PKI Activities at Virginia September 2000 Jim Jokl


1 PKI Activities at Virginia September 2000 Jim Jokl jaj@Virginia.EDU

2 Campus PKI Deployment
• Targeted functions
  » UVa E-forms
    – Authentication / Signing?
  » Web applications
    – authentication
    – student mock election
  » S/MIME
  » Oracle ERP
• Focus on Authentication and not Authorization

3 CA Plans
• Standard Assurance CA
  » Easy to obtain cert
  » No serious business applications
  » Simple policy, practices, and subscriber agreement
• High Assurance CA
  » Hard to obtain certificate
  » Good for business apps, grades, etc
  » Authentication, signing only
  » More complicated policy, practices, and subscriber agreement
• Now: an Anonymous CA too

4 Standard Assurance CA
• Authentication:
  » Last Name, DoB, ID Number, Password on one of our major systems
• Lifespan:
  » Faculty/Staff – one year
  » Students – mid-September of next year
  » Non-degree Continuing Education – end of semester
• Uses: S/MIME, Web Auth, Library, some business apps, etc

5 High Assurance CA (Less Defined at Present)
• Authentication:
  » Same as above, plus
  » RA function – some form(s) of ID checked
• Lifespan: longer – a few years
• Likely to require hardware token
• Applications:
  » All of above plus ERP, real business transactions, grades, etc

6 Anonymous CA
• Authentication:
  » Use any UVa certificate to authenticate
• Truly anonymous – we keep no records
• No way to revoke certificate
• Lifespan: short (weeks)

7 Technical Infrastructure
• Open source solution: OpenSSL on Solaris
• Web site walks user through downloading root certificate
• Apache Web authentication module
• Publish into LDAP directory
• mySQL database for cert store
• Demo Apps: authentication, Home Directory browser, form signing

8 Technical Infrastructure: Profile & Hierarchy
• Profile
  » Use DC= naming for Issuer and Subject
  » Left E= in Subject and Issuer fields
• CA Hierarchy
  » UVa Main
  » UVa Annual
  » EE Certificates
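
The three-tier hierarchy and DC= naming from slides 7 and 8, built and verified with OpenSSL as an added example that is not part of the original presentation. The `example.edu` names, RSA-2048 keys, lifetimes and extension sections are assumptions, not UVa's actual profile.

```shell
#!/bin/sh
# Added example; names, key sizes, lifetimes and extensions are assumptions.
build_chain() (                      # subshell: cd and failures stay local
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[main_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[annual_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth,emailProtection
EOF
    base="/DC=edu/DC=example"        # constructed DC= naming, not UVa's
    newreq() {                       # newreq <name> <subject>: key + CSR
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
            -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    }
    sign() {                         # sign <name> <issuer> <ext section> <days>
        openssl x509 -req -in "$1.csr" -sha256 -days "$4" -CA "$2.crt" \
            -CAkey "$2.key" -CAcreateserial -extfile ca.cnf -extensions "$3" \
            -out "$1.crt" 2>/dev/null
    }
    # Tier 1, "Main": self-signed root; its key is the one kept offline.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
        -extensions main_ext -subj "$base/CN=Demo Main CA" \
        -keyout main.key -out main.crt 2>/dev/null || exit 1
    # Tier 2, "Annual": issuing CA; pathlen:0 forbids further sub-CAs.
    newreq annual "$base/CN=Demo Annual CA" || exit 1
    sign annual main annual_ext 400 || exit 1
    # Tier 3, end entity: DC= naming plus E= (emailAddress) in the subject.
    newreq ee "$base/CN=Test User/emailAddress=user@example.edu" || exit 1
    sign ee annual ee_ext 365 || exit 1
)
verify_chain() {                     # trust only Main; Annual is untrusted input
    openssl verify -CAfile "$1/main.crt" -untrusted "$1/annual.crt" \
        "$1/ee.crt" >/dev/null 2>&1
}
d=$(mktemp -d) && build_chain "$d" && verify_chain "$d" && echo "chain verifies"
```

Relying parties install only the Main certificate as a trust anchor, so the Annual CA can be replaced each year without touching client trust stores.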

9 Technical Infrastructure: Protection of Private Keys
• UVa Main private key
  » Linux box – no network interface, removable hard disk, CD burner
  » Access only by two or more “systems” staff
  » Stored in vault - under non-IT control, logged, etc
• UVa Annual private key
  » Locked rack in secure, manned machine room
  » All possible network services disabled
  » Two “systems” staff required for access
  » All access logged by operators

10 Technical Infrastructure: Hardware Tokens and Issues
• Hardware token work (mobility)
  » Smart cards, iButtons
  » Card services RFP
  » Biometrics
• Browser timeout of password for key store for authentication and signing
• Oracle ERP versions
• Library concern about users
• Dual keys, encryption, and the Standard Assurance CA

11 Project Team - Cost
• Technical
• Support staff & Publications
• Non-central computing
  » library & sponsored programs
  » Audit Department
• Overall methodology helps
  » User documentation
  » Subscriber agreements
  » Policy and Practices statements
• Probably 1½ person years to date

