HEPKI - PAG: An Update Ken Klingenstein Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder.

Slides:



Advertisements
Similar presentations
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Advertisements

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft David L.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
David L. Wasley Office of the President University of California Higher Ed PKI – Draft Certificate Policy David L. Wasley University of California Common.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.
David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
+1 (801) Standards for Registration Practices Statements IGTF Considerations.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Configuring Directory Certificate Services Lesson 13.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.
R & Ethinking Trust Ken Klingenstein, custodian, InCommon and the CREN CAt.
Of Security, Privacy, and Trust. Security Personal security is largely distinct from network security (modulo VPN’s and authentication to the network)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
Identity in the Virtual World: Creating Virtual Certainty David L. Wasley Information Resources & Communications UC Office of the President.
Rethinking Privacy As Bob Blakley says, “It’s not about privacy, it’s about discretion.” Passive privacy - The current approach. A user passes identity.
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Higher Education PKI Summit Meeting August 8, 2001 The ABA PAG Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information Technology.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Jimmy C. Tseng Assistant Professor of Electronic Commerce
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Higher Ed Bridge CA Extending Trust Across Higher Education - And Beyond David L. Wasley University of California.
Fundamentals: Security, Privacy, Trust. Scenarios we’d like to see... Use of licensed library materials regardless of student’s location Signed .
HEBCA – The Operating Authority July 2005 Dartmouth PKI Summit.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
Day 3 Roadmap and PKI Update. When do we get to go home? Report from the BoFs CAMP assessment, next steps PKI technical update Break Research Issues in.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
Higher Education Bridge Certification Authority Scaleable Linking of PKI trust domains Scaleable Linking of PKI trust domains David L. Wasley Fall 2006.
1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia.
UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.
HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
THE STEPS TO MANAGE THE GRID
Fed/ED December 2007 Jim Jokl University of Virginia
Appropriate Access InCommon Identity Assurance Profiles
“Ten Years Ago… on a cold dark night”
Presentation transcript:

HEPKI - PAG: An Update Ken Klingenstein Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder

Agenda Background: HEPKI-PAG and related activities Basics: Draft HE CP and other CP’s Advanced: FERPA, Grids, European efforts Trust issues for authentication and authorization Next steps: HEBCA CP and PMA Directory Policies Reconciliations

HEPKI PAG A partnership of Internet2, EDUCAUSE, and CREN Key players – David Wasley, Art Vandenberg Regular conference calls every other Thursday

HEPKI-PAG Trust issues and trust framework for PKI Lots of practical problems to grapple with Who do you trust? How much trust is enough? Attempt to compare trust models in education, research, government and commercial sectors All over the map! PKI “bridges” require trust mapping Attempt to identify trust requirements of apps

D. Wasley’s PKI Puzzle

Certificate Policy is … The basis for trust between unrelated entities Not a formal “contract” (but implied) A framework that both informs and constrains a PKI implementation A way of giving advice to Relying Parties One of a number of related documents, incl. Certification Practices Directory Policy

Goals A “generic” CP for higher ed PKI All implementation specific details deferred to associated Certification Practices Statement CP requirements intended to foster inter- domain trust Compatible with the Federal BCA policy Multiple “levels of assurance” “Rudimentary” level (PKI Lite, minimal overhead) “High” (requires photo IDs & smartcards)

PKI Players Policy Management Authority (PMA) Responsible for developing and enforcing policy Certificate Authority (CA) Operational unit(s) Term also applies to the entire set of functions Registration Authority (RA) Optional, delegated responsibility for I & A Subjects and Relying Parties

RFC 2527 CP Sections Introduction General Provisions Identification and Authentication Operational Requirements Physical, Procedural and Personnel Security Ctrls Technical Security Controls Certificate and CARL/CRL Profiles Specification Administration

Introduction Distinction between CP and CPS CP is transitive throughout the hierarchy Authorizing CA has responsibility for authorized CA Document identity OID for the CP and OIDs for each LOA Community served is defined in the CPS Relying Party can’t make assumptions unless so stated On-line copy of CP and CPS must be signed

Introduction (cont.) Applicability of the issued certificates based on Level of Assurance (LOA) Rudimentary - very low risk apps; data integrity Basic - for apps with minimal risk Medium - modest risk, including monetary loss High - secure apps; transactions of significant financial consequence CPS can proscribe specific application types In case liability is a concern

