PKI 150: PKI Parts Policy & Progress Part 2. Jim Jokl, University of Virginia. David Wasley, University of California.
Activities in other Communities • PKIX – IETF Standards for PKI • www.ietf.org/html.charters/pkix-charter.html • Federal PKI work • csrc.nist.gov/pki/twg • State Governments • www.ec3.org • national electronic commerce coordinating council • Medical community & HIPAA • HIPAA – Health Insurance Portability & Accountability Act • aspe.os.dhhs.gov/admnsimp/ • CHIME - Connecticut Hospital Association CA • www.chime.org/chime/chimetrust.asp • HealthKey – Replicable PKI model for health care • www.healthkey.org • Tunitas – Consulting group • www.tunitas.com/pages/PKI/pki.htm
Activities in other Communities • PKI Forum – Vendor alliance to promote PKI • www.PKIForum.org • Overseas • EuroPKI for Higher Ed • www.europki.org/ca/root/cps/en_index.html • Open source software • OpenSSL, OpenCA • Much open-source work done outside of US for export restriction reasons.
Federal Government Activities • ACES Certificates • Access Certificates for Electronic Services • hydra.gsa.gov/aces • Citizen / Government interaction: student loans, change of address… • User authentication RA • Financial model
Federal Government Activities: Bridge Certification Authority • Highly decentralized organization • Hierarchy more difficult • CA trust list does not scale well • Bridge Certification Authority (BCA) solves these problems • Prototype: February 2000 • Production planned first quarter 2001
Higher Education Activities • CREN CA • www.cren.net/ca • NET@EDU PKI for Networked Higher Ed • www.educause.edu/netatedu/groups/pki • PKI Labs • middleware.internet2.edu/pkilabs
Internet2 PKI Labs • Dartmouth and Wisconsin • computer science departments and IT staff • Performing deep research - two to five years out • Policy languages, path construction, attribute certificates, etc. • National Advisory Board of leading academic and corporate PKI experts provides direction • Catalyzed by startup funding from ATT
Higher Education PKI Activities - HEPKI • Sponsors • Internet2, CREN, and EDUCAUSE • HEPKI - Technical Activities Group (TAG) • Open-source PKI software • Certificate profiles • Directory / PKI interaction • Validity periods • Client customization issues • Mobility • Inter-institution test projects • Technical issues with cross-certification
Higher Education PKI Activities - HEPKI • HEPKI - Policy Activities Group (PAG) • Certificate policy drafts • Sharing RFPs, vendor relations • State government activity, state laws • Federal agency interaction • Open records acts, FERPA • Campus educational materials • HEPKI Group Information • www.educause.edu/hepki
Certificate Profiles • A per-field description of certificate contents • Standard and extension fields • Criticality flags • Syntax of values permitted per field • Spreadsheet format by R. Moskowitz • XML and ASN.1 alternatives for machine use • Higher education profile repository • http://www.educause.edu/hepki
Certificate Profiles • Assortment of EE/CA certificates • From eight institutions • Most certificates kept relatively simple • No one is doing CRLs, etc. yet • Certificates are Version 3 • Signing algorithms are RSA/MD5 or RSA/SHA-1
Certificate Profiles • Validity Period • Wide variation from per-session to one year • Long term: expiration synchronized to semester • Long term: time zone hack • Assurance level indicator • Explicit extension • Policy OID • Key usage • Some certificates employ Key Usage field • Variation on criticality setting • General agreement on no encryption without escrow • Grid
Certificate Profiles • Issuer/Subject field naming • X.500-style Distinguished Names • FERPA & certificate contents • Subject fields with real names • Anonymous names • What about signing email? • Little use of constraint extensions • basic, name, policy • Addition of CA serial number
Certificate Profiles: Domain Component Naming • Some certificates also use DC naming • Encode domain names into X.500-type name fields (dc=Internet2, dc=edu) (RFC 2247) • Issuer and Subject fields • Example: given a certificate, how to find authorization info and other data • Recommendation via Consensus Process • Use DC naming in the Subject and Issuer fields • Place DC components in most significant part of the name • Use more specific pointers to information before using DC names in applications
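The DC naming recommendation above, worked through as an added example (not from the original slides or from HEPKI): it maps a domain to RFC 2247 DC components, builds a name with them in the most significant position, and rejects names that put DC components anywhere else before an application derives a domain from them. The function names are hypothetical, the sample names are constructed, and the string parser is simplified (no escaped commas, no multi-valued RDNs).

```python
# Added example: RFC 2247 domain-component (DC) naming for certificate names.
# A DN is a list of (type, value) RDNs in certificate encoding order, most
# significant first. All names and sample values here are constructed.

def domain_to_dc_rdns(domain):
    """'Internet2.edu' -> [('dc', 'edu'), ('dc', 'Internet2')]."""
    labels = domain.strip(".").split(".")
    if any(not label for label in labels):
        raise ValueError("empty domain label in %r" % domain)
    return [("dc", label) for label in reversed(labels)]

def parse_dn_string(dn):
    """Parse the LDAP string form, which lists the least significant RDN
    first, into encoding order. Simplified: no escaped commas, no
    multi-valued RDNs."""
    rdns = []
    for part in dn.split(","):
        rdn_type, sep, value = part.strip().partition("=")
        if not (sep and rdn_type.strip() and value.strip()):
            raise ValueError("malformed RDN %r" % part)
        rdns.append((rdn_type.strip().lower(), value.strip()))
    return list(reversed(rdns))

def to_dn_string(rdns):
    """Render encoding-order RDNs back into the LDAP string form."""
    return ",".join("%s=%s" % rdn for rdn in reversed(rdns))

def build_subject(domain, local_rdns):
    """DC components go in the most significant part of the name."""
    return domain_to_dc_rdns(domain) + list(local_rdns)

def dc_domain(rdns):
    """Return the domain encoded by the leading DC RDNs, or None if the
    name has no DC components or has them anywhere but the most
    significant part."""
    n = 0
    while n < len(rdns) and rdns[n][0] == "dc":
        n += 1
    if n == 0 or any(rdn_type == "dc" for rdn_type, _ in rdns[n:]):
        return None
    return ".".join(value.lower() for _, value in reversed(rdns[:n]))

if __name__ == "__main__":
    subject = build_subject("Internet2.edu", [("ou", "People"), ("cn", "Constructed User")])
    print(to_dn_string(subject))
    for text in ("cn=Constructed User,ou=People,dc=Internet2,dc=edu",
                 "dc=Internet2,dc=edu,o=Constructed Org,c=US"):
        print(text, "->", dc_domain(parse_dn_string(text)))
```

The string form reads right to left in significance, so "most significant part" means the end of the printed name but the start of the encoded RDN sequence.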
Certificate Profiles: Some Issues • Profile Convergence • Shared desire to minimize the number of profiles in the community • Ease policy mapping • Promote interoperability • What is the right number of profiles? • What are the applications? • Recommendations for new implementations • HEPKI: work for consensus on some set of common profile recommendations • More profiles would be useful
Mobility Options • Hardware tokens • Smart cards, USB devices, iButtons • Key-pair generation location • Driver software quality • Session timeout support • Software-based Mobility • passwords to download from a store or directory • proprietary roaming schemes - Netscape, VeriSign, .. • IETF SACRED working group established • HEPKI-TAG Scenarios • Non-repudiation questions • Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)
HEPKI-TAG: Other Areas of Work • Web site update • Recommendations • Information for those starting on PKI • References • How-to information • Minutes and survey data • www.educause.edu/hepki/ • What else would be useful?
CA Private Key Protection Issues • CA Private Key is the root of all trust • Storage options • Clear text on disk • Encrypted storage on disk • On hardware device • Physical protection of CA • Locked doors and racks • OS Configuration • Multi-level solution • Collection of information for new PKI sites
Discussions and Projects • PKI Applications Table • Higher Education Distributed Root Certificate Deployment (heDRCD) • Problem: how to load root certificates into browsers • DNS SRV records, HTTP, browser code • Protection via “phone home” concept • Certificate Repository • A mechanism for users to safely obtain root certificates from other institutions • SSL or signed objects • High assurance process – like CREN CA
Discussions and Projects • Higher Education Bridge Certification Authority (heBCA) • Higher education has many of the same issues as the federal government • Adapt the federal model for use in higher ed • The bridge could: • Interconnect multiple Higher Ed hierarchical CA services • Interoperate with the federal bridge • Work with other industry groups
PKI Application Issues: An Example • Goal: VPN Authentication via PKI • Equipment: VPN Concentrator • Device uses ou of Subject DN for group membership • Moral • Code only what you need into the certificate • Get the remainder from a directory • Think first
Some thoughts on open source solutions • We are doing this at Virginia • Good points • Great control • Easily tied into our existing Web authentication for issuing certificates • Issues • No complete kit • You can’t just type Configure; make; make install • Time • Lots of little details • SCEP • CRL via LDAP vs. HTTP
Will it fly? • Well, it has to… • Scalability • Performance • “With enough thrust, anything can fly”
Where to watch • middleware.internet2.edu • www.educause.edu/hepki • www.cren.org • www.pkiforum.org