HEPKI-TAG UPDATE Jim Jokl University of Virginia

2 Higher Education PKI Activities - HEPKI
- Sponsors: Internet2, EDUCAUSE, CREN
- HEPKI Technical Activities Group (TAG)
  - Open-source PKI software
  - Certificate profiles
  - Directory / PKI interaction
  - Validity periods
  - Client customization issues
  - Mobility
  - Inter-institution test projects
  - Technical issues with cross-certification

3 Certificate Profile Work
- A per-field description of certificate contents
  - Standard and extension fields
  - Criticality flags
  - Syntax of values permitted per field
- Spreadsheet and text formats
- Higher education profile repository

4 Certificate Profiles
- Assortment of EE/CA certificates from eight institutions
- CRLs
- Issuer/Subject field naming
  - X.500-style Distinguished Names
  - Subject fields with real names
  - Anonymous names
- Little use of constraint extensions

5 Certificate Profiles
- Validity period
  - Wide variation, from per-session to one year
  - Long term: expiration synchronized to the semester
- Assurance level indicator
  - Explicit extension
  - Policy OID
- Key usage
  - Some certificates employ the Key Usage field
  - Variation in the criticality setting
- Encryption and private key escrow

6 Certificate Profiles: Domain Component Naming
- Some certificates also use DC naming
  - Encode domain names into X.500-type name fields (dc=Internet2, dc=edu) (RFC 2247)
  - Issuer and Subject fields
- HEPKI-TAG recommendation
  - Use DC naming in the Subject and Issuer fields
  - Place the DC components in the most significant part of the name
  - Use more specific pointers to information before using DC names in applications
  - Test for problems with devices

7 Certificate Profiles: Some Issues
- Profile convergence
  - Shared desire to minimize the number of profiles in the community
    - Aid new PKI implementations
    - Ease policy mapping
    - Promote interoperability
  - What is the right number of profiles?
    - What are the applications?
  - Importance of convergence?
- If you are issuing certificates, please send one so that we can include it in the repository

8 PKI Complexity and Applications
- You often hear of PKI as a solution for:
  - Authentication for high-assurance processes
    - Funds transfer
    - Medical records
    - Student grades
  - Digital signatures
    - Contracts
    - Other legal documents
- But can't it also be a good fit as a technology that is better than passwords but less than a high-assurance CA?

9 PKI-Light
- Full function but lightweight
- A normal PKI technical infrastructure
  - Authenticate EEs
  - Issue certificates, perhaps revoke certificates
  - A comparatively simple certificate profile
  - Support applications, directories, etc.
- A lightweight administrative/policy structure
  - Supports applications without high-assurance needs
  - One- or two-paragraph certificate policy

10 PKI-Light Project Assumptions
- Initial applications
  - Web application authentication
  - S/MIME secure e-mail
- Operational issues
  - No requirement for revocation
  - No requirement for separate signing and encryption certificates
  - On-line CAs are acceptable
  - Single PKI-Light policy OID
  - Simple assurance level requirement

11 PKI-Light Certificate Profile
- Version 3 certificates
- Issuer: normal, as per the HEPKI-TAG DC Naming recommendation
- Validity: one year
- Subject
  - Name as per the HEPKI-TAG DC Naming recommendation
  - Include
  - Other criteria such as name uniqueness, practices, etc.
- Basic Constraints: CA=false
- Certificate Policy OID
- CPS pointer: yes
- Subject Alt Name: e-mail address
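As an added example, not code from HEPKI-TAG or from these slides, the following standard-library Python builds the DC-named Subject recommended on slide 6 and the extension set of the PKI-Light profile above in DER, then checks both the way a profile-repository tool would: DC components must be the most significant part of the name, basicConstraints must be present with CA=false, certificatePolicies must carry a policy OID with a CPS pointer, and subjectAltName must carry an rfc822Name. Marking basicConstraints and keyUsage critical, and choosing digitalSignature plus keyEncipherment for the single PKI-Light certificate, are choices of this example; the slides leave those open. The helper names (tlv, dc_name, pki_light_extensions, check_pki_light) and any domain, CN, policy OID, CPS URL or e-mail address you pass to them are hypothetical.

```python
"""Added example (not HEPKI-TAG code): build a PKI-Light style Subject name and extension
set in DER with the standard library only, then check them against the profile above."""
def tlv(tag, content):                   # DER TLV with short- or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid(dotted):                         # dotted string -> OBJECT IDENTIFIER TLV
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        groups = [a & 0x7F]              # last base-128 group carries no continuation bit
        while a := a >> 7:
            groups.append(0x80 | (a & 0x7F))
        body += reversed(groups)
    return tlv(0x06, bytes(body))

def read_tlv(buf, pos=0):                # -> (tag, content, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(content):                   # (tag, content) of each element of a constructed value
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def oid_str(content):                    # OBJECT IDENTIFIER content -> dotted string
    arcs, v = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [str(v)], 0
    return ".".join(arcs)

inner = lambda octets: children(read_tlv(octets)[1])  # elements of the SEQUENCE in an extnValue
DC, CN, ID_QT_CPS = "0.9.2342.19200300.100.1.25", "2.5.4.3", "1.3.6.1.5.5.7.2.1"
BASIC_CONSTRAINTS, KEY_USAGE, CERT_POLICIES, SAN = "2.5.29.19", "2.5.29.15", "2.5.29.32", "2.5.29.17"
def rdn(attr, value, tag):
    return tlv(0x31, tlv(0x30, oid(attr) + tlv(tag, value.encode())))

def dc_name(domain, cn):                 # RFC 2247: dc=edu, dc=virginia, ... first, then the CN
    rdns = [rdn(DC, label, 0x16) for label in reversed(domain.split("."))]  # IA5String
    return tlv(0x30, b"".join(rdns) + rdn(CN, cn, 0x0C))                     # UTF8String

def parse_name(der):
    out = []
    for _, rdn_set in children(read_tlv(der)[1]):
        for _, atv in children(rdn_set):
            (_, o), (_, v) = children(atv)
            out.append((oid_str(o), v.decode()))
    return out

def extension(ext_oid, value, critical=False):
    flag = tlv(0x01, b"\xff") if critical else b""        # criticality flag; absent == FALSE
    return tlv(0x30, oid(ext_oid) + flag + tlv(0x04, value))

def pki_light_extensions(policy_oid, cps_uri, email, ca=False):
    basic = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")  # DER omits cA when it is FALSE
    key_usage = tlv(0x03, b"\x05\xa0")                     # digitalSignature + keyEncipherment
    cps = tlv(0x30, oid(ID_QT_CPS) + tlv(0x16, cps_uri.encode()))
    policy = tlv(0x30, oid(policy_oid) + tlv(0x30, cps))
    san = tlv(0x30, tlv(0x81, email.encode()))             # GeneralName [1] rfc822Name
    return tlv(0x30, extension(BASIC_CONSTRAINTS, basic, critical=True)
               + extension(KEY_USAGE, key_usage, critical=True)
               + extension(CERT_POLICIES, tlv(0x30, policy)) + extension(SAN, san))

def parse_extensions(der):               # -> {oid: (critical, extnValue octets)}
    out = {}
    for _, ext in children(read_tlv(der)[1]):
        parts = children(ext)
        out[oid_str(parts[0][1])] = (len(parts) == 3 and parts[1][1] == b"\xff", parts[-1][1])
    return out

def check_pki_light(name_der, ext_der):  # -> list of violations; [] means the pair conforms
    problems = []
    is_dc = [o == DC for o, _ in parse_name(name_der)]
    if not any(is_dc) or is_dc != sorted(is_dc, reverse=True):   # every DC must precede non-DC
        problems.append("DC components must be the most significant part of the name")
    exts = parse_extensions(ext_der)
    bc = exts.get(BASIC_CONSTRAINTS)
    if bc is None or any(t == 0x01 and v == b"\xff" for t, v in inner(bc[1])):
        problems.append("basicConstraints must be present with CA=false")
    cp = exts.get(CERT_POLICIES)         # PolicyInformation -> policyQualifiers -> PolicyQualifierInfo
    if cp is None or not any(oid_str(children(q)[0][1]) == ID_QT_CPS
                             for _, pol in inner(cp[1]) for _, qs in children(pol)[1:]
                             for _, q in children(qs)):
        problems.append("certificatePolicies must carry a policy OID with a CPS pointer")
    san = exts.get(SAN)
    if san is None or not any(t == 0x81 for t, _ in inner(san[1])):
        problems.append("subjectAltName must carry an rfc822Name e-mail address")
    return problems
```

Typical use: build the subject with dc_name("virginia.edu", "Jane Student"), the extension set with pki_light_extensions(your_policy_oid, your_cps_url, user_email), and run check_pki_light(name, exts); a non-empty list names each field that misses the profile. The DER helpers support long-form lengths, which this extension set needs as soon as the CPS URL pushes the Extensions SEQUENCE past 127 bytes, and the same parse functions can be pointed at the Subject and Extensions of a real certificate once you have its DER.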

12 PKI-Light: Next Steps
- Learn from pilot/demonstration projects
  - Web authentication
  - Electronic mail
  - Directory interaction
  - Insert your project here
- Participation
  - Want more schools and more users
  - Help break some of the myths that PKI is too hard or too costly to implement

13 PKI Mobility Options
- Hardware tokens
  - Smart cards, USB devices, iButtons
  - Key-pair generation location
  - Drivers, software quality, cost
- Software-based mobility
  - Passwords to download from a store or directory
  - Proprietary roaming schemes
  - IETF SACRED working group established
- Integration

14 CA Private Key Protection Issues
- The CA private key is the root of all trust
- Storage options
  - Clear text on disk
  - Encrypted storage on disk
  - On a hardware device
- Physical protection of the CA
  - Locked doors and racks
  - OS configuration
- Multi-level solution
- Collection of information for new PKI sites
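An added example, not from the slides, for the two storage and OS-configuration points above: a standard-library Python audit of a CA private key kept as a file. It flags a key readable by group or other, a key not owned by the account the audit runs as (the example assumes the audit runs as the CA service account), and a PEM file with no encryption header, i.e. clear text on disk. The three sample files are constructed, with filler in place of key material; the function names audit_ca_key, write_sample and run_demo are this example's own. A key on a hardware device never appears as a file, so it is out of scope for this check.

```python
"""Added example (not HEPKI-TAG code): audit a software-stored CA private key file for
encryption on disk and OS permissions. The PEM samples are constructed; their bodies
are filler, not real keys."""
import os
import stat
import tempfile

# PEM headers that mark an encrypted private key: PKCS#8 EncryptedPrivateKeyInfo, or the
# legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header inside a traditional key block
ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----", "Proc-Type: 4,ENCRYPTED")

def audit_ca_key(path, expected_uid=None):
    """Return a list of findings; an empty list means the file passes every check.
    expected_uid defaults to the current user, on the assumption (made by this example)
    that the audit runs as the CA service account."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {oct(mode)} grants group/other access, expected 0600")
    if st.st_uid != (os.geteuid() if expected_uid is None else expected_uid):
        findings.append(f"{path}: owned by uid {st.st_uid}, not the CA service account")
    with open(path, "r", encoding="ascii", errors="replace") as f:
        head = f.read(4096)           # PEM headers sit at the top; no need to read the whole key
    if "PRIVATE KEY-----" not in head:
        findings.append(f"{path}: does not look like a PEM private key")
    elif not any(marker in head for marker in ENCRYPTED_MARKERS):
        findings.append(f"{path}: private key is stored in clear text on disk")
    return findings

def write_sample(dirpath, name, body, mode):
    """Write a constructed sample file and set its mode explicitly (ignores the umask)."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, mode)
    return path

# constructed samples: clear-text PKCS#8, encrypted PKCS#8, legacy OpenSSL-encrypted RSA;
# the base64 bodies are filler
CLEAR_PEM = "-----BEGIN PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAA\n-----END PRIVATE KEY-----\n"
ENCRYPTED_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAA\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "AAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n")

def run_demo():
    """Write the three samples with different modes and audit each; returns {name: findings}."""
    with tempfile.TemporaryDirectory() as d:
        paths = [write_sample(d, "ca-clear.key", CLEAR_PEM, 0o644),
                 write_sample(d, "ca-pkcs8.key", ENCRYPTED_PEM, 0o600),
                 write_sample(d, "ca-legacy.key", LEGACY_ENCRYPTED_PEM, 0o600)]
        return {os.path.basename(p): audit_ca_key(p) for p in paths}

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The clear-text sample produces two findings (mode and missing encryption header); the two encrypted samples pass. Encryption on disk only raises the bar for an attacker who copies the file; the passphrase still has to be entered into the CA process, so the check belongs alongside the physical and OS controls on the slide, not in place of them.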

15 Discussions and Projects
- Higher education PKI applications
  - General web authentication
  - Access to course materials
  - S/MIME, etc.
  - middleware.internet2.edu/hepki-tag/TAG-PKI-Apps3.xls
- Certificate Profile Maker
  - Web interface
  - Generates XML
- PKI pilot and demonstration site

16 Discussions and Projects
- HEPKI-TAG website
  - Recommendations
  - Information for those starting on PKI
    - References
    - How-to information
    - Certificate profiles
    - Minutes and survey data
- Please send feedback

17 Project Participation
- Much work remains
  - Research and recommendations
  - Pilot projects
  - Mobility, etc.
- Consider participating in HEPKI-TAG if you are working on a PKI deployment

18 Where to Watch
- middleware.internet2.edu
- PKI for Networked Higher
- PKI Labs: middleware.internet2.edu/pkilabs