PKI: Glue of Middleware Michael R Gettes, Duke University CAMP Enterprise Authentication Michael R Gettes, Duke University CAMP Enterprise Authentication.

Slides:

Advertisements

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

Advertisements

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.

NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.

NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.

Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

Got Directory? January 28, 2004 TIP metadirectory enterprise directory database departmental directories OS directories (MS, Novell,

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

PKI Georgetown University or Whaassuuuup PKI? Michael R. Gettes Lead Application Systems Integrator “LASI”

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.

US Higher Ed PKI Activities Internet2/EDUCAUSE ++ TF-EMC2 November, 2004 Amsterdam Michael R Gettes, Duke University TF-EMC2 November, 2004 Amsterdam Michael.

PKI: Glue of Middleware Michael R Gettes, Duke University EuroCAMP March, 2005 Michael R Gettes, Duke University EuroCAMP March, 2005.

The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.

PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed December 2004.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress July 2004 Dartmouth PKI Summit.

HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.

The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.

1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.

1 11 th Fed/Ed PKI Meeting Some quick updates from recent HEPKI-TAG and SURA work Jim Jokl

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

1 Digital Credential for Higher Education John Gardiner August 11, 2004.

EDUCAUSE PKI Working Group Where Are We and Where are We Going.

Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education.

David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.

Bridging Higher Education PKIs PKI Summit, August 2006 Snowmass, Colorado.

HEBCA Overview Internet2 Meeting, Fall 2002 Michael R Gettes Georgetown University

1 PKI & USHER/HEBCA Fall 2005 Internet2 Member Meeting Jim Jokl September 21, 2005.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

X.509/PKI There is progress.... Topics Why PKI? Why not PKI? The Four Stages of X.509/PKI Other sectors Federal Activities - fBCA, NIH Pilot, ACES, other.

Digital Signatures A Brief Overview by Tim Sigmon April, 2001.

The NIH PKI Pilots Peter Alterman, Ph.D. … again.

HEPKI-PAG Policy Activities Group David L. Wasley University of California.

NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.

Module 9: Designing Public Key Infrastructure in Windows Server 2008.

Federal and State PKI Bridge Evolution: Cutting Across Stovepipes EDUCAUSE 2000 October 12th, 2000.

PKI and the U.S. Federal E- Authentication Architecture Peter Alterman, Ph.D. Assistant CIO for e-Authentication National Institutes of Health Internet2.

Internet2 Middleware PKI: Oy-vey! Michael R. Gettes Principal Technologist Georgetown University

HEBCA Overview CSG, uWash, 2002 Michael R Gettes Georgetown University

The Federal PKI Or, How to Herd Worms Peter Alterman Senior Advisor, Federal PKI Steering Committee.

A community-based CA: The (slow) rise of the house of Usher (The CA former known as CREN)

Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

The Feds and Shibboleth Peter Alterman, Ph.D. Asst. CIO, E-Authentication National Institutes of Health.

Identity Federations and the U.S. E-Authentication Architecture Peter Alterman, Ph.D. Assistant CIO, E-Authentication National Institutes of Health.

PKI Session Overview 1:30 pm edt - Welcome, etiquette, session outline 1:40 pm edt - HEPKI-TAG Update (Jim Jokl, Virginia) 2:00 pm edt - HEPKI-PAG Update.

Higher Ed Bridge CA Extending Trust Across Higher Education - And Beyond David L. Wasley University of California.

Public-Key Infrastructure for Higher Education Mark Luker EDUCAUSE.

Day 3 Roadmap and PKI Update. When do we get to go home? Report from the BoFs CAMP assessment, next steps PKI technical update Break Research Issues in.

Electronic Security and PKI Richard Guida Chair, Federal PKI Steering Committee Chief Information Officers Council

Federal PKI Update Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Trusted Electronic Communications for Federal Student Aid Mark Luker Vice President EDUCAUSE Copyright Mark Luker, This work is the intellectual.

Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority Meet FedFed.

Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.

Interoperability and the Evolving Federal PKI Richard Guida, P.E. Member, Government Information Technology Services Board Chair, Federal PKI Steering.

1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia.

Federal Identity Management Overview and Current Status Dr. Peter Alterman, Chair Federal PKI Policy Authority.

Federal Initiatives in IdM Dr. Peter Alterman Chair, Federal PKI Policy Authority.

