PKI 150: PKI Parts Policy & Progress Part 2 Jim Jokl University of Virginia David Wasley University of California

PKI 150: PKI Parts Policy & Progress

Part 2

Jim Jokl

University of Virginia

David Wasley

University of California

Activities in other Communities

• PKIX – IETF Standards for PKI
    • www.ietf.org/html.charters/pkix-charter.html

• Federal PKI work
    • csrc.nist.gov/pki/twg

• State Governments
    • www.ec3.org
    • national electronic commerce coordinating council

• Medical community & HIPAA
    • HIPAA – Health Insurance Portability & Accountability Act
        – aspe.os.dhhs.gov/admnsimp/
    • CHIME - Connecticut Hospital Association CA
        – www.chime.org/chime/chimetrust.asp
    • HealthKey – Replicable PKI model for health care
        – www.healthkey.org
    • Tunitas – Consulting group
        – www.tunitas.com/pages/PKI/pki.htm

Activities in other Communities

• PKI Forum – Vendor alliance to promote PKI
    – www.PKIForum.org

• Overseas
    • EuroPKI for Higher Ed
        – www.europki.org/ca/root/cps/en_index.html
    • Open source software
        – OpenSSL, OpenCA
        – Much open-source work done outside of US for export restriction reasons.

Federal Government Activities

• ACES Certificates
• Access Certificates for Electronic Services
• hydra.gsa.gov/aces
• Citizen / Government interaction: student loans, change of address…
• User authentication RA
• Financial model

Federal Government Activities
Bridge Certification Authority

• Highly decentralized organization
• Hierarchy more difficult
• CA trust list does not scale well
• Bridge Certification Authority (BCA) solves these problems
• Prototype: February 2000
• Production planned first quarter 2001

Higher Education Activities

• CREN CA
    • www.cren.net/ca

• NET@EDU PKI for Networked Higher Ed
    • www.educause.edu/netatedu/groups/pki

• PKI Labs
    • middleware.internet2.edu/pkilabs

Internet2 PKI Labs

• Dartmouth and Wisconsin
    • computer science departments and IT staff
• Performing deep research - two to five years out
• Policy languages, path construction, attribute certificates, etc.
• National Advisory Board of leading academic and corporate PKI experts provides direction
• Catalyzed by startup funding from ATT

Higher Education PKI Activities - HEPKI

• Sponsors
    • Internet2, CREN, and EDUCAUSE

• HEPKI - Technical Activities Group (TAG)
    • Open-source PKI software
    • Certificate profiles
    • Directory / PKI interaction
    • Validity periods
    • Client customization issues
    • Mobility
    • Inter-institution test projects
    • Technical issues with cross-certification

Higher Education PKI Activities - HEPKI

• HEPKI - Policy Activities Group (PAG)
    • Certificate policy drafts
    • Sharing RFPs, vendor relations
    • State government activity, state laws
    • Federal agency interaction
    • Open records acts, FERPA
    • Campus educational materials

• HEPKI Group Information
    • www.educause.edu/hepki

Certificate Profiles

• A per-field description of certificate contents
    • Standard and extension fields
    • Criticality flags
• Syntax of values permitted per field
• Spreadsheet format by R. Moskowitz
    • XML and ASN.1 alternatives for machine use
• Higher education profile repository
    • http://www.educause.edu/hepki

Certificate Profiles

• Assortment of EE/CA certificates
    • From eight institutions
• Most certificates kept relatively simple
• No one is doing CRLs, etc. yet
• Certificates are Version 3
• Signing algorithms are RSA/MD5 or RSA/SHA-1

Certificate Profiles

Validity Period
    • Wide variation from per-session to one year
    • Long term: expiration synchronized to semester
    • Long term: time zone hack

Assurance level indicator
    • Explicit extension
    • Policy OID

Key usage
    • Some certificates employ Key Usage field
    • Variation on criticality setting
    • General agreement on no encryption without escrow
    • Grid

Certificate Profiles

Issuer/Subject field naming
    • X.500-style Distinguished Names

FERPA & certificate contents
    • Subject fields with real names
    • Anonymous names
        – What about signing email?

Little use of constraint extensions
    • basic, name, policy

Addition of CA serial number

Certificate Profiles
Domain Component Naming

Some certificates also use DC naming
    • Encode domain names into X.500-type name fields (dc=Internet2, dc=edu) (RFC 2247)
    • Issuer and Subject fields

Example: given a certificate, how to find authorization info and other data

Recommendation via Consensus Process
    • Use DC naming in the Subject and Issuer fields
    • Place DC components in most significant part of the name
    • Use more specific pointers to information before using DC names in applications
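
An added example, not part of the original slides: a check that a name follows the DC naming recommendation above (DC components in the most significant part) and the DNS domain it then yields for locating further data. It assumes names are given in LDAP string order (most significant component last); the `_ldap._tcp` SRV lookup name and all sample names are assumptions chosen for illustration.

```python
import re

def parse_dn(dn):
    """Split an RFC 4514-style string DN into (attr, value) pairs, most specific first.
    Handles backslash-escaped commas; multi-valued RDNs ('+') are out of scope here."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs

def dc_domain(dn):
    """Return the DNS domain carried by the DC components (None if the name has none).
    Raises ValueError when a DC component sits outside the most significant part."""
    from_root = parse_dn(dn)[::-1]          # string form lists the root RDN last
    n = 0
    while n < len(from_root) and from_root[n][0] == "dc":
        n += 1
    if any(attr == "dc" for attr, _ in from_root[n:]):
        raise ValueError("DC components must form the most significant part of the name")
    if n == 0:
        return None
    # from_root[:n] runs edu -> internet2; DNS order is the reverse
    return ".".join(value.lower() for _, value in reversed(from_root[:n]))

def directory_srv_name(dn):
    """Assumption: the institution's LDAP service is located through a DNS SRV record."""
    domain = dc_domain(dn)
    return f"_ldap._tcp.{domain}" if domain else None

# Constructed sample names (not taken from any real certificate)
SUBJECT = "cn=Jane Doe,ou=People,dc=Internet2,dc=edu"
ISSUER = "cn=Example Campus CA,dc=Internet2,dc=edu"
MISPLACED = "dc=Internet2,dc=edu,ou=People,cn=Jane Doe"

if __name__ == "__main__":
    for name in (SUBJECT, ISSUER, MISPLACED):
        try:
            print(name, "->", directory_srv_name(name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

In line with the last recommendation, an application would consult a more specific pointer first and fall back to the DC-derived domain only when none is available.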

Certificate Profiles: Some Issues

Profile Convergence
    • Shared desire to minimize the number of profiles in the community
        – Ease policy mapping
        – Promote interoperability
    • What is the right number of profiles?
        – What are the applications?
    • Recommendations for new implementations

HEPKI: work for consensus on some set of common profile recommendations

More profiles would be useful

Mobility Options

Hardware tokens
    • Smart cards, USB devices, iButtons
    • Key-pair generation location
    • Driver software quality
    • Session timeout support

Software-based Mobility
    • passwords to download from a store or directory
    • proprietary roaming schemes - Netscape, VeriSign, ..
    • IETF SACRED working group established
        – HEPKI-TAG Scenarios
    • Non-repudiation questions

Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)

HEPKI-TAG
Other Areas of Work

Web site update
    • Recommendations
    • Information for those starting on PKI
        – References
        – How-to information
        – Minutes and survey data
    • www.educause.edu/hepki/
    • What else would be useful?

CA Private Key Protection Issues

• CA Private Key is the root of all trust
• Storage options
    – Clear text on disk
    – Encrypted storage on disk
    – On hardware device
• Physical protection of CA
    – Locked doors and racks
    – OS Configuration
• Multi-level solution
• Collection of information for new PKI sites

Discussions and Projects

PKI Applications Table

Higher Education Distributed Root Certificate Deployment (heDRCD)

    • Problem: how to load root certificates into browsers
    • DNS SRV records, HTTP, browser code
    • Protection via “phone home” concept

Certificate Repository
    • A mechanism for users to safely obtain root certificates from other institutions
    • SSL or signed objects
    • High assurance process – like CREN CA

Discussions and Projects

Higher Education Bridge Certification Authority (heBCA)

    • Higher education has many of the same issues as the federal government
    • Adapt the federal model for use in higher ed
    • The bridge could:
        – Interconnect multiple Higher Ed hierarchical CA services
        – Interoperate with the federal bridge
        – Work with other industry groups

PKI Application Issues
An Example

• Goal: VPN Authentication via PKI
• Equipment: VPN Concentrator
• Device uses ou of Subject DN for group membership
• Moral
    • Code only what you need into the certificate
    • Get the remainder from a directory
    • Think first

Some thoughts on open source solutions

• We are doing this at Virginia

• Good points
    • Great control
    • Easily tied into our existing Web authentication for issuing certificates

• Issues
    • No complete kit
        – You can’t just type Configure; make; make install
    • Time
    • Lots of little details
        – SCEP
        – CRL via LDAP vs. HTTP

Will it fly?

Well, it has to…

Scalability

Performance

“With enough thrust, anything can fly”

Where to watch

• middleware.internet2.edu
• www.educause.edu/hepki
• www.cren.org
• www.pkiforum.org