PKI Status @ Georgetown University or Whaassuuuup PKI?
Michael R. Gettes
Lead Application Systems Integrator “LASI”
gettes@Georgetown.EDU
Policy
• We don’t need no stinkin’ policy!
• Covert warfare can be a valid tactic for IT deployments
  • Yes, this is a juicy rationalization with self-serving purpose
• Verified no District (DC) Laws limiting PKI
CSG PKI Workshop gettes@georgetown.edu
Middleware
• If the goal is a PKI…
  • Identifiers
  • Identification process
  • Authentication systems
  • Directory
  • CA Deployment
  • Server Certificates
  • Authorizations
  • Client Certificates
Server Config
• CA Software
  • Netscape CMS 4
  • Solaris, E250
  • On same physical hardware as Kerberos slave
  • Root key is simple PW protected. But, this is COTS!
• Purchased 100 Certs
  • $30 each; your mileage may vary
• All work done by 1 person
  • Get this going quickly for Network Services
Netscape CMS 4.2
• Some Auth-n methods for end users
  • Really intended for LDAP integration
• Forms for certificate enrollment
• Web based for RA and Operator functions
• Policies for governing the formulation of certificates
• Managed by Netscape Console
• Publishing of certificates and CRLs
  • LDAP, of course
Netscape CMS 4.2
• Event-driven notifications
• Backup and recovery (escrow)
  • See sproule@Princeton.EDU for more info
• Database is LDAP as well… do we detect a pattern here?
CA Certificate
• Valid until 10/2001
• Simple profile
  • No special extensions
  • No special constraints or criticalities
• Subject contains X.500 and DC names
  • O=Georgetown University
    • required because of Communicator
  • dc=georgetown,dc=edu
    • At end of subjectName in Certificates
    • Also root suffix for Enterprise Directory
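As an added illustration (not code from the deck or from Georgetown), the Python below checks a certificate subjectName against the profile on this slide: O=Georgetown University present, and the directory root suffix dc=georgetown,dc=edu as the final RDNs in RFC 2253 string form (the DER encoding stores those RDNs first). The RFC 2253 parser and the sample DNs are constructed here; the slide itself gives only the attribute names.

```python
# Added example (not from the deck): validate a certificate subjectName
# against the simple CA profile on the slide: O=Georgetown University and
# the directory root suffix dc=georgetown,dc=edu as the final RDNs.
# In RFC 2253 string order the suffix is written last; the DER SEQUENCE in
# the certificate encodes the same RDNs first.
ROOT_SUFFIX = [("dc", "georgetown"), ("dc", "edu")]
REQUIRED_ORG = ("o", "georgetown university")  # required because of Communicator
# Attribute-type aliases so OID or long-form spellings compare equal.
TYPE_ALIASES = {"domaincomponent": "dc", "0.9.2342.19200300.100.1.25": "dc",
                "organizationname": "o", "2.5.4.10": "o"}


def parse_dn(dn):
    """Split an RFC 2253 string DN into (type, value) pairs, types lower-cased.
    Handles backslash escapes and quoted values; '+' (multi-valued RDN) is
    split like ',' which is enough for a suffix/attribute check."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # escaped char: keep it literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted  # quotes delimit; they are not part of the value
        elif c in ",+" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        t, v = part.split("=", 1)
        t = t.strip().lower()
        pairs.append((TYPE_ALIASES.get(t, t), v.strip()))
    return pairs


def check_subject(dn):
    """Return (ok, reason) for a subject DN checked against the profile."""
    pairs = parse_dn(dn)
    n = len(ROOT_SUFFIX)
    if [(t, v.lower()) for t, v in pairs[-n:]] != ROOT_SUFFIX:
        return False, "subject does not end with dc=georgetown,dc=edu"
    if REQUIRED_ORG not in [(t, v.lower()) for t, v in pairs[:-n]]:
        return False, "missing O=Georgetown University"
    return True, "ok"
```

Because the suffix doubles as the enterprise directory root, a subject that passes this check maps directly onto an entry under dc=georgetown,dc=edu when certificates are later published to LDAP.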
CA Issued Certificates
• Client Certificates
  • NONE
    • Cost, Deployment, Policy
• Server Certificates
  • On a limited basis, carefully considered
  • Valid until 10/2001
  • No special constraints
Expiry Rationale
• Why 10/2001 for Expiry?
  • Force decision on future PKI vendor or continue “as is”. Hopefully a decision!
  • October implies a summer time redeployment with “misses” found in October when community is present.
  • Realization of the future of CREN CA
    • Validity period, fBCA model, browser deployments (maybe)
CA Certificate Deployment
• Netscape Communicator 4.7x
  • Customized Netscape for CA Cert deployment
  • Also needed for IMAP and other new services
    • Central IMAP and Directory only accessible with SSL
• Internet Explorer
  • No custom distribution method developed. Would like to do something in the future along with Win2K
  • Manual Configuration of CA Certificate
    • people can visit https://ca.georgetown.edu
• Alumni and other public services: Verisign
CA Certificate Deployment
• There must be a better way!
• MIT approach assumes client cert distribution like others, not a bad thing, just different
• Microsoft seems willing to play ball
  • heDRCD (being discussed in HEPKI-TAG)
Directories are part of the I in PKI
• Directory (October, 1999)
  • Centralized, automated Name Space
  • VERY carefully controlled
    • Users modify very little
    • Priv’d access highly restricted
  • Control considered necessary step for PKI to trust the directory
• Eventually, client, server and other certs will be published in the directory.
• Hopefully a model campus for LDAP deployment
  • Internet2 Middleware 201 (others?) coursework
Overall Plan
• Best of all 3 worlds
  • LDAP + Kerberos + PKI
• LDAP Authentication performs Kerberos Authentication out the backend. Started 9/2000 to finish NS plug-in.
  • Credential Caching handled by Directory.
• All directory authentications SSL protected. Enforced with necessary exceptions
• Use Kerberos to derive Certificates
• One Userid/Password (single-signon vs. FSO)
Overall Plan
• AT&T Access Cards (Onecard project)
  • Vending, Building Access, Credit, etc
  • Mag-stripe only, no chip
• Unfortunately, no smart-card plan by admin – at least nothing I have seen
• Schlumberger interested in HEPKI
CA Future
• OpenCA (built on OpenSSL)?
• Baltimore?
• Casey Lide – DST?
• Netscape/iPlanet/Sun?
• Outsourcing? (parts is parts is parts)
• Something else? (notaries)
• Ken’s matrix should help with decision
Georgetown Institute for Information Assurance
• Recently formed: July 2000
• Research and practical deployment of Network Security, Internet2 Middleware and PKI
• Joint work between Central IT, CompSci, Medical Center, Law Center, Public Policy Institute, Legal and other experts and faculty.
• Focal point for University policy and practice
• http://www.georgetown.edu/giia
Georgetown Activities
• Internet2 Middleware + EDUCAUSE, CREN
  • Directories, Dir of Dirs for Higher Ed, Shibboleth, PKI, CREN CA, LDAP-RECIPE, eduPerson
• Professor Dorothy Denning, CS, info-warfare
• Prof./Dr. Jeffrey Collmann, Sociology
• Dr. Alan Zuckerman, biometrics
• HEPKI TAG/PAG – Kathryn Baerwald, Georgetown Legal PAG involvement.