Category III: Foreign, Allied, or Coalition Partner PKIs or other PKIs
Foreign, Allied, or Coalition Partner PKIs and other PKIs are categorized in the DoD External Interoperability Plan as Category III PKIs. In addition to meeting the technical requirements, a Category III PKI must sign a Cross Certification Agreement (CCA) and must be sponsored by a DoD relying party. For Combined Communications-Electronics Board (CCEB) partners, the CCA will comply with Allied Communications Publication (ACP) 185, the framework for PKI interoperability between CCEB partner nations.

The Australian Defence Organisation (ADO) PKI provides PKI credentials to military and civilian personnel. Subscribers are individuals approved as having a requirement to be authenticated as affiliated with the ADO, including:
- Defence personnel (permanent and reserve members of the Australian Defence Force (ADF), and Australian Public Service (APS) employees)
- Members of the ADF Cadets
- Contractors, consultants and professional service providers (individuals)
- Other individuals approved by ADO as having a requirement for an ADO Certificate

Secure Communications Resource Certificates are issued only to non-person entities (NPEs), not to individuals.
For CCEB PKIs, cross-certificate trust is the DoD-recommended trust model for PKI validation. Unless an application specifically prevents the use of cross-certificates, Direct Trust should not be used, since relying party systems may inadvertently inherit trust from unapproved PKIs that are cross-certified with ADO. To trust the ADO PKI via cross-certificate trust, install the US DoD CCEB Interoperability Root CA 2 trust anchor on your public key-enabled system. For systems that do not support dynamic certificate path building, the entire cross-certificate chain must be installed. The Direct Trust chain is provided but should be used only on systems incapable of processing cross-certificates. Any Direct Trust implementation must also use the Trust Anchor Constraints Tool (TACT) or implement another OID and name constraint filtering mechanism to prevent acceptance of certificates from unapproved PKIs and/or assurance levels.
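As an added illustration (not part of this page, and not the TACT tool itself), the following Python models the OID and name-constraint filtering described above: a PKI that ADO has cross-certified but DoD has not approved chains cleanly under a directly trusted ADO root, and only the constraints pinned to the anchor reject it. All certificates, DNs and policy OIDs below are constructed placeholders; the real approved assurance-level OIDs are listed in Section 5.24 of the DoD Approved External PKIs Master Document.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: tuple       # DN as RDNs from the root down, e.g. ("C=AU", "O=ADO", "CN=...")
    issuer: tuple        # issuer DN in the same form
    policies: frozenset  # OIDs asserted in the Certificate Policies extension

@dataclass(frozen=True)
class AnchorConstraints:
    # Hypothetical model of what a TACT-style filter pins to a directly trusted anchor.
    approved_policies: frozenset  # approved assurance-level OIDs (Master Document 5.24)
    permitted_subtrees: tuple     # name subtrees the anchor is allowed to vouch for

def _in_subtree(dn, subtree):
    return dn[:len(subtree)] == subtree

def validate(chain, anchor, constraints):
    """chain is leaf-first; its last cert must be issued directly by anchor.
    Returns (accepted, reason)."""
    for cert, issuer in zip(chain, chain[1:] + [anchor]):
        if cert.issuer != issuer.subject:
            return False, "broken chain at " + cert.subject[-1]
    # Name constraints apply to every certificate below the anchor, so a cross-
    # certified foreign root (subject outside the permitted subtree) is cut off here.
    for cert in chain:
        if not any(_in_subtree(cert.subject, s) for s in constraints.permitted_subtrees):
            return False, "subject outside permitted name subtrees: " + cert.subject[-1]
    # The end-entity certificate must assert at least one approved assurance level.
    if not chain[0].policies & constraints.approved_policies:
        return False, "no approved assurance-level OID asserted"
    return True, "accepted"

# Constructed test data. OIDs are placeholders, not the real ADO policy OIDs.
APPROVED = frozenset({"PLACEHOLDER-OID-ado-approved-assurance"})
ADO_DN = ("C=AU", "O=ADO")
ADO_ROOT = Cert(ADO_DN + ("CN=ADO Root CA",), ADO_DN + ("CN=ADO Root CA",), frozenset())
CONSTRAINTS = AnchorConstraints(APPROVED, (ADO_DN,))
ADO_SUB = Cert(ADO_DN + ("CN=ADO Issuing CA",), ADO_ROOT.subject, frozenset())
ADO_USER = Cert(ADO_DN + ("CN=Jane Citizen",), ADO_SUB.subject, APPROVED)
ADO_TEST = Cert(ADO_DN + ("CN=Test Account",), ADO_SUB.subject, frozenset({"PLACEHOLDER-OID-test"}))
# A PKI that ADO has cross-certified but DoD has not approved: with unconstrained
# Direct Trust in ADO_ROOT this path would otherwise build and validate cleanly.
OTHER_ROOT = Cert(("C=XX", "O=Other PKI", "CN=Other Root"), ADO_ROOT.subject, frozenset())
OTHER_USER = Cert(("C=XX", "O=Other PKI", "CN=Someone"), OTHER_ROOT.subject, frozenset({"PLACEHOLDER-OID-other"}))

if __name__ == "__main__":
    for chain in ([ADO_USER, ADO_SUB], [ADO_TEST, ADO_SUB], [OTHER_USER, OTHER_ROOT]):
        print(chain[0].subject[-1], validate(chain, ADO_ROOT, CONSTRAINTS))
```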
See the DoD PKI External Interoperability FAQ for more information on DoD approved partner PKI credentials.
Australian Defence Organisation (ADO)
Current Certification Authorities (CAs) Details | See Section 4.4.1 of DoD Approved External PKIs Master Document |
Current CA Certificates | See Australian_Defence_Organisation folder in DoD Approved External PKI Certificate Trust Chains zip |
Approved Certificate Assurance Levels* | See Section 5.24 of DoD Approved External PKIs Master Document |
Certificate Revocation List (CRL) Distribution Points** | See Australian Defence Organisation section of DoD Approved External CRL Distribution Points (CRLDPs) |
Online Certificate Status Protocol (OCSP) Responder URL(s)** | See Australian Defence Organisation section of DoD Approved External OCSP URLs |
Performs CA Rekeys? | No |
*As represented by OIDs listed in the Certificate Policies extension of the partner certificate; a certificate must assert at least one approved assurance level to be acceptable for use.
**Note: These lists are developed and maintained by DoD PKE based on CRLDP and AIA OCSP values asserted in sample certificates provided to DoD by the partner PKI for testing; they are provided for ease of reference and may not be exhaustive in all cases. Any CRL URL asserted in a CRLDP extension or OCSP URL asserted in an AIA extension of an approved certificate is approved for use by DoD relying parties.