Enterprise Directory Service (EDS)
The Enterprise Directory Service (EDS) consists of two directory services, Global Directory Service (GDS) and Joint Enterprise Directory Services (JEDS). These services are designed to support the DoD community by making available DoD PKI and ECA certificate revocation lists (CRLs), intermediate Certification Authority (CA) certificates, DoD users' public encryption certificates and other user information.
The Global Directory Service (GDS) is an enterprise directory service available on both NIPRNet and SIPRNet that supports the DoD PKI program. GDS hosts DoD PKI and ECA certificate revocation lists (CRLs) and intermediate Certification Authority (CA) certificates. All DoD PKI certificates point to the GDS in their CRL distribution point (CRLDP) extension, so any relying party that performs CRL-based revocation checking against a DoD certificate fetches the CRL from GDS. GDS also provides an enterprise user directory called DoD 411, where users may search for and download contact records that include the contact's public encryption certificate. This allows users to encrypt e-mail to DoD recipients who are not present in their local e-mail directory. DoD 411 is available via both HTTP (web browser) and LDAP interfaces and can be configured as an address book within Microsoft Outlook.
The DoD Enterprise White Pages replaced Joint Enterprise Directory Services (JEDS) in May 2013. It is a set of services available on both NIPRNet and SIPRNet that provides a DoD-wide search capability for user information, including names, contact information and other job-related attributes. The DoD Enterprise White Pages harvests and correlates DoD user attributes from multiple DoD data sources; the attributes are then made available to DoD users through a central PKI-enabled site for DoD people discovery.
The DoD PKE team is currently evaluating a variety of thin clients for usability with the SIPRNet Hardware Token, and is consolidating the results of evaluation efforts across the DoD community. The current status is available here. Please contact email@example.com if your organization is evaluating a thin client or if you do not see your thin client on the list.
Robust Certificate Validation Service (RCVS)
The Robust Certificate Validation Service (RCVS) is the DoD PKI's Online Certificate Status Protocol (OCSP) responder infrastructure. OCSP is a mechanism for determining the revocation status of X.509 certificates. OCSP, as defined by RFC 2560 (since superseded by RFC 6960) and profiled for high-volume environments by RFC 5019, uses a request-response paradigm: an OCSP client submits a certificate status request, identifying the certificate by issuer hash and serial number, to an OCSP responder, and the responder returns a signed OCSP response indicating whether the certificate status is good, revoked or unknown. DoD OCSP responses are generated from data contained within DoD PKI certificate revocation lists (CRLs); however, since an OCSP response contains status for only one or a small number of certificates, it is a much lighter-weight way to obtain certificate status than downloading a full CRL. For more information on OCSP, including OCSP trust models (who is permitted to sign a response and how the relying party verifies that signature), please read our slick sheet on OCSP. For more information on when to use OCSP versus CRLs, please read our Certificate Revocation Checking slick sheet. Both slick sheets can be found on the PKE A-Z page under the Slick Sheets and White Papers category.
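The exchange described above, run end to end on one machine with the openssl command-line tool, as an added example that is not part of the DoD PKE page and does not touch RCVS: it builds a throwaway issuing CA and three end-entity certificates (all constructed here, with made-up serials 0x1001 through 0x1003), stands in for the CRL data with an index file that marks one certificate revoked and omits another, has the client build a request for all three, has the responder answer from that data and sign with the CA key (the CA-signed trust model), and has the client verify the signature against its trust anchor and read back good, revoked and unknown.

```shell
#!/bin/sh
# Added example (not DoD PKE or RCVS code). Everything below is constructed:
# "Demo Issuing CA", the three leaf certificates and the index file that plays
# the role of the CRL data a responder answers from.

# Create the throwaway CA and three end-entity certificates under directory $1.
ocsp_demo_build_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    serial=4097   # 0x1001; the next two certificates get 0x1002 and 0x1003
    for name in revoked good unknown; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -set_serial "$serial" -days 365 -out "$dir/$name.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
    # Revocation data in the openssl "ca" index format, tab separated:
    # status (V/R), expiry, revocation time[,reason], serial (hex), file, subject DN.
    # A real responder derives this from the CA's CRLs; serial 0x1003 is left out on purpose.
    printf 'R\t301231235959Z\t240101120000Z,keyCompromise\t1001\tunknown\t/CN=revoked\n' > "$dir/index.txt"
    printf 'V\t301231235959Z\t\t1002\tunknown\t/CN=good\n' >> "$dir/index.txt"
}

# Client side: one DER-encoded request covering all three certificates.
# -no_nonce keeps the request cacheable, the trade-off lightweight (RFC 5019) deployments make.
ocsp_demo_make_request() {
    dir=$1
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/revoked.pem" -cert "$dir/good.pem" \
        -cert "$dir/unknown.pem" -no_nonce -reqout "$dir/req.der" 2>/dev/null
    [ -s "$dir/req.der" ]
}

# Responder side: look each serial up in index.txt and sign the answer with the CA key.
# A delegated responder would instead pass its own certificate and key to -rsigner/-rkey.
ocsp_demo_answer() {
    dir=$1
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
        -rkey "$dir/ca.key" -ndays 1 -reqin "$dir/req.der" -respout "$dir/resp.der" 2>/dev/null
    [ -s "$dir/resp.der" ]
}

# Client side again: verify the response signature against the trust anchor (-CAfile)
# and print the status reported for one certificate: good, revoked or unknown.
ocsp_demo_status() {
    dir=$1
    name=$2
    openssl ocsp -respin "$dir/resp.der" -issuer "$dir/ca.pem" -cert "$dir/$name.pem" \
        -CAfile "$dir/ca.pem" -no_nonce 2>/dev/null | sed -n "s|^$dir/$name\.pem: ||p"
}

# Run the whole exchange; prints "revoked good unknown" when everything verifies.
ocsp_demo() {
    dir=$(mktemp -d) || return 1
    ocsp_demo_build_pki "$dir" && ocsp_demo_make_request "$dir" && ocsp_demo_answer "$dir" || return 1
    echo "$(ocsp_demo_status "$dir" revoked) $(ocsp_demo_status "$dir" good) $(ocsp_demo_status "$dir" unknown)"
    rm -rf "$dir"
}
```

Two details are worth noticing when you run it: the request is tiny compared with a CRL that would list every revoked serial the CA has ever issued, and the "unknown" answer for serial 0x1003 is exactly what a relying party should treat as a failure rather than as "not revoked". To see the raw structures, add -req_text to the responder command and -resp_text to the status command.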
SIPRNet Token and NSS PKI
In order to ensure accountability and enable secure authentication on the Secret Internet Protocol Router Network (SIPRNet), a new and separate hardware token has been developed. The SIPRNet Hardware Token contains an individual's PKI certificates for network logon, user authentication to networks and websites, and secure e-mail on the SIPRNet. The PKI certificates on the SIPRNet Hardware Token are issued by authorized National Security System (NSS) Certification Authorities (CAs) and comply with DoD and CNSS requirements and regulations. For more information on the SIPRNet token and the NSS PKI, please read our SIPRNet Hardware Token Overview slick sheet, found on the PKE A-Z page under the Slick Sheets and White Papers category.
NSS PKI Common Service Provider (CSP)
The Committee on National Security Systems (CNSS) Policy No. 25 laid the foundation for a Public Key Infrastructure (PKI) to support National Security Systems (NSS) on Secret networks across the Federal Government. CNSS Directive No. 506 establishes the requirement for all federal agencies to implement the NSS PKI, to promote interoperability and secure information sharing, and to use PKI to provide strong authentication on Secret-level networks. Drawing on its previous NIPRNet and SIPRNet PKI experience, the DoD PKI PMO built an NSS PKI infrastructure for the DoD. The DoD is currently issuing SIPRNet hardware tokens from this infrastructure to personnel throughout the department.
The CNSS recognized that it was not cost-effective for each Federal Agency to establish and operate a separate PKI. As a result, CNSS Policy No. 25 created a Common Service Provider (CSP), which would operate the NSS PKI and provide certificate management services for Participating Agencies (PAs). The DoD PKI PMO was chosen to build and operate the NSS PKI CSP. The DoD PKI PMO, under the guidance of the CNSS and primary management of DISA, has been working with the CNSS PKI Member Governing Body (MGB) to incorporate the capabilities needed by the CSP into the NSS PKI. The CSP began issuing certificates on hardware tokens in June 2013. DISA manages the certificate life cycle for Participating Agencies. In general, DoD Registration Authorities (RAs) and Trusted Agents (TAs) will not be affected by the implementation of the NSS PKI CSP.
Federal Information Sharing
PKI interoperability is an essential component of secure information sharing between DoD and its partners within the federal government and industry. DoD Instruction 8520.02 details the process by which an external PKI becomes a DoD-approved PKI. DoD Instruction 8520.03 defines sensitivity levels and the credential strengths that must be used to authenticate for access to resources at each sensitivity level. These DoD requirements align with larger federal initiatives on the implementation and use of federated credentials, including OMB M-04-04, HSPD-12 and FIPS 201. Leveraging approved externally issued credentials can reduce overall cost to the DoD and increase information assurance by limiting the number and scope of Common Access Cards issued and managed by the Department. In addition, correctly using approved externally issued credentials will enable the DoD to meet recent guidance published by the Office of Management and Budget to reduce overall government costs associated with issuing and managing credentials. For a comprehensive list of policy documents, please go to the PKI and PKE Policies page.
All DoD-approved external PKIs can be found on the IASE site on the External and Federal PKI Interoperability page. There you can find additional information for each external PKI including certificate trust chains, acceptable certificate assurance levels, and other useful information.
For an overview of the Federal PKI and Federal Bridge and to learn more about the usage of External PKIs within the DoD, please read our Working with External PKIs slick sheet.