Overview

Secure information sharing between the Department of Defense (DoD) and its external partners requires Public Key Infrastructure (PKI) interoperability. Like the DoD, many Federal Agencies and DoD partners have implemented a PKI to secure their applications and networks. In the past, these external PKIs were designed to operate independently. Internal policies, technical challenges and vendor selection have all contributed to these different identity management and information protection solutions.

HSPD-12, FIPS-201, and the Federal Bridge Certificate Authority (FBCA) have been implemented to synchronize identity management and information protection across the federal government. These initiatives aid the federal government and private industry in building PKI based solutions that interoperate moving forward.

As deployed PKIs transition to full compliance, the need to share information cannot wait. Legacy PKIs in the near term will have to interoperate with PKIs that fall in line with the FBCA. The DoD is currently evaluating these external PKIs for implementation on DoD systems. Per DoD CIO Memo, SUBJECT: Approval of External Public Key Infrastructures, the DoD PKI Program Management Office (PMO), the DoD Public Key Enabling (PKE) Team and the DoD External Interoperability Working Group will be responsible for interoperability testing and approval.

Procedure

DoD External Interoperability Plan, version 1.0 specifies the process by which an external PKI can be approved to interoperate with the DoD PKI. The process differs according to the classification of the external PKI:

• Category I - U.S. Federal Agency PKIs.



• Category II - Non-Federal Agency PKIs cross-certified with the FBCA or PKIs from other PKI Bridges that are cross-certified with the FBCA.



• Category III - Foreign, Allied, or Coalition Partner PKIs or other PKIs.

The interoperability testing phase of this process is conducted by the Joint Interoperability Test Command PKE Lab according to the DoD PKI Interoperability Test Plan, verison 2.0. Two key trust models are tested:

• Direct Trust Model - The DoD PKE test application will be required to trust the root certificate of the target PKI and have access to its revocation information in order to determine the validity of the target PKI's certificates.



• Cross Certificate Trust Model - The DoD PKI and the target PKI will each issue a certificate to a Certification Authority (CA) in the other PKI, or a third party CA trusted by both, creating a cross-certificate pair or pairs providing bi-directional trust. Trust can also be one-way if only one CA signs a certificate for the other CA.

External PKI Testing Status

The following table contains information on external PKIs that have completed interoperability testing with the DoD PKI.

More detailed information can be found at http://iase.disa.mil/pki-pke/interoperability/index.html.