Not Tested||Interoperable|
|Booz Allen Hamilton Inc.||Category II||Member through Symantec NFI||12/2012||Interoperable||Interoperable||Interoperable||Not Tested|
|Canada Department of National Defence (DND) SIPRNet||Category III||Member through CCEB||11/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Cassidian Communications||Category II||CertiPath Bridge Member||06/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|Citi Managed Identity Services||Category II||CertiPath Bridge Member||07/2011||Not Tested||Interoperable||Not Tested||Not Tested|
|Computer Sciences Corp||Category II||Member through Symantec NFI||01/2013||Not Tested||Interoperable||Not Tested||Interoperable|
|Department of Energy||Category I||Member through Entrust SSP||02/2010||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Homeland Security||Category I||Member through U.S. Treasury SSP||03/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Justice||Category I||Member through Entrust SSP||09/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of State||Category I||Federal Bridge Member||06/2011||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Transportation||Category I||Member through Symantec SSP||11/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Treasury||Category I||Federal Bridge Member||12/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Department of Veterans Affairs||Category I||Federal Bridge Member||10/2011||Not Tested||Interoperable||Not Tested||Not Tested|
|Eid Passport, Inc.||Category II||Member through Symantec NFI||10/2013||Interoperable||Interoperable||Interoperable||Interoperable|
|Environmental Protection Agency||Category I||Member through ORC SSP||12/2008||Interoperable||Interoperable||Not Tested||Not Tested|
|Exostar SHA-256||Category II||Federal Bridge Member||04/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|Exostar SHA-1 (Issuing CA 2)||Category II||Certipath Bridge Member||06/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Federal Aviation Administration||Category I||Member through Symantec SSP||05/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|General Services Administration Managed Service Office||Category I||Member through Entrust SSP||05/2011||Interoperable||Interoperable||Not Tested||Not Tested|
|Human Health Services||Category I||Member through Entrust SSP||11/2013||Not Tested||Interoperable||Not Tested||Interoperable|
|Lockheed Martin||Category II||Certipath Bridge Member||07/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|IdenTrust ECA||DoD Sponsored||Member through DoD||Pending||Testing is in Progress||Not Tested||Testing is in Progress||Not Tested|
|National Aeronautics and Space Administration||Category I||Member through U.S. Treasury SSP||03/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|National Institute of Standards and Technology||Category I||Member through Entrust SSP||02/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|Northrop Grumman Corporation||Category II||Certipath Bridge Member||06/2013||Interoperable||Not Tested||Interoperable||Not Tested|
|Operational Research Consultants ECA||DoD Sponsored||Member through DoD||06/2014||Interoperable||Not Tested||Interoperable||Not Tested|
|Operational Research Consultants Non-Federal Issuer||Category II||Federal Bridge Member||03/2012||Not Tested||Interoperable||Not Tested||Not Tested|
|Operational Research Consultants Shared Services Provider (SSP) 3||Category I||Federal Bridge Membership||07/2014||Not Tested||Interoperable||Not Tested||Interoperable|
|Operational Research Consultants Shared Services Provider (SSP) 4||Category I||Federal Bridge Membership||Pending||Not Tested||Testing is in Progress||Not Tested||Testing is in Progress|
|Raytheon||Category II||Certipath Bridge Member||04/2014||Interoperable||Not Tested||Interoperable||Not Tested|
|Social Security Administration||Category I||Member through U.S. Treasury SSP||01/2009||Interoperable||Interoperable||Not Tested||Not Tested|
|Symantec ECA||DoD Sponsored||Member through DoD||Pending||Testing is in Progress||Not Tested||Testing is in Progress||Not Tested|
|Verizon Non-Federal Issuer||Category II||Federal Bridge Member||07/2011||Not Tested||Interoperable||Not Tested||Not Tested|