PKI Federations in Higher Education
NIST PKI R&D Workshop #5, April 4-6 2006, Gaithersburg MD

Contents
• Overview of PKI in Higher Education
• HEBCA
• Challenges and Opportunities

Overview
• 5 Potential Killer Apps for PKI in Higher Education
  • S/MIME
  • Paperless Office workflow
  • Shibboleth
  • GRID Computing Enabled for Federations
  • E-grants facilitation

Overview
• PKI Initiatives in US Higher Education Community
  • HEBCA (Higher Education Bridge Certificate Authority)
  • USHER (US Higher Education Root)
  • InCommon
  • Grid based PKIs
  • Campus based PKIs

Overview: Higher Education Bridge Certificate Authority - HEBCA
• HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
• Extension of the Higher Education trust infrastructure into external federations is also possible, and proof-of-concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
• Single credential accepted globally
• Uses Levels of Assurance to indicate strength of Identification and Authentication procedures, audit/separation of duty requirements, and key protection measures
• Potential for stronger authentication and possibly authorization of participants in grid based applications

Overview: United States Higher Education Root – USHER
• USHER is a public key infrastructure (PKI) supported by the higher education community to facilitate emerging deployments in research, education, and transactions in higher education that require PKI. It allows subscribers to base PKI applications and services in a common root with peers and collaborative partners
• USHER is the Trusted Root of a hierarchical PKI for US Higher Education – the root only signs subordinate CA certificates, and the service is designed to bootstrap institutional PKIs by providing policy infrastructure and a CA
• USHER Foundation is the first service offered and is designed to be a broadly adoptable PKI with easy implementation by leveraging most existing campus identity practices
• USHER Foundation does not audit or in any other way validate the policy or practice that a subscriber uses to issue certificate credentials to its users; instead, USHER has developed a set of Expected Practices for campus CA operators to consider
• Other USHER services are anticipated with stronger levels of assurance and auditable policies

Overview: InCommon
• The mission of the InCommon Federation is to create and support a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States.
• InCommon will facilitate development of a community-based common trust fabric sufficient to enable participants to make appropriate decisions about access control information provided to them by other participants
• InCommon is intended to enable production-level end-user access to a wide variety of protected resources and uses Shibboleth® as its federating software
• InCommon® eliminates the need for researchers, students, and educators to maintain multiple, password-protected accounts
• Although this system is assertion based, there is still a need for PKI credentials to protect the server infrastructure, and PKI can also be used as the authentication mechanism.

Overview: Grid based PKIs
• Some higher education institutions operate production level Grid CAs approved by TAGPMA
  • TeraGrid (Illinois, Purdue)
  • Open Science Grid (California)
  • Texas High Energy Grid (Texas)
  • San Diego Supercomputing Center
• Many institutions run experimental grid CAs to investigate the potential of this activity
  • Dartmouth College
  • University of Virginia
  • …
  • …

Overview: Campus PKIs
• Managed PKIs from Commercial vendors
  • CA operations outsourced to vendor
    • CyberTrust
    • DST/Identrus
    • GeoTrust
    • VeriSign
  • Vendor based Policy
  • Local RAs
• Internal Campus PKI operations
  • CA & RA operations run on campus
  • Campus based Policy
  • EDUCAUSE has programs for reducing cost through Identity Management Services Program
    • http://www.educause.edu/IMSP
  • Open Source options e.g. OpenCA, CA-in-a-box, etc.

HEBCA: Higher Education Bridge Certificate Authority
• Bridge Certificate Authority for US Higher Education
• Modeled on FBCA
• Provides cross-certification between the subscribing institution and the HEBCA root CA
• Flexible policy implementations through the mapping process
• The HEBCA root CA and infrastructure hosted at Dartmouth College
• Facilitates inter-institutional trust between participating schools
• Facilitates inter-federation trust between US Higher Education community and external entities

HEBCA Project
• What will it provide?
  • The HEBCA Project will create and maintain three new Certificate Authority (CA) systems for EDUCAUSE and will also house the existing HEBCA Prototype CA
  • The three CA systems to be created are:
    • HEBCA Test CA
    • HEBCA Development CA
    • HEBCA Production CA
  • The HEBCAs will be used to cross-certify Higher Education PKI trust anchors to create a bridged trust network
  • The HEBCA Test CA will also be cross-certified with the Prototype FBCA (other emerging Bridge CAs are also targets) and the HEBCA production CAs will be cross-certified with the production FBCA.

HEBCA Project - Overview
[Figure: directory architecture diagram. Labels: LDAP Based Directory; Utilizing the Registry of Directories; Utilizing LDAP Referrals; X.500 Based Directory; Directories Interconnect via Chaining (X.500 DSP)]

HEBCA Policy Authority
• The HEBCA PA establishes policy for and oversees operation of the HEBCA. HEBCA PA activities include:
  • approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the HEBCA
  • set policy for accepting applications for cross-certification and interoperation with the HEBCA
  • certify the mapping of policy between the HEBCA CP and applicants' CPs
  • establish any needed constraints in cross-certification documents
  • represent the HEBCA in establishing its own cross-certification with other PKI bridges
  • set policy governing operation of the HEBCA
  • oversee the HEBCA Operational Authority
  • keep the HEBCA Membership and the HEPKI Council informed of its decisions and activities.

HEBCA Operating Authority
• The HEBCA OA is the organization that is responsible for the issuance of HEBCA certificates when so directed by the HEBCA PA, the posting of those certificates and any Certificate Revocation Lists (CRLs) or Certificate Authority Revocation Lists (CARLs) into the HEBCA repository, and maintaining the continued availability of the repository to all parties relying on HEBCA certificates.
• Specific responsibilities of the HEBCA OA include:
  • Management and operation of the HEBCA infrastructure;
  • Management of the registration process;
  • Completion of the applicant identification and authentication process; and
  • Complying with all requirements and representations of the Certificate Policy.
• Key personnel from the Dartmouth PKI Laboratory were chosen as the HEBCA Operating Authority by the HEBCA PA under the direction of EDUCAUSE (the project sponsor).

HEBCA Project - Progress
• What's been done so far?
  • Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
  • MOA with commercial vendor for infrastructure hardware (Sun)
  • MOA with commercial vendor for CA software and licenses (RSA)
  • Policy Authority formed
  • Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
  • Prototype Registry of Directories (RoD) deployed at Dartmouth
  • Draft of Production HEBCA CP produced
  • Draft of Production HEBCA CPS produced
  • Preliminary Policy Mapping completed with FBCA
  • Test HEBCA CA deployed and cross-certified with the Prototype FBCA
  • Test HEBCA RoD deployed
  • Production HEBCA development phase complete
    • Infrastructure has passed interoperability testing with FBCA
    • Some minor documentation to finalize
    • Ready for audit and production operations

Solving Silos of Trust
[Figure: diagram. Labels: Institution, FBCA, HEBCA, CAUDIT PKI, USHER, Dept-1, CA, SubCA]

Proposed Inter-federations
[Figure: diagram of CAs and bridges joined by cross-certs. Labels: FBCA, HEBCA, USHER, CAUDIT PKI, AusCert, HE JP, HE BR, CertiPath, SAFE, CFPKIB, DST ACES, NIH, Texas, Dartmouth, Wisconsin, UVA, Univ-N, CA-1, CA-2, CA-3, CA-4, CA-n]

Challenges and Opportunities
• Operational restraints: Offline CA with 6-hourly CRLs requiring dually authenticated sneaker-net with limited staffing
  • Pre-generate CRLs
  • AirGap: USB based switch
• Audit
  • What standard?
  • Cost barriers
• Support for Bridge PKIs in current applications
  • Cross-certificates, path discovery, path validation support is limited in COTS products

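Added example (not from the original slides): a simplified Python model of the path discovery and policy mapping that a relying party needs in order to use a bridge such as HEBCA. CA names other than HEBCA and FBCA, and all policy labels, are constructed for illustration; signatures, validity and revocation are not modelled.

```python
from collections import deque

# Constructed cross-certificates: (issuer CA, subject CA, policy mappings).
# Each mapping reads issuerDomainPolicy -> subjectDomainPolicy. CA names other
# than HEBCA/FBCA and every policy label are hypothetical, not real OIDs.
CROSS_CERTS = [
    ("Campus-A CA", "HEBCA", {"campusA:basic": "hebca:basic",
                              "campusA:medium": "hebca:medium"}),
    ("HEBCA", "Campus-A CA", {"hebca:basic": "campusA:basic",
                              "hebca:medium": "campusA:medium"}),
    ("Campus-B CA", "HEBCA", {"campusB:standard": "hebca:basic"}),
    ("HEBCA", "Campus-B CA", {"hebca:basic": "campusB:standard"}),
    ("HEBCA", "FBCA", {"hebca:basic": "fbca:basic",
                       "hebca:medium": "fbca:medium"}),
    ("FBCA", "Agency CA", {"fbca:medium": "agency:medium"}),
]

def discover_paths(anchor, target_ca, required, max_hops=4):
    """Breadth-first search from the relying party's trust anchor to target_ca.

    Returns [(path, policies)], where policies are the target-domain policies
    equivalent, after mapping at every hop, to the `required` policies.
    Signatures, validity, revocation and name constraints are not modelled.
    """
    results = []
    queue = deque([([anchor], frozenset(required))])
    while queue:
        path, acceptable = queue.popleft()
        if path[-1] == target_ca:
            results.append((path, set(acceptable)))
            continue
        if len(path) - 1 >= max_hops:        # bound the search depth
            continue
        for issuer, subject, mapping in CROSS_CERTS:
            if issuer != path[-1] or subject in path:   # wrong CA, or a loop
                continue
            mapped = frozenset(mapping[p] for p in acceptable if p in mapping)
            if mapped:                       # prune: no required policy survives
                queue.append((path + [subject], mapped))
    return results

def accepts(anchor, issuing_ca, cert_policy, required):
    """True if some path maps a required policy onto the certificate's policy."""
    return any(cert_policy in policies
               for _, policies in discover_paths(anchor, issuing_ca, required))
```

In this constructed topology a relying party anchored at Campus-A that requires its medium policy finds no path to Campus-B, because Campus-B is only mapped to the bridge's basic level.
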
Challenges and Opportunities
• Community applicability
  • If we build it they will come
  • Chicken & Egg profile for infrastructure and applications
  • An appropriate business plan
• Consolidation and synergy
  • Are USHER & HEBCA competing initiatives?
  • Benefits of a common infrastructure
• Alignment with policies of complementary communities
  • Shibboleth / InCommon
  • Grids (TAGPMA)

Challenges and Opportunities
• Open Tasks
  • Re-evaluate operating LOA
  • Audit
  • Updated Business Plan
  • Mapping Grid Profiles
    • Classic PKI
    • SLCS
  • Promotion of PKI Test bed
  • Validation Authority service
  • Cross-certification with FBCA
  • Cross-certification with other HE PKI communities
    • CAUDIT PKI (AusCERT)
    • HE JP
    • HE BR

For More Information
• HEBCA Website: http://www.educause.edu/HEBCA/623
• EDUCAUSE IMSP: http://www.educause.edu/IMSP
Scott Rea - Scott.Rea@dartmouth.edu