
CAMP PKI UPDATE August 2002


Presentation Transcript


  1. CAMP PKI UPDATE, August 2002
     Jim Jokl, jaj@Virginia.EDU

  2. Higher Education PKI Activities - HEPKI
     • Sponsors
       • Internet2, EDUCAUSE, CREN, NET@EDU
     • HEPKI - Technical Activities Group (TAG)
       • Open-source PKI software
       • Certificate profiles
       • Directory / PKI interaction
       • Validity periods
       • Client customization issues
       • Mobility
       • Inter-institution test projects
       • Technical issues with cross-certification

  3. PKI-lite: Full function but lightweight
     A normal PKI technical infrastructure
       • Authenticate users
       • Issue certificates, perhaps revoke certificates
       • A comparatively simple certificate profile
       • Support applications, directories, etc.
     A lightweight administrative/policy structure
       • Supports applications without high assurance needs
       • One or two page certification policy
       • Assurance levels per existing campus practice
     Campus evolution towards full featured PKI

  4. PKI-lite Project Status
     • PKI-lite certificate profiles completed
       • Designed to support web authentication & S/MIME
       • End Entity profile
       • CA certificate profile
     • PKI-lite Policy and Practices Statement
       • Individual documents prepared, then merged
       • Reviewed by many people
       • Template-based fill in the blanks approach
     • HEPKI Demo CA
       • Source code available for examination
       • Certificate repository

  5. S/MIME Project Charter
     • Why S/MIME
       • Support in many email clients
       • Why not PGP
       • A business driver for PKI
       • Chicken & egg problem
     • Project goals
       • Demonstrate the technology
       • Show intercampus interoperability
       • Leverage the effort of multiple institutions working together

  6. S/MIME Project Plan
     • Phase 1
       • Client interoperability testing
       • Certificate management
       • Documentation for users
     • Phase 2
       • Real campus users
       • PKI-lite profile certificates & assurance
       • User-to-application trials
       • Application-to-user trials
     • Goal: make S/MIME easy to deploy

  7. S/MIME Project: Some Early Results
     • Email client interoperability testing results
       • Common signing algorithms: SHA-1 & MD5
       • Common encryption algorithms: DES, 3DES, RC4
       • Default client configurations basically just work
         • SHA-1 & 3DES
     • Interesting issues
       • Messages stored in folders are encrypted
       • Key escrow issues
       • Opaque signing
       • Outlook & encryption certificate

  8. S/MIME Project
     • Mailing List Software
       • List management software and signatures
       • Strong authentication for private email lists
       • www.sympa.org
     • User-to-machine interactions
       • Software library for developers
     • Documentation on website
       • Project plan
       • S/MIME clients
       • Test CA pointers and the start of a FAQ

  9. Possible S/MIME-based Applications
     • Travel expense reports
     • Notification of direct deposits
     • Online forms routing - signed workflow
     • Trouble ticket submissions
     • Password resets
     • Library notices - guard circulation data
     • Student debit card statement privacy
     • Timesheet submission
     • Long distance billing privacy
     • FERPA opt-in/opt-out
     • Sysadmin confirmation of batch jobs
     • List server expansion of encrypted messages

  10. HEPKI-TAG: next steps - The Mobility Problem
     • Private key access in a mobile environment
     • Hardware tokens
       • Smart Cards & USB devices
       • For mobility, enhanced assurance, non-repudiation
       • On-device key generation vs. generation in host memory
     • PIN protection schemes
       • Dual user/admin PIN systems
         • Card locks after x user-PIN attempts
         • Fuse opens after y admin-PIN attempts
       • Single PIN/reinitialize systems
         • Card blocks after x user-PIN attempts
         • Card can be reset back to factory state and reused
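The two PIN protection schemes on this slide differ in what happens once the user-PIN counter is exhausted, and the security of both rests on a few ordering details: the retry counter must be spent before the comparison, a correct PIN must be useless once the card is blocked, an admin-PIN failure must burn its own counter, and a reset that needs no secret must destroy the key. The model below is an added illustration of those rules in Python; it is not HEPKI-TAG code or any card vendor's firmware, and the retry limits, PIN values and class and attribute names are assumptions chosen for the example.

```python
"""Retry-counter model of the two smart-card PIN protection schemes listed on
the slide. Added illustration, not HEPKI-TAG code and not any vendor's card
firmware; retry limits, PIN values and class/attribute names are assumptions.

Dual user/admin PIN: the card blocks after X bad user-PIN attempts; the admin
PIN can unblock it and set a new user PIN; after Y bad admin-PIN attempts a
fuse opens and the card is permanently unusable.

Single PIN / reinitialize: the card blocks after X bad user-PIN attempts; the
only way back is a factory reset, which wipes the private key, so whoever
resets a stolen card gets a blank token rather than the victim's key.
"""

import enum
import hmac


class State(enum.Enum):
    ACTIVE = "active"      # PIN may be presented
    BLOCKED = "blocked"    # user-PIN retry counter exhausted
    DEAD = "dead"          # admin-PIN retry counter exhausted; fuse open


class _PinGate:
    """Common user-PIN handling: the retry counter is decremented *before*
    the comparison, so pulling the card mid-verification still costs a try."""

    def __init__(self, user_pin, user_tries):
        self._user_pin = user_pin
        self.user_tries_max = user_tries
        self.user_tries_left = user_tries
        self.state = State.ACTIVE
        self.has_key = True          # on-device key material present
        self._pin_verified = False   # per-session flag gating key use

    def verify_user_pin(self, pin):
        if self.state is not State.ACTIVE:
            return False             # the correct PIN is useless once blocked/dead
        self.user_tries_left -= 1
        if hmac.compare_digest(pin.encode(), self._user_pin.encode()):
            self.user_tries_left = self.user_tries_max
            self._pin_verified = True
            return True
        if self.user_tries_left == 0:
            self.state = State.BLOCKED
        self._pin_verified = False
        return False

    def private_key_usable(self):
        """True only when a key exists, the card is active and the PIN was
        verified in this session."""
        return self.has_key and self.state is State.ACTIVE and self._pin_verified


class DualPinCard(_PinGate):
    def __init__(self, user_pin, admin_pin, user_tries=3, admin_tries=10):
        super().__init__(user_pin, user_tries)
        self._admin_pin = admin_pin
        self.admin_tries_max = admin_tries
        self.admin_tries_left = admin_tries

    def admin_unblock(self, admin_pin, new_user_pin):
        """Unblock with the admin PIN and set a fresh user PIN. Each failure
        burns an admin try; exhausting them opens the fuse (State.DEAD)."""
        if self.state is State.DEAD:
            return False
        self.admin_tries_left -= 1
        if hmac.compare_digest(admin_pin.encode(), self._admin_pin.encode()):
            self.admin_tries_left = self.admin_tries_max
            self._user_pin = new_user_pin
            self.user_tries_left = self.user_tries_max
            self._pin_verified = False
            self.state = State.ACTIVE
            return True
        if self.admin_tries_left == 0:
            self.state = State.DEAD
        return False


class SinglePinCard(_PinGate):
    def __init__(self, user_pin, user_tries=3):
        super().__init__(user_pin, user_tries)

    def factory_reset(self, new_user_pin):
        """No secret is needed to reset, so the reset must destroy the key:
        the card becomes reusable, but only as a blank token."""
        self.has_key = False
        self._user_pin = new_user_pin
        self.user_tries_left = self.user_tries_max
        self._pin_verified = False
        self.state = State.ACTIVE
        return True

    def generate_key(self):
        """Stand-in for on-device key generation after a reset."""
        self.has_key = True
```

The practical difference for a campus deployment falls out of the model: the dual-PIN card needs someone (help desk, card office) to hold the admin PIN and a process for using it, while the single-PIN card needs no such secret but turns every lockout into a re-enrolment.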

  11. HEPKI-TAG: next steps - Certificate-based SSH Authentication
     • Motivation
       • Solves the initial key authentication problem
       • Enables use of smart cards/USB devices for two-factor authentication
     • SSH.com (commercial server)
       • Load CA certificate chain
       • Issue cert to server
       • Build file to map Unix users to certificate fields
         • Fixed fields
         • Regular expressions and substitution
     • Interoperability
       • SSH.com server & clients, VanDyke SecureCRT
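The map file is where certificate-based SSH login is most easily got wrong: a regular expression that is not anchored to the whole field, or a substitution that can emit something other than a login name, turns a valid certificate for one person into a login as another. The Python below is an added illustration of the two rule styles the slide lists, fixed fields and regular expressions with substitution, and of the checks that keep them safe. It is not the SSH.com server's map-file syntax; the rule format, the attribute names, the helper names and the sample certificates are assumptions for the example, and it assumes the subject fields come from a certificate that has already chained to the loaded CA.

```python
"""Mapping certificate subject fields to Unix accounts for certificate-based
SSH login. Added illustration of the two rule styles on the slide (fixed
fields; regular expressions with substitution). Not the SSH.com map-file
syntax: the rule format, field names and sample certificates are assumptions.
"""

import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class FixedRule:
    field: str        # subject attribute, e.g. "CN" or "emailAddress"
    value: str        # exact value required
    user: str         # Unix account to grant


@dataclass(frozen=True)
class RegexRule:
    field: str
    pattern: re.Pattern
    replacement: str  # substitution template, e.g. r"\1"


# What we accept as a login name; anything else fails closed.
_UNIX_LOGIN = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_rules(text):
    """One rule per line: `fixed FIELD VALUE USER` or
    `regex FIELD PATTERN SUBSTITUTION`, shell-style quoting (assumed format).
    Single-quote the pattern so shlex leaves its backslashes alone."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {tokens!r}")
        kind, field, arg, target = tokens
        if kind == "fixed":
            rules.append(FixedRule(field, arg, target))
        elif kind == "regex":
            # Mail domains are case-insensitive, so the pattern is; the login
            # name it produces must still be lowercase (checked in map_user).
            rules.append(RegexRule(field, re.compile(arg, re.IGNORECASE), target))
        else:
            raise ValueError(f"line {lineno}: unknown rule kind {kind!r}")
    return rules


def map_user(cert, rules, allowed_users=None):
    """Return the Unix account for a certificate, or None.

    `cert` is a dict of subject attributes taken from an already-validated
    certificate (no chain checking happens here). The first matching rule
    decides; a match that yields a bad login name, or a user outside
    `allowed_users`, is a denial rather than a fall-through to later rules."""
    for rule in rules:
        value = cert.get(rule.field)
        if value is None:
            continue
        if isinstance(rule, FixedRule):
            if value != rule.value:
                continue
            user = rule.user
        else:
            # fullmatch, not search: "x@virginia.edu.evil.example" must not
            # satisfy a pattern meant for "x@virginia.edu".
            m = rule.pattern.fullmatch(value)
            if m is None:
                continue
            user = m.expand(rule.replacement)
        if not _UNIX_LOGIN.match(user):
            return None
        if allowed_users is not None and user not in allowed_users:
            return None
        return user
    return None


# Constructed sample map (not a real HEPKI or SSH.com file).
SAMPLE_RULES = r"""
# kind   field          value / pattern                        user / substitution
fixed    CN             "Jim Jokl"                             jaj
regex    emailAddress   '^([a-z][a-z0-9]*)@virginia\.edu$'     '\1'
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for subject in ({"CN": "Jim Jokl", "emailAddress": "jaj@Virginia.EDU"},
                    {"CN": "A. Student", "emailAddress": "abc1@Virginia.EDU"},
                    {"CN": "A. Student", "emailAddress": "abc1@virginia.edu.evil.example"}):
        print(subject, "->", map_user(subject, rules))
```

Two design choices are worth carrying into a real map file whatever its syntax: match the whole field rather than a substring, and validate the account name the substitution produces before handing it to the login code, passing an explicit allow-list of accounts where the server supports one.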

  12. HEPKI-TAG: next steps
     • Document and form signing tools
       • The active content problem
       • Web-based
       • Client tools
     • Windows XP bridge functionality
       • Path construction & validation
       • Support for name and policy constraints
     • Applications
       • S/MIME Project continued
       • Browser Issues & Usability

  13. HEPKI-TAG Resources
     • PKI-Lite
       • EE certificate profile
       • CA certificate profile
       • Policy and Practices statement
     • Demonstrations
       • HEPKI-CA
       • Client authentication
       • Certificate Repository
     • Certificate profile repository
     • S/MIME client interoperability testing chart
     • Certificate Profile Maker
     • DC Naming Recommendation

  14. And, old problems don't go away ....
     • Trusted Root problem
       • An old issue
       • That isn't fixed yet
       • Complete with intuitive user interfaces
     • Large support question
       • Get the whole campus to download?
       • Support users one at a time?
       • Other options?
     • Who knows a lot about keystore access?

  15. References
     • Main HEPKI Site
       • http://www.educause.edu/hepki
     • HEPKI-TAG
       • http://middleware.internet2.edu/hepki-tag
     • S/MIME Project Site
       • http://middleware.internet2.edu/hepki-tag/smime
     • Demonstration Site
       • http://pkidev.internet2.edu
     • Many other links at the above sites
