Presentation is loading. Please wait.

Presentation is loading. Please wait.

Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris.

Published byJair Lifsey Modified over 10 years ago

Similar presentations

Presentation on theme: "Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris."— Presentation transcript:

1 Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris

2 10/12/2000www.cren.net2 What is CREN in Year 2000?  A non-profit higher education member organization - 230 members  Mission - Support higher education and research organizations with strategic IT knowledge services and communication tools for infrastructure  Evolving from BITNET launched in 1984 (Visit us at www.cren.net)  “Corporation for Research and Educational Networking”

3 10/12/2000www.cren.net3 Certificate Authority - Topics (3)  Operations and Status l As many questions as we have answers..:-)  EvolvingTrust Models l Hierarchical model -Trust Anchor l Bridge model - Trust Conduit l Cross-certification Plans  Evolving Documents l Certificate Policies - with cert profile info l Certificate Practice Statements l IETF RFC 2527 as guide to doc development

4 10/12/2000www.cren.net4 Certificate Authority by CREN  Goal is to simplify connection to a trust community  Serve as a trusted third party and to facilitate trust relationships l Among institutions l Between higher education and other communities  Provide a link to other validated, trusted institutions without a separate pair-wise trust relationship between each pair of institutions

5 10/12/2000www.cren.net5 Certificate Authority by CREN  Primary initial use is a focus on supporting inter - institutional resource sharing l Among institutions l Between institutions and content providers l Primarily for academic content and research resources  Goal - map to basic or medium assurance with Federal Bridge Certificate Authority  Operate under a Certificate Practices Statement of 1/27/2000 Version 3.0

6 10/12/2000www.cren.net6 Higher Education CA by CREN Hierarchical CA Trust Community Minn HeHRCA (CREN) UT-Austin Princeton MIT GaTech UTenn Penn State HeHRCA Group shares “close enough” CP, CPS Hierarchy as “Trust Anchor.”

7 10/12/2000www.cren.net7 Operations - Higher Ed CA (1)  CA Subscriber process  Two page Application Form completed by Institution’s CREN member rep  Signed by an executive officer of institution  Once registration is complete, the technical contact l Issues request for certificate l Accepts the certificate on behalf of institution

8 10/12/2000www.cren.net8 Operations - Higher Ed CA (2)  CREN Office l Serves as the Registration Authority (RA) l Receives, approves, and manage the applications and issuance of institutional certificates l Validates institutional contacts for the institutional CA certificate l Sends message to MIT approving and initiating secure contact with institution

9 10/12/2000www.cren.net9 Operations - Higher Ed CA (3)  MIT l Operates the CREN CA under contract for CREN l Receives the certificate request message directly from technical contact at institution l Generates the institutional certificate l Sends the institutional certificate back to technical contact and to CREN RA Contact l Updates the repository of certificates

10 10/12/2000www.cren.net10 CREN Root Key Cutting Ceremony at MIT 11/17/99

11 10/12/2000www.cren.net11 Certificate Authority Status  Institutional certificates issued and accepted l MIT, Georgia Tech, Princeton l U of Minnesota, UT-Austin, Penn State  Testing with JSTOR is underway l Success with remote access using U of MN CREN -issued certificate - 9/19/00 l One next step: test with U Minn directory query based on https embedded in certificate

12 10/12/2000www.cren.net12 Applications  Registration process complete - U Tenn & U Mass - Amherst  Applications received - in various stages of process l Johns Hopkins University l Florida State University  Other applications received, but folks wanted something else

13 10/12/2000www.cren.net13 Relationship of CREN within Higher Education (1)  Working closely with HEPKI-TAG and PAG l TAG- Technical Issues Group l PAG - Policy Issues Group  HEPKI is a loose federation of Internet2, EDUCAUSE and CREN and community folks  Led by Ken Klingenstein - Internet2 and many others...

