1 PKI & USHER/HEBCA Fall 2005 Internet2 Member Meeting Jim Jokl September 21, 2005.


2 PKI and USHER/HEBCA
• (How) do all of these PKI pieces fit together?
  - USHER – US Higher Education Root CA
  - HEBCA – Higher Education Bridge CA
  - Campus Certification Authorities
  - EDUCAUSE contract for outsourced certificates
• What should a campus be doing?
• Where’s the glue?

3 Fundamental Decision: Build or Buy
• Building your own PKI
  - Certification Authority (CA)
    • Developing or installing CA software
    • Operating it in a secure environment
  - Implementing the Registration Authority (RA) function
    • Identity proofing of individuals
    • Handling requests for revocation, etc.
  - Some considerations
    • Early investment in staff time, likely lower per-certificate costs for large deployments in the long run
    • Users can have as many certificates as they need
  - Software examples at:

4 Fundamental Decision: Build or Buy
• Buying PKI services
  - Certification Authority (CA)
    • Provided by the outsource company
    • Operated remotely in a secure environment
  - Implementing the Registration Authority (RA) function
    • Identity proofing of individuals
    • Handling requests for revocation, etc.
  - Some considerations
    • Quick start-up
    • Annual costs bounded by the number of certificates issued
    • Root certificate likely already trusted by your browsers and installed in your operating systems
    • May limit the number of certificates that each user can have
  - Example:

5 Some Interesting PKI Applications
• The build vs. buy decision may be influenced by your PKI applications
  - Electronic mail (S/MIME)
  - VPN (IPSec), Wireless (EAP-TLS), & SSH authentication
  - Web authentication
  - Grids (Globus toolkit)
  - LionShare
  - Digital signatures on documents
• Applications with large numbers of users may tip the balance towards the “build” option
  - Note that certificate management (getting the same certificate/key on multiple computers) can be hard for users

6 Inter-organizational Trust
[Diagram labels: USHER CA; Campus CA; Campus A, Campus B, Campus n; Mid-A, Mid-B; User; HEBCA Bridge; cross-certificate pairs]

7 A Higher-level View of Inter-organizational Trust
[Diagram labels: FBCA; HEBCA; SAFE; Commercial; Others; Campus CA; Educause; Verisign CA; USHER CA; Campus CA; Campus Users]

8 One Strategy: University of Virginia
• HEBCA
  - Cross-certify our UVa High Assurance CA
    • Uses hardware tokens for private key protection and mobility
    • Photo-id identity verification
    • ~600 users now with a couple hundred more in progress
  - Applications: access to critical systems, medical research data, etc.
• USHER
  - Subordinate our UVa Standard Assurance CA
    • Uses operating system/browser key store
    • Certificates issued on-line via database check
    • ~13,000 users with ~28,000 certs
  - Applications: wireless auth, VPNs, Globus
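
Added example, not from the original slides: a toy path-discovery model showing how a relying party reaches a user certificate through a USHER-style hierarchy versus HEBCA-style cross-certificate pairs. Certificates are reduced to (issuer, subject) pairs with no signatures or policy checks; the user names, "Campus B CA", and the absence of a USHER-to-bridge link are assumptions.

```python
from collections import deque

# Constructed certificate set: one (issuer, subject) pair per certificate.
# CA names follow the slides; user names and "Campus B CA" are assumptions.
CERTS = [
    # Hierarchy: the root issues a subordinate CA certificate.
    ("USHER CA", "UVa Standard Assurance CA"),
    ("UVa Standard Assurance CA", "uva-standard-user"),
    # Bridge: cross-certificate pairs, one certificate in each direction.
    ("HEBCA Bridge", "UVa High Assurance CA"),
    ("UVa High Assurance CA", "HEBCA Bridge"),
    ("HEBCA Bridge", "Campus B CA"),
    ("Campus B CA", "HEBCA Bridge"),
    ("UVa High Assurance CA", "uva-token-user"),
    ("Campus B CA", "campus-b-user"),
]


def build_path(trust_anchor, subject, certs=CERTS, max_len=6):
    """Breadth-first search for the shortest issuer->subject chain from a
    relying party's trust anchor to `subject`. Returns the names on the
    chain, or None when no chain of at most max_len names exists."""
    issued = {}
    for issuer, subj in certs:
        issued.setdefault(issuer, []).append(subj)
    queue = deque([[trust_anchor]])
    while queue:
        path = queue.popleft()
        if path[-1] == subject:
            return path
        if len(path) >= max_len:
            continue
        for nxt in issued.get(path[-1], []):
            if nxt not in path:  # cross-certificates create loops
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for anchor, user in [("USHER CA", "uva-standard-user"),
                         ("Campus B CA", "uva-token-user"),
                         ("USHER CA", "uva-token-user")]:
        print(f"{anchor} -> {user}: {build_path(anchor, user)}")
```

In this model a relying party anchored at its own campus CA reaches the other campus's users only through the bridge, while a relying party anchored at USHER sees only certificates issued beneath the root.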

9 Some Helpful Projects
• PKI-Lite
• HEPKI Model Certification Policy
• Digital signature tools project
• S/MIME
• Software CA packages
  - Investigating a project to create a campus “make install” CA available
    • Include software, tuned for PKI-Lite certificate profiles
    • Document integration with campus AuthN