Presentation is loading. Please wait.

Presentation is loading. Please wait.

Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education.

Published bySuzan Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education."— Presentation transcript:

1 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education Bridge Certificate Authority Michael R Gettes Georgetown University gettes@Georgetown.EDU

2 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Technical Policy PKI is 1/3 Technical and 2/3 Policy?

3 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Multiple CAs in FBCA Membrane Survivable PKI Cross Certificates allow for “one- way policy” Directories are critical in BCA world.

4 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) A Snapshot of the U.S. Federal PKI Federal Bridge CA NFC PKI Higher Education Bridge CA NASA PKI DOD PKI Illinois PKI University PKI CANADA PKI

5 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) EMA Challenge Architecture

6 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) What is Cross Certification? A Bridge signs a site PKI and vice-versa Cross Certificates are published in directories and discovered via the network. BCA/CA may remain off-line. Policy OIDs and Name Constraint controls are in the cross certificates Policy OIDs could map to XML documents describing the policy (processed per Carmody)

7 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Path Validation Application receives a Certificate Finds a path back to signer of Certificate validating the path for policy mappings and name constraints. Policy Mappings can be LOA (levels of assurance) or “we agree to be in club shib” or whatever Name Constraints controls subjectName name space. I.E. a CA can only sign within dc=U,dc=edu

8 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) On Policy We have a draft HEBCA Certificate Policy The HE CP and HEBCA CP are congruent The HEBCA CP and FBCA CP are congruent We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE

9 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) NIH- Educause PKI Pilot: Phase Two Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office of Extramural Research

10 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) The Goals 1.Receive NIH research grant application in electronic form signed with two different digital certificates each; digital certificates issued by Institution, several different vendors represented; 2.Verify and validate digital signatures through ACES Certificate Arbitration Module (CAM). 3.(EDUCAUSE Funding and Administrative Support, Coordination and Marketing.)

11 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Intermediate Requirements 1.Stand up a Higher Education Bridge Certification Authority (HEBCA); 2.Cross-certify the Federal Bridge CA with the Higher Education Bridge CA; 3.Cross-certify Institutions with HEBCA;

12 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Participating Institutions University of Alabama-BirminghamUniversity of Alabama-Birmingham University of Wisconsin-MadisonUniversity of Wisconsin-Madison University of California, Office of the PresidentUniversity of California, Office of the President University of Texas – HoustonUniversity of Texas – Houston Dartmouth CollegeDartmouth College (Georgetown University – HEBCA issues)(Georgetown University – HEBCA issues)

13 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) The Problem Picture/s of piles of grant applications –About 20,000 6 ft high standing people of paper. 1 forest per year just grant apps. The Solution: signed, electronic grant application –Of course!

14 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Phase Two Concept of Operations (CONOPS) NIH OER Recipient E-Lock Assured Office Digital Signed Grant Appl E-Lock Assured Office CAM-enabled NIH CAM Server FBCA HEBCA Cert Status Cert Status Certificate Validation University B Certificate Validation University A Certificate Validation University C

15 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) HEBCA Proof of Concept Architecture NIH User NIH Trust Domain NIH Test CA Directory Higher Education Trust Domain iPlanet CA Alabama RSA CA i500 Directory DST ARP Test CA California Verisign CA Wisconsin Firewall Prototype Federal Bridge Certificate Authority Cross Certified CAs Directory System Agent Cross certificates CRL FIP 140-1 L3 Crypto Cross certificates CRL Cross certificates ARL RSA CA Entrust CA

16 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) HEBCA Proof of Concept CA Interoperability Configuration Entrust CARSA CA Prototype Federal Bridge Certification Authority NIH NIH Test CA Client California Verisign CA Client Alabama DST ARP Test CA Client Wisconsin iPlanet CA Client Higher Education Bridge Certification Authority RSA CA

