HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

Slides:



Advertisements
Similar presentations
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Advertisements

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Deploying and Managing Active Directory Certificate Services
SAFE BioPharma Association CONFIDENTIAL1 SAFE Public Key Infrastructure (PKI) 2005 EDUCAUSE/Dartmouth PKI Deployment Summit.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
US Higher Ed PKI Activities Internet2/EDUCAUSE ++ TF-EMC2 November, 2004 Amsterdam Michael R Gettes, Duke University TF-EMC2 November, 2004 Amsterdam Michael.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
The U.S. Federal PKI and the Federal Bridge Certification Authority
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.
The PKI Lab at Dartmouth. Dartmouth PKI Lab R&D to make PKI a practical component of a campus network Multi-campus collaboration sponsored by the Mellon.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed December 2004.
NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Higher Education Bridge Certificate Authority (HEBCA) Project Progress July 2004 Dartmouth PKI Summit.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.
1 11 th Fed/Ed PKI Meeting Some quick updates from recent HEPKI-TAG and SURA work Jim Jokl
1 Digital Credential for Higher Education John Gardiner August 11, 2004.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
1 PKI Update September 2002 CSG Meeting Jim Jokl
Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Johnson & Johnson’s Public Key Infrastructure Bob Stahl
HEPKI-TAG UPDATE Jim Jokl University of Virginia
1 PKI & USHER/HEBCA Fall 2005 Internet2 Member Meeting Jim Jokl September 21, 2005.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Configuring Directory Certificate Services Lesson 13.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
The NIH PKI Pilots Peter Alterman, Ph.D. … again.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Academia Sinica Grid Computing Certification Authority (ASGCCA)
Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Higher Ed Bridge CA Extending Trust Across Higher Education - And Beyond David L. Wasley University of California.
Pkiuniversity.com. Alice Bob Honest Abe’s CA Simple PKI hierarchy.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.
Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.
HEBCA – The Operating Authority July 2005 Dartmouth PKI Summit.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Copyright Statement Copyright Robert J. Brentrup This work is the intellectual property of the author. Permission is granted for this material to.
1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia.
Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.
HIMSS National Conference New Orleans Convention Center
Inter-institutional Trust Fabric Overview and Synergies
Fed/ED December 2007 Jim Jokl University of Virginia
September 2002 CSG Meeting Jim Jokl
Presentation transcript:

HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005

2 Topics HEBCA’s goals Progress to date Next steps Collaboration

3 HEBCA’s Goals Provide a mechanism for inter-institutional trust of PKI certificates –Policies –Technical infrastructure Cross-certify participants at appropriate levels of assurance Provide high availability online directory (x-cert lookup) and revocation services Dynamically add cross-certifications of existing CAs Cross-certify with other trust fabrics as appropriate (FBCA, USHER, SAFE, etc.)

4 HEBCA’s Goals (continued) Enable inter-institutional applications: Digital signatures on web forms, applications, reports, etc. Authentication to network services GRID authentication S/MIME signed Trust fabric for server identity certificates, Web Services Any PKI certificate path validation can use the bridge mechanism to impute trust and determine level of assurance.

5 Progress to Date Active and productive Policy Authority Most policy in place Many official docs approved Operating Authority nearly finished installing initial production infrastructure Audit agreements signed, audit starting Collaborating with USHER (policy, infrastructure, Registration Authority)

6 HEBCA Production Hardware

7 Progress to Date (continued) Hurdles overcome Invented techniques and procedures to operate a high assurance CA on a shoestring budget –Streamline everything –Air gap for offline CA automation Resolution of FBCA requirement for US citizenship of “trusted roles” personnel prior to cross-certification Discovered and worked around vulnerability in protocol for indirect CRLs

8 AirGap The Problem: –Offline CA –CRLs generation and publish every 6 hours –Need two trusted personnel present to access CA How do we staff this? Two people visit the machine room every 6 hours? No way!

9 AirGap USB flash device carries signed data between CA and Directory Storage is never connected to both devices at the same time – hardware enforces an “air gap” Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA Automated sneakernet equivalent!

10 AirGap Components (about $100 cost): –Sewell Manual Share USB Switch –5V relay –5V AC adapter –Power Timer –Simple debounce circuit –Crucial 1Gb Flash Disk –Cron jobs running on CA and online Directory server –Signed objects passed back and forth (CRL, revocation requests, certificate requests, etc.)

11 Next Steps Policies, procedures, and documentation finalized Dry run cross-certification with University of Virginia Audit Initialize production CA Production operations Market and cross-certify with customer CAs Cross-certify with FBCA, other bridges

12 HEBCA and USHER Collaboration Sharing infrastructure and implementation Single OA (Dartmouth) and single RA (Internet2) One CA implementation and system Much shared policy and documentation HEBCA and USHER are significantly cheaper to build and run collaboratively than separately.

13 For More Information HEBCA Website: OA Architect and Implementor Scott Rea - Mark Franklin –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.