1
HEPKI-TAG Update
EDUCAUSE/Dartmouth PKI Summit, July 26, 2005
Jim Jokl, University of Virginia
2
HEPKI-TAG Activities
Sponsors: EDUCAUSE, Internet2, NET@EDU
Charter – Technical Activities Group (TAG)
  Open-source PKI software
  Certificate profiles
  Directory / PKI interaction
  Validity periods
  Client customization issues
  Mobility
  Inter-institution test projects
  Private key protection
  Technical issues with cross-certification
  Communicate results
Process
  Biweekly conference calls
  Sessions at higher education events
3
Updates to PKI-Lite
PKI-Lite: using PKI technology at the LOA of the existing campus login/password system
Updated policy and practices document
  Changes based on feedback from the NMI project, etc.
  Clarifications to hierarchical CAs, language, etc.
  Still 9 pages, fill-in-the-blanks format
  Relationship to Citizen and Commerce (C4) Policy
    FIPS-140 crypto, audits, CRL/OCSP required
New PKI-Lite certificate profiles
  End Entity
    Bridge environment (Authority and Subject Key Identifiers)
    EAP-TLS Microsoft OID (SubjectAltName / OtherName / PrincipalName)
  Certification Authority
    Authority and Subject Key Identifiers
  All profiles – more closely follow the RFCs for critical flags
4
S/MIME
Plan to update the S/MIME compatibility table with data for additional clients
HEPKI-TAG coordinated a letter to Qualcomm requesting S/MIME support for Eudora
  Qualcomm was/is developing S/MIME support for Eudora
  HEPKI-TAG developed a prioritized list of features we’d like to see in the client
  Looking forward to being early testers
5
Introductory Materials Aiding Initial Campus Deployments
Recall our PKI-Lite framework
  Using PKI for “standard” applications where you likely would have used names/passwords in the past
  Standard Policy/Practices document and Profiles
  Designed to support S/MIME, VPN, Web Authentication, etc.
  Validated on other apps (e.g. Globus, document signing applications, etc.)
Newer addition: PKI-Lite Recipe by Steven Carmody at Brown
6
US Higher Education Root (USHER) and Policy
Background
  A hierarchical CA for Higher Education
  Issue authority certificates to campus CAs
  Replace and offer more than the old CREN hierarchy
Initial discussions on LOA for USHER
  Strong procedures for USHER operations
  Strong process to identify campuses
  Discussions on requirements for schools
    Something heavy, C4, PKI-Lite, less, etc.?
    Implications for when USHER cross-certifies with HEBCA?
Early focus decisions
  Strong procedures for USHER itself; use the InCommon I&A process for schools
  Architect for an USHER-heavier and an USHER-Lite
  Focus deployment on USHER-Lite
7
One older concept for the US Higher Education Root (USHER)
[Diagram: boxes labelled USHER Root, USHER-Lite, InCommon CA, Shib Cert (x4), USHER Basic/Medium, and School CA (x6)]
8
Current Thinking for USHER
[Diagram: boxes labelled USHER-Lite Root, InCommon CA, Shib Cert (x4), School CA (x6), Future USHER Basic/Medium, and HEBCA]
Note: InCommon CA not related to USHER in a PKI sense
9
USHER & Policy: Enter LionShare
LionShare needs a trust fabric that works logically like PKI-Lite
  Verify PKI-Lite OID in cert
Question: can/should USHER require at least PKI-Lite from campuses?
  Schools doing this anyway
  Strong pushback on TAG call
    How does USHER certify campuses?
    Campus liability concerns
    Why is a requirement needed?
[Diagram: boxes labelled USHER, Campus CA (x2), LionShare SASL CA, and Short-life user certificates]
10
Current Thinking on USHER-Lite
No requirements for what the campus can do using their USHER authority certificate
LionShare will require the PKI-Lite Policy OID in certificates issued by the SASL-CA
USHER CA profile
  Profiles include AIA for bridge cert discovery in XP
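The profile points raised on the PKI-Lite slide (Subject/Authority Key Identifiers for the bridge environment, the Microsoft UPN otherName for EAP-TLS, RFC-conformant critical flags) and on this slide (a policy OID that LionShare can check, AIA for chain discovery) are easy to get wrong in a CA configuration. The script below is an added example, not HEPKI-TAG or LionShare code: it builds a constructed campus CA and a one-day end-entity certificate with OpenSSL and then runs the checks a relying party or campus auditor would script against them. The policy OID, names and URL are placeholders; in particular `1.3.6.1.4.1.99999.1.1` stands in for the PKI-Lite policy OID, which the slides do not state.

```shell
#!/bin/sh
# Added example (not from the HEPKI-TAG slides). Builds a constructed campus CA
# and one short-life user certificate, then checks the profile requirements
# the slides mention. OID, names and URL below are placeholders.
set -eu

PKI_LITE_OID="1.3.6.1.4.1.99999.1.1"            # placeholder, NOT the real PKI-Lite OID
UPN_OID="1.3.6.1.4.1.311.20.2.3"                # Microsoft User Principal Name otherName
AIA_URL="http://pki.example.edu/campus-ca.crt"   # placeholder caIssuers location

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_CRT="$WORK/ca.crt"; CA_KEY="$WORK/ca.key"
EE_CRT="$WORK/ee.crt"; EE_KEY="$WORK/ee.key"

# CA profile: SKI/AKI present; basicConstraints and keyUsage marked critical (RFC 5280).
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Campus CA (constructed)
O = Example University
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# End-entity profile: SKI/AKI, policy OID, AIA pointer, rfc822 + UPN SAN for EAP-TLS.
cat > "$WORK/ee.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Jane Student (constructed)
O = Example University
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = email:jane@example.edu, otherName:$UPN_OID;UTF8:jane@example.edu
certificatePolicies = $PKI_LITE_OID
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF

# Self-signed CA, then a CSR signed by it with one-day validity (short-life user cert).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout "$CA_KEY" -out "$CA_CRT" -config "$WORK/ca.cnf" -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$EE_KEY" -out "$WORK/ee.csr" -config "$WORK/ee.cnf" 2>/dev/null
openssl x509 -req -in "$WORK/ee.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
  -days 1 -sha256 -out "$EE_CRT" -extfile "$WORK/ee.cnf" -extensions v3_ee 2>/dev/null

# ---- checks a relying party (e.g. a LionShare peer) or campus auditor would script ----
cert_text() { openssl x509 -in "$1" -noout -text; }

# Does the cert assert the required policy OID?
has_policy_oid() { cert_text "$1" | grep -Fq "Policy: $2"; }

# Bridge-environment profile: both key identifiers present.
has_ski_and_aki() {
  cert_text "$1" | grep -Fq 'Subject Key Identifier' &&
  cert_text "$1" | grep -Fq 'Authority Key Identifier'
}

# AIA caIssuers pointer present so a client can fetch the issuing/bridge certificate.
has_aia_ca_issuers() { cert_text "$1" | grep -Fq 'CA Issuers - URI:'; }

# RFC 5280: a CA certificate's basicConstraints MUST be critical; keyUsage SHOULD be.
ca_critical_flags_ok() {
  cert_text "$1" | grep -Fq 'Basic Constraints: critical' &&
  cert_text "$1" | grep -Fq 'Key Usage: critical'
}

# The user certificate must chain to the campus CA.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report has_policy_oid "$EE_CRT" "$PKI_LITE_OID"
report has_ski_and_aki "$EE_CRT"
report has_aia_ca_issuers "$EE_CRT"
report ca_critical_flags_ok "$CA_CRT"
report chains_to_ca "$CA_CRT" "$EE_CRT"
```

The UPN otherName is written into the certificate but not grepped for, because the way `openssl x509 -text` renders that otherName differs between OpenSSL releases; `openssl asn1parse -in ee.crt` shows the SAN structure unambiguously if you need to confirm it. Note that `has_policy_oid` only tells you the OID is asserted; whether the issuing CA is entitled to assert it is a question for the USHER/campus policy mapping, not for the certificate parser.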
11
Next Projects for HEPKI-TAG
Continue support for USHER
Maintain & update existing documents and services
Signing tools project
  Document and web form signing tools
Update of S/MIME work
  Update compatibility matrix
  Eudora when ready
Campus CA audits
  Preparation and documents for campus auditors
In the queue
  Windows smart card login
  Mobility and hardware token update
  Application integration (administrative and general)
  CA software
  More/better introductory materials
  Bridge application testing
  Grid integration & documentation
  Update hardware token work
  EAP-TLS documentation
  Look at SILC
  Insert your favorite item(s) here
12
If you are working on these topics, consider participating in HEPKI-TAG
Some references
  middleware.internet2.edu/hepki-tag
    Links to other sites, CA software, etc.
  NET@EDU PKI for Networked Higher Education
    http://www.educause.edu/PKIforNetworkedHigherEducation/928
  pkidev.internet2.edu
  PKI Labs
    middleware.internet2.edu/pkilabs
Questions – References