Q: Does the ECA program now support certificates that last longer than a year?
A: Yes. Once the IECAs have transitioned to ECA status, they
may issue certificates that are valid for up to three years. Each ECA
vendor will submit a CPS that will describe their certificate offerings.
Q: Is there a pre-conceived estimate of a 'fair and reasonable' cost for an
IECA compliant certificate?
A: No. We are seeking a sustainable business and cost model, which
provides the customers with certificate services at competitive rates, while
allowing the IECA to make a profit and stay in business.
Q: What specific information about the three qualified IECA suppliers
and their certificates will be supplied to DoD vendors?
A: DoD vendors will be directed to the web sites of the three qualified
IECA suppliers. The IECAs will be expected to provide registration information,
including processes, policies, and cost, to DoD vendors.
Q: What are the names and contact numbers of engineering resources that
can be used to answer technical questions?
A: Please address your questions to pkieca@ncr.disa.mil; if they
are of a technical nature, they will be forwarded to the appropriate people
promptly.
Q: What benefits do DoD contractors derive from participating in this
program?
A: Policies are currently being drafted within the DoD requiring
all contractors and other organizations doing business with the DoD
to use secure means of communication. By taking advantage of
this program, you are complying with DoD regulations. Certificates
can also be used to enable and improve electronic business processes.
In today's world, where the DoD relies more and more on commercial contractors
to accomplish its war-fighting mission, and where terrorism is a primary
concern, the IECA/ECA PKI is a vital tool in protecting Sensitive But
Unclassified (SBU) information that might give our adversaries an advantage.
Q: What incentives will DoD provide to contractors to order and use certificates?
A: Again, it is the early participants that will have a leg up on
other vendors in understanding how to use certificates in a paperless contracting
environment. These vendors will be the first to realize the anticipated
reduced processing cost of a paperless contracting environment.
Q: Can IECA/ECA software certificates be downloaded onto a hardware token (e.g., smart
card, USB token)?
A: Technically, your software keys and certificates can be loaded
on a hardware token, if the vendor's middleware supports importing
"*.p12" files. If your software certificate and associated private
key are stored in, for example, your Netscape browser, they must be exported
as a *.p12 file and then imported onto the hardware token using the vendor's
middleware.
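The export step above produces a PKCS#12 (*.p12) bundle holding the certificate and its private key together. The following script is an added example and is not part of this FAQ or of any IECA/ECA vendor's tooling: it builds a throwaway self-signed identity certificate standing in for a software certificate, bundles it as a passphrase-protected *.p12 file with OpenSSL, and then runs the checks worth doing before handing such a file to token middleware (the bundle opens, it contains both a key and a certificate, the key actually matches the certificate, and the remaining validity fits the three-year ceiling quoted elsewhere on this page). The subject name, passphrase, and file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the DISA FAQ): create a demo identity, export it
# as a *.p12 bundle, and sanity-check the bundle before a token import.
# Requires only the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
P12_PASS=demo-passphrase    # constructed; a real browser export prompts for one

# Self-signed key/cert pair standing in for a software identity certificate.
# 1095 days is the three-year maximum quoted for ECA certificates.
make_demo_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/CN=Demo Contractor User/O=Example Corp" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Bundle key + cert as a passphrase-protected PKCS#12 file (the "*.p12" file
# the FAQ refers to). OpenSSL 3 encrypts with AES by default; some older
# middleware only understands the legacy RC2/3DES encoding, which OpenSSL 3
# can produce with its -legacy option (left out here for portability).
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name "demo identity" -out "$WORK/identity.p12" -passout "pass:$P12_PASS"
}

# Check 1: the bundle opens with the passphrase and carries both a
# certificate and a private key. Returns 0 on success, 1 otherwise.
p12_has_key_and_cert() {
    openssl pkcs12 -in "$WORK/identity.p12" -passin "pass:$P12_PASS" \
        -nodes -out "$WORK/unpacked.pem" >/dev/null 2>&1 || return 1
    grep -q "BEGIN CERTIFICATE" "$WORK/unpacked.pem" || return 1
    grep -q "PRIVATE KEY" "$WORK/unpacked.pem" || return 1
}

# Check 2: the private key in the bundle belongs to the certificate's public
# key. A mismatched pair imports onto a token without complaint but can never
# produce a signature that validates against the certificate.
p12_key_matches_cert() {
    openssl pkcs12 -in "$WORK/identity.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout > "$WORK/pub_from_cert.pem"
    openssl pkcs12 -in "$WORK/identity.p12" -passin "pass:$P12_PASS" \
        -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout > "$WORK/pub_from_key.pem"
    cmp -s "$WORK/pub_from_cert.pem" "$WORK/pub_from_key.pem"
}

# Check 3: returns 0 if the certificate expires within N days of now, 1 if
# it stays valid longer. A certificate with more than three years of
# remaining life cannot be a compliant ECA certificate.
p12_expires_within_days() {
    days="$1"
    openssl pkcs12 -in "$WORK/identity.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -checkend "$((days * 86400))" >/dev/null 2>&1 \
        && return 1
    return 0
}

make_demo_identity
export_p12
```

Run the three checks after `export_p12` has produced the bundle; a failing check 2 is the one most often missed, because the middleware import itself gives no hint that the key and certificate belong to different people.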
Q: Why can't the contractor community use PGP for secure messaging with DoD personnel
instead of ECAs?
A: The purpose of the IECA program is to establish a process whereby
DoD's external partners (e.g., contractors, customers, DSS investigators,
etc.) can communicate with DoD in a trusted manner. The current IECA
vendors have undergone an extensive procedure to stand up a CA and document
the operational requirements in their CPS, which met DoD's requirements.
As part of the transition to ECA, these requirements are being formed into
a separate ECA CP (which is very similar to the DoD CP). We currently
allow PKI interoperability with the three IECA vendors solely because they are
the only PKIs that have been evaluated to be compliant with the DoD PKI's
CP. In particular, we don't allow the use of PGP because the 'Web-of-Trust'
model used by PGP circumvents the evaluation process established for evaluating
the trust model used by our external PKIs (i.e., IECA vendors).
Q: Can the DoD contractor community use their own PKI for secure
messaging with DoD personnel instead of ECAs?
A: No.
Only PKIs that have been approved by the DoD can be used for secure
messaging with the DoD. Currently, the approved PKIs are the DoD
PKI, the Interim External Certificate Authority (IECA) PKI (until March
2004), and the External Certificate Authority (ECA) PKI.
Q: If my organization requires IECA certificates for more than one person,
should I consider purchasing a server certificate, and is that sufficient?
A: No. Please review the 3-step process for obtaining an IECA
certificate; Step 2 describes the various certificate types
and their functions. A server certificate isn't a substitute for
large quantities of identity certificates. Server and identity
certificates are very different in function and have distinct cases
in which they would be used and implemented.