CA's included that do not support PIV/CAC/PIV-I

[grandamp]

Looking at the config, there are some CA's included that do not support PIV/CAC/PIV-I:

i.e., All CA's with this Subject and Issuer:

Subject: /C=US/O=U.S. Government/OU=Department of the Treasury/OU=Fiscal Service
Issuer: /C=US/O=U.S. Government/OU=Department of the Treasury/OU=Certification Authorities/OU=US Treasury Root CA

Suggest removing the following CA certificates:

Fiscal Service CA #1

Fiscal Service CA #2

Fiscal Service CA #3

Fiscal Service CA #4

[grandamp]

I wanted to add some more info after looking through the CA certificates that are in the config:

• https://github.com/18F/identity-pki/tree/master/config/certs

The config directory appears to contain a lot of certificates that are part of the Federal PKI. Within the FPKI Playbook there is an open issue to maintain a list of certificates (and CRLs, OCSP, AIA/SIA, etc):

• Pairing of certificates with the URIs for OCSP,CDP, and AIA GSA/fpki-guides#68

I've been working on the same thing, to provide an open source method of tracking certificates (and associated metadata) for the Production Federal PKI, as well as the CITE environment:

• https://github.com/grandamp/api.fpki.io/blob/master/README.md
• https://apidoc.fpki.io/

I.e.,

For all PEM CA certs that are part of production FPKI:

curl -X GET "https://api.fpki.io/v1/caPathAsPEM" -H "accept: text/plain"

For all PEM CA certs that are part of CITE:

curl -X GET "https://apicite.fpki.io/v1/caPathAsPEM" -H "accept: text/plain"

[jgsmith-usds]

Thanks for the feedback! I'm comfortable with the team removing the certs that you identified as not being used to issue PIV certs.

There's an item in the roadmap/backlog to restrict allowed certificates to containing certain policy OIDs. This will help in situations where a particular issuing cert is used for more than PIV/CAC certs.

The general approach I'd feel comfortable with once the policy OID restrictions are added is to keep certificates when in doubt, but be free to remove them if an authority from the component issuing the certificate says that the certificate is not used for PIV/CAC certs.

[grandamp]

Howdy! Will Fiscal CA 3 and 4 be removed soon?

Also, any luck on processing LOA via policy object identifiers?

[grandamp]

The Senate PIV-I issuing CA appears to not have any corresponding certificate policies that this implementation is willing to accept.

Certificate

• https://github.com/18F/identity-pki/blob/main/config/certs/C%3DUS%2C%20O%3DU.S.%20Government%2C%20OU%3DU.S.%20Senate%2C%20OU%3DOffice%20of%20the%20Sergeant%20at%20Arms%2C%20CN%3DSenate%20PIV-I%20CA%20G4.pem

Policies asserted

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3.1.6
                Policy: 2.16.840.1.113733.1.7.23.3.1.7
                Policy: 2.16.840.1.113733.1.7.23.3.1.13
                Policy: 2.16.840.1.113733.1.7.23.3.1.14
                Policy: 2.16.840.1.113733.1.7.23.3.1.15
                Policy: 2.16.840.1.113733.1.7.23.3.1.17
                Policy: 2.16.840.1.113733.1.7.23.3.1.18

Asserted OID ARC within this repo

https://github.com/18F/identity-pki/search?q=2.16.840.1.113733.1.7.23.3.1

[grandamp]

As a federal employee, when I try to authenticate with my PIV credential, I receive a certificate selection dialog that suggest the login.gov mTLS servers to not serve a hint list. I.e., even self signed certificates in my CNG store are an option.

As a Treasury employee authenticating to Treasury SSO via https://piv.treasury.gov/, I see a filtered list in the certificate selection dialog:

As an entity with a PIV/PIV-I/CAC credential accessing https://iiq.fiscal.treasury.gov/ via a PIV credential, I see similar results to Treasury SSO (though All FPKI is honored, and mTLS leverages TLS 1.3):

[idmken]

Follow-up on this issue, we have an authoritative list of PIV and PIV-I issuers used in the federal government, including all branches. If judicial and legislative branches are customers/users of login.gov, the allowed authenticator's list should include PIV-I.

https://playbooks.idmanagement.gov/fpki/pivcas-and-agencies/

[idmken]

If I understand how this works (and I probably do not), the config/application.yml builds the certs using a static root list and required policies.

