PKI 150: PKI Parts, Policy & Progress, Part 2. Jim Jokl, University of Virginia; David Wasley, University of California.


Slide 2: Activities in other Communities
- PKIX: IETF standards for PKI
- Federal PKI work: csrc.nist.gov/pki/twg
- State governments: National Electronic Commerce Coordinating Council
- Medical community & HIPAA
  - HIPAA: Health Insurance Portability & Accountability Act, aspe.os.dhhs.gov/admnsimp/
  - CHIME: Connecticut Hospital Association CA
  - HealthKey: replicable PKI model for health care
  - Tunitas: consulting group

Slide 3: Activities in other Communities
- PKI Forum: vendor alliance to promote PKI
- Overseas: EuroPKI for higher ed
- Open source software
  - OpenSSL, OpenCA
  - Much open-source PKI work is done outside the US because of export restrictions

Slide 4: Federal Government Activities
- ACES certificates: Access Certificates for Electronic Services, hydra.gsa.gov/aces
- Citizen/government interaction: student loans, change of address, ...
- User authentication
- RA
- Financial model

Slide 5: Federal Government Activities
- Bridge Certification Authority
  - The federal government is a highly decentralized organization, which makes a single hierarchy more difficult
  - A CA trust list does not scale well
  - A Bridge Certification Authority (BCA) addresses these problems
  - Prototype: February 2000
  - Production planned for the first quarter of 2001

Slide 6: Higher Education Activities
- CREN CA
- PKI for Networked Higher
- PKI Labs: middleware.internet2.edu/pkilabs

Slide 7: Internet2 PKI Labs
- Dartmouth and Wisconsin computer science departments and IT staff
- Performing deep research, two to five years out
- Policy languages, path construction, attribute certificates, etc.
- A National Advisory Board of leading academic and corporate PKI experts provides direction
- Catalyzed by startup funding from AT&T

Slide 8: Higher Education PKI Activities - HEPKI
- Sponsors: Internet2, CREN, and EDUCAUSE
- HEPKI Technical Activities Group (TAG)
  - Open-source PKI software
  - Certificate profiles
  - Directory/PKI interaction
  - Validity periods
  - Client customization issues
  - Mobility
  - Inter-institution test projects
  - Technical issues with cross-certification

Slide 9: Higher Education PKI Activities - HEPKI
- HEPKI Policy Activities Group (PAG)
  - Certificate policy drafts
  - Sharing RFPs, vendor relations
  - State government activity, state laws
  - Federal agency interaction
  - Open records acts, FERPA
  - Campus educational materials
- HEPKI group information

Slide 10: Certificate Profiles
- A per-field description of certificate contents
  - Standard and extension fields
  - Criticality flags
  - Syntax of values permitted per field
- Spreadsheet format by R. Moskowitz
- XML and ASN.1 alternatives for machine use
- Higher education profile repository

Slide 11: Certificate Profiles
- Assortment of EE/CA certificates from eight institutions
- Most certificates kept relatively simple
- No one is issuing CRLs, etc. yet
- Certificates are X.509 Version 3
- Signing algorithms are RSA/MD5 or RSA/SHA-1
  - Note: MD5 is collision-vulnerable, so RSA/MD5 should not be used to sign new certificates

Slide 12: Certificate Profiles
- Validity period
  - Wide variation, from per-session to one year
  - Long term: expiration synchronized to the semester
  - Long term: time zone hack
- Assurance level indicator
  - Explicit extension
  - Policy OID
- Key usage
  - Some certificates employ the Key Usage extension
  - Variation in the criticality setting
  - General agreement: no encryption keys without escrow
- Grid

Slide 13: Certificate Profiles
- Issuer/Subject field naming
  - X.500-style Distinguished Names
- FERPA & certificate contents
  - Subject fields with real names
  - Anonymous names: what about signing?
- Little use of constraint extensions (basic, name, policy)
- Addition of CA serial number

Slide 14: Certificate Profiles - Domain Component Naming
- Some certificates also use DC naming
  - Encode domain names into X.500-style name fields, e.g. dc=Internet2,dc=edu (RFC 2247)
  - In both the Issuer and Subject fields
  - Example use: given a certificate, how to find authorization info and other data
- Recommendation via consensus process
  - Use DC naming in the Subject and Issuer fields
  - Place the DC components in the most significant part of the name
  - Use more specific pointers to information before falling back to DC names in applications

Slide 15: Certificate Profiles - Some Issues
- Profile convergence
  - Shared desire to minimize the number of profiles in the community
    - Ease policy mapping
    - Promote interoperability
  - What is the right number of profiles? What are the applications?
- Recommendations for new implementations
  - HEPKI: work toward consensus on a set of common profile recommendations
  - More profiles in the repository would be useful

Slide 16: Mobility Options
- Hardware tokens
  - Smart cards, USB devices, iButtons
  - Key-pair generation location
  - Driver software quality
  - Session timeout support
- Software-based mobility
  - Passwords to download credentials from a store or directory
  - Proprietary roaming schemes: Netscape, VeriSign, ...
  - IETF SACRED working group established; HEPKI-TAG contributed scenarios
- Non-repudiation questions
- Difficulty integrating certificates from multiple stores (hard drive, directory, hardware token, etc.)

Slide 17: HEPKI-TAG Other Areas of Work
- Web site update
  - Recommendations
  - Information for those starting on PKI: references, how-to information, minutes and survey data
- What else would be useful?

Slide 18: CA Private Key Protection Issues
- The CA private key is the root of all trust
- Storage options
  - Clear text on disk
  - Encrypted storage on disk
  - On a hardware device
- Physical protection of the CA
  - Locked doors and racks
  - OS configuration
- Multi-level solution
- Collection of information for new PKI sites

Slide 19: Discussions and Projects
- PKI Applications Table
- Higher Education Distributed Root Certificate Deployment (heDRCD)
  - Problem: how to load root certificates into browsers
  - DNS SRV records, HTTP, browser code
  - Protection via a "phone home" concept
- Certificate Repository
  - A mechanism for users to safely obtain root certificates from other institutions
  - SSL or signed objects
  - High-assurance process, like the CREN CA

Slide 20: Discussions and Projects
- Higher Education Bridge Certification Authority (heBCA)
  - Higher education has many of the same issues as the federal government
  - Adapt the federal model for use in higher ed
  - The bridge could:
    - Interconnect multiple higher-ed hierarchical CA services
    - Interoperate with the federal bridge
    - Work with other industry groups

Slide 21: PKI Application Issues - An Example
- Goal: VPN authentication via PKI
- Equipment: VPN concentrator
- The device uses the ou of the Subject DN for group membership
- Moral
  - Code only what you need into the certificate
  - Get the remainder from a directory
  - Think first
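The DC-naming recommendation on slide 14 and the VPN-concentrator example on slide 21 both come down to reading a Subject DN. The following Python is an added example, not code from the presentation or from HEPKI-TAG: it parses an RFC 2253 string DN, encodes a domain as RFC 2247 DC components, checks that the DC components sit in the most significant (root-most) part of the name, and then contrasts the concentrator's approach (group taken from ou=) with the slide's moral (identity in the certificate, group membership looked up in a directory). The sample DN and the in-memory directory, including its vpnGroup attribute, are constructed for illustration; multi-valued (+) RDNs are not handled.

```python
"""Domain Component (DC) naming and Subject-DN handling (added example)."""
import re
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("dc", "edu")


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, ignoring backslash-escaped separators (escapes kept)."""
    parts, buf, esc = [], [], False
    for ch in s:
        if esc:
            buf.append(ch)
            esc = False
        elif ch == "\\":
            buf.append(ch)
            esc = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253 string DN into RDNs in string order.

    RFC 2253 lists the most specific RDN first, so the root-most
    component (dc=edu) is the LAST element of the result.
    """
    rdns: List[RDN] = []
    for part in _split_unescaped(dn, ","):
        part = part.strip()
        if not part:
            continue
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append((typ.strip().lower(), re.sub(r"\\(.)", r"\1", val.strip())))
    return rdns


def dc_rdns_for_domain(domain: str) -> List[RDN]:
    """Encode a DNS domain as RFC 2247 DC RDNs: 'virginia.edu' -> dc=virginia,dc=edu."""
    labels = [lbl for lbl in domain.lower().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain")
    return [("dc", lbl) for lbl in labels]


def domain_from_dn(rdns: List[RDN]) -> Optional[str]:
    """Recover the DNS domain from the DC components, in DN order."""
    labels = [v for t, v in rdns if t == "dc"]
    return ".".join(labels) if labels else None


def dc_is_most_significant(rdns: List[RDN]) -> bool:
    """True if every DC component sits at the root end of the DN.

    This is the HEPKI-TAG recommendation: DC components go in the most
    significant part of the name, i.e. the tail of the RFC 2253 string.
    A DN with dc= RDNs ahead of or mixed into cn=/ou= fails the check.
    """
    types = [t for t, _ in rdns]
    if "dc" not in types:
        return False
    return all(t == "dc" for t in types[types.index("dc"):])


def attribute_values(rdns: List[RDN], typ: str) -> List[str]:
    """All values of one attribute type, most specific first."""
    return [v for t, v in rdns if t == typ.lower()]


def normalize_dn(rdns: List[RDN]) -> str:
    """Case-folded string used only as a directory lookup key."""
    return ",".join(f"{t}={v.lower()}" for t, v in rdns)


def group_from_cert_ou(rdns: List[RDN]) -> Optional[str]:
    """What the slide's VPN concentrator does: group = Subject ou.
    Every group change then means re-issuing (and revoking) certificates."""
    ous = attribute_values(rdns, "ou")
    return ous[0] if ous else None


# Constructed stand-in for a campus directory keyed by normalized DN.
# The vpnGroup attribute is hypothetical, chosen for this example.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=jane doe,ou=faculty,dc=virginia,dc=edu": {
        "edupersonaffiliation": ["faculty"],
        "vpngroup": ["research-vpn", "library-vpn"],
    },
}


def groups_from_directory(subject_dn: str, directory=DIRECTORY) -> List[str]:
    """The slide's moral: the certificate carries identity only; authorization
    data is fetched from the directory at connection time."""
    entry = directory.get(normalize_dn(parse_dn(subject_dn)), {})
    return list(entry.get("vpngroup", []))


if __name__ == "__main__":
    subject = "cn=Jane Doe,ou=Faculty,dc=virginia,dc=edu"  # constructed
    rdns = parse_dn(subject)
    print("domain:", domain_from_dn(rdns))
    print("DC components at root end:", dc_is_most_significant(rdns))
    print("group from ou (concentrator):", group_from_cert_ou(rdns))
    print("groups from directory:", groups_from_directory(subject))
```

With the directory approach, adding Jane to a third VPN group changes one directory entry and no certificate; with the ou approach it requires a new certificate and, to be safe, revocation of the old one, which slide 11 notes nobody was yet publishing CRLs for.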

Slide 22: Some thoughts on open source solutions
- We are doing this at Virginia
- Good points
  - Great control
  - Easily tied into our existing Web authentication for issuing certificates
- Issues
  - No complete kit: you can't just type configure; make; make install
  - Time
  - Lots of little details: SCEP; CRL via LDAP vs. HTTP

Slide 23: Will it fly? Well, it has to...
- Scalability
- Performance
- "With enough thrust, anything can fly"

Slide 24: Where to watch
- middleware.internet2.edu