PKI is 1/3 Technical and 2/3 Policy?
[Pie chart: Policy / Technical]
Transforming Education Through Information Technologies
http://www.educause.edu/
Common Solutions Group, January, 2002 (Sanibel Island)
Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross Certificates allow for “one/two-way policy”
• Directories are critical in BCA world.
A Snapshot of the U.S. Federal PKI
[Diagram: Federal Bridge CA linked to NFC PKI, NASA PKI, DOD PKI, Illinois PKI, CANADA PKI, and the Higher Education Bridge CA / University PKI]
[Diagram: bridge-to-bridge topology. USA Government Federal BCA (DoD, NASA, NIH) peers with USA Higher Education BCA (universities such as Georgetown University and University of Washington, ...), which peers with USA Health Care “Health Key” BCA (NCHICA) and the European Higher Education BCA (University of Edinburgh); special relationships shown to Mayo Clinic]
6
CampusSystems
The PKI Puzzle
Fed Bridge Educause HE Bridge
CREN Root CA
CampusSystems
CampusPKI
Directory
PKI provides:• Strong Authentication• Flexible Authorization• Secure Digital Signature• Powerful Data Security
CampusPKI
Directory
ServerCerts
VendorResources
CampusResources
Shib
By David Wasley, UCOP
EDUPKI
Hierarchy
COMPKI
Hierarchy
PKIHierarchy
Medical
HEBCA linkage
[Diagram: HEBCA–FBCA link surrounded by NIH, E-Auth, Shib, CREN, Weems’ Wacky World, Medical/Healthkey, MitreTek, Inter-Directories, EuroPKI, GRID, SEVIS, Apache, Signed Email, FDRM, State Bridges, VidMid]
February 5, 2001 JA-SIG Winter Meeting
“DAVE” (Discovery and Validation Engine)
[Diagram: sender (UA) to receiver (NIH). The receiver’s trust anchor is the NIH CA. NIH CA and FBCA hold cross-certificates for each other, as do FBCA and HEBCA, and HEBCA and the UA CA; the UA CA issued the sender’s certificate. Each CA has a directory (NIH directory, FBCA dir, HEBCA dir, UA dir). The receiver’s DAVE/CAM (E-Lock software) gets certificates and CRLs via directory chaining]
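The discovery step in the DAVE diagram, as an added example that is not code from the slides or from any of the products named on them: the receiver starts from its own trust anchor (NIH CA), fetches each CA's issued certificates and CRL from that CA's directory, and follows unrevoked cross-certificates until it reaches the CA that issued the sender's certificate. The CA names, serial numbers and directory contents are constructed; the chaining is a plain breadth-first search, which is one reasonable way to realise what the diagram shows, not a description of E-Lock's implementation.

```python
"""Added example, not from the slides: a toy model of DAVE-style path
discovery for the UA -> NIH exchange.  The receiver (NIH) trusts only its
own CA; the sender's certificate was issued by the UA CA.  Discovery walks
cross-certificates NIH CA -> FBCA -> HEBCA -> UA CA by 'directory chaining':
each CA's directory entry holds the certificates it issued (including its
cross-certificates) and its CRL.  CA names, serials and directory contents
are constructed for the example."""
import copy
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass
class DirEntry:
    """One CA's directory entry: certificates it issued and its CRL."""
    issued: list = field(default_factory=list)
    crl: set = field(default_factory=set)   # serials revoked by this CA


# Constructed directories, keyed by CA name.  The pairs NIHca<->FBCA,
# FBCA<->HEBCA and HEBCA<->UAca are the cross-certificate pairs in the diagram.
DIRECTORIES = {
    "NIHca": DirEntry(issued=[Cert("FBCA", "NIHca", 101)]),
    "FBCA":  DirEntry(issued=[Cert("NIHca", "FBCA", 201),
                              Cert("HEBCA", "FBCA", 202)]),
    "HEBCA": DirEntry(issued=[Cert("FBCA", "HEBCA", 301),
                              Cert("UAca", "HEBCA", 302)]),
    "UAca":  DirEntry(issued=[Cert("HEBCA", "UAca", 401),
                              Cert("sender", "UAca", 403)]),
}

# The sender's end-entity certificate, as presented to the receiver (constructed).
SENDER_CERT = Cert("sender", "UAca", 403)


def discover_path(trust_anchor, target, directories=DIRECTORIES, max_len=8):
    """Breadth-first search from the trust anchor over unrevoked
    cross-certificates until the CA that issued `target` is reached.
    Returns the chain (anchor-issued cert first, target last) or None."""
    queue = deque([(trust_anchor, [])])
    visited = {trust_anchor}           # cuts loops such as FBCA -> NIHca -> FBCA
    while queue:
        ca, chain = queue.popleft()
        entry = directories.get(ca)    # 'directory chaining': look up this CA's entry
        if ca == target.issuer:
            if entry is not None and target.serial in entry.crl:
                return None            # the end-entity cert itself is revoked
            return chain + [target]
        if entry is None or len(chain) >= max_len:
            continue                   # nothing published for this CA, or chain too long
        for cert in entry.issued:
            if cert.subject in visited or cert.serial in entry.crl:
                continue               # already explored, or revoked by its issuer
            visited.add(cert.subject)
            queue.append((cert.subject, chain + [cert]))
    return None


def with_revocation(directories, ca, serial):
    """Copy of the directories with `serial` added to `ca`'s CRL."""
    updated = copy.deepcopy(directories)
    updated[ca].crl.add(serial)
    return updated


def serials(chain):
    """Serial numbers along a chain, for printing and checking."""
    return None if chain is None else [c.serial for c in chain]


if __name__ == "__main__":
    print(serials(discover_path("NIHca", SENDER_CERT)))          # [101, 202, 302, 403]
    revoked = with_revocation(DIRECTORIES, "FBCA", 202)          # FBCA revokes its HEBCA cross-cert
    print(serials(discover_path("NIHca", SENDER_CERT, revoked)))  # None
```

Revoking the FBCA-to-HEBCA cross-certificate is enough to make the sender unverifiable from NIH's anchor, which is the "one/two-way policy" lever the earlier slide attributes to cross certificates: a bridge can cut a whole community out of the membrane by revoking one certificate.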
“Registry of Directories” Structure
Legend: arrows in the slide mark subordinate referrals and superior referrals.

Directory                      Referrals                                        Type
(Top)                          dc=edu, c=us, c=japan, dc=intl                   referral
dc=edu                         dc=uab, dc=ucop (else superior)                  referral
c=us                           o=US Govt, o=HHS, ou=A, o=NASA (else superior)   referral
o=US Govt, c=us                ou=FBCA, ou=agency7 (else superior)              referral
ou=FBCA, o=US Govt, c=us       ou=FBCA, ou=agency7 <no else>                    content

• The “else superior referral” clause exists to allow any LDAP client (or content directory) to have the option of pointing to a referral directory and be able to construct a desired path
• There is no “else” clause in content directories, to prevent loops
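The two bullets above describe a resolution rule rather than code; the following added example (not from the slides, and not any real LDAP server's referral logic) models it so the loop-prevention point can be checked. Referral directories carry subordinate referrals plus an "else superior" referral; content directories carry entries and no else clause. All directory names, naming contexts, DNs and entries are constructed, modelled on the tree in the slide.

```python
"""Added example, not from the slides: a toy resolver for the 'Registry of
Directories' structure above.  Referral directories carry subordinate
referrals plus an 'else superior' referral; content directories hold the
entries themselves and have no else clause, so a lookup that lands in the
wrong content directory stops instead of bouncing between servers.  All
directories, DNs and entries are constructed for the example."""
from dataclasses import dataclass, field


def dn_parts(dn):
    """Split a DN into normalised RDNs, most specific first."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]


def is_under(dn, context):
    """True when dn equals or lies beneath the naming context ('' = root)."""
    d, c = dn_parts(dn), dn_parts(context)
    return not c or (len(d) >= len(c) and d[-len(c):] == c)


@dataclass
class Directory:
    context: str                                      # naming context served
    subordinates: list = field(default_factory=list)  # subordinate referral targets
    superior: str = None                              # 'else superior' target; None = no else clause
    entries: set = field(default_factory=set)         # present only in content directories

    @property
    def is_content(self):
        return bool(self.entries)


# Constructed registry modelled on the slide's tree, keyed by naming context.
REGISTRY = {
    "top": Directory("", ["dc=edu", "c=us", "c=japan", "dc=intl"]),
    "dc=edu": Directory("dc=edu", ["dc=uab, dc=edu", "dc=ucop, dc=edu"], superior="top"),
    "c=us": Directory("c=us", ["o=US Govt, c=us", "o=HHS, c=us", "ou=A, o=NASA, c=us"],
                      superior="top"),
    "o=US Govt, c=us": Directory("o=US Govt, c=us",
                                 ["ou=FBCA, o=US Govt, c=us", "ou=agency7, o=US Govt, c=us"],
                                 superior="c=us"),
    # content directories: entries, no else clause
    "ou=FBCA, o=US Govt, c=us": Directory("ou=FBCA, o=US Govt, c=us",
                                          entries={"cn=crosscert1, ou=FBCA, o=US Govt, c=us"}),
    "dc=ucop, dc=edu": Directory("dc=ucop, dc=edu",
                                 entries={"uid=dwasley, dc=ucop, dc=edu"}),
}


def resolve(dn, start, registry=REGISTRY, max_hops=10):
    """Follow referrals from the directory named `start` until `dn` is found
    or no referral applies.  Returns (status, hops); hops lists the
    directories consulted, in order."""
    hops = [start]
    while len(hops) <= max_hops:
        d = registry.get(hops[-1])
        if d is None:
            return ("no such directory", hops)     # referral to an unregistered server
        if d.is_content and any(dn_parts(dn) == dn_parts(e) for e in d.entries):
            return ("found", hops)
        nxt = next((s for s in d.subordinates if is_under(dn, s)), None)
        if nxt is None and d.superior is not None and not is_under(dn, d.context):
            nxt = d.superior                       # the 'else superior' referral
        if nxt is None:
            return ("not found", hops)             # no else clause: stop, do not loop
        hops.append(nxt)
    return ("referral limit exceeded", hops)       # belt-and-braces guard against cycles


if __name__ == "__main__":
    print(resolve("uid=dwasley, dc=ucop, dc=edu", "c=us"))
    print(resolve("cn=crosscert1, ou=FBCA, o=US Govt, c=us", "dc=ucop, dc=edu"))
```

Starting at the wrong referral directory (c=us) for an .edu entry walks up through the superior referral and back down to the right content directory; starting at the wrong content directory simply returns "not found", because content directories have no else clause. The `max_hops` limit is an extra safeguard a client would keep even though a correctly built registry never needs it.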
HEBCA BID
Board of Instantiation and Development: 10-12 CIOs, techies, lawyers (the usual suspects); 1 year to make HEBCA production
– Governance
– Stand up Policy/Operational Authorities
– Service (structure, fees, management)
– Cross-certify with FBCA
– Funding and Technical development issues
  • Application interfaces, discovery, blah blah blah
HEBCA Issues
• Certificates in Directories
  – Gietz: Break out cert data in directory objects (searchable certs)
  – Chadwick: Certificate Parsing Server
  – Likely a major impact on Bridge CA model
• OpenSSL/OpenCA to be “bridge aware”
• Registry of Directories (Next-Gen)
HEBCA Issues
• Deployment
  – Web Server plugin (Apache)
  – Email validator (server based, on receipt)
  – Bill Weems and crew; many apps
• Application Integration
  – CAM/DAVE extensions (server validation)
  – XKMS, SCVP, Novomodo, blah blah
  – Understanding Java 1.4 and WinXP
  – Develop appropriate APIs
  – Browser awareness!!!!