The allowed policies already include medium hardware from Entrust and Identrust, but not PIV-I. It may be as simple as including the PIV-I policies in this required policies list.

identity-pki/config/application.yml.default

Line 54 in 6e37b9d

required_policies: |

Referencing this page to map OIDS

1. https://csrc.nist.gov/Projects/Computer-Security-Objects-Register/pki-registration
2. https://playbooks.idmanagement.gov/fpki/tools/citeguide/

Here is a first pass at improving the list of required policies (if this is how it the script works)

@grandamp, did I miss any or should it also include any federally-issued hardware certificate and any PIV-I? What list do you use?
Recommend Adding

• Entrust PIV-I Authentication - "2.16.840.1.114027.200.3.10.7.6"
• DigiCert PIV-I Authentication - "2.16.840.1.113733.1.7.23.3.1.18"
• IdenTrust PIV-I Authenticaiton - "2.16.840.1.113839.0.100.18.0"
• WidePoint PIV-I Authentication - "1.3.6.1.4.1.3922.1.1.1.18"
• Derived PIV Authentication - "2.16.840.1.101.3.2.1.3.41", ## FPKI Common Derived PIV Auth HW
• Federally-issued PIV-I - "2.16.840.1.101.3.2.1.3.45",## FPKI Common PIV-I Auth

Consider Removing

• Remove this because it's not an authentication cert - "2.16.840.1.101.3.2.1.3.7", ## FPKI Common HW
• Remove this unless someone can verify - "2.16.840.1.101.2.1.11.9", ## Couldn't find this one, but in the DoD arc.
• Remove this unless someone can verify -"2.16.840.1.101.2.1.11.19", ## Couldn't find this one, but in the DoD arc.
• Hardware cert, but not PIV - "2.16.840.1.101.2.1.11.42", ## DoD MediumHW 112
• Hardware cert, but not PIV - "2.16.840.1.101.2.1.11.43",## DoD MediumHW 128
• Hardware cert, but not PIV - "2.16.840.1.101.2.1.11.44", ## DoD MediumHW 192
• Remove this unless someone can verify - "2.16.840.1.101.3.2.1.12.2", ## FPKI arc, not listed.
• Unclear if this should be used for authentication to Login.gov - "2.16.840.1.101.3.2.1.12.3", ## DoD ECA Medium Token
• Unclear if this is for authentication - "2.16.840.1.101.3.2.1.12.5", ## DoD ECA Medium Token sha256
• Not PIV or PIV-I, but hardware - "2.16.840.1.101.3.2.1.12.10", ## DoD ECA Medium HW sha256
• Not PIV-I, but hardware - "2.16.840.1.114027.200.3.10.7.2" ## Entrust NFI MediumHW

[mitchellhenke]

Thank you for following up on this and the links to the references!

I can try to explain the "Required Policies" a bit. My understanding is we currently require that any of the certs in the chain have one of the listed policies, which is why the Senate PIV-I certificate mentioned previously is usable.

I will discuss internally a bit and review the links to add/remove OIDs as needed!

Regarding the initial issue with the certificates that do not support PIV/CAC/PIV-I, those are now removed (though it was due to expiration).

[grandamp]

Since this issue is still open, have you observed the following non-PIV certificate?

