
1 Transforming Education Through Information Technologies, Common Solutions Group, January 2002 (Sanibel Island)
HEBCA: Higher Education Bridge Certificate Authority
Michael R. Gettes, Georgetown University, gettes@Georgetown.EDU

2 Technical / Policy
PKI is 1/3 technical and 2/3 policy?

3 Multiple CAs in FBCA Membrane
Survivable PKI
Cross certificates allow for “one-way policy”
Directories are critical in the BCA world.

4 A Snapshot of the U.S. Federal PKI
(diagram: Federal Bridge CA, Higher Education Bridge CA, NFC PKI, NASA PKI, DOD PKI, Illinois PKI, University PKI, Canada PKI)

5 EMA Challenge Architecture
(diagram only)

6 What is Cross Certification?
A Bridge signs a site PKI and vice versa.
Cross certificates are published in directories and discovered via the network; the BCA/CA may remain off-line.
Policy OIDs and name constraint controls are in the cross certificates.
Policy OIDs could map to XML documents describing the policy (processed per Carmody).

7 Path Validation
Application receives a certificate.
Finds a path back to the signer of the certificate, validating the path for policy mappings and name constraints.
Policy mappings can be LOA (levels of assurance) or “we agree to be in Club Shib” or whatever.
Name constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu.
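The path discovery and validation described in slides 6 and 7, as an added example that is not part of the original presentation: a toy Python model in which certificates are plain dictionaries, a cross certificate is simply a CA certificate found in the directory store, name constraints are DN suffixes, and policy mappings are applied one way per cross certificate. The DNs, policy names and the Georgetown subordinate CA are constructed for the example; real X.509 path validation is considerably more involved.

```python
from collections import deque

def cert(subject, issuer, policies, mappings=None, permitted=None):
    # Constructed toy certificate. 'mappings' is {issuer-domain policy: subject-domain policy};
    # 'permitted' is a DN suffix that every subject *below* this CA must end with (name constraint).
    return {"subject": subject, "issuer": issuer, "policies": set(policies),
            "mappings": mappings or {}, "permitted": permitted}

def find_path(ee, store, anchor):
    # Breadth-first path discovery from the end-entity cert back to the trust anchor along issuer
    # links; a cross certificate is just a store entry whose subject is another CA.
    queue, seen = deque([(ee, [ee])]), set()
    while queue:
        c, path = queue.popleft()
        if c["issuer"] == anchor:
            return list(reversed(path))  # anchor-issued cert first, end-entity cert last
        for nxt in store:
            if nxt["subject"] == c["issuer"] and id(nxt) not in seen:
                seen.add(id(nxt))
                queue.append((nxt, path + [nxt]))
    return None

def validate(path, initial_policies):
    # Walk anchor -> end entity: enforce inherited name constraints on each subject and translate the
    # acceptable policies through each cross cert's one-way mappings; empty set means validation failed.
    acceptable, permitted = set(initial_policies), []
    for c in path:
        if any(not c["subject"].endswith(p) for p in permitted):
            return set()  # subject lies outside a permitted name space
        acceptable &= c["policies"]  # this cert must assert a still-acceptable policy
        if not acceptable:
            return set()
        acceptable = {c["mappings"].get(p, p) for p in acceptable}
        if c["permitted"]:
            permitted.append(c["permitted"])
    return acceptable
def relying_party_check(ee, store, anchor, initial_policies):
    path = find_path(ee, store, anchor)
    return validate(path, initial_policies) if path else set()

# Constructed sample bridge world; DNs and policy identifiers are made up for this example.
FBCA, HEBCA = "ou=FBCA,o=U.S. Government,c=US", "ou=HEBCA,o=edu,c=US"
GU = "o=Georgetown,dc=georgetown,dc=edu"
STORE = [
    cert(HEBCA, FBCA, ["fbca-medium"], {"fbca-medium": "hebca-medium"}, "dc=edu"),
    cert(FBCA, HEBCA, ["hebca-medium"], {"hebca-medium": "fbca-medium"}),  # reverse cross cert
    cert(GU, HEBCA, ["hebca-medium"], {"hebca-medium": "gu-standard"}, "dc=georgetown,dc=edu"),
]
GOOD_EE = cert("cn=alice,dc=georgetown,dc=edu", GU, ["gu-standard"])
BAD_EE = cert("cn=mallory,dc=example,dc=com", GU, ["gu-standard"])  # outside the dc=edu subtree
```

An FBCA relying party validating GOOD_EE with initial policy fbca-medium ends up with gu-standard, while BAD_EE fails the dc=edu name constraint even though its policy would map.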

8 On Policy
We have a draft HEBCA Certificate Policy.
The HE CP and HEBCA CP are congruent.
The HEBCA CP and FBCA CP are congruent.
We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE.

9 NIH-Educause PKI Pilot: Phase Two
Electronic Grant Application With Multiple Digital Signatures
Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

10 The Goals
1. Receive NIH research grant applications in electronic form, each signed with two different digital certificates; digital certificates issued by the institution, with several different vendors represented;
2. Verify and validate digital signatures through the ACES Certificate Arbitration Module (CAM).
3. (EDUCAUSE: funding and administrative support, coordination and marketing.)

11 Intermediate Requirements
1. Stand up a Higher Education Bridge Certification Authority (HEBCA);
2. Cross-certify the Federal Bridge CA with the Higher Education Bridge CA;
3. Cross-certify institutions with HEBCA.

12 Participating Institutions
University of Alabama-Birmingham
University of Wisconsin-Madison
University of California, Office of the President
University of Texas – Houston
Dartmouth College
(Georgetown University – HEBCA issues)

13 The Problem
Picture/s of piles of grant applications
– About 20,000 6 ft high standing people of paper.
– 1 forest per year, just grant apps.
The Solution: signed, electronic grant application
– Of course!

14 Phase Two Concept of Operations (CONOPS)
(diagram: NIH OER recipient with CAM-enabled E-Lock Assured Office; digitally signed grant application; NIH CAM server; FBCA; HEBCA; certificate status; certificate validation at Universities A, B and C)

15 HEBCA Proof of Concept Architecture
(diagram: NIH trust domain with NIH user, NIH Test CA and directory; Prototype Federal Bridge Certificate Authority with directory system agent, FIPS 140-1 Level 3 crypto, cross certificates, CRL and ARL; Higher Education trust domain with HEBCA (RSA CA) and i500 directory; cross-certified CAs: Alabama DST ARP Test CA, California VeriSign CA, Wisconsin iPlanet CA, Entrust CA, RSA CA; firewall)

16 HEBCA Proof of Concept CA Interoperability Configuration
(diagram: Prototype Federal Bridge Certification Authority (Entrust CA, RSA CA); NIH Test CA and client; Higher Education Bridge Certification Authority (RSA CA); California VeriSign CA and client; Alabama DST ARP Test CA and client; Wisconsin iPlanet CA and client)

17 HEBCA Proof of Concept Directory Interoperability Configuration
Prototype FBCA (Peerlogic), cn=FBCA_Directory: c=US; o=U.S. Government; ou=FBCA; DSP port 102; LDAP port 389; TSEL: TCP/IP
NIH, cn=nihstandin: c=US; o=U.S. Government; ou=NIH; DSP port 102; LDAP port 389; TSEL: TCP/IP
Chaining
HEBCA (Critical Path), cn=HEBCA: c=US; o=edu; ou=HEBCA; DSP port 102; LDAP port 389; TSEL: TCP/IP
Alabama, cn=ARP Test Client CA: c=US; o=Digital Signature Trust Co; ou=ARP Testing; DAP/DSP port 102; LDAP port 389
California: c= ; o= ; ou= ; DAP/DSP port: ; LDAP port: ; cn=
Wisconsin: c= ; o= ; ou= ; DAP/DSP port: ; LDAP port: ; cn=
Chaining
(IP addresses are not given in the transcript.)

18 (diagram: sender (UA) and receiver (NIH); the NIH CA is the trust anchor; “DAVE” (Discovery and Validation Engine), CAM and E-Lock software at the receiver; the UA CA issues the sender's certificate; certificates and CRLs are obtained via directory chaining across the UA directory, HEBCA directory, FBCA directory and NIH directory, linked by cross certificates; new LDAP registry of directories for BCAs)

19 DAVE Components
CML Libraries [Getronics]:
– ASN.1 parsing (SNACC)
– S/MIME parsing (SFL)
– Cryptographic engine
– LDAP and local directory retrieval (SFL)
– Path discovery engine (CPL)
DAVE Functions:
– Perform proper sequential calling of CML functions (i.e., the business logic)
– Provide call-back functions needed by CML functions
– Provide all CAM communications and protocol transformations
– Wrap CML functions into an NT service (multithreaded, failure and recovery modes, logging, etc.)

20 Verification & Validation Details
(diagram: agency application (CAM-enabled E-Lock Assured Office) passes the certificate to the CAM server; Discovery and Validation Engine (DAVE); validation request to the certificate authority / OCSP responder (CAM/CA OCSP message data); search for issuer to validate CRL; if chained, the path reverses; if not chained, LDAP queries)
E-Lock Assured Office verifies the signature.
Verifies the document has not been changed.
Verifies the validity period of the certificate.
Once verified, the certificate is sent to the CAM for certificate validation to ensure that it has not been revoked.

21 (no text on this slide)

22 Bridge CA vs. Shibboleth
PKI is hard to deploy to end users.
Shib should use BCA-aware PKI between servers.
Club Shib will then scale using policies and relationships established by the Bridge CA world.
ONE Club Shib, managed by policy.
Java 1.4 is Bridge aware. Whistler is supposed to be.
