Technical Issues that Challenge PKI Deployments
University of Virginia
NET@EDU PKI Meeting, August 12, 2004
Hardware Tokens
Uses
  2-factor authentication: system administrators, HIPAA data access
  Mobility: public labs, work at home
  Old problems of OS registration are fixed
Issues
  Still expensive: ~$30 to ~$50
  Token management system
  Generally must install client software for the tokens that we actually use
  Token accessories are critical to acceptance
S/MIME
Client support
  Good: Outlook/Outlook Express, Netscape, Mozilla, etc.
  OK: Mulberry, CGatePro webmail
  None: Eudora
Seeking HEPKI-TAG letter endorsements
Other issues
  Main client issue: encryption in sent-mail folder
  Webmail should at least verify signed email
  Root certificate problem
  Signed email for official announcements: “incompatibility” during the roll-out
Some Generic Application Issues (it's not the PKI ...)
SSH
  Support available from ssh.com, VanDyke
  Server authorization stage well done
    A couple of simple mechanisms, wildcard matching
    Certificate handoff to external application
  Client certificate selection done well
    Tries all of the certs in the OS store
  Not available in OpenSSL ($$$)
Some Generic Application Issues (it's not the PKI ...)
802.1x EAP-TLS wireless authentication
Usability
  Very clean for Windows users
  OK for Macintosh users
  Linux?
Back-end infrastructure still somewhat painful
  Our authentication server does path validation fine; however, users still need an account in the database
  Should have LDAP search for authorization
  We have needs for different authorization for the same user for different wireless VLANs
  Going to look at Funk Software RADIUS servers
EAP-TLS and the Microsoft Clients
Microsoft field in certificate for AuthN: Subject Alt Name / Other Name / Principal Name, OID 1.3.6.1.4.1.311.20.2.3
  If not present, uses CN
  Uniqueness issues for our CA
Added OID to our certificate profile
Impact on the PKI-Lite certificate profiles
  Agreed to add this extension to EE cert profile
Some Generic Application Issues (it's not the PKI ...)
[Network diagram: VPN concentrators, two firewalls, LDAP AuthZ servers, Oracle ERP, servers S1, S2, S3 ... Sn, the Hospital Net and the Main Campus Network, with IN/OUT traffic paths between them]
Operating System Support
Windows
  Good internal support
  Primarily user interface issues
    Certificate import & export
    Root certificate installation (see HEPKI-TAG web site)
  Root certificate program audits expensive
Apple Macintosh
  Personal and root certificate installation issues
  Need ties into Safari for key generation & cert import
  Had to implement a PKCS-12 proxy for our campus CA
  Few applications use the emerging OS support
Linux?
Bridge path validation
Certificate Profiles
Profiles change to support new applications
  Key Usage and the Outlook problem
PKI-Lite
  Spent a lot of time/effort to get it right at first
  Added AIA based on XP path validation work
  Added Microsoft OID for EAP-TLS support
  Add smart card login attribute next?
What is next? New user certs needed each time
Could some of this type of authorization be done outside of the identity certificate?
Digital Signatures
Document signing
  The active content problem
  Interoperability between applications
  Key: choose the right tool for your application
Web form signing
  Want to sign both the form and the data that the user submitted
  Products are very expensive
Ease of Use Comes from Widespread PKI Enabling of Applications
All standard applications supporting and using PKI for all aspects of their operation
  E.g., certificates for IMAP/SMTP authentication instead of just for use with S/MIME
  All instead of some of the campus VPN services
  All instead of a few web-based applications
Is there a reason why clients shouldn’t simply try all available personal certificates?
Campus Globus Implementations
The Globus toolkit uses PKI for authentication of users and resources
  The PKI-Lite profile works well
  A proxy certificate is used internally
  A file maps certificates to login names
Campus CA integration is complicated by the Globus interface
  Campus CAs and OS-exported certificates are generally in PKCS-12 format
  Globus expects raw PEM files for key and cert
Grids are often intercampus applications
  Most campuses not part of hierarchy now
  Bridges or PKI hierarchy needed
Schematic of Grid Testbed PKI Integration Goal
[Diagram: Campus A through Campus F grids; A's, B's and C's campus PKIs; a Testbed Bridge CA and a Shibbolized Testbed CA; edges labeled "cross-cert pairs" between the CAs and "user certs" from the campus PKIs to the grids]
Globus and Bridges
2nd phase testing now
  Built “production” bridge for testbed
    Dedicated laptop/OpenSSL
    Cross-certified UVa, UAB, USC, and TACC
Results (so far)
  Bridge path validation OK for EE certs
  Server certificate validation not working via bridge
    Digging into OpenSSL interface
    Bridge itself is fine; e.g. XP validates both directions
Tools being created
  Chase down cross certificates via AIA pointer, populate Globus certificate and signing policy directory
  Credential converter web site: PKCS12 to PEM
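Worked example, added here and not code from the slides, from UVa or from the Globus project: it ties together three points made above. It issues a PKI-Lite-style end-entity certificate carrying the Microsoft Principal Name otherName (OID 1.3.6.1.4.1.311.20.2.3) and an AIA caIssuers pointer, resolves the EAP-TLS principal the way the "EAP-TLS and the Microsoft Clients" slide describes (UPN otherName first, CN fallback), lists the AIA URLs a "chase down cross certificates" tool would follow, and converts the PKCS#12 bundle a campus CA hands out into the raw PEM key and cert files Globus wants. It assumes the third-party `cryptography` Python package. The organisation, the example.edu names, the password and the AIA URL are constructed placeholders; the usercert.pem/userkey.pem file names and the 0600 key permission follow the Globus convention, which the slides themselves do not spell out.

```python
"""Added example: UPN otherName issuance, EAP-TLS principal lookup, AIA caIssuers
extraction and PKCS#12 -> Globus PEM conversion.  Requires `cryptography`."""
import datetime
import os
import tempfile
from typing import List, Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Microsoft Principal Name otherName type: the OID quoted on the slides.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
# Placeholder issuer-certificate URL for the AIA extension (assumption, not UVa's).
CA_ISSUERS_URL = "http://ca.example.edu/campus-ca.cer"


def der_utf8string(text: str) -> bytes:
    """The otherName value is DER; encode a short (<128 byte) UTF8String."""
    data = text.encode("utf-8")
    if len(data) >= 128:
        raise ValueError("UPN too long for short-form DER length")
    return bytes([0x0C, len(data)]) + data


def decode_der_utf8string(der: bytes) -> str:
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER UTF8String")
    return der[2:].decode("utf-8")


def make_credential(cn: str, upn: Optional[str]):
    """Self-signed stand-in for a campus-CA-issued EE cert (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example University"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=365))
               # AIA caIssuers pointer: what a cross-certificate chasing tool follows.
               .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                   AuthorityInformationAccessOID.CA_ISSUERS,
                   x509.UniformResourceIdentifier(CA_ISSUERS_URL))]), critical=False))
    if upn is not None:  # the Microsoft field the slides added to the EE profile
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))]),
            critical=False)
    return key, builder.sign(key, hashes.SHA256())


def eap_tls_principal(cert: x509.Certificate) -> Optional[str]:
    """Windows EAP-TLS lookup as described on the slides: UPN otherName, else CN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID:
                return decode_der_utf8string(other.value)
    except x509.ExtensionNotFound:
        pass
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return cns[0].value if cns else None


def ca_issuers_urls(cert: x509.Certificate) -> List[str]:
    """AIA caIssuers URIs, i.e. where the issuer or cross certificate can be fetched."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]


def pkcs12_to_globus_pem(p12: bytes, password: Optional[bytes], outdir: str) -> Tuple[str, str]:
    """Write usercert.pem (0644) and userkey.pem (0600): the Globus file layout."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12, password)
    if key is None or cert is None:
        raise ValueError("bundle must hold both the private key and the certificate")
    cert_path = os.path.join(outdir, "usercert.pem")
    key_path = os.path.join(outdir, "userkey.pem")
    with open(cert_path, "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.PEM))
    os.chmod(cert_path, 0o644)
    # Create the key file 0600 from the start so it is never world-readable.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    os.chmod(key_path, 0o600)  # in case the file pre-existed with wider permissions
    return cert_path, key_path


def demo_in_tempdir(upn: Optional[str] = "alice@example.edu"):
    """Round trip: issue -> PKCS#12 -> PEM -> principal; returns (principal, key mode, AIA URLs)."""
    key, cert = make_credential("Alice Example", upn)
    p12 = pkcs12.serialize_key_and_certificates(
        b"campus credential", key, cert, None,
        serialization.BestAvailableEncryption(b"campus-pass"))  # constructed password
    with tempfile.TemporaryDirectory() as outdir:
        cert_path, key_path = pkcs12_to_globus_pem(p12, b"campus-pass", outdir)
        with open(cert_path, "rb") as f:
            reloaded = x509.load_pem_x509_certificate(f.read())
        mode = oct(os.stat(key_path).st_mode & 0o777)
    return eap_tls_principal(reloaded), mode, ca_issuers_urls(reloaded)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The UPN is carried as a DER UTF8String inside the otherName, which is why the example encodes and decodes that one tag by hand; the CN fallback is the behaviour that caused the uniqueness concern on the slide, since two users with the same CN become the same principal once the UPN is absent. The key file is created with mode 0600 at open time rather than chmod'ed afterwards so there is no window in which it is readable by other users.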
What is not a significant problem
Issuing certificates
  Deployed our own CAs
    Standard: on-line, tied into our databases/AuthN, LDAP
    High assurance: tokens only, ID check, etc., etc.
  Available CAs: Papyrus, OpenCA, kX509, etc. See HEPKI-TAG web site
SSL server certificates
  Prices down to $39/server; $300/wildcard
Authentication apps with good ease of use
  Web applications
  VPN
  Wireless
HEPKI-TAG Projects (a list of other issues)
Must-do items
  Support the USHER / InCommon projects
  Maintain & update existing documents and services
Potential projects discussed and ranked at our meeting
  Update work on S/MIME
  Windows domain authentication
  CA audits: preparing your internal audit department
  EAP-TLS for wireless authentication
  Update on hardware tokens: survey, documentation, recommendations
  Introductory materials for sites getting started (CA software, applications, cookbook, etc.)
Other possibilities discussed more briefly
  Grid integration: survey, bridge testing
  Document and web form signing
  Profiles: AIA, EPPN, Smart Card Login
Some Reference URLs
middleware.internet2.edu/hepki-tag
  PKI-Lite documents (profiles, policy & practices), S/MIME, links to other sites, CA software, etc., etc.
NET@EDU PKI for Networked Higher Ed
  www.educause.edu/netatedu/groups/pki
www.educause.edu/hepki
pkidev.internet2.edu
PKI Labs
  middleware.internet2.edu/pkilabs