PKI & USHER/HEBCA
Fall 2005 Internet2 Member Meeting
Jim Jokl, jaj@Virginia.EDU
September 21, 2005

Page 2: PKI and USHER/HEBCA

(How) do all of these PKI pieces fit together?
- USHER: US Higher Education Root CA
- HEBCA: Higher Education Bridge CA
- Campus Certification Authorities
- EDUCAUSE contract for outsourced certificates

What should a campus be doing? Where’s the glue?

Page 3: Fundamental Decision: Build or Buy

Building your own PKI Certification Authority (CA)
- Developing or installing CA software
- Operating it in a secure environment
- Implementing the Registration Authority (RA) function
  - Identity proofing of individuals
  - Handling requests for revocation, etc.
- Some considerations
  - Early investment in staff time, likely lower per-certificate costs for large deployments in the long run
  - Users can have as many certificates as they need
- Software examples at: http://middleware.internet2.edu/hepki-tag/opensrc.html

Page 4: Fundamental Decision: Build or Buy

Buying PKI services
- Certification Authority (CA)
  - Provided by the outsource company
  - Operated remotely in a secure environment
- Implementing the Registration Authority (RA) function
  - Identity proofing of individuals
  - Handling requests for revocation, etc.
- Some considerations
  - Quick start-up
  - Annual costs bounded by the number of certificates issued
  - Root certificate likely already trusted by your browsers and installed in your operating systems
  - May limit the number of certificates that each user can have
- Example: http://www.educause.edu/imsp

Page 5: Some Interesting PKI Applications

The build vs. buy decision may be influenced by your PKI applications
- Electronic mail (S/MIME)
- VPN (IPSec), Wireless (EAP-TLS), & SSH authentication
- Web authentication
- Grids (Globus toolkit)
- LionShare
- Digital signatures on documents

Applications with large numbers of users may tip the balance towards the “build” option
- Note that certificate management (getting the same certificate/key on multiple computers) can be hard for users

Page 6: Inter-organizational Trust

[Diagram; only its labels survived extraction: USHER CA; several Campus CAs; Campus A, Campus B, Campus n; intermediate CAs Mid-A, Mid-B; Users at the leaves; HEBCA Bridge; “Cross-certificate pairs”.]

Page 7: A Higher-level View of Inter-organizational Trust

[Diagram; only its labels survived extraction: FBCA, HEBCA, SAFE, Commercial, Others; Campus CAs; Educause Verisign CA; USHER CA; Campus CAs; Campus Users.]

Page 8: One Strategy: University of Virginia

HEBCA: cross-certify our UVa High Assurance CA
- Uses hardware tokens for private key protection and mobility
- Photo-id identity verification
- ~600 users now with a couple hundred more in progress
- Applications: access to critical systems, medical research data, etc.

USHER: subordinate our UVa Standard Assurance CA
- Uses operating system/browser key store
- Certificates issued on-line via database check
- ~13,000 users with ~28,000 certs
- Applications: wireless auth, VPNs, Globus
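The two trust diagrams and the UVa strategy above describe two different shapes: a hierarchy (USHER root signs subordinate campus CAs) and a bridge (HEBCA and each campus high-assurance CA issue cross-certificates to each other). What a relying party actually does with either shape is path discovery plus policy processing: find a chain of certificates from its own trust anchor to the target, then check that an acceptable assurance policy survives the policy mappings in each cross-certificate. The following is an added illustration, not code from the slides or from the USHER/HEBCA projects. It models certificates as issuer-to-subject edges with certificatePolicies and policyMappings fields and does no real X.509 parsing or signature checking; every CA name, user name, policy name and mapping in it is constructed for the example.

```python
# Added illustration (not from the slides): path discovery and policy mapping
# in a bridge-vs-hierarchy PKI, modelled as a graph. No real X.509 parsing or
# signature checking is done; the CA names, policy names and mappings below
# are constructed for the example.
from collections import deque


class Cert:
    """A certificate reduced to the fields path building needs."""

    def __init__(self, issuer, subject, policies, mappings=None):
        self.issuer = issuer
        self.subject = subject
        self.policies = frozenset(policies)   # certificatePolicies asserted
        self.mappings = dict(mappings or {})  # policyMappings: issuer-domain -> subject-domain


def build_path(certs, trust_anchor, target):
    """Breadth-first search from the trust anchor along issuer->subject edges.
    Returns the list of certs from anchor to target, or None if unreachable.
    A cross-certificate pair is simply two edges in opposite directions."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}
    while queue:
        name, path = queue.popleft()
        if name == target:
            return path
        for c in by_issuer.get(name, []):
            if c.subject not in seen:
                seen.add(c.subject)
                queue.append((c.subject, path + [c]))
    return None


def accepted_policies(path, initial_policies):
    """Simplified RFC 5280 policy processing. The relying party names the
    policies (in its own CA's terms) it will accept. Each cert on the path
    must assert a policy that is still expected; that cert's policyMappings
    then rename the policy into the next CA's domain. Returns the subset of
    the relying party's own policies that the leaf actually satisfies."""
    # state: (policy as the relying party names it, policy expected in the next cert)
    state = {(p, p) for p in initial_policies}
    for c in path:
        matched = {(orig, cur) for (orig, cur) in state if cur in c.policies}
        if not matched:
            return frozenset()
        state = {(orig, c.mappings.get(cur, cur)) for (orig, cur) in matched}
    return frozenset(orig for orig, _ in state)


# Constructed topology (hypothetical names and policies, not the real deployments):
CERTS = [
    # Hierarchy: the USHER root signs campus standard-assurance CAs.
    Cert("USHER Root", "UVa Standard CA", {"usher-standard"}),
    Cert("USHER Root", "Campus B Standard CA", {"usher-standard"}),
    Cert("UVa Standard CA", "alice@uva", {"usher-standard"}),
    Cert("Campus B Standard CA", "dave@b", {"usher-standard"}),
    # Bridge: each high-assurance CA and HEBCA issue to each other (cross-certificate pairs),
    # mapping the local high-assurance policy to the bridge's medium policy and back.
    Cert("UVa High CA", "HEBCA", {"uva-high"}, {"uva-high": "hebca-medium"}),
    Cert("HEBCA", "UVa High CA", {"hebca-medium"}, {"hebca-medium": "uva-high"}),
    Cert("Campus B High CA", "HEBCA", {"b-high"}, {"b-high": "hebca-medium"}),
    Cert("HEBCA", "Campus B High CA", {"hebca-medium"}, {"hebca-medium": "b-high"}),
    # HEBCA also cross-certifies Campus B's standard CA, but only at a lower assurance level.
    Cert("HEBCA", "Campus B Standard CA", {"hebca-basic"}, {"hebca-basic": "usher-standard"}),
    Cert("UVa High CA", "carol@uva", {"uva-high"}),
    Cert("Campus B High CA", "erin@b", {"b-high"}),
]


def validate(anchor, target, accept):
    """Return (path_subjects, satisfied_policies). path_subjects is None when no
    path exists; satisfied_policies is empty when a path exists but no acceptable
    policy survives the mappings (i.e. the assurance level is insufficient)."""
    path = build_path(CERTS, anchor, target)
    if path is None:
        return None, frozenset()
    return [c.subject for c in path], accepted_policies(path, accept)


if __name__ == "__main__":
    cases = [
        ("USHER Root", "dave@b", {"usher-standard"}),      # hierarchy: anchor is the root
        ("UVa High CA", "erin@b", {"uva-high"}),           # bridge: anchor stays the local campus CA
        ("UVa High CA", "dave@b", {"uva-high"}),           # path exists, but assurance too low
        ("UVa Standard CA", "erin@b", {"usher-standard"}), # subordinate CA has no route to the bridge
    ]
    for anchor, target, accept in cases:
        print(anchor, "->", target, validate(anchor, target, accept))
```

The second and third cases are the ones worth dwelling on: with a bridge, a UVa relying party keeps its own High Assurance CA as the only trust anchor and still reaches a user at another campus, but a path alone is not enough. The HEBCA-to-Campus-B-Standard cross-certificate is reachable, yet because it asserts only the bridge's basic policy the relying party's required policy does not survive, so the user is rejected on assurance rather than on signature validity. The fourth case shows why the deck lists the USHER and HEBCA relationships separately: a CA that is merely subordinate to the USHER root has no path into the bridge unless something above it is cross-certified.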

Page 9: Some Helpful Projects

- PKI-Lite
- HEPKI Model Certification Policy
- Digital signature tools project
- S/MIME
- Software CA packages
  - Investigating a project to make a campus “make install” CA available
  - Include software, tuned for PKI-Lite certificate profiles
  - Document integration with campus AuthN