U.S. Federal e-Authentication Initiative

Internet2 Member Meeting

Inter-institutional Trust Fabric Overview and Synergies

Fed/ED December 2007 Jim Jokl University of Virginia

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Sixth Annual PKI Summit at Snowmass, Colorado August 2004.

Presentation transcript:

PKI: Glue of Middleware Michael R Gettes, Duke University CAMP Enterprise Authentication Michael R Gettes, Duke University CAMP Enterprise Authentication

Landscaping PKI Hierarchies and Bridges National PKI HEBCA, USHER, InCommon Gap Analysis Development and Cost Sharing EDUCAUSE and Internet2 Federation Crosswalk InCommon & US Federal Government eAuth (again!) I-CIDM and JSF PKI Hierarchies and Bridges National PKI HEBCA, USHER, InCommon Gap Analysis Development and Cost Sharing EDUCAUSE and Internet2 Federation Crosswalk InCommon & US Federal Government eAuth (again!) I-CIDM and JSF

Reminder … SSL/TLS SAML Browsers Servers Shibboleth Client PKI issues, CRLs, authentication SSL/TLS SAML Browsers Servers Shibboleth Client PKI issues, CRLs, authentication

Directories are part of the I in PKI Directory Centralized, automated Name Space VERY carefully controlled Users modify very little Priv’d access highly restricted Control considered necessary step for PKI to trust the directory Eventually, client, server and other certs/CRLs will be published in the directory. Directory Centralized, automated Name Space VERY carefully controlled Users modify very little Priv’d access highly restricted Control considered necessary step for PKI to trust the directory Eventually, client, server and other certs/CRLs will be published in the directory.

Are the Directories part of I in PKI? Kx509 (part of NMI distribution) Short-lived Certificates Avoids CRL and Directory Publications MIT 1 year certs, but people can get all they need using Kerberos Authentication But… A namespace infrastructure is still assumed and they all have it. Kx509 (part of NMI distribution) Short-lived Certificates Avoids CRL and Directory Publications MIT 1 year certs, but people can get all they need using Kerberos Authentication But… A namespace infrastructure is still assumed and they all have it.

PKI Basics (Hierarchies) ROOT X Y

PKI Basics (Bridges) ROOT X Y Directories

Multiple CAs in FBCA Membrane Survivable PKI Cross Certificates allow for “one/two-way policy” Directories are critical in BCA world. Clients changing Survivable PKI Cross Certificates allow for “one/two-way policy” Directories are critical in BCA world. Clients changing

Board of Instantiation and Development (BID) Clair Goldsmith, Chair, UT System Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia) EDUCAUSE: Luker, Worona Purpose is to instantiate a HE Bridge, organization and policy structures Foster Deployment and Development of Bridged PKI Clair Goldsmith, Chair, UT System Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia) EDUCAUSE: Luker, Worona Purpose is to instantiate a HE Bridge, organization and policy structures Foster Deployment and Development of Bridged PKI

Technical Policy PKI is 1/3 Technical and 2/3 Policy?

HEPKI Council Jack McCredie, Chair, UC Berkeley Michael Baer, Sr VP ACE Rich Guida, Johnson & Johnson Mark Luker, EDUCAUSE Mark Olson, EVP of NACUBO Dave Smallen, Hamilton College Nancy Tribbensee, ASU Not operational, policy and oversight Will approve the creation of the HEBCA Policy Authority Completed November 15, 2004 Charged with Higher Education direction and strategy for PKI initiatives, not just Bridge Jack McCredie, Chair, UC Berkeley Michael Baer, Sr VP ACE Rich Guida, Johnson & Johnson Mark Luker, EDUCAUSE Mark Olson, EVP of NACUBO Dave Smallen, Hamilton College Nancy Tribbensee, ASU Not operational, policy and oversight Will approve the creation of the HEBCA Policy Authority Completed November 15, 2004 Charged with Higher Education direction and strategy for PKI initiatives, not just Bridge

On Campus End Entity: Some schools, MIT, Dartmouth, UTHSC but not wide deployment in US. i2 trials on Doc Sigs Server Side and Infrastructure -- used all over the place but not yet well coordinated Lacking a national infra for Higher Ed HEBCA/USHER/InCommon/SAML PKI is just 18 months away (again!) :-) End Entity: Some schools, MIT, Dartmouth, UTHSC but not wide deployment in US. i2 trials on Doc Sigs Server Side and Infrastructure -- used all over the place but not yet well coordinated Lacking a national infra for Higher Ed HEBCA/USHER/InCommon/SAML PKI is just 18 months away (again!) :-)

