May 30th – 31st, 2006
Sheraton Ottawa

HSPD-12 / FIPS 201

Jon R. Wall
Security / IA, US Public Sector
Microsoft Corporation

Agenda
  HSPD-12 / FIPS 201 Overview
  Technology – Things in the design to consider
  Policy / Process – Considerations beyond network login
  Policy / Process – Card life cycle management

HSPD-12…
  Secure and reliable forms of identification:
    issued based on sound criteria for verifying an individual employee's identity;
    strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
    can be rapidly authenticated electronically; and
    issued only by providers whose reliability has been established by an official accreditation process

HSPD-12 – Summary View
  Create a trusted, interoperable and secure credential for logical and physical access
  One of the biggest challenges facing Government and Business today
  Must be addressed by commercial software products designed to meet the challenges and remove technology risk for the customer
  Pick one?
    Identification
    Authentication
    Authorization

PIV-1 – Setting the Foundation
  All about issuing a credential in a trusted fashion
  Workflow is the foundation of a successful implementation
    Not only enrollment:
      Recovery / Replacement
      Unblocking
      Renewal
      Revocation
    Roles
    Trust Model
  Need to leverage existing infrastructure like Active Directory as the backbone

PIV-2 – Bringing Everything Together
  Brings standards and technologies together
    Smart card applets (card edge)
    Smart card middleware
    Biometrics
  Need to keep the technology componentized
    All of these moving pieces will have their own release schedules and issues
  Need to implement the solution in layers with vendors committed to working together

FIPS 201
  Use commercially available products with roadmaps that will support FIPS 201
    Today and tomorrow
  Separate the solution into well defined component areas
    Don't build monoliths
  Derive additional value
    Smart card logon
    Secure email
    VPN
    Wireless

Components – FIPS 201 Solution: Directory
  Central repository for all user information
  Available group information
  Available permission information
  Should be the 'backbone' of the system
  Existing investments

Components – FIPS 201 Solution: Certificate Authority
  The root of trust
  Can be in-house or out-sourced
  Integrates with the directory for certificate publishing
  Should be cross certified

Components – FIPS 201 Solution: Hardware Security Module
  Adds FIPS 140-2 Level 3 Certification
  Provides secure foundation to protect certificate issuance and enhance key management policies
  Includes multi-layered authentication capabilities

Components – FIPS 201 Solution: Management System
  Provides management workflows for all tasks
  Leverages the directory for user, group and permission information
  Abstracts the complexity associated with card management, digital certificate management, biometrics and others

Components – FIPS 201 Solution: Smart Card
  Provides standards compliant smart card
  Provides FIPS compliant middleware
  Provides both logical and physical access features

FIPS 201 Solution – Implementation Options – Hybrid PKI
  Outsource PKI / smart card processes – SSP
    In compliance with EOP guidance in OMB memo M-05-05
    High assurance/availability services for end-user login
    Requires use of a certified Shared Service Provider (SSP)
  Run internal PKI for infrastructure use
    Domain controller certificates issued internally
    Leverage auto-enrollment/renewal of MS CA
    Use SSL certificates for internal web services from internal CA
    No need for external root for internal services
  Best option to meet FIPS requirements
    Best leverages existing investments
    Provides optimal infrastructure management control
    Follows OMB guidance

Shared Service Provider Program
  General Services Administration launched program in 03/04
  Enables Federal agencies to leverage outsourced PKI services
  Supports objectives of HSPD-12
    Facilitates issuance of credentials to Agency employees and contractors
  Federal Agencies' use of SSPs mandated by OMB memo M-05-05

Leveraging MS Platform – Value from Agency EAs
  Windows Server 2003
    Certificate Authority part of the platform
  MIIS
  Exchange
  BizTalk
  Visual Studio

Leveraging MS Platform – How Microsoft PKI Works
  The Microsoft PKI includes certificates, certificate templates, certificate services, certificate enrollment, Web enrollment pages, smart card support, and public key policies.
  Because the Microsoft PKI relies on Active Directory, administrators can use Group Policy Objects (GPOs) to affect the CA's operation. For example, a certificate template can be configured for machine authentication that supports auto-enrollment and renewal. Once this is configured using GPO and CA templates, every machine in the Forest can request, receive and install a certificate that identifies the machine without needing any action by the Administrators or end-users.
  One example that can provide a significant cost avoidance is in the area of internal SSL certificates.

Leveraging MS Platform – Infrastructure PKI uses
  Domain Controller Certificates
  IPSec
  Wireless 802.1x
  VPN
  Internal SSL
  Machine Authentication
  NAP
  Network (Router, Firewall..)
  Code Signing

MS Case Study
  Internal PKI to support Corporate wide 802.1x Wireless network
    Improved employee productivity
  Two Factor VPN using Machine Authentication Certificates
  Using Smart Cards
    Administrator Smart Card use for High Value resource Management
    Separate Smart Card – 6 Month validity period

Agenda part two
  Technology – Things in the design to consider
  Policy / Process – Considerations beyond network login
  Policy / Process – Card life cycle management

US Govt.
  No Single Root
  Strong single focus on humans
  FBCA – Federal Bridge Certificate Authority
  SSP – Shared Services Provider
    Properly qualified provider of PKI services for the government
    Governed by Authentication and Identity Policy Framework
      Federal Common Certificate Policy
      Federal Smart Card Policy
      Federal Identity Assurance Policy

US Govt.
  Each federal government entity that desires to stand up a PKI is required to do so under the Federal .gov root CA
    Certain existing systems are exempt; most existing systems have a sunset date after which they must transition to SSP
  Migration to smart card based Identification Cards – token solution already in place
  Repeatable "approved" solution approach

US Govt.
  GSA will establish the .gov root CA
  SSPs will operate as subordinate CAs under the .gov root CA
  The .gov root CA will be cross certified with FBCA – interoperability
  Operate under Common Certificate Policy
    Certificate Practice Statement (CPS) / Registration Practice Statement (RPS) approved by PA

DoD
  Separate PKI
  Separate Program for Contractors
  Issues with Coalition partners
  Cross Certification with rest of US Govt.
  No Cross Certification with Industry

Questions I Get
  (insert agency name): can we have our root published in the Windows Root Certificate list?
  (insert System Integrator name): can we cross certify with the DoD / US Govt.?
  Higher Education cross certification
  Will MS cross certify with X?
  What about bridge of bridges?
  Path Processing
  Your CA is not certified

Track Govt. Stds
  NIST – FIPS 201: http://csrc.nist.gov/piv-program/fips201-support-docs.html

User identity
  E-mail address (…@US.GOV)
  Issuance process
  Cross Certification
  User Certificate structure
  What system initiates eID establishment?
    HR
    Physical Access
    Payroll
    Security
    Other

User identity
  Cross Forest impact
  S/MIME – Suppress name check
  CRL – HTTP – LDAP
  RFC 822 – email
  Encryption Key Escrow

Smart Card Design – Card Layout
  Contact / Contactless
  Location of Chip
  Mag Stripe
  Card Size 64K?
  Biometric data?
  Card Life time
  Card use –

Policy / Process – Legacy Integration
  HR systems
    New Hire
    Inter-agency transfer
    Agency transfer
    Temporary work force
    Contractor
    Retirement
  CA Key roll over
    Root life time
    Policy life time
    Issuing life time 3 – 2 – 1
  Actual Certs?
    DC
    User Auth
    IPSec
    Admin

Policy / Process – Physical Access
  Number / Type of systems
    Govt. Buildings
    Leased Space
  Ability to integrate with network systems
  Guard Desk Training
  Visit request

Policy / Process – Deployment Considerations
  End User training
  Support Desk training
  Policy Impact
    Smart Card login allowed / required
      Machine GPO
      User Account
    Smart Card removal
    Administrator use
    Contractor use?

What happens @ 10K feet – Smart Card Logon
  Components in the diagram: Reader, SC (smart card), LSA, Kerberos, KDC
  1 Card insertion causes Winlogon to display GINA
  2 User inputs PIN
  3 GINA passes PIN to LSA
  4 LSA accesses smart card and retrieves cert from card
  5 Kerberos sends certificate in a PKINIT login request to the KDC
  6 KDC verifies certificate then looks up principal in DS
  7 KDC returns TGT, encrypted with a session key which is in turn encrypted using user's public key
  7.5 Verifies DC certificate
  8 Smart card decrypts the TGT using private key allowing LSA to log user on

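The flow on this slide as an added model, not code from the presentation or from Windows (Go chosen for its standard-library RSA and X.509): a constructed root CA issues a card certificate; the KDC side verifies it against its trusted roots, maps the RFC 822 name to an account in a constructed directory, and returns a TGT sealed under a fresh session key that only the card's private key can recover, so a card from an untrusted issuer or with no mapped account never gets a ticket. Real PKINIT uses ASN.1 messages, Kerberos encryption types and usually a UPN in the SAN; the names ("Agency Root CA", jon@agency.example, AGENCY\jon), the directory, the AES-GCM/RSA-OAEP layering and the ticket bytes here are all constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed directory service: RFC 822 name on the card certificate -> account (the step 6 DS lookup).
var directory = map[string]string{"jon@agency.example": "AGENCY\\jon"}

// issue mints a self-signed root CA when parent is nil, otherwise a card certificate signed by caKey.
func issue(cn, email string, pub *rsa.PublicKey, parent *x509.Certificate, caKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	if parent == nil {
		parent, tmpl.IsCA, tmpl.KeyUsage = tmpl, true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else { // card certificate: client authentication plus the e-mail name the directory lookup keys on
		tmpl.ExtKeyUsage, tmpl.EmailAddresses = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []string{email}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// asRep is the step 7 reply: the TGT sealed under a session key that is itself sealed to the card's public key.
type asRep struct{ SealedKey, Nonce, SealedTGT []byte }

// kdcHandle is the KDC side (steps 6 and 7). The step 5 request is just the card certificate: the PIN never
// left the client, it only unlocked the card for the LSA. The ticket bytes are a constructed stand-in.
func kdcHandle(card *x509.Certificate, roots *x509.CertPool) (asRep, error) {
	if _, err := card.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return asRep{}, fmt.Errorf("card certificate rejected: %w", err)
	}
	names := append(card.EmailAddresses, "") // "" never maps, so a card without a name is rejected too
	account, ok := directory[names[0]]
	if !ok {
		return asRep{}, fmt.Errorf("no account mapped to card identity %q", names[0])
	}
	session, nonce := make([]byte, 32), make([]byte, 12) // fresh per logon; AES-GCM stands in for the Kerberos etype
	rand.Read(session)
	rand.Read(nonce)
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, card.PublicKey.(*rsa.PublicKey), session, nil)
	if err != nil {
		return asRep{}, err
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	return asRep{sealedKey, nonce, gcm.Seal(nil, nonce, []byte("TGT for "+account), nil)}, nil
}

// cardUnseal is step 8: only the card's private key recovers the session key; the LSA then opens the TGT.
func cardUnseal(rep asRep, cardKey *rsa.PrivateKey) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardKey, rep.SealedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(session)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, rep.Nonce, rep.SealedTGT, nil)
}

// logon runs the flow end to end for a card issued to email; trustIssuer decides whether the issuing root
// is among the KDC's trusted roots (the "Domain Controller needs to trust both Roots" requirement).
func logon(email string, trustIssuer bool) (string, error) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	root := issue("Agency Root CA", "", &rootKey.PublicKey, nil, rootKey)
	cardKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	card := issue("Card Holder", email, &cardKey.PublicKey, root, rootKey)
	roots := x509.NewCertPool()
	if trustIssuer {
		roots.AddCert(root)
	}
	rep, err := kdcHandle(card, roots)
	if err != nil {
		return "", err
	}
	tgt, err := cardUnseal(rep, cardKey)
	return string(tgt), err
}
```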
What is Required – The Basics
  End User Card – and knows what PIN is
  PC / Laptop needs SC Reader
  PC / Laptop needs Middleware
  PC / Laptop needs to trust User issued Root
  Domain Controller needs Certificate
  Domain Controller needs to trust both Roots
  User account mapping to Card identity!

What is Required – Not so Basics
  Customer CRL size 40+ Meg
  Published to LDAP only – no HTTP points
  Various Cards in use
  Various Middleware in use
  OCSP Client
  OCSP Server
  OCSP on DC?
  DC Certificate management

Use Case for testing
  User Scenario Group 1
    Road Warriors with inoperative smart card or smart card reader and no direct network access
    Road Warriors with PIN locked on Smart Card
  User Scenario Group 2 – Regular PC users
    Forgotten card or bad card at work
    Reversed: forgotten card (left in office) and no card at home
    PIN Reset

Use Case for testing
  User Scenario Group 3 – Mobile Device Users
    Mobile Device Users
  User Scenario Group 4 – Service/Test Account Users
    Personal Service Account (both system and applications)
    Test Account Users can't use smart card
  User Scenario Group 5 – System Administration
    No reader sharing device at data center/lab
    Remote Administration

Use Case for testing
  Scenario Group 6 – Applications
    Intranet Web Applications
    Extranet Web Applications
    Non Web Apps
    3rd Party Products
    Legacy Applications

Exception Planning
  Some accounts can not use SC…
    Functional accounts (training, watch stander, etc)
    Accounts for Temps and volunteers
    Development Lab
    SW testing lab
  'Exception' accounts must be identified by organization
    What is the Exception process?
    How long is an Exception valid?
    What moves an account from one state to the other?
    What about others on network?

Business Process Impact
  Track and analyze impact to business processes:
    In processing
    TDY
    Out processing
    Joint – business partners
    COOP / CONOP – planning
    Disconnected networks
    Local Services
    Non MS CA DC certificate lifetime

Other planning areas
  Organize and update Reference paper to address:
    Known Issues and status
    Implementation options
    KB articles / references
    Best Practices for implementation, exception handling and roll back
  Communication Plan:
    Who to report issues to (MS and other vendors)
    How to track issues and status
    How to distribute knowledge within Service, across Services, Contractors, others
    Resolutions

Smartcard Lifecycle – Deployment Stages
  Initial Issuance
  PIN unblock
  Renewal
  Retirement
  Revocation
  Forgotten Smart Card

PIN Unblock – Planning Considerations
  Users do forget their PINs
  Questions to consider:
    Can a user initiate the unblock process?
    What software is required at the client?
    Does the client have to be connected to the network or to the Internet for the unblock process?
    Does the smart card's SDK provide tools?
    How does the user prove who they say they are before initiating the unblock process?

Smartcard Renewal – Lifecycle planning
  How does the renewal process differ from the enrollment process?
  Does the user have to go through the identity validation process:
    Every year
    At regular intervals (every three, five, or seven years)
    Never, ever again
  Will the user have to connect to a portal or can the process be performed through autoenrollment?

Revocation – Disaster and recovery planning
  Who is responsible for reporting a smart card lost?
  Who performs the actual revocation of the smart card?
  Will the user be allowed to log on with a password in the interim?
  What revocation reason is provided for the lost smart card?
  What about data encrypted with card?
  What if the smart card is just misplaced…

Temporary Smartcards – Lost and Forgotten cards
  Can you deploy temporary smart cards?
    Limited lifetime
    Does not replace the original smart card
    Only if the location of the smart card is known!
  Determine what issuance process is required
    Does it match the initial issuance process?
    What identification must be shown, especially if the smart card is also the employee badge?
    Who issues the temporary smart cards?

Smartcard Limitations – Current Challenges
  Connecting to Windows 2000 Terminal Services
  Connecting to Dial-up and VPN connections hosted by an ISP
  Performing cross-forest authentication in Windows 2000
  Adding a new computer to the domain
  Authenticating against Outlook Web Access with basic or form-based authentication
  Windows Vista reduces the list!

Smartcard Limitations – Current Challenges
  Authenticating applications that are non-Kerberized
  Storing EFS encryption certificates
  Storing EFS recovery certificates
  Hosting multiple user credentials for authentication on a single smart card (e.g. your user and administrative account)
  Windows Vista reduces the list!

Vista Feature Summary
  Smart Card Logon Enabled – insert reader, enable card @ logon
  Improved Logon Performance
  Integrated PIN Change & Unblock components in Logon screen
  Smart Card KSP for Windows Vista and beyond
  ECC Card Module support built-in
  Support for Multiple Certificates per Card
  User Access Control Support

Protocols: OCSP Responder
  Online Certificate Status Protocol Responder
  RFC 2560 compliant
  Focus on performance, scalability and manageability
  [Diagram components: OCSP Client (CAPI 2), Web Proxy, Online Responder, Management, HTTP, DCOM, CRL, MSFT CA, Other]

Smart Card Certification Center
  New certification and logo program for smart card modules
  Ensures quality and interoperability
  Enables online distribution of card modules
  Expands card ecosystem on Windows
  Planned start of operation: Q1/2006