
ficam-playbooks's Introduction

The content in this repository has migrated to https://github.com/GSA/idmanagement.gov. This repository was public archived on September 7th, 2023.


This work is led by the GSA Identity and Trusted Access Division FICAM Program in coordination with the ICAM Subcommittee of the Federal CISO Council.

FICAM Playbooks

This repository is a governmentwide collaboration. The content advances the maturity of Federal Identity, Credential, and Access Management (ICAM) systems, as previously envisioned in the FICAM Roadmap and Implementation Guidance v2.0.

Additional repositories are under development for contributors to share ICAM implementation guides, code, reference implementations, and solutions.

General Practices

This content is vendor neutral. Marketing materials for commercial products should not be submitted. If you would like to contribute a page or content that includes commercial products and specific references for development and engineering, please review the commercial product trademark or copyright guides from the product vendor and reference those guides in your pull request.

Plain Language

Contributors should consider the audience when submitting content. Plain language benefits a broad audience. Review your proposed content for use of acronyms and specialized jargon before submitting.

How to Contribute

For information on how to contribute to the site, visit the Idmanagement.gov contribute page.

Direct changes and line edits to the content may be submitted by clicking 'Edit this page'. You do not need to install any software to submit content. You can use GitHub's in-browser editor to edit files and submit a request for your changes to be merged.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Special Thanks

This site is based on GitHub Pages and Jekyll templates.

Special thanks to the teams at 18F, 18F Pages, and US Digital Services Playbooks for their open and transparent model which benefits citizens, government, and technology.

ficam-playbooks's People

Contributors

apburnes, bshen-reisys, christyberghoff, claytonjbarnette, dasgituser2, dependabot[bot], dproudgsa, idmken, jbpayne007, jilltunick, kapil-bulchandani, maxwellfunk, mchelen-gov, pete-gov, pkothare, powellamaranth, rsherwood-gsa, ryancdickson, sarahdobson, snyk-bot, techliaison


ficam-playbooks's Issues

System Notification for: Federal Bridge CA G4 (intent to revoke CA certificates)

The FPKIMA intends to revoke the following certificates issued by the Federal Bridge CA G4 (FBCAG4):


FBCAG4 to CertiPath Bridge CA 2 (Revocation planned for on or around 3/18/2021)

  • Certificate Issuer: CN = Federal Bridge CA G4, OU = FPKI, O = U.S. Government, C = US
  • Certificate Subject: CN = CertiPath Bridge CA - G2, OU = Certification Authorities, O = CertiPath LLC, C = US
  • Certificate Serial: 154d6e5eb1df740a2588ca6e27d3b557829a0dfc
  • Certificate SHA1 Hash: 3bfc4df881682f8846bff486d422025aee7494d8

FBCAG4 to SAFE Bridge CA 02 (Revocation planned for on or around 3/18/2021)

  • Certificate Issuer: CN = Federal Bridge CA G4, OU = FPKI, O = U.S. Government, C = US
  • Certificate Subject: CN = SAFE Bridge CA 02, OU = Certification Authorities, O = SAFE-Biopharma, C = US
  • Certificate Serial: 18a4dd0c2b5068bf964e3f333e76821f1594042b
  • Certificate SHA1 Hash: 600319e6c322229f88e0f434ba96fb0dfd00252e

FBCAG4 to FCPCA (Revocation the day prior to FCPCA Decommissioning, TBD – Mid May)

  • Certificate Issuer: CN = Federal Bridge CA G4, OU = FPKI, O = U.S. Government, C = US
  • Certificate Subject: CN = Federal Common Policy CA, OU = FPKI, O = U.S. Government, C = US
  • Certificate Serial: 198ef944a16068e7c0b85cd2f5b2cfb5de8b2174
  • Certificate SHA1 Hash: fb3f5e09cac4fe4066f6c48cce31feca02fea677
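As an added example, not part of the FPKIMA notice or the repository, the following stdlib-only Python check hashes every certificate in a PEM bundle and reports any whose SHA-1 fingerprint matches the three cross-certificates listed above, so an agency can confirm whether a trust store export or CA bundle still carries them ahead of the planned revocation. The PEM bundle in the block is a constructed placeholder rather than real certificates; the three fingerprints are the ones quoted in the notice.

```python
import base64
import hashlib
import re

# SHA-1 hashes of the DER-encoded certificates named in the FBCAG4 notice above.
FBCAG4_PLANNED_REVOCATIONS = {
    "3bfc4df881682f8846bff486d422025aee7494d8": "FBCAG4 -> CertiPath Bridge CA - G2",
    "600319e6c322229f88e0f434ba96fb0dfd00252e": "FBCAG4 -> SAFE Bridge CA 02",
    "fb3f5e09cac4fe4066f6c48cce31feca02fea677": "FBCAG4 -> Federal Common Policy CA",
}

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def sha1_hex(der: bytes) -> str:
    """Certificate 'SHA-1 hash' as quoted in FPKI notices: SHA-1 over the DER bytes."""
    return hashlib.sha1(der).hexdigest()


def der_certs_from_pem(pem_text: str) -> list:
    """Return the raw DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_CERT.findall(pem_text)]


def find_planned_revocations(pem_text: str, watchlist=None) -> list:
    """Return (position, sha1, label) for each bundle certificate on the watchlist.

    Matching is by fingerprint only, so no X.509 parsing is needed; an empty
    result means none of the listed cross-certificates is present.
    """
    if watchlist is None:
        watchlist = FBCAG4_PLANNED_REVOCATIONS
    hits = []
    for position, der in enumerate(der_certs_from_pem(pem_text)):
        fp = sha1_hex(der)
        if fp in watchlist:
            hits.append((position, fp, watchlist[fp]))
    return hits


# Constructed stand-in for a trust store export: these bytes are NOT a real
# certificate, they only exercise the PEM handling and the matching logic.
CONSTRUCTED_DER = b"constructed placeholder, not an X.509 certificate"
CONSTRUCTED_SHA1 = sha1_hex(CONSTRUCTED_DER)
CONSTRUCTED_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"first placeholder entry").decode()
    + "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Against the real watchlist the placeholder bundle matches nothing ...
    print(find_planned_revocations(CONSTRUCTED_BUNDLE))
    # ... adding its own fingerprint shows what a hit looks like.
    print(find_planned_revocations(CONSTRUCTED_BUNDLE, {CONSTRUCTED_SHA1: "constructed entry"}))
```

Export the store to PEM (for example with `openssl pkcs7 -print_certs -inform DER -in bundle.p7c` for a p7c bundle, or certutil on Windows) and pass the text to `find_planned_revocations`; a non-empty result names the cross-certificate and its position in the bundle. Matching on the DER SHA-1 avoids any X.509 parsing dependency and is the same value the notice quotes.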

Change Search.gov Indexer

Description of Issue:

After all migrations, follow-up with search.gov to update the indexers and potential change to inline results in config.yml.

Details of Issue:

References (Docs, Links, Files):

Possible Solution

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Comms Review of FPKI Guide

Description of Issue:

Content, links, graphics, format, and 508 review of FPKI Guide.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Make text wider

Description of Issue:

Text only fills the middle portion of the screen. Fix the formatting so it is wider.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

System Notification for: IdenTrust (intent to deploy a new issuing CA)

notice_date: February 25, 2021
change_type: Intent to Perform CA Certificate Issuance
start_datetime:
system: IdenTrust Global Common Root CA 1
change_description: IdenTrust intends to issue a new CA certificate from IdenTrust Global Common Root CA 1 to replace the IGC Server CA 1 certificate that has an expiration date of 4/14/2024.
contact: support at identrust dot com
ca_certificate_hash:
ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US
ca_certificate_subject: CN=IGC Device CA 1
cdp_uri:
aia_uri:
sia_uri:
ocsp_uri:

Logon script that sets friendly name

  • Using a logon script on managed devices to set friendly names for person certs
  • Applies to applications and ease of use for users

Need sample scripts

Click to Make Image Bigger

Description of Issue:

Most of the images are small and hard to read. Semi-related to issue #5. Maybe implement a feature to make the image bigger when it's clicked.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Document Inventory Page

Description of Issue:

A single page with a list of all the documents in this repo.

Details of Issue:

Users shouldn't have to search for a document. There should be a page with a list of all current documents.

Add a doc folder and move all documents to the doc folder. An automatic page that lists documents in the folder without manually maintaining a yml file.

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

"Linux" is not a good descriptor for where files will be when giving a location to find a ".so" module (firefox guide)

Description of Issue:

"Linux" is not really a fair way to describe where the pkcs11.so will be, or even what it will be named, on the variety of Linux distributions that exist. For example, on Debian, not only is pkcs11.so not the name (opensc-pkcs11.so), but it is not in /usr/lib. In ArchLinux it is in /usr/lib but once again is not named pkcs11.so. I, admittedly, don't know what distro the information on the page comes from, but it should state which distribution it comes from.

(Screenshot attached: GSA piv-guides)

Link to the Content Page for Contributors:

piv-guides/_engineering/01_firefox.md
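As an added example (not from the Firefox guide or the repository), here is a small Python locator that probes the module locations the common distributions actually use for the OpenSC PKCS#11 library. The candidate list is an assumption drawn from packaging conventions (Debian/Ubuntu multiarch directories, Fedora/RHEL lib64, Arch /usr/lib), not something the guide states, and the two fake filesystems in the block are constructed.

```python
import os
from typing import Callable, Optional

# Where distributions commonly install the OpenSC PKCS#11 module. This list is
# an assumption from packaging conventions, not a statement from the guide:
# Debian/Ubuntu use multiarch lib dirs, Fedora/RHEL use lib64, Arch uses /usr/lib.
PKCS11_CANDIDATES = [
    "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so",          # Debian, Ubuntu
    "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so",
    "/usr/lib64/opensc-pkcs11.so",                         # Fedora, RHEL
    "/usr/lib64/pkcs11/opensc-pkcs11.so",
    "/usr/lib/opensc-pkcs11.so",                           # Arch Linux
    "/usr/lib/pkcs11/opensc-pkcs11.so",
    "/usr/local/lib/opensc-pkcs11.so",                     # built from source
]


def find_pkcs11_module(exists: Callable[[str], bool] = os.path.isfile,
                       candidates=PKCS11_CANDIDATES) -> Optional[str]:
    """Return the first candidate path that exists, or None.

    `exists` is injectable so the lookup can be exercised against a fake
    filesystem; the default probes the real one.
    """
    for path in candidates:
        if exists(path):
            return path
    return None


def describe(path: Optional[str]) -> str:
    """Text a guide could show: the module path, or what to install if absent."""
    if path is None:
        return ("OpenSC PKCS#11 module not found in the usual locations; install "
                "the opensc package for your distribution or search for "
                "opensc-pkcs11.so under /usr/lib*")
    return f"Use this module path in the Firefox Security Devices dialog: {path}"


# Constructed fake filesystems standing in for two of the distributions the
# issue names; each is the set of files that "exist" on that system.
FAKE_DEBIAN = {"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"}
FAKE_ARCH = {"/usr/lib/opensc-pkcs11.so"}

if __name__ == "__main__":
    print(describe(find_pkcs11_module()))
```

Running the block on a real machine probes the actual filesystem; the tests below drive it with the constructed sets instead, which is how the per-distribution claim in the issue (different directory on Debian, different name everywhere) can be checked without installing anything.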

Kerberos ticket lifetimes and "need your current credentials"

FAQ Item

Why do users see the following message?

  • Windows Needs Your Current Credentials
  • Please Lock this computer, then unlock it using your most recent password or smart card

This happens when the Kerberos ticket lifetime expires and a new authentication event is required. The user is set to user-based enforcement, which requires a new PKINIT event with the domain controller. In short: please authenticate again.

Similar to "user cannot have a session longer than 24 hours before re-authenticating" for web apps etc.

Add Button to "Download as a PDF"

Description of Issue:

It would be a nice user feature for a PDF version of each guide or playbook.

Details of Issue:

Create a downloadable PDF version of each guide or playbook, or at a minimum the architecture playbook, because it is mentioned in 19-17. Version control of the architecture may help agencies with implementing or tracking specific versions.

References (Docs, Links, Files):

Check on pagination to create a PDF from multiple pages or converting multiple pages into a single page.

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

FICAM Architecture Standards link reference

Description of Issue:

FICAM Architecture Standards & Policies

https://federalist-6b49c9d3-af36-4c09-9954-7421ffabc251.app.cloud.gov/preview/gsa/playbooks-wdsv2/staging/arch/standards/#policies

OMB Circular A-123 points to M-16-17

Details of Issue:

The link to OMB Circular A-123 points to the document with M-16-17 as a cover page. Should we reference M-16-17 in the link text or context paragraph?

Link to the Content Page for Contributors:

https://github.com/GSA/playbooks-wdsv2/blob/staging/_arch/ficam_standards_policies.md

Fix PIV Playbooks Page

Description of Issue:

This page should include a list of the available playbooks

piv/user/

Potentially breakout under a Playbooks Tab.

Clean-up Posting Dates

Each page is using a different model for a date, for example:

  • No date
  • Last updated
  • Posted date
  • Publish date

Consolidate on one pattern, consistent placement and terms - and incorporate into the templates directly.

Useful PIV Tools

Description of Issue:

Should we add a Useful Tools item to the navigation on PIV-Guides? If so, should the same tools show up on both FPKI-Guides and PIV-Guides?

Details of Issue:

References (Docs, Links, Files):

Just an idea of tools that could be listed on this page

If a New Page or Content is Needed, Expected Outcomes:

A new page and navigation item that provides links to useful PIV tools

Link to the Content Page for Contributors:

Need source files for .png images

Description of Issue:

Unable to update .png images without the source file used to create the .png - Visio, Gliffy, etc.

Details of Issue:

References (Docs, Links, Files):

All of the files in https://github.com/GSA/ficam-arch/tree/staging/img are .PNG image files and not easily editable to make changes and improvements to.

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Fix Other Playbooks Date

Description of Issue:

Update the playbooks html to ask for pubdate variable and then update all playbook front matter to use pubdate.

Nice to be able to sort by title or date. Add a header to the table.

Details of Issue:

References (Docs, Links, Files):

Possible Solution

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Comms Review of PIV Guide

Description of Issue:

Content, links, graphics, format, and 508 review of PIV Guide.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

System Notification for: CertiPath Bridge CA - G3 (Federal Bridge CA G4 modification)

CertiPath notified [email protected] of its intent to modify the certificate issued from the CertiPath Bridge CA - G3 to the Federal Bridge CA G4.

The modified certificate will update the inhibitPolicyMapping skipCert value of "1" to "2".

notice_date: April 12, 2021
change_type: Intent to Perform CA Certificate Issuance
start_datetime:
system: CertiPath Bridge CA
change_description: CertiPath Bridge CA - G3 intends to issue a modified cross certificate to the Federal Bridge CA G4.
contact: support at certipath dot com
ca_certificate_hash:
ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
ocsp_uri:

System Notification for: TSCP SHA256 Bridge CA (Carillon Federal Services PIV-I CA2 - renewal)

notice_date: April 2, 2021
change_type: Intent to Perform CA Certificate Issuance
start_datetime:
system: TSCP SHA256 Bridge CA
change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Carillon Federal Services.
contact: steve.race at tscp dot org
ca_certificate_hash:
ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C= US
cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
sia_uri:
ocsp_uri:


Note: This is a renewal of the existing certificate below:

  • Issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
  • Subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
  • Validity: September 22, 2020 to September 22, 2021
  • Serial #: 663415d34e59e00fa138da6075064702
  • SHA-1 Hash: 97ff543ab95bd5e3a065834f240ad6b3c6b7d985
  • Key Size: 2048-bit (RSA)
  • Signature Algorithm: SHA256 with RSA

Create FAQ Sections

Overall issue to create FAQ sections for relevant communities:

  • General User
  • Developer / Implementer
  • Policy (Potentially)

Keeping audience in mind when organizing these FAQs should help improve usability over just combining everything together.

Create a "back to Top"

Description of Issue:

Add a "Back to Top" link at the bottom of the page to the playbook and guide template.

Expand Common Migration Troubleshooting for distrusting return bridge cross certs

Description of Issue:

Some users are seeing very long paths being built to unexpected trust anchors via FBCAG4.

Details of Issue:

This is cryptographically unrelated to the common G2 migration but could be added as a consideration to untrust some return cross certs that might cause issues.

References (Docs, Links, Files):

ORC_NFI_cert_chain

If a New Page or Content is Needed, Expected Outcomes:

new troubleshooting section: "I have distributed G2 but am seeing a much longer path to an unexpected root" and include FBCAG4 --> FCPCAG2 cross cert instructions for distrust/untrust.

Link to the Content Page for Contributors:

https://github.com/GSA/fpki-guides/blob/common-migration-troubleshooting/_common/10_troubleshooting.md
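As an added example, not from the repository or the referenced ORC_NFI_cert_chain file, the following Python models the cross-certificate inventory as a graph and enumerates the certification paths a path builder could construct, which makes the effect of untrusting the FBCAG4 to FCPCA G2 return cross-certificate visible. The Federal CA names are those in the issue; every "Example ..." CA and the edges between them are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

CrossCert = Tuple[str, str]  # (issuer CA, subject CA)

# Constructed cross-certificate inventory. The two Federal CAs are the ones the
# issue names; every "Example ..." CA is a placeholder standing in for an
# affiliate / NFI PKI. Each (issuer, subject) pair is one cross-certificate.
CROSS_CERTS: List[CrossCert] = [
    ("Federal Common Policy CA G2", "Example Agency Issuing CA"),
    ("Federal Common Policy CA G2", "Federal Bridge CA G4"),
    ("Federal Bridge CA G4", "Federal Common Policy CA G2"),   # the return cross cert
    ("Federal Bridge CA G4", "Example NFI Bridge CA"),
    ("Example NFI Bridge CA", "Federal Bridge CA G4"),
    ("Example NFI Root CA", "Example NFI Bridge CA"),
]
RETURN_CROSS_CERT: CrossCert = ("Federal Bridge CA G4", "Federal Common Policy CA G2")
# Anchors present in the (constructed) machine trust store: the distributed
# G2 root plus an NFI root that came in with some other product or policy.
TRUST_ANCHORS: Set[str] = {"Federal Common Policy CA G2", "Example NFI Root CA"}


def issuers_of(cross_certs: List[CrossCert]) -> Dict[str, Set[str]]:
    """Map each CA to the set of CAs that have issued it a certificate."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for issuer, subject in cross_certs:
        graph[subject].add(issuer)
    return graph


def build_paths(start: str, cross_certs: List[CrossCert], anchors: Set[str]) -> List[List[str]]:
    """Every simple certification path from `start` up to a trust anchor.

    The walk continues past an anchor that is itself cross-certified, because
    that is exactly how a path builder ends up at a longer, unexpected anchor.
    """
    graph = issuers_of(cross_certs)
    paths: List[List[str]] = []

    def walk(ca: str, path: List[str]) -> None:
        if ca in anchors:
            paths.append(path)
        for issuer in sorted(graph.get(ca, ())):
            if issuer not in path:          # simple paths only, no cycles
                walk(issuer, path + [issuer])

    walk(start, [start])
    return paths


def unexpected_paths(paths: List[List[str]], expected_anchor: str) -> List[List[str]]:
    """Paths that terminate somewhere other than the anchor the agency distributed."""
    return [p for p in paths if p[-1] != expected_anchor]


def distrust(cross_certs: List[CrossCert], cert: CrossCert) -> List[CrossCert]:
    """Inventory with one cross-certificate removed, modelling an untrust entry."""
    return [c for c in cross_certs if c != cert]


if __name__ == "__main__":
    before = build_paths("Example Agency Issuing CA", CROSS_CERTS, TRUST_ANCHORS)
    for p in unexpected_paths(before, "Federal Common Policy CA G2"):
        print("unexpected:", " -> ".join(p))
    after = build_paths("Example Agency Issuing CA",
                        distrust(CROSS_CERTS, RETURN_CROSS_CERT), TRUST_ANCHORS)
    print("after distrust:", after)
```

With the inventory as constructed, the agency CA reaches the distributed G2 root in one hop but also reaches the NFI root through G2, FBCAG4 and the NFI bridge; removing just the FBCAG4 to FCPCA G2 return cross-certificate leaves only the short path, which is the outcome the proposed troubleshooting section would describe.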

Comms Review of FICAM PM Guide

Description of Issue:

Content, links, graphics, format, and 508 review of FICAM PM guide.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

"EDIPI" Disclaimers and Explainers Needed

Description of Issue:

Scenarios:

  • Some civilian agencies have adopted the "EDIPI" nomenclature in their PIV credentialing
    • Notably: DHS
  • EDIPI is just one Dept of Defense identifier number from DoD data repositories
  • When the same nomenclature is used, there is a perception that the 10-digit value associated with PIV/CAC or similar are unique (as is) across all government. Conflicts arise.

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Fix PIV Issuer Information Table

Description of Issue:

The table header uses white text on a white background. Should be blue, but doesn't come through.

fpki/pivcas-and-agencies/

System Notification for: Federal Bridge CA G4 (intent to issue to IdenTrust Global Common Root CA)

The Federal PKI Management Authority shared the following System Notification:

  • Notice Date: April 2, 2021
  • System: FPKI Trust Infrastructure - Federal Bridge CA G4
  • Type: CA Certificate Issuance
  • Change Description: The Cross-certificate from the FBCA G4 to the IdenTrust Global Common Root CA is expiring on 8/21/2021. IdenTrust has requested a new 3-year cross-certificate be issued to this CA to continue their participation in the FPKI. The IdenTrust annual review package is next due to be submitted by 8/31/2021.
  • Contact: fpki dash help at gsa dot gov
  • Certificate Issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
  • Certificate Subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US
  • Certificate Revocation List: http://repo.fpki.gov/bridge/fbcag4.crl
  • Certificate Bundle (AIA): http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
  • Certificate Bundle (SIA): http://validation.identrust.com/roots/IssuedbyIGCRootCA1.p7c

This notification will be posted during next week's Pull Request.

Network authentication configurations to accept all Govt PIV/CACs

From hack the playbooks session

Description of Issue:

  • How do I configure my to accept any Govt User's PIV for Authentication
  • Network is the system, not an internet facing web application.

Use case:

As an agency, I have other government users on detail or working in my agency through cross-collaboration on special programs. These government users are provided a network account for my network, and I want to configure my network domain(s) to authenticate the user with their PIV/CAC credential without issuing a new PIV/CAC from my agency.

Details of Issue:

Challenges

  • I need to manage multiple trust stores for network authentication or federation services or VPN services
  • I want a list of certificates and configurations to support this
  • Only for other Government agency users
  • I want notification on when new Intermediate certificates are generated and a place for me and my engineers to poll these certificates if I need to update my trust stores
  • I want clear information on account linking options and what is the lowest common denominator that will work for all PIV/CAC credentials and associated certificates that have been issued and are valid today.

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

TBD

How to Digitally Sign and Encrypt Email- Guide for Agency employees and contractors

Copied from FPKI Guide. A user guide focused on cloud email. Cloud email because that is the technology direction.

Security/Manager Guide (?) - Alignment with 800-53 controls (?)
Engineer Guide - How to enable digitally signed and encrypted email in Office 365 and Gmail.
User Guide - How to sign and encrypt in email in Outlook for Web and Gmail / How to verify a digitally signed email.

Special Considerations - Archive and e-discovery of encrypted emails.

Update AltSecID Material to be a Playbook

Description of Issue:

Steps to consider implementing altsecids

  1. Determine how to populate the AltSecID field for all accounts that will use a smart card to logon. All non-privileged and privileged accounts.
  2. Populate all the AltSecID fields of all users with PIV Cards.
  3. Create a process to populate the AltSecID as new users are issued a PIV Card.
  4. Either certificate (PIV Auth or PIV Digital Signature) may be used to manually populate the AltSecID field, but the PIV Auth will be used for actual authentication.
  5. Once that is complete, change the local policy which will prevent the digital signing certificate from showing up.
  6. Change the registry setting on all domain controllers running the KDC service and restart the service.
  7. Additional user impact considerations. Hint box popping up.

Details of Issue:

Agencies are requesting updated guidance on how to migrate away from using the digital signature certificate for authentication.

References (Docs, Links, Files):

Common policy profile change mandated specific EKU on all certificates.

https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/common-change-proposal-2018-03.pdf

Possible Solution

Use of altsecids already exists. This updates that content to be more procedural ala a playbook.

If a New Page or Content is Needed, Expected Outcomes:

Step-by-step guide on how to implement altsecids

Link to the Content Page for Contributors:

https://playbooks.idmanagement.gov/piv/network/account/#implementing-altsecurityidentities-and-piv-certificate-mapping
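As an added example (not the playbook's own material), the following Python builds the altSecurityIdentities value for the issuer+subject mapping the steps above describe, taking care of the detail that most often trips up step 1: the DNs must be written in X.500 order (C first, CN last) with bare commas, the reverse of the display order used in certificate viewers and in the notices on this page. It also builds the issuer+serial form, which goes beyond the page's text. The issuer, subject and serial in the block are constructed samples.

```python
# Builds altSecurityIdentities values for PIV certificate mapping in AD.
# Format: X509:<I>issuer<S>subject, with each DN written in X.500 order
# (the reverse of the "CN=..., OU=..., C=US" display order) and no spaces
# after the commas.
from typing import List, Tuple


def parse_display_dn(display_dn: str) -> List[Tuple[str, str]]:
    """Split a display-order DN ("CN=Jane Doe, OU=People, O=..., C=US").

    Simple splitter: it assumes RDN values contain no commas, which holds for
    the FPKI issuer names quoted on this page; an escape-aware parser would be
    needed for arbitrary DNs. Malformed RDNs are rejected rather than guessed.
    """
    rdns = []
    for part in display_dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def to_x500_order(display_dn: str) -> str:
    """Reverse the RDN order and join with bare commas, as AD expects."""
    return ",".join(f"{a}={v}" for a, v in reversed(parse_display_dn(display_dn)))


def issuer_subject_mapping(issuer_dn: str, subject_dn: str) -> str:
    """X509:<I>...<S>... entry, the form the playbook steps populate."""
    return f"X509:<I>{to_x500_order(issuer_dn)}<S>{to_x500_order(subject_dn)}"


def reverse_serial_hex(serial_hex: str) -> str:
    """Byte-reverse a certificate serial for the issuer+serial form.

    AD's <SR> field holds the serial with its byte order reversed relative to
    the hex shown in a certificate viewer.
    """
    clean = serial_hex.replace(" ", "").replace(":", "").lower()
    if len(clean) % 2:
        clean = "0" + clean
    return "".join(clean[i:i + 2] for i in range(len(clean) - 2, -1, -2))


def issuer_serial_mapping(issuer_dn: str, serial_hex: str) -> str:
    """X509:<I>...<SR>... entry; goes beyond the page's issuer+subject form."""
    return f"X509:<I>{to_x500_order(issuer_dn)}<SR>{reverse_serial_hex(serial_hex)}"


# Constructed sample values (the issuing CA, subject and serial are invented).
SAMPLE_ISSUER = "CN=Example Agency PIV CA, OU=Certification Authorities, O=U.S. Government, C=US"
SAMPLE_SUBJECT = "CN=Jane Doe, OU=People, O=U.S. Government, C=US"
SAMPLE_SERIAL = "01 02 ab"

if __name__ == "__main__":
    print(issuer_subject_mapping(SAMPLE_ISSUER, SAMPLE_SUBJECT))
    print(issuer_serial_mapping(SAMPLE_ISSUER, SAMPLE_SERIAL))
```

Applying the value is then a one-liner in PowerShell, for example `Set-ADUser -Identity <samAccountName> -Add @{altSecurityIdentities=$value}`; because both PIV certificates on a card usually carry the same issuer and subject, the issuer+subject entry works whichever of the two (step 4) is used to read the DNs.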

Error logging to enable on domains for troubleshooting

Add information, configurations and scripts for which error logs to enable on network domains for enterprise engineers to troubleshoot.

List of the common errors encountered mapped to primary and secondary troubleshooting specific to federal agencies

Fix Search Result Titles

Description of Issue:

The playbook search result title shows as "FICAM Playbook" rather than the actual page title.

(Screenshot attached: search result page, 2021-03-24)

Details of Issue:

Should say the page title.

Possible Solution

Look at the page template.

Which platforms break when not using principal name?

We need some feedback here to understand any repercussions with not using Principal Name mapping for network.

Primarily for common implementations and office automation tools (cloud email providers, common federation services).

MacOSX and Network Auth

For MacOSX and network authentication (aka bound to a network domain), NIH has a private repository for a plugin that builds upon the native smart card APIs.

There are also commercially available options.
Need to add a section under network for MacOSX and considerations.

Update Max Width

Description of Issue:

Too much space on the side of the pages layout.

Details of Issue:

Look at the grid-container to fix the max width setting.

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Comms Review of PACS Guide

Description of Issue:

Content, links, graphics, format, and 508 review of PACS Guide.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Comms Review of FICAM Arch Guide

Description of Issue:

Content, links, graphics, format, and 508 review of FICAM Arch guide.

Details of Issue:

References (Docs, Links, Files):

If a New Page or Content is Needed, Expected Outcomes:

Link to the Content Page for Contributors:

Check out "WinCrypt SSH Agent" project for Windows PIV/CAC

Description of Issue:

WinCrypt SSH Agent looks like a promising option for SSH authentication by CAC/PIV users. If it tests out well, it may be worth mentioning in the Windows section of the Engineering Guides - Enable SSH as others may not be aware of this project's existence.

Details of Issue:

I recently hit a snag with the current version of PuTTY/PuTTY-CAC and RHEL 8 STIG settings, so I started looking for some other options. I came across this repository that looks quite promising as it would allow CAC/PIV authentication using the Windows native OpenSSH implementation.

I'd be interested in what other CAC/PIV users think.

References (Docs, Links, Files):

WinCrypt SSH Agent on GitHub

Search.gov Integration

Description of Issue:

Search is not fully integrated with pacs.idmanagement.gov.

Details of Issue:

IDManagement.gov search results do not present items from the pacs.idmanagement.gov site.

Steps to recreate issue:

  1. Identify a phrase on the site (for example "Credential holder data repository", hosted on "https://pacs.idmanagement.gov/what-is-pacs/").
  2. Paste the phrase in the search box and submit.
  3. Review the results page.

Steps taken to resolve issue:

  1. Reviewed config.yml.
  2. Compared configuration across playbook sites where search is functional.
  3. Enabled the sitemap gem as requested by the Search.gov support team. Confirmed indexing was successful.
  4. Awaiting feedback from the Search.gov team on next steps.

References (Docs, Links, Files):

N/A

If a New Page or Content is Needed, Expected Outcomes:

N/A

Link to the Content Page for Contributors:

N/A
