A community-based CA: The (slow) rise of the house of Usher (The CA former known as CREN)

The CA formerly known as CREN  Lots of discussion for a looong time – HEPKI- TAG, HEBCA-BID, PKI Labs  Plan is finally emerging A few related certificate services –USHER - Level 1 - soon –USHER – Level 2 - start detailed planning for implementation USHER CP –Others if warranted, eventually –All operate on high levels of assurance in I/A of the institution, and in their internal operation at both Internet2 and subcontractors –Place varying degrees of pain, and power, to the institutions Helping on a packaging of open-source low-cost CA servers Work with EDUCAUSE on their related initiatives

Usher-Level 1  Modeled after Federal Citizen and Commerce CP/CPS (  Issues only institutional certs  Those certs can be used for any purposes  CP will place few constraints on campus operations User identification and key management Campus CA/RA activities  Will be operated itself at high levels of confidence  Will recommend a profile for campus use  Good for building local expertise, insuring some consistency in approaches among campuses, and may be suitable for many campus needs and some inter-campus uses  Will not work for signing federal grants, etc…  Operational soon

Usher - Level 2  Modeled after FBCA Basic level CP  Issues only institutional certs  Those certs can be used for most purposes  CP will place more constraints on campus operations User identification and key management Campus CA/RA activities  Will be operated itself at high levels of confidence  Will recommend a profile for campus use  Good for many campus needs, many inter-campus uses, and many workings with the federal government  Will peer at the HEBCA  Detailed planning now starting; stand up sometime mid-next year

Interesting and Open Issues…  Policy Authority for USHER? Conservation of policy groups HEBCA PA? InCommon-Exec?  Final pricing and packaging Working numbers <$2K first year, <$1K renewal Includes strong institutional I/A, strong USHER operations Leverages InCommon operations  Applications and use

Interesting and Open Issues 2  Cost for Usher to peer at bridges  Ability to put Usher into various browsers  Relation to InCommon Distinguishing one from the other –To applications –To users Leveraging one with the other

+/- of Usher  Pluses Pricing and lack of usage constraints on campus roots Strong institutional I/A – external and for subdomains Community-consistent ???  Negatives Not easily in browsers Uncharted peering with feds, commercials, etc Places more emphasis on running your own campus CA. ??

Early version HEBCA FBCA USHER-Level 2 USHER -Level 1

Caveats  Progress has been very slow  On the other hand, good progress is being made with InCommon and much of that can be highly leveraged, at least operationally  HIPAA interpretations and priorities vary dramatically across campuses.  Terena has begun to set up a registry of national R&E CA’s root. It is not clear what leverage that offers.