PKI in HE – 5 likely “Killer Apps” Signed Stop identity spoofing from weak passwords, etc. Increase use of electronic commerce at campus & Institutional & national levels Windows and Office Applications Interop Shibboleth GRID Computing Enabled for Federations E-grants Faster, secured grant processing Faster (e-)payments More secured communications & fund Xfers Federal focus is on this initiative Signed Stop identity spoofing from weak passwords, etc. Increase use of electronic commerce at campus & Institutional & national levels Windows and Office Applications Interop Shibboleth GRID Computing Enabled for Federations E-grants Faster, secured grant processing Faster (e-)payments More secured communications & fund Xfers Federal focus is on this initiative

US Higher Ed Root:USHER CREN Root CA Version 2 To use ID Proofing policies of CREN augmented for InCommon Low Barrier to entry Coming from Internet2 Should be X-Certified with HEBCA Analog to US Federal Root CA CREN Root CA Version 2 To use ID Proofing policies of CREN augmented for InCommon Low Barrier to entry Coming from Internet2 Should be X-Certified with HEBCA Analog to US Federal Root CA

HEBCA Current Status HEBCA Certificate Policy (brother Wasley) Will develop CPS from this policy Dartmouth College Contracted to implement HEBCA in 12/03 EDUCAUSE funded Received AEG from Sun Microsystems ($50K) Equipment ordered and received Signing Hardware -- not yet. Working software agreement with RSA as first CA in bridge Maybe even further deal with Higher Ed for CA services & s/w Informal cross-certification with US Gov completed Will operate at High Level of Assurance HEBCA Certificate Policy (brother Wasley) Will develop CPS from this policy Dartmouth College Contracted to implement HEBCA in 12/03 EDUCAUSE funded Received AEG from Sun Microsystems ($50K) Equipment ordered and received Signing Hardware -- not yet. Working software agreement with RSA as first CA in bridge Maybe even further deal with Higher Ed for CA services & s/w Informal cross-certification with US Gov completed Will operate at High Level of Assurance

I-CIDM International Collaboration on Identity Mgmt Joint Strike Fighter Program Rules of Engagement Citizenship, Legal, Technical, Policy & Process (Criteria & Methods, CP/CPS, Corporate Policy) Principal Parties US Higher Education FBCA Pharmaceutical Industry (SAFE) Commercial Aerospace (JSF) Internationally Driven and Participation International Collaboration on Identity Mgmt Joint Strike Fighter Program Rules of Engagement Citizenship, Legal, Technical, Policy & Process (Criteria & Methods, CP/CPS, Corporate Policy) Principal Parties US Higher Education FBCA Pharmaceutical Industry (SAFE) Commercial Aerospace (JSF) Internationally Driven and Participation

HEBCA/USHER Synergy Sun Hardware Donation RSA/Keon Software Donation License covers Cert issuance for all PKI ops High Level of Assurance Separation of Duties Admin, Operator, Officer, Auditor Revocation and Citizenship Issues Ops(Dartmouth); Store(Internet2) Need to interoperate with US Feds Sun Hardware Donation RSA/Keon Software Donation License covers Cert issuance for all PKI ops High Level of Assurance Separation of Duties Admin, Operator, Officer, Auditor Revocation and Citizenship Issues Ops(Dartmouth); Store(Internet2) Need to interoperate with US Feds

InCommon & eAuth Federation interop with Shib (PKI in SAML) To ultimately use Bridge PKI as means of validating and locating members of OTHER federations InCommon CA to X-Certify with HEBCA or be signed by USHER having been X- Certified with HEBCA Shib+Grid to address some Grid issues HEBCA+Grid considered but no work yet See next slide… Federation interop with Shib (PKI in SAML) To ultimately use Bridge PKI as means of validating and locating members of OTHER federations InCommon CA to X-Certify with HEBCA or be signed by USHER having been X- Certified with HEBCA Shib+Grid to address some Grid issues HEBCA+Grid considered but no work yet See next slide…

Global? Trust Diagram (TWD)

PKIs HEBCAFBCA InCommon eAuth/JSF Non-US Gov US-Centric View of PKI World Industry Federations USHER FedRoot Non-US ???