Technical Issues that Challenge PKI Deployments
Jim Jokl, jaj@Virginia.EDU
University of Virginia
NET@EDU PKI Meeting, August 12, 2004

Slide 2: Hardware Tokens

Uses
- 2-factor authentication: system administrators, HIPAA data access
- Mobility: public labs, work at home; old problems of OS registration are fixed

Issues
- Still expensive: ~$30 to ~$50
- Token management system
- Generally must install client software for the tokens that we actually use
- Token accessories are critical to acceptance

Slide 3: S/MIME

Client support
- Good: Outlook/Outlook Express, Netscape, Mozilla, etc.
- OK: Mulberry, CGatePro webmail
- None: Eudora
- Seeking HEPKI-TAG letter endorsements

Other issues
- Main client issue: encryption in the sent-mail folder
- Webmail should at least verify signed email
- Root certificate problem
- Signed email for official announcements: "incompatibility" during the rollout

Slide 4: Some Generic Application Issues (it's not the PKI ...)

SSH
- Support available from ssh.com, VanDyke
- Server authorization stage well done: a couple of simple mechanisms, wildcard matching
- Certificate handoff to external application
- Client certificate selection done well: tries all of the certs in the OS store
- Not available in OpenSSL ($$$)

Slide 5: Some Generic Application Issues (it's not the PKI ...)

802.1x EAP-TLS wireless authentication
- Usability: very clean for Windows users, OK for Macintosh users, Linux?
- Back-end infrastructure still somewhat painful
  - Our authentication server does path validation fine; however, users still need an account in the database
  - Should have LDAP search for authorization
  - We need different authorization for the same user on different wireless VLANs
  - Going to look at Funk Software RADIUS servers

Slide 6: EAP-TLS and the Microsoft Clients

- Microsoft field in certificate for AuthN: Subject Alt Name / Other Name / Principal Name, OID 1.3.6.1.4.1.311.20.2.3
- If not present, uses CN: uniqueness issues for our CA
- Added OID to our certificate profile
- Impact on the PKI-Lite certificate profiles: agreed to add this extension to the EE cert profile

Slide 7: Some Generic Application Issues (it's not the PKI ...)

[Diagram: campus network topology. Labels: VPN Concentrators, Firewall (two), LDAP AuthZ Servers, Oracle ERP, servers S1, S2, S3 ... Sn, Hospital Net, Main Campus Network, IN/OUT traffic paths.]

Slide 8: Operating System Support

Windows
- Good internal support
- Primarily user interface issues: certificate import & export, root certificate installation (see HEPKI-TAG web site)
- Root certificate program audits expensive

Apple Macintosh
- Personal and root certificate installation issues
- Need ties into Safari for key generation & cert import
- Had to implement a PKCS-12 proxy for our campus CA
- Few applications use the emerging OS support

Linux?

Bridge path validation

Slide 9: Certificate Profiles

- Profiles change to support new applications: Key Usage and the Outlook problem
- PKI-Lite
  - Spent a lot of time/effort to get it right at first
  - Added AIA based on XP path validation work
  - Added Microsoft OID for EAP-TLS support
  - Add smart card login attribute next? What is next? New user certs are needed each time
- Could some of this type of authorization be done outside of the identity certificate?

Slide 10: Digital Signatures

Document signing
- The active content problem
- Interoperability between applications
- Key: choose the right tool for your application

Web form signing
- Want to sign both the form and the data that the user submitted
- Products are very expensive

Slide 11: Ease of Use Comes from Widespread PKI Enabling of Applications

- All standard applications supporting and using PKI for all aspects of their operation
  - E.g., certificates for IMAP/SMTP authentication instead of just for use with S/MIME
  - All instead of some of the campus VPN services
  - All instead of a few web-based applications
- Is there a reason why clients shouldn't simply try all available personal certificates?

Slide 12: Campus Globus Implementations

- The Globus toolkit uses PKI for authentication of users and resources
  - The PKI-Lite profile works well
  - A proxy certificate is used internally
  - A file maps certificates to login names
- Campus CA integration is complicated by the Globus interface
  - Campus CAs and OS-exported certificates are generally in PKCS-12 format
  - Globus expects raw PEM files for key and cert
- Grids are often intercampus applications
  - Most campuses not part of a hierarchy now
  - Bridges or a PKI hierarchy needed

Slide 13: Schematic of Grid Testbed PKI Integration Goal

[Diagram. Labels: Campus A Grid through Campus F Grid; A's PKI, B's PKI, C's PKI; Testbed Bridge CA; Shibbolized Testbed CA; Cross-cert pairs; User Certs.]

Slide 14: Globus and Bridges

- 2nd phase testing now
- Built "production" bridge for testbed
  - Dedicated laptop/OpenSSL
  - Cross-certified UVa, UAB, USC, and TACC
- Results (so far)
  - Bridge path validation OK for EE certs
  - Server certificate validation not working via bridge; digging into OpenSSL interface
  - Bridge itself is fine; e.g. XP validates both directions
- Tools being created
  - Chase down cross certificates via AIA pointer, populate Globus certificate and signing policy directory
  - Credential converter web site: PKCS12 to PEM
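The PKCS12-to-PEM credential conversion that slides 12 and 14 describe, as an added example that is not code from the slides or from the Globus toolkit. It assumes the openssl command-line tool is on PATH and uses the customary Globus file names usercert.pem and userkey.pem; the demo bundle it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the slides or from the Globus toolkit:
# turn a PKCS#12 bundle (as campus CAs and OS key stores export it) into the
# separate PEM files Globus expects. Assumes the openssl CLI is on PATH and
# uses the customary Globus names usercert.pem / userkey.pem.

# p12_to_globus_pem <bundle.p12> <password> <outdir>
# Writes the end-entity certificate and an unencrypted, mode-0600 private key,
# then checks that the two actually belong together. Returns non-zero on any
# failure (wrong password, corrupt bundle, mismatched key).
p12_to_globus_pem() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    # -clcerts keeps only the client (end-entity) certificate; any CA certs in
    # the bundle belong in the Globus trusted-certificates directory instead.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/usercert.pem" 2>/dev/null || return 1
    # -nodes writes the key without a passphrase; lock down the file mode.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/userkey.pem" 2>/dev/null || return 1
    chmod 600 "$out/userkey.pem" || return 1
    # Sanity check: the public key inside the certificate must match the key.
    cert_pub=$(openssl x509 -in "$out/usercert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$out/userkey.pem" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_demo_p12 <outfile.p12> <password>
# Constructed throwaway credential so the example runs offline; in practice
# the bundle comes from the campus CA or the OS certificate store export.
make_demo_p12() {
    p12=$1; pass=$2; tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=US/O=Example Campus/CN=Demo User" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
        -passout "pass:$pass" -out "$p12" || return 1
    rm -rf "$tmp"
}

# Stand-alone run (sh script.sh --demo): convert a demo bundle into ./globus-creds.
if [ "${1:-}" = "--demo" ]; then
    make_demo_p12 ./demo.p12 demo-pass && \
        p12_to_globus_pem ./demo.p12 demo-pass ./globus-creds
fi
```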

Slide 15: What Is Not a Significant Problem

- Issuing certificates: deployed our own CAs
  - Standard: on-line, tied into our databases/AuthN, LDAP
  - High assurance: tokens only, ID check, etc.
- Available CAs: Papyrus, OpenCA, kX509, etc. (see HEPKI-TAG web site)
- SSL server certificates: prices down to $39/server; $300/wildcard
- Authentication apps with good ease of use: web applications, VPN, wireless

Slide 16: HEPKI-TAG Projects (a list of other issues)

Must-do items
- Support the USHER / InCommon projects
- Maintain & update existing documents and services

Potential projects discussed and ranked at our meeting
- Update work on S/MIME
- Windows domain authentication
- CA audits: preparing your internal audit department
- EAP-TLS for wireless authentication
- Update on hardware tokens: survey, documentation, recommendations
- Introductory materials for sites getting started (CA software, applications, cookbook, etc.)

Other possibilities discussed more briefly
- Grid integration: survey, bridge testing
- Document and webform signing
- Profiles: AIA, EPPN, Smart Card Login

Slide 17: Some Reference URLs

- middleware.internet2.edu/hepki-tag: PKI-Lite documents (profiles, policy & practices), S/MIME, links to other sites, CA software, etc.
- NET@EDU PKI for Networked Higher Ed: www.educause.edu/netatedu/groups/pki, www.educause.edu/hepki
- pkidev.internet2.edu
- PKI Labs: middleware.internet2.edu/pkilabs