
1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.


Slide 1: HEPKI-TAG Update
EDUCAUSE/Dartmouth PKI Summit, July 26, 2005
Jim Jokl, University of Virginia

Slide 2: HEPKI-TAG Activities
- Sponsors: EDUCAUSE, Internet2, NET@EDU
- Charter: Technical Activities Group (TAG)
  - Open-source PKI software
  - Certificate profiles
  - Directory / PKI interaction
  - Validity periods
  - Client customization issues
  - Mobility
  - Inter-institution test projects
  - Private key protection
  - Technical issues with cross-certification
  - Communicate results
- Process
  - Biweekly conference calls
  - Sessions at higher education events

Slide 3: Updates to PKI-Lite
- PKI-Lite: using PKI technology at the LOA (level of assurance) of the existing campus login/password system
- Updated policy and practices document
  - Changes based on feedback from the NMI project, etc.
  - Clarifications to hierarchical CAs, language, etc.
  - Still 9 pages, fill-in-the-blanks format
  - Relationship to the Citizen and Commerce (C4) policy: FIPS-140 crypto, audits, CRL/OCSP required
- New PKI-Lite certificate profiles
  - End entity
    - Bridge environment (Authority and Subject Key Identifiers)
    - EAP-TLS Microsoft OID (SubjectAltName / OtherName / PrincipalName)
  - Certification Authority: Authority and Subject Key Identifiers
  - All profiles: more closely follow the RFCs for critical flags

Slide 4: S/MIME
- Plan to update the S/MIME compatibility table with data for additional clients
- HEPKI-TAG coordinated a letter to Qualcomm requesting S/MIME support for Eudora
  - Qualcomm was/is developing S/MIME support for Eudora
  - HEPKI-TAG developed a prioritized list of features we'd like to see in the client
  - Looking forward to being early testers

Slide 5: Introductory Materials Aiding Initial Campus Deployments
- Recall our PKI-Lite framework
  - Using PKI for "standard" applications where you likely would have used names/passwords in the past
  - Standard policy/practices document and profiles
    - Designed to support S/MIME, VPN, web authentication, etc.
    - Validated on other apps (e.g. Globus, document signing applications, etc.)
- Newer addition: PKI-Lite Recipe, by Steven Carmody at Brown

Slide 6: US Higher Education Root (USHER) and Policy
- Background
  - A hierarchical CA for higher education
    - Issue authority certificates to campus CAs
    - Replace and offer more than the old CREN hierarchy
- Initial discussions on LOA for USHER
  - Strong procedures for USHER operations
  - Strong process to identify campuses
- Discussions on requirements for schools
  - Something heavy, C4, PKI-Lite, less, etc.?
  - Implications for when USHER cross-certifies with HEBCA?
- Early focus decisions
  - Strong procedures for USHER itself; use the InCommon I&A process for schools
  - Architect for a USHER-heavier and a USHER-Lite
  - Focus deployment on USHER-Lite

Slide 7: One older concept for the US Higher Education Root (USHER)
(Diagram; labels on the slide: USHER Root, USHER-Lite, USHER Basic/Medium, School CA, InCommon CA, Shib Cert)

Slide 8: Current Thinking for USHER
(Diagram; labels on the slide: USHER-Lite Root, School CA, Future USHER Basic/Medium, School CA, InCommon CA, Shib Cert, HEBCA)
Note: InCommon CA not related to USHER in a PKI sense

Slide 9: USHER & Policy: Enter LionShare
- LionShare needs a trust fabric that works logically like PKI-Lite
  - Verify the PKI-Lite OID in the certificate
- Question: can/should USHER require at least PKI-Lite from campuses?
  - Schools are doing this anyway
  - Strong pushback on the TAG call
    - How does USHER certify campuses?
    - Campus liability concerns
    - Why is a requirement needed?
(Diagram; labels on the slide: USHER, Campus CA, LionShare SASL CA, Short-life user certificates)

Slide 10: Current Thinking on USHER-Lite
- No requirements for what the campus can do using their USHER authority certificate
- LionShare will require the PKI-Lite policy OID in certificates issued by the SASL-CA
- USHER CA profile
  - Profiles include AIA for bridge cert discovery in XP
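The trust fabric sketched on slides 9 and 10 (USHER root, campus CA, LionShare SASL CA issuing short-life user certificates that must carry the PKI-Lite policy OID), together with the Authority/Subject Key Identifier and AIA points from slides 3 and 10, as an added Go example using only the standard library. This is not code from the presentation or from the HEPKI-TAG, USHER or LionShare projects. The policy OID (pkiLitePolicyOID), the CA names, the AIA URLs and the user name are constructed placeholders; the real PKI-Lite OID comes from the PKI-Lite policy/practices document, which is not on the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder for the PKI-Lite policy OID; the real value is not on the slides.
var pkiLitePolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}

// issued pairs a parsed certificate with its private key.
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (nil parent: self-signed). CreateCertificate fills
// SubjectKeyId for CA templates and AuthorityKeyId from the parent's SubjectKeyId.
func issue(tmpl *x509.Certificate, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent = &issued{cert: tmpl, key: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &issued{cert: cert, key: key}, err
}

// issueCA issues a CA certificate; aia (constructed URLs) is the AIA caIssuers pointer
// a client follows to fetch the issuer's certificate (bridge cert discovery).
func issueCA(serial int64, cn string, aia []string, now time.Time, parent *issued) (*issued, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, IssuingCertificateURL: aia,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, parent)
}

// issueUser has the SASL CA issue a 12-hour client-auth certificate; withPolicy
// controls whether it asserts the PKI-Lite policy OID (certificatePolicies, 2.5.29.32).
func issueUser(sasl *issued, serial int64, name string, now time.Time, withPolicy bool) (*issued, error) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(12 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if withPolicy {
		// SEQUENCE OF PolicyInformation with the qualifiers omitted (RFC 5280 4.2.1.4).
		der, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{pkiLitePolicyOID}})
		if err != nil {
			return nil, err
		}
		t.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	return issue(t, sasl)
}

// verifyPKILite is the relying-party check: the leaf must chain to root through the
// intermediates and must itself assert the PKI-Lite policy OID (a leaf-only check,
// not full RFC 5280 policy-tree processing). It returns the validated chains.
func verifyPKILite(leaf, root *x509.Certificate, inters []*x509.Certificate, now time.Time) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	for _, oid := range leaf.PolicyIdentifiers {
		if oid.Equal(pkiLitePolicyOID) {
			return chains, nil
		}
	}
	return nil, fmt.Errorf("certificate does not assert the PKI-Lite policy OID")
}

// must panics on an issuance error (demo convenience).
func must(i *issued, err error) *issued {
	if err != nil {
		panic(err)
	}
	return i
}

func main() {
	now := time.Now()
	root := must(issueCA(1, "USHER Root (constructed)", nil, now, nil))
	campus := must(issueCA(2, "Campus CA (constructed)", []string{"http://usher.example.invalid/root.cer"}, now, root))
	sasl := must(issueCA(3, "Campus SASL CA (constructed)", []string{"http://pki.campus.example.invalid/ca.cer"}, now, campus))
	for i, withPolicy := range []bool{true, false} {
		user := must(issueUser(sasl, int64(100+i), "user (constructed)", now, withPolicy))
		_, err := verifyPKILite(user.cert, root.cert, []*x509.Certificate{campus.cert, sasl.cert}, now)
		fmt.Printf("PKI-Lite OID present=%v accepted=%v err=%v\n", withPolicy, err == nil, err)
	}
}
```

Running it shows the user certificate that carries the policy OID chaining user -> SASL CA -> campus CA -> USHER root and being accepted, while an otherwise identical certificate without the OID is rejected even though its chain is valid. The policy check here is deliberately leaf-only, which matches the "verify PKI-Lite OID in cert" wording on slide 9; a relying party that also wants the CA chain to vouch for the policy would need RFC 5280 policy-tree processing and revocation checking (CRL/OCSP, as slide 3 notes the C4 policy requires), neither of which this example performs.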

Slide 11: Next Projects for HEPKI-TAG
- Continue support for USHER
- Maintain and update existing documents and services
- Signing tools project
  - Document and web form signing tools
- Update of S/MIME work
  - Update compatibility matrix
  - Eudora when ready
- Campus CA audits
  - Preparation and documents for campus auditors
- In the queue
  - Windows smart card login
  - Mobility and hardware token update
  - Application integration (administrative and general)
  - CA software
  - More/better introductory materials
  - Bridge application testing
  - Grid integration and documentation
  - Update hardware token work
  - EAP-TLS documentation
  - Look at SILC
  - Insert your favorite item(s) here

Slide 12: Questions - References
- If you are working on these topics, consider participating in HEPKI-TAG
- Some references
  - middleware.internet2.edu/hepki-tag
    - Links to other sites, CA software, etc.
  - NET@EDU PKI for Networked Higher Education
    - http://www.educause.edu/PKIforNetworkedHigherEducation/928
  - pkidev.internet2.edu
  - PKI Labs
    - middleware.internet2.edu/pkilabs

