PKI & USHER/HEBCA. Fall 2005 Internet2 Member Meeting. Jim Jokl, jaj@Virginia.EDU, September 21, 2005.



<ul>
<li><p>PKI &amp; USHER/HEBCA</p><p>Fall 2005 Internet2 Member Meeting<br>Jim Jokl, jaj@Virginia.EDU<br>September 21, 2005</p></li>
<li><p>PKI and USHER/HEBCA</p><p>(How) do all of these PKI pieces fit together?</p><ul><li>USHER: US Higher Education Root CA</li><li>HEBCA: Higher Education Bridge CA</li><li>Campus Certification Authorities</li><li>EDUCAUSE contract for outsourced certificates</li></ul><p>What should a campus be doing? Where's the glue?</p></li>
<li><p>Fundamental Decision: Build or Buy</p><p>Building your own PKI</p><ul><li>Certification Authority (CA): developing or installing CA software and operating it in a secure environment</li><li>Implementing the Registration Authority (RA) function: identity proofing of individuals, handling requests for revocation, etc.</li></ul><p>Some considerations</p><ul><li>Early investment in staff time, but likely lower per-certificate costs for large deployments in the long run</li><li>Users can have as many certificates as they need</li><li>Software examples at: http://middleware.internet2.edu/hepki-tag/opensrc.html</li></ul></li>
<li><p>Fundamental Decision: Build or Buy</p><p>Buying PKI services</p><ul><li>Certification Authority (CA): provided by the outsource company and operated remotely in a secure environment</li><li>Implementing the Registration Authority (RA) function: identity proofing of individuals, handling requests for revocation, etc.</li></ul><p>Some considerations</p><ul><li>Quick start-up</li><li>Annual costs bounded by the number of certificates issued</li><li>Root certificate likely already trusted by your browsers and installed in your operating systems</li><li>May limit the number of certificates that each user can have</li><li>Example: http://www.educause.edu/imsp</li></ul></li>
<li><p>Some Interesting PKI Applications</p><p>The build vs. buy decision may be influenced by your PKI applications:</p><ul><li>Electronic mail (S/MIME)</li><li>VPN (IPsec), wireless (EAP-TLS), and SSH authentication</li><li>Web authentication</li><li>Grids (Globus toolkit)</li><li>LionShare</li><li>Digital signatures on documents</li></ul><p>Applications with large numbers of users may tip the balance towards the build option. Note that certificate management (getting the same certificate and key onto multiple computers) can be hard for users.</p></li>
<li><p>Inter-organizational Trust</p><p>[Diagram: the USHER CA at the top, several Campus CAs beneath it, and users beneath each Campus CA]</p></li>
<li><p>A Higher-level View of Inter-organizational Trust</p><p>[Diagram: two trees side by side, the Educause/Verisign CA and the USHER CA, each with Campus CAs beneath it and campus users beneath those]</p></li>
<li><p>One Strategy: University of Virginia</p><p>HEBCA: cross-certify our UVa High Assurance CA</p><ul><li>Uses hardware tokens for private key protection and mobility</li><li>Photo-ID identity verification</li><li>~600 users now, with a couple hundred more in progress</li><li>Applications: access to critical systems, medical research data, etc.</li></ul><p>USHER: subordinate our UVa Standard Assurance CA</p><ul><li>Uses the operating system/browser key store</li><li>Certificates issued on-line via database check</li><li>~13,000 users with ~28,000 certs</li><li>Applications: wireless auth, VPNs, Globus</li></ul></li>
<li><p>Some Helpful Projects</p><ul><li>PKI-Lite</li><li>HEPKI Model Certification Policy</li><li>Digital signature tools project</li><li>S/MIME</li></ul><p>Software CA packages</p><ul><li>Investigating a project to create a campus "make install" CA</li><li>Include software tuned for PKI-Lite certificate profiles</li><li>Document integration with campus AuthN</li></ul><p>Bridge CAs in other sectors: SAFE (pharmaceutical); commercial (aerospace and defense); FBCA (Federal Bridge); HEBCA (Higher Ed). See http://www.opengroup.org/messaging/public/Jul_2004/tues_bridges/tues_pm_4_spencer.pdf</p></li>
</ul>
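The two trust models on the slides above, a campus CA subordinated under the USHER root and a campus CA cross-certified with the HEBCA bridge as in the UVa strategy, can be reproduced in miniature with the Go standard library's crypto/x509 package. This is an added example, not code from the presentation or from the USHER or HEBCA projects. All CA and user names are constructed, ECDSA P-256 keys stand in for whatever the real CAs use, and the RA process, hardware tokens, certificate policies and revocation checking are out of scope. What it shows is where the glue is: a relying party that trusts only the bridge root can validate the high-assurance user's certificate only when the bridge's cross-certificate for the campus CA is available as an intermediate, while the subordinate campus CA chains straight to the root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity pairs a certificate (CA or end-entity) with its private key.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial counter; a real CA uses random serials

func check(err error) {
	if err != nil {
		panic(err) // key generation or DER encoding failing is a bug in this demo
	}
}

// template builds a CA or end-entity certificate template with a fresh serial.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl over pub with signer's key and returns the parsed certificate.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newEntity generates a key pair and certificate for cn. With parent nil it is a
// self-signed root; otherwise parent issues it (subordination, the USHER model).
func newEntity(cn string, isCA bool, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	t := template(cn, isCA)
	if parent == nil {
		parent = &entity{cert: t, key: key} // a root is its own issuer
	}
	return &entity{cert: issue(t, &key.PublicKey, parent.cert, parent.key), key: key}
}

// crossCertify is the bridge model (HEBCA): the bridge signs a certificate carrying
// the member CA's existing name and public key. The member keeps its own root; the
// cross-certificate is the glue that lets a relying party trusting only the bridge
// build a path to the member's users.
func crossCertify(bridge, member *entity) *x509.Certificate {
	t := template(member.cert.Subject.CommonName, true)
	t.RawSubject = member.cert.RawSubject // byte-identical name so the path links
	return issue(t, &member.key.PublicKey, bridge.cert, bridge.key)
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// pathValid reports whether leaf chains to a trusted root through the intermediates.
func pathValid(leaf *x509.Certificate, roots, intermediates *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// BuildAndVerify constructs both models and reports which trust paths validate.
func BuildAndVerify() map[string]bool {
	root := newEntity("Example Higher Ed Root CA", true, nil)
	campus := newEntity("Example Campus Standard Assurance CA", true, root) // subordinate
	student := newEntity("Student One", false, campus).cert
	bridge := newEntity("Example Higher Ed Bridge CA", true, nil)
	high := newEntity("Example Campus High Assurance CA", true, nil) // keeps its own root
	cross := crossCertify(bridge, high)
	researcher := newEntity("Researcher Two", false, high).cert
	return map[string]bool{
		"subordinate":         pathValid(student, pool(root.cert), pool(campus.cert)),
		"bridge with glue":    pathValid(researcher, pool(bridge.cert), pool(cross)),
		"bridge without glue": pathValid(researcher, pool(bridge.cert), pool()), // must be false
		"member root only":    pathValid(researcher, pool(high.cert), pool()),
	}
}

func main() {
	for path, ok := range BuildAndVerify() {
		fmt.Printf("%-20s valid=%v\n", path, ok)
	}
}
```

The cross-certificate has the campus high-assurance CA's subject name and public key but the bridge's issuer name and signature, so a verifier that starts from the bridge root walks user, cross-certificate, bridge. The campus CA's own self-signed root is never seen by that verifier, which is the point of a bridge: members keep their roots and their policies, and the bridge decides which of them to certify. In a hierarchy the root signs the campus CA's certificate directly, so no extra certificate needs to be distributed, but the campus CA's key and policy are then entirely under the root's control. Real deployments also carry policy OIDs and name constraints in the cross-certificates, and relying parties must be able to discover the cross-certificate at validation time (the path discovery problem the slides allude to with "where's the glue?"); neither is modelled here.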