14 10/12/2000www.cren.net14 Relationship of CREN within Higher Education (2)  Issues with the certificate profile. l More detail on next two slides...  Other technical issues on table l Repositories, trust paths and revocation  Policy and practices work - again with HEPKI-PAG and TAG groups

15 10/12/2000www.cren.net15 Certificate Profile Issues  Validity Period - l CREN root renewed on 6/14/2000 is valid to 11/17/07 - Eight years l Institutional certificates are issued with five year validity period  DC naming in certificates - l Can include DC in “Subject Field” of Institutional Certificate following x.500 name l CREN cert “Subject field” will be x.500 only l HEPKI Recommendation - Jim Jokl paper in review

16 10/12/2000www.cren.net16 Certificate Profile Issues - More  Upgraded to Version 3 cert with extensions in 6/00  Continuing discussion on other attributes in the Basic Constraints and Key usage fields -- gathering input to January 2001.  Issue of hash - change to SHA1 from MD5 for the signature algorithm  Have an OID - 7091 - from IANA

17 10/12/2000www.cren.net17 Certificate Profile Issues - More  Principle - Profiles of CREN root certificate, institutional certificates, and client certificates can and probably will be different  Work by HEPKI-TAG is working towards more consistency rather than less with certificate profiles - again led by Ken Klingenstein

18 10/12/2000www.cren.net18 Policy Work : HEPKI and CREN  Certificate policy work l Mapping policies from FBCA, and Euro-PKI with RFC 2527 l HEPKI Goal - create generic higher ed certificate policy and CPS l Revise the existing CREN CPS and develop a Certificate Policy - need one for CREN CA Hierarchy and one for CREN CA Bridge l Evolving to a recommendation that Campus CAs need both CP and CPS

19 10/12/2000www.cren.net19 Possible PKI Infrastructure- Higher ED HeBCA/CREN Mn HeHRCA/CREN UCOP UT-Austin Princeton MIT GaTech UTenn Penn State HEPKI- PA UAB UWI MIT HeI GeorgeT HeBCA Group shares“close enough” CP, CPS- but might map to higher level of assurance or have different granularities of relationships Bridge acts as trust conduit or transport

20 10/12/2000www.cren.net20 Evolving PKI Infrastructure Higher ED and Links to Others FPKI-PA FBCA DOE DOJ ETC HeBCA/CRENHeHRCA/CREN HEPKI- PA HeI Relying Parties Community HeI Note: Not clear how vendors should be represented.

21 10/12/2000www.cren.net21 June 2000 CREN CA Pilot Meeting  Jeff demonstrated first version of CREN repository  Certificate profile work reviewed  Working Groups: l Validity period working group: Chair Michael Gettes l Protecting private keys: Co-Chairs are Jeff Schiller & Ariel Glenn l Vendor Solutions Group - Chair Kevin Unrue

22 10/12/2000www.cren.net22 CREN CA Continuing work Fall, 2000 (1)  Continue working the issues and issuing institutional certificates  Work on building community awareness and expertise via scenarios, FAQs, and workshops plus support of HEPKI activities  Examine feasibility of issuing server certificates to institutions with institutional certificates

23 10/12/2000www.cren.net23 CREN CA Continuing work Fall, 2000 (2)  FAQ on Directories is in review l Complement for FAQ on PKI l Complements the “LDAP Recipe”  CA Pilot Schools meeting in October with Internet2 in Atlanta  Planning for Seminars on Directories and Certificate Authorities in late January 2001  Plan for CREN CA Production Levels  Work on the browser challenge...

24 10/12/2000www.cren.net24 Continuing Open Questions  Certificate Profiles - Can we achieve a common profile? Also common CPs and CPs?  How will the CA relationships within higher education in the US evolve?  How to get the CREN Root in the Netscape and IE browsers?  What might the links to Euro-PKI look like?  What community of interest does the Euro- PKI Certificate Policy address?

25 10/12/2000www.cren.net25 For More Information…and to Get Involved...  HEPKI is the place to start l website: www.educause.edu/HEPKI  CA List at CREN l Send request to cren@cren.net  CREN Web site - www.cren.net l CA Section l Archived TechTalks l FAQ on PKI Infrastructure at web site l Campus scenarios

Download ppt "Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris."

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Petri Net1 :Abstract formal model of information flow Major use: Modeling of systems of events in which it is possible for some events to occur concurrently,

Petri Net1 :Abstract formal model of information flow Major use: Modeling of systems of events in which it is possible for some events to occur concurrently,
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.

PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L.

David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft David L.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.

NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.
MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.

MPKI Interoperability I-D ChangeLog from -01 to -02 Jan 16, 2004 Masaki SHIMAOKA SECOM Trust.net.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

Similar presentations

Ads by Google