
11th Fed/Ed PKI Meeting: Some quick updates from recent HEPKI-TAG and SURA work (Jim Jokl)


Slide 1: 11th Fed/Ed PKI Meeting. Some quick updates from recent HEPKI-TAG and SURA work. Jim Jokl, jaj@Virginia.EDU

Slide 2: US Higher Education Root (USHER) and Policy

- Background
  - A hierarchical CA for Higher Education
    - Issue authority certificates to campus CAs
    - Replace and offer more than the old CREN hierarchy
  - Initial discussions on LOA for USHER
    - Strong procedures for USHER operations
    - Strong process to identify campuses
  - Discussions on requirements for schools
    - Something heavy, PKI-Lite, etc?
    - Implications for when USHER cross-certifies with HEBCA
- Early focus decisions
  - Strong procedures for USHER itself; use the InCommon I&A process for schools
  - Architect for an USHER-heavy and an USHER-Lite
  - Focus deployment on USHER-Lite

Slide 3: USHER & Policy: Enter LionShare

- LionShare needs a trust fabric that works logically like PKI-Lite
  - Verify PKI-Lite OID in cert
- Question: can/should USHER require at least PKI-Lite from campuses?
  - Schools doing this anyway
  - Strong pushback on TAG call
    - How does USHER certify campuses
    - Campus liability concerns
    - Why is a requirement needed?

[Diagram labels: USHER; Campus CA; LionShare SASL CA; short-life user certificates]

Slide 4: Grid Computing & PKI Bridges

- Started in the NMI Testbed Grid project
  - Tradition in the grid community appeared to be to run a CA for each Grid or install root certificates for each site
  - We wanted an approach that scaled more easily, leveraged central campus authentication, and enabled researchers to get out of the identity management business
- Logical solution
  - Attempt to leverage HEBCA with Globus
- Project
  - Do the technical work needed to pilot this idea in parallel with the development of HEBCA

Slide 5: Schematic of Original SURA NMI Testbed Grid PKI Integration Goal

[Diagram labels: Testbed Bridge CA; Testbed CA; A’s PKI, B’s PKI, C’s PKI; Campus A Grid through Campus F Grid; cross-cert pairs; user certs]

Slide 6: Inter-campus NMI Testbed Globus Project Activity

- Built simple Testbed Bridge CA
  - Off-line system
  - Used Linux and OpenSSL to build bridge
  - Stored securely when not in use
- Cross-certifications
  - UVA
  - UAB
  - TACC
  - USC
  - LSU
  - Univ of Arkansas in progress
- www.pki.virginia.edu/nmi-bridge

Slide 7: Globus & PKI Bridges

- Some issues
  - Globus uses OpenSSL which is not bridge-aware
    - Preload cross-certificates
    - Signing policy files
  - Certificate profiles used by some campus CAs caused problems
- Continuing forward with the SURA Grid
  - Cross-certification of sites
  - Developing
    - Directory-based infrastructure to automate management of gridmap-file
    - Web-based tool for sites to easily add/remove their users
    - Tools to automatically deploy the cross-certificates and signing policy files
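The "preload cross-certificates" workaround on slide 7, as an added example that is not part of the original presentation: a relying party that trusts only its own campus root can validate another campus's user certificate through a bridge only when the cross-certificates are handed to OpenSSL, here via `openssl verify -untrusted`. The CA names, the user "alice" and all file names are constructed sample values, and Globus signing policy files are not covered.

```shell
#!/bin/sh
# Constructed sample PKI: the CA names and the user "alice" are invented for this demo.

# req NAME CN: create NAME.key and a certificate request NAME.csr
req() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Example/CN=$2" 2>/dev/null
}

# issue SUBJECT ISSUER OUT [x509 options]: ISSUER signs SUBJECT's request into OUT
issue() {
  s=$1 i=$2 o=$3; shift 3
  openssl x509 -req -in "$s.csr" -CA "$i.pem" -CAkey "$i.key" -CAcreateserial \
    -days 30 -out "$o" "$@" 2>/dev/null
}

# build_pki DIR: campus roots a and b, a bridge CA, two cross-certs, one user cert
build_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for ca in a b bridge; do            # self-signed certificate for each CA
    req "$ca" "sample $ca CA" || exit 1
    openssl x509 -req -in "$ca.csr" -signkey "$ca.key" -extfile ca.ext \
      -days 30 -out "$ca.pem" 2>/dev/null || exit 1
  done
  issue bridge a a_to_bridge.pem -extfile ca.ext || exit 1  # campus A certifies bridge
  issue b bridge bridge_to_b.pem -extfile ca.ext || exit 1  # bridge certifies campus B
  req alice alice || exit 1
  issue alice b alice.pem || exit 1                         # user cert from campus B
  cat bridge_to_b.pem a_to_bridge.pem > cross.pem           # bundle to preload
)

# verify_user DIR [BUNDLE]: relying party trusts only campus A's root
verify_user() (
  cd "$1" || exit 1
  openssl verify -CAfile a.pem ${2:+-untrusted "$2"} alice.pem 2>/dev/null |
    grep -q ': OK$'
)

demo() {
  d=$(mktemp -d) && build_pki "$d" || return 1
  verify_user "$d" && echo "anchor only: OK" || echo "anchor only: no path"
  verify_user "$d" cross.pem && echo "cross-certs preloaded: OK" ||
    echo "cross-certs preloaded: no path"
  rm -rf "$d"
}
demo
```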

Slide 8: HEPKI-TAG Update

- New revision of PKI-Lite
  - Clarifications to Policy/Practices document
  - Profiles updated
    - Support for EAP-TLS wireless authentication recommending use of Microsoft OID
    - Specified Authority Key Identifier to be compatible with bridges
    - More specified with more notes for implementers
- Supporting some other USHER topics
- Signing tools project
- Internet2 and Educause HEPKI-TAG site links

