Internet2 Middleware PKI: Oy-vey! Michael R. Gettes Principal Technologist Georgetown University

HEPKI Sponsors: Internet2, EDUCAUSE, CREN
TAG – Technical Activities Group. Jim Jokl, Chair, Virginia. Technology, practicality, deployment, testbeds.
PAG – Policy Activities Group. (Default Chair) Ken Klingenstein, Colorado. Knee-deep in policy (CP), HEBCA, campus, subscriber and relying-party issues.
PKI Labs (AT&T) – Neal McBurnett, Avaya; Wisconsin-Madison & Dartmouth. Industry, government and education expert guidance.

HEPKI-TAG Activities
Charter – Technical Activities Group (TAG):
Certificate profiles, CA software
Private key protection
Mobility, client issues
Interactions with directories
Testbed projects (PKI-Lite, S/MIME Interop, Profiles)
Communicate results

HEPKI-PAG: We don’t need no stinkin’ policy?
Policy, lawyers, documenting practice: what gives?
Going outside the institution. Staying inside doesn’t require new policy (rather new practice).
PKI seems to make authN / authZ a legitimate problem deserving legal attention.
Working with U.S. Gov’t on PKI Policy.
Moved the development of the HEBCA Cert Policy.
Realized need for a Campus Model Cert Policy.
Realized need to simplify policy for PKI-Lite.

Transforming Education Through Information Technologies. Common Solutions Group, January 2002 (Sanibel Island).
HEBCA: Higher Education Bridge Certificate Authority. Michael R Gettes, Georgetown University

Multiple CAs in the FBCA Membrane.
Survivable PKI.
Cross Certificates allow for “one/two-way policy”.
Directories are critical in the BCA world.

A Snapshot of the U.S. Federal PKI [diagram: Federal Bridge CA linked to NFC PKI, Higher Education Bridge CA, NASA PKI, DOD PKI, Illinois PKI, University PKI and Canada PKI].

What is Cross Certification?
A Bridge signs a CA and the CA signs the Bridge.
Policy OIDs and Name Constraint controls are in the cross certificates.
Cross Certificates are published in directories and discovered via the network; the BCA/CA may remain off-line.
Policy OIDs could map to XML documents describing the policy (processed per Carmody).

Path Validation
Application receives a Certificate.
Finds a path back to the signer of the Certificate, validating the path for policy mappings and name constraints.
Policy Mappings can be LOA (levels of assurance) or “we agree to be in club shib” or whatever.
Name Constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu.
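The cross-certification and path-validation steps on the two slides above, as an added example that is not code from the slides, from HEBCA or from FBCA. It models cross certificates as records carrying a policy mapping and a name constraint, discovers a path from a campus-issued certificate back to a relying party anchored at the FBCA, and then checks the mappings and constraints along that path. Every DN, certificate and policy label here ("fbca-medium", "hebca-medium", "ua-medium") is constructed; signatures are not modelled, and the DN-suffix check stands in for real X.509 name-constraint matching.

```python
"""Toy bridge-CA path discovery and validation (constructed illustration).

Not code from the slides or from HEBCA/FBCA. All DNs, certificates and
policy labels are made up; signatures are not modelled. The point is how
policy mappings and name constraints in cross certificates are applied
while walking a path from an end entity back to a trust anchor.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: str                      # subject DN, most-specific RDN first
    issuer: str                       # issuer DN
    policies: set                     # certificatePolicies asserted for the subject
    policy_mappings: dict = field(default_factory=dict)  # issuer-domain OID -> subject-domain OID
    permitted_subtree: str | None = None  # nameConstraints: later subjects must sit under this DN


FBCA = "cn=FBCA,o=US Government"        # constructed trust anchor of the relying party
HEBCA = "cn=HEBCA,dc=hebca,dc=edu"      # constructed bridge CA
UA_CA = "cn=UA CA,dc=ua,dc=edu"         # constructed campus CA

# Constructed cross certificates "published in the directory". The pair
# FBCA<->HEBCA is two-way, so a naive issuer walk would loop forever.
DIRECTORY = [
    Cert(HEBCA, FBCA, {"fbca-medium"}, {"fbca-medium": "hebca-medium"}),
    Cert(FBCA, HEBCA, {"hebca-medium"}, {"hebca-medium": "fbca-medium"}),
    # HEBCA lets the campus CA sign only names inside its own name space.
    Cert(UA_CA, HEBCA, {"hebca-medium"}, {"hebca-medium": "ua-medium"},
         permitted_subtree="dc=ua,dc=edu"),
]

# Constructed end-entity certificates issued by the campus CA.
ALICE = Cert("cn=alice,dc=ua,dc=edu", UA_CA, {"ua-medium"})
MALLORY = Cert("cn=mallory,dc=other,dc=edu", UA_CA, {"ua-medium"})  # outside the name constraint
BOB = Cert("cn=bob,dc=ua,dc=edu", UA_CA, {"ua-basic"})               # policy never mapped


def in_subtree(dn: str, suffix: str) -> bool:
    """True if dn is the suffix itself or sits below it (simplified DN matching)."""
    return dn == suffix or dn.endswith("," + suffix)


def find_path(anchor: str, target: Cert, directory: list[Cert]) -> list[Cert] | None:
    """Walk issuer links from the end entity back to the trust anchor,
    discovering cross certificates from the directory. Returns the chain
    ordered anchor-side first, or None when no path exists."""
    def search(cert: Cert, visited: set) -> list[Cert] | None:
        if cert.issuer == anchor:
            return [cert]
        for cand in directory:
            if cand.subject == cert.issuer and cand.subject not in visited:
                rest = search(cand, visited | {cand.subject})
                if rest is not None:
                    return rest + [cert]
        return None
    return search(target, {target.subject})


def validate_path(path: list[Cert], required_policy: str) -> tuple[bool, str]:
    """Apply policy mappings and name constraints along a discovered path."""
    expected = required_policy   # the required policy, expressed in the current CA's OID space
    permitted: list[str] = []    # name-constraint suffixes accumulated so far
    for cert in path:
        for suffix in permitted:
            if not in_subtree(cert.subject, suffix):
                return False, f"{cert.subject} is outside permitted subtree {suffix}"
        if expected not in cert.policies:
            return False, f"{cert.subject} does not assert policy {expected}"
        # Translate the required policy into the subject CA's own OID space.
        expected = cert.policy_mappings.get(expected, expected)
        if cert.permitted_subtree:
            permitted.append(cert.permitted_subtree)
    return True, f"valid: {required_policy} maps to {expected} at the end entity"


def check(target: Cert, anchor: str = FBCA, required_policy: str = "fbca-medium") -> tuple[bool, str]:
    """What a relying party behind the FBCA would do with a campus-issued certificate."""
    path = find_path(anchor, target, DIRECTORY)
    if path is None:
        return False, "no path to trust anchor"
    return validate_path(path, required_policy)


if __name__ == "__main__":
    for cert in (ALICE, MALLORY, BOB):
        print(cert.subject, "->", check(cert))
```

Alice validates because the FBCA policy maps to the HEBCA policy and then to the campus policy, and her name lies under the campus subtree. Mallory fails the name constraint the bridge placed on the campus CA, and Bob fails because the campus CA never asserted a policy that the chain of mappings reaches, which is exactly the kind of mismatch the relying party rather than the campus has to catch.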

On Policy
We have a draft HEBCA Certificate Policy.
The HE CP and HEBCA CP are congruent.
The HEBCA CP and FBCA CP are congruent.
We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE.

NIH-EDUCAUSE PKI Pilot, Phase Two: Electronic Grant Application With Multiple Digital Signatures. Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

Project Participants
University of Alabama-Birmingham
University of Wisconsin-Madison
University of California, Office of the President
University of Texas – Houston Health Science
Dartmouth College
Georgetown University – HEBCA proper
National Institutes of Health (NIH)
Mitretek

The Problem: pictures of piles of grant applications – about 20,000 5 ft high standing “people” of paper; 1 forest per year for just grant apps.
The Solution: signed, electronic grant application – of course!

Phase Two Concept of Operations (CONOPS) [diagram: NIH OER recipient running E-Lock Assured Office and a CAM-enabled NIH CAM server; digitally signed grant application; certificate status and certificate validation for Universities A, B and C via HEBCA and FBCA].

[diagram: sender (UA) to receiver (NIH). The NIH CA is the trust anchor; DAVE (Discovery and Validation Engine), CAM and E-Lock software sit on the NIH side. The NIH directory, FBCA directory, HEBCA directory and UA directory are linked by cross certificates; the UA CA issued the sender’s certificate; certs and CRLs are obtained via directory chaining.]
New: LDAP Registry of Directories for BCAs.

Bridge CA vs. Shibboleth
PKI is hard to deploy to end users.
Shib should use BCA-aware PKI between servers.
Club Shib will then scale using policies and relationships established by the Bridge CA world: ONE Club Shib managed by policy, globally.
Java 1.4 is Bridge aware. Whistler supposed to be.

The PKI Puzzle, by David Wasley, UCOP [diagram: PKI Hierarchy; Medical].

Technical vs. Policy: PKI is 1/3 Technical and 2/3 Policy?