Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.

Published byRaven Keith Modified over 10 years ago

Similar presentations

Presentation on theme: "PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado."— Presentation transcript:

1 PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder

2 Agenda  Fundamentals - Components and Contexts  The missing pieces - in the technology and in the community  Current Activities - feds, chime, anx, overseas, pkiforum, etc.  Higher Ed Activities (CREN, HEPKI-TAG, HEPKI-PAG, Net@edu, PKIlabs)

3 PKI : A few observations  Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack…But it is that ubiquitous and important  Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITP’s...  Options breed complexity; managing complexity is essential

4 A few more...  IP connectivity was a field of dreams. We built it and then the applications came.. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder.  Noone seems to be working on the solutions for the agora.

5 Uses for PKI and Certificates  authentication and pseudo-authentication  signing docs  encrypting docs and mail  non-repudiation  secure channels across a network  authorization and attributes  and more...

6 A framework  PKI Components - hardware, software, processes, policies  Contexts for usage - community of interests  Implementation options (in-source, out-source, roll- your-own,etc.)  Note changes over time...

7 PKI Components  X.509 v3 certs - profiles and uses  Validation - Certificate Revocation Lists, OCSP, path construction  Cert management - generating certs, using keys, archiving and escrow, mobility, etc.  Directories - to store certs, and public keys and maybe private keys  Trust models and I/A  Cert-enabled apps

8 PKI Contexts for Usage  Intracampus  Within the Higher Ed community of interest  In the Broader World

9 PKI Implementation Options  In-source - with public domain or campus unique  In-source - with commercial product  Bring-in-source - with commercial services  Out-source - a spectrum of services and issues  what you do depends on when you do it...

10 Cert-enabled applications  Browsers  Authentication  S/MIME email  IPsec and VPN  Globus  Secure multicast

11 X.509 certs  purpose - bind a public key to a subject  standard fields  extended fields  profiles  client and server cert distinctions

12 Standard fields in certs  cert serial number  the subject, as x.500 DN or …  the subject’s public key  the validity field  the issuer, as id and common name  signing algorithm  signature info for the cert, in the issuer’s private key

13 Extension fields  Examples - auth/subject subcodes, key usage, LDAP URL, CRL distribution points, etc  Key usage is very important - for digsig, non-rep, key or data encipherment, etc.  Certain extensions can be marked critical - if an app can’t understand it, then don’t use the cert  Requires profiles to document, and great care...

14 Cert Management  Certificate Management Protocol - for the creation and management of certs  Revocation Options - CRL, OCSP  Storage - where (device, directory, private cache, etc.) and how - format  escrow and archive - when, how, and what else needs to be kept  Cert Authority Software or outsource options  Authority and policies

15 Certificate Management Systems  Homebrews  OpenSSL and OpenCA  Baltimore, Entrust, etc.  W2K, Netscape, etc.

16 Directories  to store certs  to store CRL  to store private keys, for the time being  to store attributes  implement with border directories, or acls within the enterprise directory, or proprietary directories

17 Inter-organizational trust model components  Certificate Policy- uses of particular certs, assurance levels for I/A, audit and archival requirements  Certificate Practices Statement- the nitty gritty operational issues  Hierarchies vs Bridges a philosopy and an implementation issue the concerns are transitivity and delegation hierarchies assert a common trust model bridges pairwise agree on trust models and policy mappings

18 Certificate Policies Address (CP)  Legal responsibilities and liabilities (indemnification issues)  Operations of Certificate Management systems  Best practices for core middleware  Assurance levels - varies according to I/A processes and other operational factors

19 Certificate Practice Statements (CPS)  Site specific details of operational compliance with a Cert Policy  A single practice statement can support several policies (Chime)  A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.

20 Trust chains  Path construction to determine a path from the issuing CA to a trusted CA heuristics to handle branching that occurs at bridges  Path validation uses the path to determine if trust is appropriate should address revocation, key usage, basic constraints, policy mappings

21 Trust chains  When and where to validate off-line on a server at the discretion of the application depth of chain  some revocations better than others - major (disaffiliation, key compromise, etc.) and minor (name change, attribute change)  sometimes the CRL can’t be found or hasn’t been updated

22 Mobility Options  smart cards  usb dongles  passwords to download from a store or directory  proprietary roaming schemes abound - Netscape, Verisign, etc  SACRED within IETF recently formed for standards  integration of certificates from multiple stores

23 More current activities  HEPKI  the Grid

24 Current Activities  PKIX (http://www.ietf.org/html.charters/pkix- charter.html)  Federal PKI work (http://csrc.nist.gov/pki/twg/)  State Govs (http://www.ec3.org/)  Medical community (Tunitas, CHIME, HIPAA)  Automobile community (ANX)  Overseas Euro government - qualifying certs EuroPKI for Higher Ed (http://www.europki.org/ca/root/cps/en_index.html)

25 All the stuff we don’t know…  Revocation approaches  Policy languages  Standard profiles  Mobility  Path math  User interface

26 PKI and Higher Ed  ah, the public sector life…  Key issues  Current activities

27 ah, the public sector…  almost universal community of interests  cross-agency relationships  complex privacy and security issues  limited budgets and implementation options  sometimes ahead of the crowd and the obligation to build a marketplace

28 Key issues  trust relationships among autonomous organizations  interoperability of profiles and policies  interactions with J.Q. Public  international governance issues

29

Download ppt "PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado."

Similar presentations

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.
Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L.

David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft David L.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

Similar presentations

Ads by Google