Update on PKI Activities in the Spanish Academic Network PKI-COORD November 26, 2001. Amsterdam.

Outline

- IRIS-PCA
  - New members and evolution
  - Policy update
  - Integration into EuroPKI
- PKCS#11 libraries
  - UmPKCS11
- Timestamp server
  - Development just started
- PAPI
  - Current status
  - PAPI v1.1
  - The pilot PAPI mesh
- The case for BCAs in Europe

IRIS-PCA

- Four new candidate organizations
  - Expected to be fully integrated before the end of the year
  - Problems for already established PKIs
- Contacts with other Spanish initiatives in PKIs
  - Governmental: CERES
  - Private: ACE (has become VeriSign)
- Still looking for the PKI killer application

IRIS-PCA: Policy update

- New version of the policy document
  - OID:
  - iris-pca/docs/politica.html
- An English translation is available
  - iris-pca/docs/politica-pca-ingles.rtf
- Submitted to EuroPKI for acceptance

PKCS#11 Library

- Developed by the University of Murcia for their internal PKI project
  - Available for Unix/Linux and Windows
  - Thoroughly tested in an operational environment
    - More than 15,000 users
    - Access control, clock-in, facility reservation, ...
- Available under GPL
  - Source and RPM formats
  - Full documentation under development

PAPI

- Current version available is
  - Point of Access based on Apache mod_perl
  - Configurable using Apache directives inside httpd.conf
- Authentication hooks for
  - Internal database
  - POP-3
  - LDAP
- Includes a set of enhanced documentation
  - FAQ
  - Guide for Beginners

PAPI

- Version is under test
- Problem: PoAs using the same policy must load different tokens into the user's browser
  - Lack of scalability for large services
- Solution: PoAs with the same policy are grouped into a GPoA
  - Tokens are assigned hierarchically
- Better management of tokens
  - Registered by the PoA once all contents are received by the user's browser
- Simplified installation and operation

PAPI v1.1 implementation of GPoAs

[Diagram: Browser, Authentication Server (keys), GPoA and PoA; Hcook/Lcook tokens flow from the Authentication Server through the GPoA to the PoA, with an HTTP 302 redirect carrying Hcook data to the browser]

The PAPI pilot mesh

- Using PAPI ASs and PoAs
  - Remote access to restricted services
  - Inter-institutional trust relationships
- A fairly complete cocktail
  - Three universities (one virtual)
  - Two commercial information providers
  - One library consortium
  - A public content provider
- More organizations to join in the near future
  - So we can erase the "pilot"
- PAPI is under test in other academic networks
  - We know about three of you

Bridge CAs

- Integrate existing PKIs which may implement different architectures, security policies, and cryptographic suites
  - Address the shortcomings of the two basic PKI integration methods: mesh and hierarchical
- Are not root CAs
  - Connect trust domains through cross-certificate pairs, creating a "bridge of trust"
- Do not issue certificates directly to users
- Are not used as a trust point by the users of the PKIs involved
  - Users keep their natural trust point
- Based on the PKIX standards

Bridge CA Architecture

[Diagram: the principal CA of each PKI is cross-certified with the Bridge CA, forming the bridge of trust]

The Federal Bridge CA

- Principal CAs cross-certify with the FBCA membrane
  - The FBCA is built using several cross-certified commercial CAs
  - The membrane offers a common boundary for them
- Certification policy mapping
  - Via a certificate extension
- Directory Services
  - All certificates issued by any node of the FBCA
  - All certificates issued to any node of the FBCA
  - All cross-certificate pairs containing certificates held or issued by the FBCA
  - A CARL from each node of the FBCA covering certificates issued by that node
- Libraries for certificate path discovery and validation

The experience at RedIRIS

- Problems in a bottom-up approach
- Theoretically, hierarchical PKIs are scalable...
  - Found problems when testing the integration of the RedIRIS PKI directly under another root CA
- < openssl
  - The first certificate whose subject name matched the issuer of the current certificate was assumed to be the issuer certificate
- >= openssl
  - All certificates whose subject name matches the issuer name of the current certificate are subject to further tests
  - One of these tests (applied to the Authority Key Identifier) fails when a new CA is introduced at the top of the hierarchy
- Solution: cross-certification
  - Why not at a BCA?

Bridge CAs: Pros and cons

- More flexible and extensible than either mesh or hierarchical structures
- Support a bottom-up approach
  - Integration of already existing PKIs
  - Maintain policy independence
- Require certificate path discovery and validation software
  - There is a (public) library available
- Put stress on directory services
  - Other approaches possible
- Not much tested (scalability, performance, ...)
  - More experiments are required
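To make the bridge model of the "Bridge CAs" slides and the cross-certification remedy from the RedIRIS slide concrete, here is an added example; it is not code from the presentation, RedIRIS or PAPI, and it uses Go's standard crypto/x509 package for path building rather than OpenSSL. It constructs two independent PKIs ("PKI-A Root CA" and "PKI-B Root CA"), a "Bridge CA" and two end-entity certificates (all names, keys and serial numbers are made up here), issues the cross-certificate pairs between each principal CA and the bridge, and then validates a certificate from one PKI for a relying party that trusts only the other PKI's root. The returned chain lengths show the point the slides make: 2 inside a PKI, 0 across PKIs without cross-certificates, 4 across the bridge in either direction, while the bridge's own self-signed certificate is never placed in any trust store and each CA keeps its existing key and self-signed certificate instead of being re-rooted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a certification authority: its key pair plus its self-signed certificate,
// the "natural trust point" of that PKI's users.
type ca struct {
	key  *ecdsa.PrivateKey
	self *x509.Certificate
}

var nextSerial int64 // toy serial counter (a real CA keeps this in its database)

func genKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newTemplate builds a minimal X.509v3 template; CA templates get
// basicConstraints CA:TRUE and keyCertSign, end entities digitalSignature.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl (binding pub) with signer's key under the parent certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newCA(cn string) *ca {
	key, t := genKey(), newTemplate(cn, true)
	return &ca{key: key, self: issue(t, t, &key.PublicKey, key)}
}

// crossCertify: the issuer CA signs a certificate for the subject CA's existing name
// and key. The subject CA keeps its self-signed certificate, so its users' trust point
// is untouched; the cross-certificate is only a path-building aid for other PKIs.
func crossCertify(issuer, subject *ca) *x509.Certificate {
	t := newTemplate(subject.self.Subject.CommonName, true)
	return issue(t, issuer.self, &subject.key.PublicKey, issuer.key)
}

func endEntity(issuer *ca, cn string) *x509.Certificate {
	key := genKey()
	return issue(newTemplate(cn, false), issuer.self, &key.PublicKey, issuer.key)
}

// chainLen runs path discovery and validation for leaf with one trust anchor and a
// set of candidate intermediates; it returns the length of the first valid chain
// (leaf and anchor included) or 0 when no path to the anchor exists.
func chainLen(leaf, anchor *x509.Certificate, intermediates ...*x509.Certificate) int {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0
	}
	return len(chains[0])
}

// BridgeResult holds chain lengths for the cases a bridge CA is meant to handle.
type BridgeResult struct {
	OwnPKI    int // PKI-A user validates a PKI-A certificate
	NoBridge  int // PKI-A user validates a PKI-B certificate, no cross-certificates
	ViaBridge int // same, with the A<->Bridge and Bridge<->B cross-certificate pairs
	Reverse   int // PKI-B user validates a PKI-A certificate across the bridge
}

// RunBridgeScenario builds two independent PKIs and a bridge CA, then validates across
// the bridge in both directions. The bridge's self-signed certificate never enters a
// trust store: each relying party keeps its own root as the only anchor.
func RunBridgeScenario() BridgeResult {
	pkiA, pkiB, bridge := newCA("PKI-A Root CA"), newCA("PKI-B Root CA"), newCA("Bridge CA")
	alice, bob := endEntity(pkiA, "alice@pki-a.example"), endEntity(pkiB, "bob@pki-b.example")
	// Cross-certificate pairs: each principal CA certifies the bridge and vice versa.
	bridgeByA, aByBridge := crossCertify(pkiA, bridge), crossCertify(bridge, pkiA)
	bridgeByB, bByBridge := crossCertify(pkiB, bridge), crossCertify(bridge, pkiB)
	return BridgeResult{
		OwnPKI:    chainLen(alice, pkiA.self),
		NoBridge:  chainLen(bob, pkiA.self),
		ViaBridge: chainLen(bob, pkiA.self, bridgeByA, bByBridge),
		Reverse:   chainLen(alice, pkiB.self, bridgeByB, aByBridge),
	}
}

func main() {
	fmt.Printf("%+v\n", RunBridgeScenario())
}
```

Run it with `go run` to print the four chain lengths. Only the certificates needed for one direction are handed to each validation; in a deployed bridge the relying party would instead fetch cross-certificate pairs and revocation lists from the directory services the FBCA slide lists, which is exactly where the "stress on directory services" and the need for path-discovery libraries come from. Note also that the cross-certificate for "PKI-B Root CA" shares its subject name and key with that CA's self-signed certificate; a path builder that stopped at the first subject-name match, like the older OpenSSL behaviour described above, could pick the wrong one, so the validator must consider every candidate issuer with that name.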