General Provisions Obligations of the parties CA, RA, Subscriber, Relying Party, Repository RP is problematic since there is no “contract” –“Requirements” e.g. checking CRL, are advice –In some cases a contract may be needed, e.g. FERPA Liability – limited to $1,000 Considered necessary to indicate trustworthiness Audit requirements Must be performed by qualified third party

Identification and Authentication Types of Subject names If included, must be meaningful Must be unique for all time Different requirements for each LOA Photo ID required for Medium or High LOA Document ID marks must be recorded and archived CA rekey requirements Must notify PKC Subjects …

Operational Requirements CA may not generate key pairs for Subjects For encryption certs, an intermediary might… PKC acceptance for Med/High require signature PKC Suspension or Revocation Suspension not used Revocation required at Basic or higher LOA –Requires standard CRL; allows for OCSP –Relying Party required to check for revocation

Operational Requirements (cont.) Security Audit Procedure Everything that might affect the CA or RA Simpler for Rudimentary Records Archival Up to 20+ years for High LOA (Electronic archive is an activity unto itself) Disaster Recovery Requirements CA Termination Process

Physical, Procedural and Personnel Security Controls CA Roles Administrator - sysadmin; installs & configures Officer - approves issuance and revocation of PKCs Operator - routine system operation & backup Auditor - reviews syslogs; oversees external audit Separation of roles required at least 2 people (Admin./Op. & Officer/Auditor) at least 3 at higher LOAs Some tasks require action by 2 out of 4 persons

Technical Security Controls FIPS 140 Technical Security Level depends on LOA Key sizes and private key protection requirements Escrow of end-entity decryption (private) key CA must have possession of key before issuing PKC Must NOT escrow any other private key Computer platform and network controls Engineering and development controls

Certificate and CARL/CRL Profiles Certificate profile is x.509v3 or higher Details in CPS CertPolicyID is the LOA OID CPSuri points to the on-line signed CPS –CPS specifies CP OID and URL for on-line copy Certificate serial number must be unique across all PKCs issued by this CA Considering adding URI to authorityKeyIdentifier CARL/CRL is x.509v2 or higher

Specification Administration Framework for how the PMA changes or updates this policy document Notifying Subjects is hard –Publication is considered sufficient Notifying Relying Parties is impossible –Policy in force at time of issue prevails Significant change requires new OID(s) See also the Bibliography and Glossary

Other Policy Documents Certification Practices Statement All specific details, e.g. community, I&A, etc. HE draft example begun … Directory Policy Statement As critical as the credential Includes access controls, element definitions, etc… Local campus Business Policy Provisions The basis for the institution to issue credentials

Similar CPs for Comparison Federal BCA Certificate Policy European PKI certificate policy Globus Grid CP Draft Model Interstate Certificate Policy Commercial PKI CPs (very different) CP for the State of Washington NACHA CARAT guidelines

HE CP Acknowledgements Richard Guida, Federal PKI Council Ken Klingenstein and the I2 HEPKI-PAG Judith Boettcher and Dan Burke, CREN Scott Fullerton, Wisconsin-Madison Art Vandenburg, Georgia State Ed Feustel, Dartmouth College Support: Renee Frost, Ellen Vaughan, Nate Klingenstein (I2), Michelle Gildea (CREN)

Advanced Issues Student issues what is needed for a student loan signature? what is needed for viewing student loan information? what is permitted in the release of information by certificates and directories? Proliferation of CA’s Euro Issues TF-PKICOORD morphs into TF-AACE

WP6 CACG 11 DataGrid Testbed1 CA’s See WP6 web Much effort to run these – growing number of cert requests Several moving to OpenCA US DOE ScienceGrid CA Operational since January 2002 Approved as a DataGrid “trusted” CA (& vice-versa!) First test of transatlantic authentication last month Karlsruhe CA (CrossGrid and HEP Germany) To be incorporated later Seems to attract Grid CA issues that should have gone to GGF!

