Skip to content
This repository has been archived by the owner on Apr 29, 2021. It is now read-only.

Agency Best Practices for Device Certificates #4

Closed
ajones13 opened this issue Jul 5, 2016 · 10 comments
Closed

Agency Best Practices for Device Certificates #4

ajones13 opened this issue Jul 5, 2016 · 10 comments
Labels
duplicate

Comments

@ajones13
Copy link

ajones13 commented Jul 5, 2016
edited
Loading

I am converting this document into a play.
https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNOEAA4&field=File__Body__s
@konklone
Copy link
Contributor

konklone commented Jul 5, 2016

I can't find the material in the linked PDF in this repository. Where are you drawing it from?

@konklone
Copy link
Contributor

konklone commented Jul 5, 2016

Also, some of it looks quite dated:

Which cryptographic algorithms and key sizes should I use to sign my device
certificates?

...

Where agencies issue one-year device certificates, the FPKIPA recommends generation
of digital signatures using RSA (1024 or 2048 bits) and the SHA-1 hash algorithm
through December 31, 2009. The FPKIPA recommends generation of digital signatures
using RSA (2048 bits) and the SHA-256 hash algorithm on one-year device certificates
issued on or after January 1, 2010.

@lachellel
Copy link
Member

it's not in the repo - @ajones13 wants to add it to the repo somewhere...specific to fpki

so we can remove the PDF documents entirely

It's definitely dated which is why we're trying to "clean house"! 👍

@konklone
Copy link
Contributor

konklone commented Jul 5, 2016

Ah okay, I misread the intent -- I thought @ajones13 was saying they'd made a PDF version of this repository. Apologies for the distraction.

@lachellel
Copy link
Member

#19 duplicate

djpackham pushed a commit that referenced this issue Nov 28, 2016
@Protiviti-JSargent
Merge pull request #4 from GSA/staging
b39da81 
syncing private repo with updates to GSA FPKI main
djpackham pushed a commit that referenced this issue Dec 27, 2016
@dasgituser
Merge pull request #4 from GSA/staging
fd048e0 
Synch With GSA
@weirdscience
Copy link
Contributor

Should this issue be closed?

If USG is establishing a public NPE root, best practices would be for internally operated CAs. Is there a playbook that can be published?

@konklone
Copy link
Contributor

If USG is establishing a public NPE root, best practices would be for internally operated CAs.

I wouldn't say that, since I don't expect the USG root to be mandated or used universally. And even for those who do use a new NPE root, how they choose to obtain those certificates (automated vs manual) is of some relevance.

I've tried to include some guidance here: https://https.cio.gov/certificates/ Though it touches on some topics beyond best practices for device certificates.

@lachellel
Copy link
Member

There are two different use cases:

  • Public Trust SSL
  • Network (intranet) devices which include many more endpoints and non-http protocols and devices

So you're right eric - we should link to the https.cio.gov site for the web pki best practices as this also includes configuration best practices. For internal only locally trusted CAs, the only playbook we've put together is reusing one from DHS (that I send out / not posted) and a very short writeup for setting up a CA for domain controller certs (network auth).

@weirdscience
Copy link
Contributor

Do we need an NPE guide?

PIV Guide Scope - Everything needed to setup and use PIV logically.

FPKI Guide Scope - Everything that happens above PIV and software certs(?)

New Device Guide Scope(?) - Everything devices(?). This might just be a pointer to the M-15-13 guidance, NIST 800-52, and maybe NCCOE TLS project.

@weirdscience
Copy link
Contributor

I'll transfer comments to #19 and close this issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@konklone @lachellel @weirdscience @ajones13