IdenTrust operates an issuing CA for the US Federal Government - General 
Services Administration - Access Certificates for Electronic Services Program 
(ACES). It is a government sponsored PKI program separate from the Non-Federal 
issuer programs under the Federal Bridge.

ACES certificates are can be used for identity (people signature and 
authentication) or devices (server authentication). The individual ACES vendors 
write their own CPS and the IdenTrust CPS meets CAB Forum BR and through a 
WebTrust for SSL audit ( 
IdenTrust operates their ACES issuing CA with a path to both the Federal Common 
Policy CA and an IdenTrust public root. Since the issuing CA is certified with 
the Federal PKI and not the root, there is no path to the IdenTrust public root 
 from the rest of the Federal PKI.

I think this and DigiCert are the only two examples of a PKI hierarchy with the 
Federal PKI that do not allow Federal PKI certificates to validate to the 
public root of the company. This testing was outlined in the FPKI SSL testing 
on github.

>From a user experience perspective, companies (and government agencies) should 
>use SSL certificates that fit their requirements. Trying to explain how to use 
>PKI is hard enough so having a statement that says "Don't use this PKI except 
>where and when in this configuration" just adds to the confusion. I'd say that 
>statement fit the needs of the overall federal government effort in ensuring 
>federal websites used SSL certificates which offered a consistent user 

@Peter -  But the policy mapping between these different use cases is perhaps 
overly complex and certainly not user friendly. "
- Do you mean the policy mapping used by ACES and the Federal PKI?

This specific IdenTrust CA does not have a cross-certificate back to the 
Federal PKI. It has two distinct validation paths to two different roots; 
Federal Common Policy and the IdenTrust Public Root. Only IdenTrust issued ACES 
Federal PKI certificates can validate with Mozilla.
NOTICE: Protiviti is a global consulting and internal audit firm composed of 
experts specializing in risk and advisory services. Protiviti is not licensed 
or registered as a public accounting firm and does not issue opinions on 
financial statements or offer attestation services. This electronic mail 
message is intended exclusively for the individual or entity to which it is 
addressed. This message, together with any attachment, may contain confidential 
and privileged information. Any views, opinions or conclusions expressed in 
this message are those of the individual sender and do not necessarily reflect 
the views of Protiviti Inc. or its affiliates. Any unauthorized review, use, 
printing, copying, retention, disclosure or distribution is strictly 
prohibited. If you have received this message in error, please immediately 
advise the sender by reply email message to the sender and delete all copies of 
this message. Thank you.
dev-security-policy mailing list

Reply via email to