Slide 2: PKI and USHER/HEBCA
(How) do all of these PKI pieces fit together?
- USHER – US Higher Education Root CA
- HEBCA – Higher Education Bridge CA
- Campus Certification Authorities
- EDUCAUSE contract for outsourced certificates
What should a campus be doing? Where's the glue?
Slide 3: Fundamental Decision: Build or Buy
Building your own PKI
- Certification Authority (CA)
  - Developing or installing CA software
  - Operating it in a secure environment
- Implementing the Registration Authority (RA) function
  - Identity proofing of individuals
  - Handling requests for revocation, etc.
- Some considerations
  - Early investment in staff time, likely lower per-certificate costs for large deployments in the long run
  - Users can have as many certificates as they need
- Software examples at: http://middleware.internet2.edu/hepki-tag/opensrc.html
Slide 4: Fundamental Decision: Build or Buy
Buying PKI services
- Certification Authority (CA)
  - Provided by the outsource company
  - Operated remotely in a secure environment
- Implementing the Registration Authority (RA) function
  - Identity proofing of individuals
  - Handling requests for revocation, etc.
- Some considerations
  - Quick start-up
  - Annual costs bounded by the number of certificates issued
  - Root certificate likely already trusted by your browsers and installed in your operating systems
  - May limit the number of certificates that each user can have
- Example: http://www.educause.edu/imsp
Slide 5: Some Interesting PKI Applications
The build vs. buy decision may be influenced by your PKI applications:
- Electronic mail (S/MIME)
- VPN (IPSec), Wireless (EAP-TLS), & SSH authentication
- Web authentication
- Grids (Globus toolkit)
- LionShare
- Digital signatures on documents
Applications with large numbers of users may tip the balance towards the "build" option.
Note that certificate management (getting the same certificate/key on multiple computers) can be hard for users.
Slide 6: Inter-organizational Trust
[Diagram: the USHER CA sits above a row of Campus CAs (Campus A, Campus B, ... Campus n). Each campus has mid-level CAs (Mid-A, Mid-B) and users beneath its Campus CA. The HEBCA bridge is linked to the Campus CAs by cross-certificate pairs rather than by subordination.]
Slide 7: A Higher-level View of Inter-organizational Trust
[Diagram: the HEBCA bridge is cross-certified with the FBCA, SAFE, Commercial, and other bridges/CAs. On the higher-education side, HEBCA connects Campus CAs, the Educause Verisign CA, and the USHER CA, which in turn has Campus CAs subordinate to it; each Campus CA serves its Campus Users.]
Slide 8: One Strategy: University of Virginia
HEBCA
- Cross-certify our UVa High Assurance CA
  - Uses hardware tokens for private key protection and mobility
  - Photo-ID identity verification
  - ~600 users now with a couple hundred more in progress
  - Applications: access to critical systems, medical research data, etc.
USHER
- Subordinate our UVa Standard Assurance CA
  - Uses operating system/browser key store
  - Certificates issued on-line via database check
  - ~13,000 users with ~28,000 certs
  - Applications: wireless auth, VPNs, Globus
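The two trust mechanisms on this slide (subordination under USHER, cross-certification with the HEBCA bridge) differ in how a relying party builds a certification path. The following added example is not from the presentation or from UVa; it models each certificate as an issuer-to-subject edge and runs the path-building step of validation over a constructed, simplified topology (no signature, policy or revocation checks). All CA and user names are assumed for illustration, and the sample deliberately leaves the USHER hierarchy out of the bridge, so a relying party anchored at the FBCA can reach the high-assurance user only through HEBCA.

```python
from collections import deque

# Constructed sample topology. Each entry is (issuer, subject); a self-signed
# root has issuer == subject. Names are assumed for illustration only.
CERTS = [
    # USHER hierarchy: the campus standard-assurance CA is SUBORDINATE to USHER
    ("USHER Root", "USHER Root"),
    ("USHER Root", "UVa Standard CA"),
    ("UVa Standard CA", "alice@uva"),
    # Campus high-assurance CA is its own root and is CROSS-CERTIFIED with HEBCA:
    # the bridge issues a cert to the campus CA, and the campus CA issues one
    # back to the bridge (a cross-certificate pair).
    ("UVa High Assurance CA", "UVa High Assurance CA"),
    ("UVa High Assurance CA", "bob@uva"),
    ("HEBCA", "UVa High Assurance CA"),
    ("UVa High Assurance CA", "HEBCA"),
    # Another bridge (FBCA) cross-certified with HEBCA
    ("FBCA", "FBCA"),
    ("FBCA", "HEBCA"),
    ("HEBCA", "FBCA"),
]


def build_path(trust_anchor, target, certs=CERTS):
    """Breadth-first path construction from a trust anchor to a target subject.

    Follows issuer -> subject edges only, which is the direction a relying
    party validates in. Returns the ordered list of subjects on the shortest
    path, or None if no path exists from that anchor.
    """
    by_issuer = {}
    for issuer, subject in certs:
        if issuer != subject:  # self-signed roots are trusted by name, not by edge
            by_issuer.setdefault(issuer, []).append(subject)
    queue = deque([[trust_anchor]])
    seen = {trust_anchor}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in by_issuer.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    print(build_path("USHER Root", "alice@uva"))  # hierarchy: USHER -> campus CA -> user
    print(build_path("FBCA", "bob@uva"))          # bridged: FBCA -> HEBCA -> campus HA CA -> user
    print(build_path("FBCA", "alice@uva"))        # None: USHER is not bridged in this sample
```

Running it shows why a single cross-certificate pair at the campus CA is enough for every FBCA-anchored relying party to reach all of that CA's users, while the standard-assurance population is reachable only by parties that already trust the USHER root.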
Slide 9: Some Helpful Projects
- PKI-Lite
- HEPKI Model Certification Policy
- Digital signature tools project
- S/MIME
- Software CA packages
  - Investigating a project to create a campus "make install" CA
  - Include software, tuned for PKI-Lite certificate profiles
  - Document integration with campus AuthN