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 72058693549668964 (0x10001000001ba64)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = WidePoint, OU = Certification Authorities, CN = WidePoint ORC NFI 4
        Validity
            Not Before: May  3 19:04:14 2022 GMT
            Not After : May  2 00:00:00 2025 GMT
        Subject: C = US, O = AuthentX, OU = AuthentxDevices, CN = AuthentxApplications, UID = 74e26325-605f-4172-8869-4c9b9d567809, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:ea:74:f4:30:21:55:3c:9f:97:a8:7e:42:bb:
                    73:13:66:a5:20:40:30:ec:9a:aa:bf:7c:29:49:79:
                    e8:c9:c4:36:38:56:4d:7f:b9:39:31:ab:01:58:fe:
                    83:48:f0:fa:a6:5e:75:d7:5b:47:0b:c8:d8:8c:3e:
                    27:14:a2:5e:a8:44:9b:b6:c4:b4:42:86:77:7c:aa:
                    51:14:cf:ad:64:e4:ae:69:04:e9:8f:00:47:65:6b:
                    bf:11:13:c6:c8:10:b4:a9:a4:0a:42:7c:94:a5:a1:
                    86:c6:7d:b0:e4:34:ab:29:26:da:9b:7e:6b:6c:42:
                    ef:ad:43:75:08:3b:63:13:0e:a3:0d:26:69:77:d8:
                    d3:8a:00:70:2b:16:3b:a4:86:6f:a3:db:65:b5:dd:
                    24:1f:b2:ba:1b:2b:5c:a1:05:5a:0d:d6:59:28:de:
                    c7:ba:6f:6c:9a:61:88:31:43:e9:ac:32:aa:38:92:
                    c3:5e:c1:27:39:b9:68:94:18:59:04:31:63:ce:86:
                    4c:f7:1a:8a:9a:2f:51:35:99:d1:a9:b3:f7:9e:c7:
                    a0:b6:cc:51:6d:14:39:24:79:e8:81:8e:83:4e:f7:
                    4d:ac:43:23:cc:d1:97:f5:6a:95:53:47:3d:f7:97:
                    6d:0f:c6:e1:b0:71:cf:51:d4:1b:ab:04:25:4e:e8:
                    91:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.3922.1.1.1.3
            Authority Information Access:
                CA Issuers - URI:http://aia.xca.xpki.com/AIA/IssuedCertsforXTec_PIVI_CA1.p7c
                OCSP - URI:http://ocsp.xca.xpki.com/ocsp
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.xca.xpki.com/CRLs/XTec_PIVI_CA1.crl
                  URI:ldap://crl.xca.xpki.com/ou=XTec%20PIVI%20CA1,ou=PIV-I%20SSP,ou=XPKI,o=XTec%20Inc,c=US,dc=xcacrl?certificateRevocationList;binary
                Full Name:
                  DirName:DC = xcacrl, C = US, O = XTec Inc, OU = XPKI, OU = PIV-I SSP, OU = XTec PIVI CA1, CN = CRL222
