Root Key Cutting and Ceremony at MIT 11/17/99 (presentation transcript, 9/20/2000, www.cren.net)

Slide 1: Root Key Cutting and Ceremony at MIT 11/17/99

Slide 2: Certificate Authority Update
- Institutional certificates issued and accepted
  - MIT, Georgia Tech, Princeton
  - U of Minnesota, UT-Austin
- Testing with JSTOR is underway
  - Frank G has an update on this

Slide 3: Applications
- Registration process complete: U Tenn and U Mass - Amherst
- Other applications in various stages of the process
  - Penn State
  - Johns Hopkins University
  - Florida State University

Slide 4: What's Happening - Since May 2000
- Issues with the certificate profile
  - Validity period of the CREN root certificate
  - Domain Component Naming (DC naming)
  - Extensions in certificates (CREN's and institutions')
- Technical issues
  - Roots, trust paths and revocation
- Policy and campus issues
  - Private key policies
  - Campus implementations
  - Trust model with higher ed and FBCA

Slide 5: Certificate Profile Issues
- Validity period: issued for five years for institutions; CREN root valid to 11/17/07
  - Upgraded to Version 3 cert with extensions
- DC naming in certificates
  - Can include it in the "Subject" field of an institutional certificate (IC) with X.509
  - CREN cert "Subject" field will be X.509 only
  - HEPKI recommendation: Jim Jokl paper
- Other attributes in the Basic Constraints and Key Usage fields: gathering input until January 2001
  - Now have an OID from IANA

Slide 6: Continuing Issue/Question
- How to achieve the overall goal of interoperability
- Ambiguity about the specific goal: find a CRL or other means to verify certificate validity, or find an LDAP directory
- The IETF PKIX Working Group has defined an extension for the purpose of finding a CRL
- Agreed on a six-month period to "aggregate" recommended changes
- Fog will clear ... as we move forward

Slide 7: Other Issues
- Jeff completed the first version of the repository, available at http://www.cren.net/ca/
- Working groups
  - Protecting private keys: co-chairs are Jeff Schiller and Ariel Glenn
  - Vendor Offering Group: chair Kevin Unrue
  - Groups just formed. Interest in joining? Contact the chairs or Patty Gaul.
  - Coordinating with HEPKI groups

Slide 8: CPs and CPSs: How Are They Different?
- A Certificate Policy (CP) is a "named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements." (RFC 2527)
- A Certificate Practice Statement (CPS): "A CPS is a statement of the practices which a certification authority employs in issuing certificates." (ABA Guidelines, RFC 2527)
- Each campus will probably need both a CP and a CPS
  - CP: tells what, where and for what purpose certificates are to be used, building a common security framework or umbrella
  - CPS: tells how a campus issues certificates; details the operational procedures

Slide 9: CREN CA Documents
- CREN currently has CPS version 3.0, dated 1/27/00, which details the operations and practices for the CREN CA.
- CREN does not have a CP setting forth the larger framework, although sections of the CPS are a good beginning. Work on this will parallel or follow the generic Higher Ed CP development by D Wasley.
- Note: CREN has a Step by Step document detailing each step of the Registration Authority process and the CA issuance of an Institutional Certificate.
- In process of obtaining an OID from IANA.

Slide 10: CPs and CPSs: Principle and Example
- 4.4.3 Procedure for revocation request (EuroPKI CP)
- The entity requesting the revocation SHALL be properly authenticated. The authentication method SHOULD be as strong as the one used in the issuing procedure. A conforming CA MUST accept as a revocation request a message digitally signed with a not-expired and not previously revoked certificate issued under this policy.
- An alternative procedure MAY require the entity to visit the RA or CA and to present a viable identity document.
- If the entity is a CA, the CA SHALL in addition: (1) inform subscribers and cross-certifying CAs, and (2) terminate the certificate and CRL distribution service for certificates/CRLs issued using the compromised private key.

Slide 11: CPs and CPSs: Principle and Example
- 4.4.9 CRL issuance frequency (if applicable)
- CRLs MUST be issued at least every 40 days by a conforming CA.
- Principle: exact boundaries between CP and CPS will be malleable for now.
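The two EuroPKI CP clauses quoted on slides 10 and 11 (4.4.3 on who may submit a revocation request, 4.4.9 on CRL issuance frequency) can be encoded as the checks a CA's revocation handler would run. The following is an added example, not CREN's or EuroPKI's code; it assumes a placeholder policy OID, a caller that has already verified the request signature against the signer's key, and constructed sample certificates and a CRL.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

POLICY_OID = "1.3.6.1.4.1.99999.1"  # placeholder (assumed); CREN's real OID is not on the slides
MAX_CRL_INTERVAL = timedelta(days=40)  # CP section 4.4.9

@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime
    policy_oids: tuple  # certificatePolicies OIDs the issuer asserted

@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serial numbers listed on the CRL

@dataclass(frozen=True)
class RevocationRequest:
    target_serial: int
    signer: Cert
    signature_ok: bool  # assumed: caller already verified the signature with signer's key

def crl_issuance_compliant(crl):  # CP 4.4.9: CRLs at least every 40 days
    return timedelta(0) < crl.next_update - crl.this_update <= MAX_CRL_INTERVAL

def check_revocation_request(req, crl, now):
    """CP 4.4.3: return the reasons to reject; an empty list means the CA MUST accept."""
    problems = []
    if not req.signature_ok:
        problems.append("signature does not verify")
    s = req.signer
    if not s.not_before <= now <= s.not_after:
        problems.append("signing certificate expired or not yet valid")
    if s.serial in crl.revoked:
        problems.append("signing certificate previously revoked")
    elif not crl.this_update <= now < crl.next_update:
        problems.append("CRL is stale; cannot confirm signer is unrevoked")
    if POLICY_OID not in s.policy_oids:
        problems.append("signing certificate not issued under this policy")
    return problems

# Constructed sample data (not from the slides): a 30-day CRL listing serial 3 as revoked.
NOW = datetime(2000, 9, 20)
SAMPLE_CRL = CRL(datetime(2000, 9, 1), datetime(2000, 10, 1), frozenset({3}))
GOOD = Cert(1, datetime(2000, 1, 1), datetime(2005, 1, 1), (POLICY_OID,))
EXPIRED = Cert(2, datetime(1999, 1, 1), datetime(2000, 1, 1), (POLICY_OID,))
REVOKED = Cert(3, datetime(2000, 1, 1), datetime(2005, 1, 1), (POLICY_OID,))
```

Against the sample data, `check_revocation_request(RevocationRequest(9, GOOD, True), SAMPLE_CRL, NOW)` returns an empty list, while requests signed with `EXPIRED` or `REVOKED` are rejected with the matching reason.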

Slide 12: Overview of What's Next? Fall 2000
- Continue working the issues
- Work with groups on building community awareness and expertise via scenarios, FAQs and workshops, plus support of HEPKI activities
- FAQ on Basic Directory Information is in review
- CA Schools meeting in October with Internet2 in Atlanta

Slide 13: Overview of What's Next? Fall 2000 and Spring 2001
- CAs/Directories workshops
- Work with Michael and others on browsers
- Explore with Jeff the feasibility of issuing server certificates to institutions with institutional certificates
- Plan the next group of content providers and how to work with them

Slide 14: Continuing Issues/Questions
- Should CREN be a Bridge Certificate Authority? What trust model(s) make sense?
- What else should CREN do to support and move forward the browser question?
- Deployment strategies for the CREN root?
- How do we move forward with content providers? Which content providers are ready?
- How do campuses get ready? What is the first step?

Slide 15: For More Information and to Participate
- CA list: send a request to cren@cren.net
- www.internet2.edu: HEPKI groups, etc.
- www.educause.edu: for the HEPKI web site
- Call Ken ... or Jim, or the chairs of other working groups, or me