17 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) HEBCA Proof of Concept Directory Interoperability Configuration c=US; o=U.S. Government;ou=FBCA IP address:198.76.35.155 DSP port:102 LDAP port:389 TSEL: TCP/IP Prototype FBCA (Peerlogic) cn=FBCA_Directory NIH c=US; o=U.S. Government; ou=NIH IP address: 207.123.140.5 DSP port:102 LDAP port: 389 TSEL:TCP/IP cn=nihstandin Chaining c=US; o=edu; ou=HEBCA IP address: 207.123.140.5 DSP port:102 LDAP port:389 TSEL:TCP/IP HEBCA (Critical Path) cn=HEBCA Alabama c=US; o=Digital Signature Trust Co; ou=ARP Testing IP address: 208.30.65.30 DAP/DSP port:102 LDAP port:389 cn= ARP Test Client CA California c= ; o= ; ou= IP address: DAP/DSP port: LDAP port: cn= Wisconsin c= ; o= ; ou= IP address: DAP/DSP port: LDAP port: cn= Chaining

18 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) NIH ca trust anchor “DAVE” (Discovery and Validation Engine) sender (UA) receiver (NIH) NIH directory FBCA dir cross cert cross cert DAVECAME-Lock software ca directory HEBCA dir cross cert UA ca UA dir issued get Cert,CRL via directory chaining New LDAP Registry of Directories for BCAs

19 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) DAVE Components CML Libraries [Getronics] ASN1 parsing (SNACC) S/MIME parsing (SFL) Cryptographic engine LDAP and local directory retrieval (SFL) Path discovery engine (CPL) DAVE Functions Perform proper sequential calling of CML functions (i.e., the business logic) Provide call-back functions needed by CML functions Provide all CAM communications and protocol transformations Wraps CML functions into an NT service (multithreaded, failure and recovery modes, logging, etc.)

20 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Verification & Validation Details CAM Server Certificate Authority/ Validation Request CAM/CA OCSP Msg Data Discovery and Validation Engine (DAVE) Agency App/ CAM Search for issuer to validate CRL OSCP Responder If chained, path reverses If not chained, LDAP queries Agency App = E-Lock Assured Office CAM-enabled Passing Certificate E-Lock Assured Office verifies the signature Verifies the document has not been changed Verifies the validity period of the certificate Once verified, the certificate is sent to the CAM for certificate validation to ensure that it has not been revoked

21 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island)

22 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island) Bridge CA vs. Shibboleth PKI is hard to deploy to end users Shib should use BCA aware PKI between servers Club Shib will then scale using Policies and Relationships established by Bridge CA world ONE Club Shib managed by policy Java 1.4 is Bridge aware. Whistler supposed to be.

Download ppt "Transforming Education Through Information Technologies Common Solutions Group, January, 2002 (Sanibel Island) HEBCA: Higher Education."

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Federal PKI Architecture Update

Federal PKI Architecture Update
The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council 202-622-1552.

The U.S. Federal PKI Richard Guida, P.E. Chair, Federal PKI Steering Committee Chief Information Officers Council
Stanley J. Choffrey (202) 708-7943 The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.

Stanley J. Choffrey (202) The Federal Bridge Certification Authority Evolving Issues in Electronic Data Collection January.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
Copyright Judith Spencer 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.

1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.
NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.

NIH – EDUCAUSE PKI Interoperability Pilot Update Peter Alterman, Ph.D. Director of Operations, Office of Extramural Research, NIH and Senior Advisor to.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,

Uncle Sam, Meet The PKI! Richard Guida Chair, Federal PKI Steering Committee Michèle Rubenstein Department of the Treasury,
Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.
The U.S. Federal PKI and the Federal Bridge Certification Authority

The U.S. Federal PKI and the Federal Bridge Certification Authority
The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.

The 4BF The Four Bridges Forum Higher Education Bridge Certificate Authority.
Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed December 2004.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed December 2004.
NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication.

NIH-EDUCAUSE Interoperability Project, Phase 3: Fulfilling the Promise Dartmouth PKI Implementation Workshop Peter Alterman, Ph.D. Assistant CIO for E-Authentication.
Higher Education Bridge Certificate Authority (HEBCA) Project Progress July 2004 Dartmouth PKI Summit.

Higher Education Bridge Certificate Authority (HEBCA) Project Progress July 2004 Dartmouth PKI Summit.
Federal Bridge Certification Authority n Background n Overview n EMA Challenge Test structure n Participants n Results n Conclusions and lessons learned.

Federal Bridge Certification Authority n Background n Overview n EMA Challenge Test structure n Participants n Results n Conclusions and lessons learned.

Similar presentations

Ads by Google