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                12:E2:AB:E4:33:6B:30:7F:3E:EA:6F:3E:02:D6:1E:BC:60:2B:F1:F5
            X509v3 Subject Key Identifier:
                B0:11:C9:B4:29:C4:CC:5A:0A:69:CD:70:78:97:42:5E:64:10:BD:F6
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        1a:b5:d0:7a:e9:6a:52:3b:1a:2e:08:ad:20:3b:04:15:ef:b2:
        ad:c3:69:dd:9c:51:9f:ee:ee:7e:06:1b:99:98:f1:2d:2f:6d:
        97:2d:19:a9:e9:3b:28:02:d9:6a:bc:16:98:c6:e9:0f:e3:69:
        93:87:3d:c6:fc:01:6c:fb:e8:e3:97:86:1a:23:d0:06:59:ba:
        08:a7:33:27:cb:37:13:18:7a:61:8d:03:96:a2:bd:40:fc:0b:
        57:b0:fa:fa:db:30:e6:96:db:3f:07:d8:c9:5a:10:ee:1a:c5:
        14:4b:34:f6:15:3d:a8:a9:3f:e4:b3:d9:c8:e5:a9:38:28:30:
        04:af:1d:0c:c6:98:d0:8c:76:df:db:39:8a:a2:ad:9a:df:90:
        f0:39:ed:98:95:74:6f:f6:cc:4f:66:2e:f2:af:b4:a8:12:eb:
        b8:bb:f8:25:3d:39:e1:24:24:8f:d7:33:eb:03:15:1c:4c:26:
        51:9a:48:94:94:7f:0a:af:27:54:36:01:e3:17:d2:89:e3:20:
        3b:9e:57:88:c9:f5:06:15:19:58:e3:6c:bd:a3:e4:d9:4f:7b:
        b8:86:b1:15:d3:c2:e3:e8:9f:c8:15:ba:50:70:a1:09:e0:f5:
        c6:55:37:2e:3c:41:44:d1:c2:9c:76:09:0f:a4:e0:dc:e7:d1:
        f2:83:39:b5:9f:45:e6:c0:d4:96:26:b7:60:14:89:3c:fc:a3:
        ae:68:f4:bd:26:5a:39:3f:d4:f8:d0:f8:d0:eb:d8:77:e4:37:
        62:36:b9:b3:0c:cf:a5:e0:8c:d7:55:48:b5:94:04:72:eb:85:
        af:f9:b4:bb:50:35:40:e3:4b:1b:08:70:26:6f:14:66:8f:ac:
        9a:fd:b4:5a:d3:da:15:5e:25:6b:d0:21:5b:18:3d:36:3a:c3:
        64:a8:9a:5b:51:2f:ce:db:bd:ea:3f:74:32:49:57:7a:dc:cb:
        b3:db:57:e4:1c:00:43:11:a7:6a:40:a2:a3:2a:9f:2a:b2:22:
        25:29:bb:f3:15:4e:90:ba:cd:eb:d7:e1:57:57:34:2a:9b:b6:
        b0:ed:e1:c8:b4:ec:2b:3b:7f:e1:4b:8c:34:2f:91:70:d1:58:
        9e:3c:da:38:90:7d:b0:3e:75:50:f7:3e:f9:fa:5d:af:3b:8a:
        b9:d9:da:18:fe:39:7d:1b:3a:4d:83:5a:c9:15:dd:82:00:8f:
        c0:57:73:71:eb:19:7d:c1:b0:82:d4:a5:1a:2e:7c:7b:b5:f7:
        ae:d3:88:af:20:bc:36:c8:26:a3:f3:1e:81:46:05:2d:0b:99:
        3b:58:d5:d1:17:22:64:08:c3:8b:82:9b:9a:9f:f5:22:6d:93:
        83:02:f9:49:a6:01:74:8a
-----BEGIN CERTIFICATE-----
MIIHLTCCBRWgAwIBAgIIAQABAAABumQwDQYJKoZIhvcNAQELBQAwYzELMAkGA1UE
BhMCVVMxEjAQBgNVBAoTCVdpZGVQb2ludDEiMCAGA1UECxMZQ2VydGlmaWNhdGlv
biBBdXRob3JpdGllczEcMBoGA1UEAxMTV2lkZVBvaW50IE9SQyBORkkgNDAeFw0y
MjA1MDMxOTA0MTRaFw0yNTA1MDIwMDAwMDBaMIGxMQswCQYDVQQGEwJVUzERMA8G
