HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl

HEPKI-TAG Activities Sponsors: I2, Educause, CREN, Charter – Technical Activities Group (TAG) –Certificate profiles, CA software –Private key protection –Mobility, client issues –Interactions with directories –Testbed projects –Communicate results

Survey of Anticipated Campus PKI Applications Schools participating in the HEPKI work were surveyed on anticipated uses for PKI on campus HEPKI-TAG PKI Applications Survey

Certificate Profile Work A per-field description of certificate contents –Standard and extension fields –Criticality flags –Syntax of values permitted per field Spreadsheet & text formatsSpreadsheettext Higher education profile repository –

Certificate Profiles Validity Period –Wide variation from per-session to one year –Long term: expiration synchronized to semester Some form of assurance level indicator –Explicit extension –Policy OID –In issuer field Key usage –Some certificates employ Key Usage field

PKI Complexity and Applications You often hear of PKI as a solution for: –Authentication for high-assurance processes Funds transfer Medical records Student grades –Digital signatures Contracts Other legal documents But, can’t it also be a good fit as a technology that is better than passwords but less than a high-assurance CA?

PKI-lite Project Premise: many useful PKI applications can be supported using a relatively simple PKI –Simplified policy & practices Do we have large complex policies and practices for we operate our existing systems? –Examples of existing campus assurance levels Passwords on large central systems ID card system

PKI-lite Project Assumptions Overarching goal – simplify –Use PKI technology with existing application policy and practices PKI-lite design objectives –S/MIME –Web authentication Specify as little as possible –But provide suggested answers and templates

PKI-lite Technical Assumptions Certificate revocation capability is up to the institution and is not required Key usage will not be specified No requirement for separate signing and encryption certificates No requirements for key escrow Fully on-line CAs are allowed. PKI-lite does not specify the level of protection for the campus CA Simplified user identity assurance

PKI-lite Certificate Profile Single common profile supporting –Web authentication –S/MIME Relatively stable –in final review since December PKI-lite Certificate Profile

S/MIME Testing Outlook, Outlook Express, Netscape –General interoperability OK at the level –Users can choose to sign, encrypt, or both –Clients use different certificate stores Certificate management issues Eudora with tumbleweed plug-in S/MIME support in other clients lacking

S/MIME Testing Outlook certificate quirk –Requires both signing and encryption certificates –So, watch key usage field Encryption issues –Folder storage Sent mail Inbox Folders –Private key backup and management Escrow Backup

S/MIME Testing Message forwarding to alternate inbox –Some mailers may tamper with the message contents Mailing list software –Conversion of tabs to spaces –Deletion of trailing blanks, tabs –List configuration options Opaque signing –A solution –Interoperability S/MIME & perfect privacy? – The address book problem

PKI-lite Campus Infrastructure Issue certificates –Contract with commercial CA –CA Software –Freely available certificates for testing Authentication for web applications –Many ways: mod_ssl & Apache S/MIME –Clients –Directory –Documentation & certificate management recommendations

HEPKI-Tag Projects and Demonstrations Certificate Profile Maker –Web interface –Generates XML HEPKI-CA –A demonstration CA PKI Authentication Demo –Accepts certificates from various participating schools Institutional root certificate repository –Download institutional/organizational root certificates

CA Private Key Protection Issues –CA Private Key is the root of all trust –Private key storage options Clear text storage on disk Encrypted storage on disk On hardware device –Physical protection of CA Locked doors and racks OS Configuration –Multi-level solutions –Jeff Schiller draft on TAG websitedraft

The Mobility Problem A definition: the ability to use the same cert/key-pair from multiple computers Some scenarios: –Move to a new computer –Users with work and home computers –Students and a public lab environment

The Mobility Problem Do mobility requirements depend on the application? –Web-auth and an on-line CA –S/MIME Mobility needs and assurance levels –Impact on non-repudiation? Solution space: hardware and software mechanisms

Hardware Tokens External hardware devices –Memory-only devices –Key-pair generation Private key import? –PIN protection scheme –Physical security –Provides dual-factor authentication –USB and various other reader interfaces

Hardware Token Examples: Smart Cards Default behaviors –Customized programming can change behavior Dual user/admin PIN systems –Card locks after x user-pin attempts –Fuse opens after y admin pin attempts Single PIN/Reinitialize systems –Card blocks after x user-pin attempts –Card can be reset back to factory state and reused

Software-based Solutions Issues –Overall level of protection –Authenticating the user –Non-repudiation? Floppy disk and import/export IETF SACRED SingleSignon.net

Discussions and projects HEPKI-TAG Website –Recommendations –Information for those starting on PKI References How-to information Certificate profiles Minutes and survey data –

Project Participation Much work remains –Research and recommendations –Pilot projects –Mobility –S/MIME Project –Consider participating in HEPKI-TAG if you are working on a PKI deployment

Where to watch middleware.internet2.edu PKI for Networked Higher – PKI Labs –middleware.internet2.edu/pkilabs