Download presentation
Presentation is loading. Please wait.
Published bySimon Burke Modified over 9 years ago
1
PKI Session Overview 1:30 pm edt - Welcome, etiquette, session outline 1:40 pm edt - HEPKI-TAG Update (Jim Jokl, Virginia) 2:00 pm edt - HEPKI-PAG Update (David Wasley, UCOP) 2:20 pm edt - FBCA and NIH Pilot Update (Peter Alterman, NIH) 2:40 pm edt - Discussion 3:00 pm Break 3:15 pm edt - Sean Smith, Dartmouth PKI Lab 3:30 pm edt - Keith Hazelton, Wisconsin PKI Lab 3:45 pm - Discussion
2
Some general comments There are campus and corporate successes Corporations use internally for VPN, some authentication, signed email (with homogenous client base) MIT, UT medical, soon VA, UCOP Key is limited application use, lightweight policy approaches There is very limited interrealm, community of interest or general interoperable work going on Federal efforts Healthkey Higher Ed Some European miches
3
Why X.509/PKI? Single infrastructure to provide all security services Established technology standards, though little operational experience Elegant technical underpinnings Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption Low cost in mass numbers
4
Why Not X.509/PKI? High legal barriers Lack of mobility support Challenging user interfaces, especially with regard to privacy and scaling Persistent technical incompatibilities Overall complexity
5
D. Wasley’s PKI Puzzle
6
The Four Planes of PKI on the road to general purpose interrealm PKI the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI simplifications in policies, technologies, applications, scope each plane provides experience and value
7
The Four Planes are Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities PKI-ultralight (Ultralights) - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...
8
Examples of Areas of Simplification Spectrum of Assurance Levels Signature Algorithms Permitted Range of Applications Enabled Revocation Requirements and Approaches Subject Naming Requirements Treatment of Mobility...
9
PKI-Light example (HEPKI) CP: Wasley, etal. Draft HE CP stubbed to basic/rudimentary CRL: ? Applications: (Signed email) Mobility: Password enabled Signing: md5RSA Thumbprint: sha1 Naming: dc Directory Services needed: Inetorgperson
10
PKI-Light example (Texas- Houston) CP: Verisign CRL: Verisign Applications: authentication Mobility: USB dongl;e Signing: md5RSA Thumbprint: sha1 Naming: X>500 Directory Services needed: I? Deployment: 5,000 medical students
11
PKI-Ultralight (MIT) CP: none CRL: limit lifetime Applications: Internal web authentication Mobility: one per system; also password enabled Signing: md5RSA Thumbprint: sha1 Naming: X,500 Directory Services needed: none Deployment: approximately 350,000 over five years
12
Healthkey snippets Organizational commitment to pilot is difficult without more senior level support. Have had significant staff turnover. Biggest concern is impact of system on users ("non-transparency). Given lessons learned, will be investigating "encryption at the border and organizational certificates" rather than encryption and certificates at the desktop.
13
Healthkey snippets · Managing individual digital certificates can be expensive · Digital certificates on the desk top can be vulnerable · Organizations can lose some control with individual certificates · Organizations may not want to accept pre-issued certificates · Checking for revoked certificates puts a burden on e- mail correspondents · Current implementations of digital certificates are not transparent to e-mail users · Vendor contracts do not support community initiatives
14
Interesting recent developments Microsoft bundled root program RSA buys Securant...
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.