1 / 24

PKI 150: PKI Parts Policy & Progress Part 2

PKI 150: PKI Parts Policy & Progress Part 2. Jim Jokl University of Virginia. David Wasley University of California. Activities in other Communities. PKIX – IETF Standards for PKI www.ietf.org/html.charters/pkix-charter.html Federal PKI work csrc.nist.gov/pki/twg State Governments

kathernt
Download Presentation

PKI 150: PKI Parts Policy & Progress Part 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PKI 150:PKI Parts Policy & ProgressPart 2 Jim Jokl University of Virginia David Wasley University of California

  2. Activities in other Communities • PKIX – IETF Standards for PKI • www.ietf.org/html.charters/pkix-charter.html • Federal PKI work • csrc.nist.gov/pki/twg • State Governments • www.ec3.org • national electronic commerce coordinating council • Medical community & HIPAA • HIPAA – Health Insurance Portability & Accountability Act • aspe.os.dhhs.gov/admnsimp/ • CHIME - Connecticut Hospital Association CA • www.chime.org/chime/chimetrust.asp • HealthKey – Replicable PKI model for health care • www.healthkey.org • Tunitas – Consulting group • www.tunitas.com/pages/PKI/pki.htm

  3. Activities in other Communities • PKI Forum – Vendor alliance to promote PKI • www.PKIForum.org • Overseas • EuroPKI for Higher Ed • www.europki.org/ca/root/cps/en_index.html • Open source software • OpenSSL, OpenCA • Much open-source work done outside of US for export restriction reasons.

  4. Federal Government Activities • ACES Certificates • Access Certificates for Electronic Services • hydra.gsa.gov/aces • Citizen / Government interaction: student loans, change of address… • User authentication RA • Financial model

  5. Federal Government ActivitiesBridge Certification Authority • Highly decentralized organization • Hierarchy more difficult • CA trust list does not scale well • Bridge Certification Authority (BCA) solves these problems • Prototype: February 2000 • Production planned first quarter 2001

  6. Higher Education Activities • CREN CA • www.cren.net/ca • NET@EDU PKI for Networked Higher Ed • www.educause.edu/netatedu/groups/pki • PKI Labs • middleware.internet2.edu/pkilabs

  7. Internet2 PKI Labs • Dartmouth and Wisconsin • computer science departments and IT staff • Performing deep research - two to five years out • Policy languages, path construction, attribute certificates, etc. • National Advisory Board of leading academic and corporate PKI experts provides direction • Catalyzed by startup funding from ATT

  8. Higher Education PKI Activities - HEPKI • Sponsors • Internet2, CREN, and EDUCAUSE • HEPKI - Technical Activities Group (TAG) • Open-source PKI software • Certificate profiles • Directory / PKI interaction • Validity periods • Client customization issues • Mobility • Inter-institution test projects • Technical issues with cross-certification

  9. Higher Education PKI Activities - HEPKI • HEPKI - Policy Activities Group (PAG) • Certificate policy drafts • Sharing RFPs, vendor relations • State government activity, state laws • Federal agency interaction • Open records acts, FERPA • Campus educational materials • HEPKI Group Information • www.educause.edu/hepki

  10. Certificate Profiles • A per-field description of certificate contents • Standard and extension fields • Criticality flags • Syntax of values permitted per field • Spreadsheet format by R. Moskowitz • XML and ASN.1 alternatives for machine use • Higher education profile repository • http://www.educause.edu/hepki

  11. Certificate Profiles • Assortment of EE/CA certificates • From eight institutions • Most certificates kept relatively simple • No one is doing CRLs, etc yet • Certificates are Version 3 • Signing algorithms are RSA/MD5 or RSA/SHA-1

  12. Certificate Profiles • Validity Period • Wide variation from per-session to one year • Long term: expiration synchronized to semester • Long term: time zone hack • Assurance level indicator • Explicit extension • Policy OID • Key usage • Some certificates employ Key Usage field • Variation on criticality setting • General agreement on no encryption without escrow • Grid

  13. Certificate Profiles • Issuer/Subject field naming • X.500-style Distinguished Names • FERPA & certificate contents • Subject fields with real names • Anonymous names • What about signing email? • Little use of constraint extensions • basic, name, policy • Addition of CA serial number

  14. Certificate ProfilesDomain Component Naming • Some certificates also use DC naming • Encode domain names into X.500-type name fields (dc=Internet2, dc=edu) (rfc-2247) • Issuer and Subject fields • Example: given a certificate, how to find authorization info and other data • Recommendation via Consensus Process • Use DC naming in the Subject and Issuer fields • Place DC components in most significant part of the name • Use more specific pointers to information before using DC names in applications

  15. Certificate Profiles: Some Issues • Profile Convergence • Shared desire to minimize the number of profiles in the community • Ease policy mapping • Promote interoperability • What is the right number of profiles? • What are the applications? • Recommendations for new implementations • HEPKI: work for consensus on some set of common profile recommendations • More profiles would be useful

  16. Mobility Options • Hardware tokens • Smart cards, USB devices, iButtons • Key-pair generation location • Driver software quality • Session timeout support • Software-based Mobility • passwords to download from a store or directory • proprietary roaming schemes - Netscape, VeriSign, .. • IETF SACRED working group established • HEPKI-TAG Scenarios • Non-repudiation questions • Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)

  17. HEPKI-TAGOther Areas of Work • Web site update • Recommendations • Information for those starting on PKI • References • How-to information • Minutes and survey data • www.educause.edu/hepki/ • What else would be useful?

  18. CA Private Key Protection Issues • CA Private Key is the root of all trust • Storage options • Clear text on disk • Encrypted storage on disk • On hardware device • Physical protection of CA • Locked doors and racks • OS Configuration • Multi-level solution • Collection of information for new PKI sites

  19. Discussions and Projects • PKI Applications Table • Higher Education Distributed Root Certificate Deployment (heDRCD) • Problem: how to load root certificates into browsers • DNS SRV records, HTTP, browser code • Protection via “phone home” concept • Certificate Repository • A mechanism for users to safely obtain root certificates from other institutions • SSL or signed objects • High assurance process – like CREN CA

  20. Discussions and Projects • Higher Education Bridge Certification Authority (heBCA) • Higher education has many of the same issues as the federal government • Adapt the federal model for use in higher ed • The bridge could: • Interconnect multiple Higher Ed hierarchical CA services • Interoperate with the federal bridge • Work with other industry groups

  21. PKI Application IssuesAn Example • Goal: VPN Authentication via PKI • Equipment: VPN Concentrator • Device uses ou of Subject DN for group membership • Moral • Code only what you need into the certificate • Get the remainder from a directory • Think first

  22. Some thoughts on open source solutions • We are doing this at Virginia • Good points • Great control • Easily tied into our existing Web authentication for issuing certificates • Issues • No complete kit • You can’t just type Configure; make; make install • Time • Lots of little details • SCEP • CRL via LDAP v.s. HTTP

  23. Will it fly? • Well, it has to… • Scalability • Performance • “With enough thrust, anything can fly”

  24. Where to watch • middleware.internet2.edu • www.educause.edu/hepki • www.cren.org • www.pkiforum.org

More Related