Authentication (2) One of the EDG CA’s (CNRS) acts as a “catch-all” CA CP/CPS will get explicit statements about RA’s Matrix of Trust (work ongoing) – much work! Feature matrix Acceptance matrix (WP6 CA Mgrs check each other against min. requirements) BUT: Still another 7 CrossGrid countries with no CA And many other LHC countries Scaling problems! Automate the feature checking Continue to work with GGF in the GridCP group

Authentication (3) DataGrid CA Features matrix

Interrealm Trust Structures Federated administration basic bilateral (origins and targets in web services) complex bilateral (videoconferencing with external MCU’s, digital rights management with external rights holders) multilateral Hierarchies may assert stronger or more formal trust requires bridges and policy mappings to connect hierarchies appear larger scale Virtual organizations Grids, digital library consortiums, Internet2 VideoCommons, etc. Share real resources among a sparse set of users Requirements for authentication and authorization, resource discovery, etc need to leverage federated and hierarchical infrastructures.

The Continuum of Trust Collaborative trust at one end… can I videoconference with you? you can look at my calendar You can join this computer science workgroup and edit this computing code Students in course Physics Brown can access this on-line sensor Members of the UWash community can access this licensed resource Legal trust at the other end… Sign this document, and guarantee that what was signed was what I saw Encrypt this file and save it Identifiy yourself to this high security area

Dimensions of the Trust Continuum Collaborative trust handshake consequences of breaking trust more political (ostracism, shame, etc.) fluid (additions and deletions frequent) shorter term structures tend to clubs and federations privacy issues more user-based Legal trust contractual consequences of breaking trust more financial (liabilities, fines and penalties, indemnification, etc.) more static (legal process time frames) longer term (justify the overhead) tends to hierarchies and bridges privacy issues more laws and rules

The Trust Continuum, Applications and their Users Applications and their user community must decide where their requirements fit on the trust continuum Some apps can only be done at one end of the continuum, and that might suggest a particular technical approach. Many applications fit somewhere in the middle and the user communities (those that trust each other) need to select a approach that works for them.

Integrating Security and Privacy Balance between weak identity, strong identity, and attribute- based access (without identity) Balance between privacy and accountability – keeping the identity known only within the security domain

Reconciling Humans and Lawyers Non-repudiation has had a very high bar set… Human nature has been “refined” over a long time We tend to talk globally, think locally and act inconsistently…

Of Security, Privacy, and Trust Is it security or is it liability? Liability has other remedies, including disclaimers, contractual sharing of responsibilities, indemnification, etc… Is it privacy or is it discretion? Privacy can only be degraded. How can privacy loss be managed? Should privacy be an active or passive service? When do we want our privacy given up? Is it trust or is it risk management (contracts)? Our notions of trust are soft, contradictory, volatile, intuitive, and critical to how we act in the world. Contracts and current computational approaches are hard and slow to change.

The Architecture of Authentication Identification/Authentication has two components the initial determination that a particular subject should be provided a specific credential (identification). i.e. “getting a credential” the continuing processes of that subject establishing their electronic presence (authentication) “using a credential” Examples two forms of photo id in person to be issued a computer account, and then Kerberos to authenticate providing a name and social security number to receive a PIN, and being able to view student loan data with that PIN The “strength” of authentication depends on both processes The need for strong authentication depends on the resources that are being offered to the authenticator

The Architecture of Authorization Should the authorization decision be made by the user’s domain, based on business rules provided by the target or by the target, based upon attributes provided by the user’s domain? If at the target, should the user’s domain pass all attributes about a user to a target, to protect the privacy of the target, or a minimal set of attributes, to protect the privacy of the user? The answers depend on point of view, scalability, manageability, and performance

We Need A Strong Authentication Service Identity in the real world is very hard. There are some legitimate needs that need formal and high levels of security services Documents must be notarized There are cases where be signed and encrypted Authentication is in general a “local” service that can be conveyed globally

We Need a Flexible Interrealm Authorization Service We are only beginning to understand authorization Permissions are much more volatile than identity Delegation and non-determinism are hard Privacy rests here, and we don’t understand privacy Expressions of permissions require complex data structures

Authentication and Authorization On occasion, a screwdriver can be used to drive nails, especially if there is not a hammer handy. Some inter-realm authentication systems can be used for authorization (e.g. Kerberos, X.509) Some inter-realm attribute exchanges can pass identifiers and thus be used for inter-realm “authentication” (e.g. Shibboleth)

Next Steps HEBCA CP and PMA Directory Policies Reconciliations of formats and trust

Where to watch