Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI 150: PKI Parts Policy & Progress Part 2 Jim Jokl University of Virginia David Wasley University of California.

Published byErik Dalton Modified over 9 years ago

Similar presentations

Presentation on theme: "PKI 150: PKI Parts Policy & Progress Part 2 Jim Jokl University of Virginia David Wasley University of California."— Presentation transcript:

1

2 PKI 150: PKI Parts Policy & Progress Part 2 Jim Jokl University of Virginia David Wasley University of California

3 2 Activities in other Communities PKIX – IETF Standards for PKI www.ietf.org/html.charters/pkix-charter.html Federal PKI work csrc.nist.gov/pki/twg State Governments www.ec3.org national electronic commerce coordinating council Medical community & HIPAA HIPAA – Health Insurance Portability & Accountability Act –aspe.os.dhhs.gov/admnsimp/ CHIME - Connecticut Hospital Association CA –www.chime.org/chime/chimetrust.asp HealthKey – Replicable PKI model for health care –www.healthkey.orgwww.healthkey.org Tunitas – Consulting group –www.tunitas.com/pages/PKI/pki.htm

4 3 Activities in other Communities PKI Forum – Vendor alliance to promote PKI –www.PKIForum.org Overseas EuroPKI for Higher Ed –www.europki.org/ca/root/cps/en_index.htmlwww.europki.org/ca/root/cps/en_index.html Open source software –OpenSSL, OpenCA –Much open-source work done outside of US for export restriction reasons.

5 4 Federal Government Activities ACES Certificates Access Certificates for Electronic Services hydra.gsa.gov/aces Citizen / Government interaction: student loans, change of address… User authentication RA Financial model

6 5 Federal Government Activities Bridge Certification Authority Highly decentralized organization Hierarchy more difficult CA trust list does not scale well Bridge Certification Authority (BCA) solves these problems Prototype: February 2000 Production planned first quarter 2001

7 6 Higher Education Activities CREN CA www.cren.net/ca NET@EDU PKI for Networked Higher EdNET@EDU www.educause.edu/netatedu/groups/pki PKI Labs middleware.internet2.edu/pkilabs

8 7 Internet2 PKI Labs Dartmouth and Wisconsin computer science departments and IT staff Performing deep research - two to five years out Policy languages, path construction, attribute certificates, etc. National Advisory Board of leading academic and corporate PKI experts provides direction Catalyzed by startup funding from ATT

9 8 Higher Education PKI Activities - HEPKI Sponsors Internet2, CREN, and EDUCAUSE HEPKI - Technical Activities Group (TAG) Open-source PKI software Certificate profiles Directory / PKI interaction Validity periods Client customization issues Mobility Inter-institution test projects Technical issues with cross-certification

10 9 Higher Education PKI Activities - HEPKI HEPKI - Policy Activities Group (PAG) Certificate policy drafts Sharing RFPs, vendor relations State government activity, state laws Federal agency interaction Open records acts, FERPA Campus educational materials HEPKI Group Information www.educause.edu/hepki

11 10 Certificate Profiles A per-field description of certificate contents Standard and extension fields Criticality flags Syntax of values permitted per field Spreadsheet format by R. Moskowitz XML and ASN.1 alternatives for machine use Higher education profile repository http://www.educause.edu/hepki

12 11 Certificate Profiles Assortment of EE/CA certificates From eight institutions Most certificates kept relatively simple No one is doing CRLs, etc yet Certificates are Version 3 Signing algorithms are RSA/MD5 or RSA/SHA-1

13 12 Certificate Profiles Validity Period Wide variation from per-session to one year Long term: expiration synchronized to semester Long term: time zone hack Assurance level indicator Explicit extension Policy OID Key usage Some certificates employ Key Usage field Variation on criticality setting General agreement on no encryption without escrow Grid

14 13 Certificate Profiles Issuer/Subject field naming X.500-style Distinguished Names FERPA & certificate contents Subject fields with real names Anonymous names –What about signing email? Little use of constraint extensions basic, name, policy Addition of CA serial number

15 14 Certificate Profiles Domain Component Naming Some certificates also use DC naming Encode domain names into X.500-type name fields (dc=Internet2, dc=edu) (rfc-2247) Issuer and Subject fields Example: given a certificate, how to find authorization info and other data Recommendation via Consensus Process Use DC naming in the Subject and Issuer fields Place DC components in most significant part of the name Use more specific pointers to information before using DC names in applications

16 15 Certificate Profiles: Some Issues Profile Convergence Shared desire to minimize the number of profiles in the community –Ease policy mapping –Promote interoperability What is the right number of profiles? –What are the applications? Recommendations for new implementations HEPKI: work for consensus on some set of common profile recommendations More profiles would be useful

17 16 Mobility Options Hardware tokens Smart cards, USB devices, iButtons Key-pair generation location Driver software quality Session timeout support Software-based Mobility passwords to download from a store or directory proprietary roaming schemes - Netscape, VeriSign,.. IETF SACRED working group established –HEPKI-TAG Scenarios Non-repudiation questions Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)

18 17 HEPKI-TAG Other Areas of Work Web site update Recommendations Information for those starting on PKI –References –How-to information –Minutes and survey data www.educause.edu/hepki/ What else would be useful?

19 18 CA Private Key Protection Issues CA Private Key is the root of all trust Storage options –Clear text on disk –Encrypted storage on disk –On hardware device Physical protection of CA –Locked doors and racks –OS Configuration Multi-level solution Collection of information for new PKI sites

20 19 Discussions and Projects PKI Applications Table Higher Education Distributed Root Certificate Deployment (heDRCD) Problem: how to load root certificates into browsers DNS SRV records, HTTP, browser code Protection via “phone home” concept Certificate Repository A mechanism for users to safely obtain root certificates from other institutions SSL or signed objects High assurance process – like CREN CA

21 20 Discussions and Projects Higher Education Bridge Certification Authority (heBCA) Higher education has many of the same issues as the federal government Adapt the federal model for use in higher ed The bridge could: –Interconnect multiple Higher Ed hierarchical CA services –Interoperate with the federal bridge –Work with other industry groups

22 21 PKI Application Issues An Example Goal: VPN Authentication via PKI Equipment: VPN Concentrator Device uses ou of Subject DN for group membership Moral Code only what you need into the certificate Get the remainder from a directory Think first

23 22 Some thoughts on open source solutions We are doing this at Virginia Good points Great control Easily tied into our existing Web authentication for issuing certificates Issues No complete kit –You can’t just type Configure; make; make install Time Lots of little details –SCEP –CRL via LDAP v.s. HTTP

24 23 Will it fly? Well, it has to… Scalability Performance “With enough thrust, anything can fly”

25 24 Where to watch middleware.internet2.edu www.educause.edu/hepki www.cren.org www.pkiforum.org

Download ppt "PKI 150: PKI Parts Policy & Progress Part 2 Jim Jokl University of Virginia David Wasley University of California."

Similar presentations

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.

PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl

HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl
1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.

1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.

PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.
HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

Similar presentations

Ads by Google