PKI & USHER/HEBCA. Fall 2005 Internet2 Member Meeting. Jim Jokl, September 21, 2005.


Slide 1: PKI & USHER/HEBCA
Fall 2005 Internet2 Member Meeting
Jim Jokl, jaj@Virginia.EDU
September 21, 2005

Slide 2: PKI and USHER/HEBCA
- (How) do all of these PKI pieces fit together?
  - USHER: US Higher Education Root CA
  - HEBCA: Higher Education Bridge CA
  - Campus Certification Authorities
  - EDUCAUSE contract for outsourced certificates
- What should a campus be doing?
- Where's the glue?

Slide 3: Fundamental Decision: Build or Buy
- Building your own PKI
  - Certification Authority (CA)
    - Developing or installing CA software
    - Operating it in a secure environment
  - Implementing the Registration Authority (RA) function
    - Identity proofing of individuals
    - Handling requests for revocation, etc.
  - Some considerations
    - Early investment in staff time; likely lower per-certificate costs for large deployments in the long run
    - Users can have as many certificates as they need
  - Software examples at: http://middleware.internet2.edu/hepki-tag/opensrc.html

Slide 4: Fundamental Decision: Build or Buy
- Buying PKI services
  - Certification Authority (CA)
    - Provided by the outsource company
    - Operated remotely in a secure environment
  - Implementing the Registration Authority (RA) function
    - Identity proofing of individuals
    - Handling requests for revocation, etc.
  - Some considerations
    - Quick start-up
    - Annual costs bounded by the number of certificates issued
    - Root certificate likely already trusted by your browsers and installed in your operating systems
    - May limit the number of certificates that each user can have
  - Example: http://www.educause.edu/imsp

Slide 5: Some Interesting PKI Applications
- The build vs. buy decision may be influenced by your PKI applications
  - Electronic mail (S/MIME)
  - VPN (IPsec), wireless (EAP-TLS), and SSH authentication
  - Web authentication
  - Grids (Globus toolkit)
  - LionShare
  - Digital signatures on documents
- Applications with large numbers of users may tip the balance towards the "build" option
- Note that certificate management (getting the same certificate/key onto multiple computers) can be hard for users

Slide 6: Inter-organizational Trust
[Diagram. Labels recovered from the slide: USHER CA; Campus CA for Campus A, Campus B and Campus n; Mid-A and Mid-B (intermediate CAs under Campus A and Campus B); Users; HEBCA Bridge; cross-certificate pairs. Campus CAs are linked to the HEBCA bridge by cross-certificate pairs, and campus CAs sit under the USHER CA.]

Slide 7: A Higher-level View of Inter-organizational Trust
[Diagram. Labels recovered from the slide: FBCA (Federal Bridge CA), HEBCA, SAFE, Commercial, Others; Campus CA; EDUCAUSE/VeriSign CA; USHER CA; Campus CA; Campus Users. Bridges (FBCA, HEBCA, SAFE, commercial and others) interconnect; campus users chain to a campus CA, to the EDUCAUSE/VeriSign outsourced CA, or to a campus CA under the USHER CA.]
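The two diagrams above stay abstract about what a "cross-certificate pair" buys a relying party, so here is an added worked example (it is not from the talk, nor from USHER or HEBCA; CA names, file names, RSA keys, one-year validity periods and the directory layout are all assumptions). It builds three independent self-signed roots with the openssl CLI, cross-certifies Campus A and Campus B with a bridge in both directions, issues one user per campus, and then validates Campus A's user from Campus B's point of view, where the only trust anchor is Campus B's own root and the cross-certificates are supplied as untrusted intermediates. The same script shows that, without the bridge certificates, the same user certificate does not validate.

```shell
#!/bin/sh
# Added example: a toy bridge-CA PKI built with the openssl CLI (1.1.1 or 3.x).
# Not from the Internet2 talk; names, key sizes and validity periods are assumptions.
set -eu

WORK="${PKI_WORK:-$(mktemp -d)}"

write_config() {
  # Private req/x509 config so the result does not depend on the system openssl.cnf.
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_cross ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_user ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_root <stem> <CN>: self-signed root, i.e. the trust anchor a campus distributes.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/pki.cnf" -extensions v3_root \
    -subj "/O=Example Higher Ed/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1-root.pem" 2>/dev/null
}

# cross_cert <issuer> <subject> <subject CN>: the issuer CA certifies the subject
# CA's existing key under the subject CA's own name. Doing it in both directions
# produces the cross-certificate pair shown on the slide.
cross_cert() {
  openssl req -new -key "$WORK/$2.key" -config "$WORK/pki.cnf" \
    -subj "/O=Example Higher Ed/CN=$3" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_cross \
    -out "$WORK/$2-by-$1.pem" 2>/dev/null
}

# issue_user <campus> <user>: ordinary end-entity certificate from the campus CA.
issue_user() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/O=Example Higher Ed/OU=$1/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_user \
    -out "$WORK/$2.pem" 2>/dev/null
}

build_pki() {
  write_config
  make_root campusA "Campus A CA"
  make_root campusB "Campus B CA"
  make_root hebca   "HEBCA Bridge"
  cross_cert hebca campusA "Campus A CA";  cross_cert campusA hebca "HEBCA Bridge"
  cross_cert hebca campusB "Campus B CA";  cross_cert campusB hebca "HEBCA Bridge"
  issue_user campusA alice
  issue_user campusB bob
}

# verify_via_bridge <relying campus> <user>: the relying party trusts only its own
# root. The cross-certificates are handed over as untrusted intermediates and the
# path builder must discover user -> user's campus CA -> HEBCA -> relying root.
verify_via_bridge() {
  cat "$WORK/campusA-by-hebca.pem" "$WORK/campusB-by-hebca.pem" \
      "$WORK/hebca-by-$1.pem" > "$WORK/bridge-$1.pem"
  openssl verify -no-CApath -CAfile "$WORK/$1-root.pem" \
    -untrusted "$WORK/bridge-$1.pem" "$WORK/$2.pem"
}

# verify_direct <relying campus> <user>: same trust anchor, no cross-certificates.
verify_direct() {
  openssl verify -no-CApath -CAfile "$WORK/$1-root.pem" "$WORK/$2.pem"
}

if [ "${1:-}" = "demo" ]; then
  build_pki
  verify_via_bridge campusB alice        # alice.pem: OK
  verify_via_bridge campusA bob          # bob.pem: OK
  verify_direct campusB alice || echo "fails as expected: no path without the bridge"
fi
```

Run it as `sh bridge.sh demo`. Two things the toy deliberately leaves out, and which a real bridge deployment such as HEBCA or the FBCA relies on, are certificate policy OIDs with policy mapping in the cross-certificates (so that "High Assurance" on one campus is only equated with a comparable level elsewhere) and pathLenConstraint or name constraints on the cross-certificates, which stop a bridge member from extending the trust it received to arbitrary third parties. Also note that the verifier must be able to obtain the cross-certificates at validation time; path discovery, not signature checking, is usually the operational problem with bridges.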

Slide 8: One Strategy: University of Virginia
- HEBCA
  - Cross-certify our UVa High Assurance CA
    - Uses hardware tokens for private key protection and mobility
    - Photo-ID identity verification
    - ~600 users now, with a couple hundred more in progress
  - Applications: access to critical systems, medical research data, etc.
- USHER
  - Subordinate our UVa Standard Assurance CA
    - Uses the operating system/browser key store
    - Certificates issued on-line via database check
    - ~13,000 users with ~28,000 certs
  - Applications: wireless auth, VPNs, Globus

Slide 9: Some Helpful Projects
- PKI-Lite
- HEPKI Model Certification Policy
- Digital signature tools project
- S/MIME
- Software CA packages
  - Investigating a project to make a campus "make install" CA available
    - Include software tuned for PKI-Lite certificate profiles
    - Document integration with campus AuthN

