Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education.

Presentation transcript:

Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island)
HEBCA: Higher Education Bridge Certificate Authority
Michael R Gettes, Georgetown University

Technical / Policy
PKI is 1/3 Technical and 2/3 Policy?

- Multiple CAs in FBCA Membrane
- Survivable PKI
- Cross Certificates allow for "one-way policy"
- Directories are critical in BCA world

A Snapshot of the U.S. Federal PKI (diagram). Nodes: Federal Bridge CA, NFC PKI, Higher Education Bridge CA, NASA PKI, DOD PKI, Illinois PKI, University PKI, CANADA PKI

EMA Challenge Architecture (diagram)

What is Cross Certification?
- A Bridge signs a site PKI and vice-versa
- Cross Certificates are published in directories and discovered via the network. BCA/CA may remain off-line.
- Policy OIDs and Name Constraint controls are in the cross certificates
- Policy OIDs could map to XML documents describing the policy (processed per Carmody)

Path Validation
- Application receives a Certificate
- Finds a path back to the signer of the Certificate, validating the path for policy mappings and name constraints.
- Policy Mappings can be LOA (levels of assurance) or "we agree to be in club shib" or whatever
- Name Constraints control the subjectName name space, i.e., a CA can only sign within dc=U,dc=edu
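The cross-certification and path-validation steps on the two slides above, as an added toy model that is not from the presentation: the certificate records, names, policy OIDs and the directory are all constructed. It discovers a path from an end-entity certificate back to the FBCA trust anchor through HEBCA cross-certificates, then walks the path applying the policy mappings and name constraints carried in those cross-certificates.

```python
from collections import deque

# Constructed toy certificates for a bridge-CA topology (not real X.509 data).
# DIRECTORY maps a subject name to the certificates issued to it, as a directory
# lookup would. Each cross-certificate carries a policy mapping (issuer-domain
# OID -> subject-domain OID) and a permitted name subtree constraining the path.
def cert(issuer, subject, policy, mapping=None, permitted=None):
    return dict(issuer=issuer, subject=subject, policies={policy},
                mappings={policy: mapping} if mapping else {}, permitted=permitted)

FBCA, HEBCA, CAMPUS = "cn=FBCA,o=gov", "cn=HEBCA,dc=edu", "cn=CA,dc=U,dc=edu"
DIRECTORY = {
    HEBCA: [cert(FBCA, HEBCA, "fbca.medium", "hebca.medium", "dc=edu")],
    CAMPUS: [cert(HEBCA, CAMPUS, "hebca.medium", "u.staff", "dc=U,dc=edu")],
    "cn=alice,dc=U,dc=edu": [cert(CAMPUS, "cn=alice,dc=U,dc=edu", "u.staff")],
    # the campus CA may only sign within dc=U,dc=edu, so this one must fail
    "cn=bob,dc=X,dc=edu": [cert(CAMPUS, "cn=bob,dc=X,dc=edu", "u.staff")],
}

def in_subtree(name, subtree):
    return name == subtree or name.endswith("," + subtree)

def discover_path(subject, anchor):
    # breadth-first search from the end entity back toward the trust anchor,
    # following issuer names through the directory; returns anchor->EE order
    queue = deque([[c] for c in DIRECTORY.get(subject, [])])
    while queue:
        path = queue.popleft()
        if path[0]["issuer"] == anchor:
            return path
        for c in DIRECTORY.get(path[0]["issuer"], []):
            if c not in path:                  # guard against cross-cert loops
                queue.append([c] + path)
    return None

def validate_path(path, required_policy):
    # walk anchor->EE, enforcing name constraints and mapping policy OIDs
    acceptable, constraints = {required_policy}, []
    for c in path:
        if not all(in_subtree(c["subject"], s) for s in constraints):
            return False, "name constraint violated: " + c["subject"]
        asserted = acceptable & c["policies"]
        if not asserted:
            return False, "no acceptable policy in " + c["subject"]
        acceptable = {c["mappings"].get(p, p) for p in asserted}
        if c["permitted"]:
            constraints.append(c["permitted"])
    return True, "valid under " + ",".join(sorted(acceptable))

def validate(subject, anchor=FBCA, required_policy="fbca.medium"):
    path = discover_path(subject, anchor)
    return validate_path(path, required_policy) if path else (False, "no path")
```

The relying party only needs to trust the FBCA anchor and state the policy OID it requires; the mapping to the campus's own OID happens in the cross-certificates, and a certificate issued outside the campus CA's permitted subtree is rejected even though its signature chain is intact.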

On Policy
- We have a draft HEBCA Certificate Policy
- The HE CP and HEBCA CP are congruent
- The HEBCA CP and FBCA CP are congruent
- We need a HEPKI PA – EDUCAUSE is working this problem – granted "power" from ACE

NIH-Educause PKI Pilot: Phase Two
Electronic Grant Application With Multiple Digital Signatures
Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

The Goals
1. Receive NIH research grant applications in electronic form, each signed with two different digital certificates; the digital certificates are issued by the Institution, with several different vendors represented;
2. Verify and validate the digital signatures through the ACES Certificate Arbitration Module (CAM).
3. (EDUCAUSE: Funding and Administrative Support, Coordination and Marketing.)

Intermediate Requirements
1. Stand up a Higher Education Bridge Certification Authority (HEBCA);
2. Cross-certify the Federal Bridge CA with the Higher Education Bridge CA;
3. Cross-certify Institutions with HEBCA;

Participating Institutions
- University of Alabama-Birmingham
- University of Wisconsin-Madison
- University of California, Office of the President
- University of Texas – Houston
- Dartmouth College
- (Georgetown University – HEBCA issues)

The Problem
- Picture/s of piles of grant applications – about 20,000 6 ft high standing people of paper. 1 forest per year just for grant apps.
The Solution: signed, electronic grant application – of course!

Phase Two Concept of Operations (CONOPS) (diagram). Nodes: NIH OER recipient running E-Lock Assured Office (CAM-enabled); digitally signed grant application; NIH CAM Server; FBCA and HEBCA; certificate status and certificate validation for University A, University B and University C.

HEBCA Proof of Concept Architecture (diagram). Nodes: NIH Trust Domain (NIH User, NIH Test CA, Directory); Higher Education Trust Domain (Alabama: DST ARP Test CA; California: Verisign CA; Wisconsin: iPlanet CA; RSA CA; i500 Directory); Firewall; Prototype Federal Bridge Certificate Authority (Cross Certified CAs: RSA CA, Entrust CA; Directory System Agent; FIP L3 Crypto); cross certificates with CRL and ARL.

HEBCA Proof of Concept CA Interoperability Configuration (diagram). Nodes: Prototype Federal Bridge Certification Authority (Entrust CA, RSA CA); NIH (NIH Test CA, Client); Higher Education Bridge Certification Authority (RSA CA); California (Verisign CA, Client); Alabama (DST ARP Test CA, Client); Wisconsin (iPlanet CA, Client).

HEBCA Proof of Concept Directory Interoperability Configuration

Site (directory product)      DN                                                  Directory name          Access
Prototype FBCA (Peerlogic)    c=US; o=U.S. Government; ou=FBCA                   cn=FBCA_Directory       IP address: ; DSP port: 102; LDAP port: 389; TSEL: TCP/IP
NIH                           c=US; o=U.S. Government; ou=NIH                    cn=nihstandin           IP address: ; DSP port: 102; LDAP port: 389; TSEL: TCP/IP
HEBCA (Critical Path)         c=US; o=edu; ou=HEBCA                              cn=HEBCA                IP address: ; DSP port: 102; LDAP port: 389; TSEL: TCP/IP
Alabama                       c=US; o=Digital Signature Trust Co; ou=ARP Testing cn=ARP Test Client CA   IP address: ; DAP/DSP port: 102; LDAP port: 389
California                    c= ; o= ; ou=                                      cn=                     IP address: ; DAP/DSP port: ; LDAP port:
Wisconsin                     c= ; o= ; ou=                                      cn=                     IP address: ; DAP/DSP port: ; LDAP port:

The diagram marks chaining links between these directories (blank cells are blank in the original).

Discovery and validation flow (diagram). Nodes: NIH CA trust anchor; "DAVE" (Discovery and Validation Engine); sender (UA) and receiver (NIH); NIH directory, FBCA directory and HEBCA directory linked by cross certs; the UA's CA and UA directory, which issued the UA's certificate; on the receiver side, DAVE, CAM and E-Lock software. Certificates and CRLs are fetched via directory chaining. New: LDAP Registry of Directories for BCAs.

DAVE Components
CML Libraries [Getronics]:
- ASN.1 parsing (SNACC)
- S/MIME parsing (SFL)
- Cryptographic engine
- LDAP and local directory retrieval (SFL)
- Path discovery engine (CPL)
DAVE Functions:
- Perform proper sequential calling of CML functions (i.e., the business logic)
- Provide call-back functions needed by CML functions
- Provide all CAM communications and protocol transformations
- Wraps CML functions into an NT service (multithreaded, failure and recovery modes, logging, etc.)

Verification & Validation Details (diagram). Nodes: Agency App/CAM (Agency App = E-Lock Assured Office, CAM-enabled) passing the certificate to the CAM Server; CAM Server sending a validation request (CAM/CA OCSP message data) to the Certificate Authority/Validation; Discovery and Validation Engine (DAVE) searching for the issuer to validate against a CRL or an OCSP Responder; if chained, the path reverses; if not chained, LDAP queries.
E-Lock Assured Office verifies the signature:
- Verifies the document has not been changed
- Verifies the validity period of the certificate
- Once verified, the certificate is sent to the CAM for certificate validation to ensure that it has not been revoked


Bridge CA vs. Shibboleth
- PKI is hard to deploy to end users
- Shib should use BCA-aware PKI between servers
- Club Shib will then scale using Policies and Relationships established by the Bridge CA world
- ONE Club Shib managed by policy
- Java 1.4 is Bridge aware. Whistler supposed to be.