A1UECgwIQXV0aGVudFgxGDAWBgNVBAsMD0F1dGhlbnR4RGV2aWNlczEdMBsGA1UE
AwwUQXV0aGVudHhBcHBsaWNhdGlvbnMxNDAyBgoJkiaJk/IsZAEBDCQ3NGUyNjMy
NS02MDVmLTQxNzItODg2OS00YzliOWQ1Njc4MDkxIDAeBgkqhkiG9w0BCQEWEWF1
dGhlbnR4QHh0ZWMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
yep09DAhVTyfl6h+QrtzE2alIEAw7Jqqv3wpSXnoycQ2OFZNf7k5MasBWP6DSPD6
pl5111tHC8jYjD4nFKJeqESbtsS0QoZ3fKpRFM+tZOSuaQTpjwBHZWu/ERPGyBC0
qaQKQnyUpaGGxn2w5DSrKSbam35rbELvrUN1CDtjEw6jDSZpd9jTigBwKxY7pIZv
o9tltd0kH7K6GytcoQVaDdZZKN7Hum9smmGIMUPprDKqOJLDXsEnOblolBhZBDFj
zoZM9xqKmi9RNZnRqbP3nsegtsxRbRQ5JHnogY6DTvdNrEMjzNGX9WqVU0c995dt
D8bhsHHPUdQbqwQlTuiRYwIDAQABo4IClDCCApAwGAYDVR0gBBEwDzANBgsrBgEE
AZ5SAQEBAzCBggYIKwYBBQUHAQEEdjB0MEcGCCsGAQUFBzAChjtodHRwOi8vYWlh
LnhjYS54cGtpLmNvbS9BSUEvSXNzdWVkQ2VydHNmb3JYVGVjX1BJVklfQ0ExLnA3
YzApBggrBgEFBQcwAYYdaHR0cDovL29jc3AueGNhLnhwa2kuY29tL29jc3AwEwYD
VR0lBAwwCgYIKwYBBQUHAwIwHAYDVR0RBBUwE4ERYXV0aGVudHhAeHRlYy5jb20w
ggFcBgNVHR8EggFTMIIBTzCBuaCBtqCBs4YuaHR0cDovL2NybC54Y2EueHBraS5j
b20vQ1JMcy9YVGVjX1BJVklfQ0ExLmNybIaBgGxkYXA6Ly9jcmwueGNhLnhwa2ku
Y29tL291PVhUZWMlMjBQSVZJJTIwQ0ExLG91PVBJVi1JJTIwU1NQLG91PVhQS0ks
bz1YVGVjJTIwSW5jLGM9VVMsZGM9eGNhY3JsP2NlcnRpZmljYXRlUmV2b2NhdGlv
bkxpc3Q7YmluYXJ5MIGQoIGNoIGKpIGHMIGEMRYwFAYKCZImiZPyLGQBGRYGeGNh
Y3JsMQswCQYDVQQGEwJVUzERMA8GA1UECgwIWFRlYyBJbmMxDTALBgNVBAsMBFhQ
S0kxEjAQBgNVBAsMCVBJVi1JIFNTUDEWMBQGA1UECwwNWFRlYyBQSVZJIENBMTEP
MA0GA1UEAwwGQ1JMMjIyMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUEuKr5DNr
MH8+6m8+AtYevGAr8fUwHQYDVR0OBBYEFLARybQpxMxaCmnNcHiXQl5kEL32MA4G
A1UdDwEB/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAgEAGrXQeulqUjsaLgitIDsE
Fe+yrcNp3ZxRn+7ufgYbmZjxLS9tly0Zqek7KALZarwWmMbpD+Npk4c9xvwBbPvo
45eGGiPQBlm6CKczJ8s3Exh6YY0DlqK9QPwLV7D6+tsw5pbbPwfYyVoQ7hrFFEs0
9hU9qKk/5LPZyOWpOCgwBK8dDMaY0Ix239s5iqKtmt+Q8DntmJV0b/bMT2Yu8q+0
qBLruLv4JT054SQkj9cz6wMVHEwmUZpIlJR/Cq8nVDYB4xfSieMgO55XiMn1BhUZ
WONsvaPk2U97uIaxFdPC4+ifyBW6UHChCeD1xlU3LjxBRNHCnHYJD6Tg3OfR8oM5
tZ9F5sDUlia3YBSJPPyjrmj0vSZaOT/U+ND40OvYd+Q3Yja5swzPpeCM11VItZQE
cuuFr/m0u1A1QONLGwhwJm8UZo+smv20WtPaFV4la9AhWxg9NjrDZKiaW1Evztu9
6j90MklXetzLs9tX5BwAQxGnakCioyqfKrIiJSm78xVOkLrN69fhV1c0Kpu2sO3h
yLTsKzt/4UuMNC+RcNFYnjzaOJB9sD51UPc++fpdrzuKudnaGP45fRs6TYNayRXd
ggCPwFdzcesZfcGwgtSlGi58e7X3rtOIryC8Nsgmo/MegUYFLQuZO1jV0RciZAjD
i4Kbmp/1Im2TgwL5SaYBdIo=
-----END CERTIFICATE-----