Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002, Washington, DC
Panel • Intro to PKI-Lite • Judith Boettcher, CREN • Minnesota story • Frank Grewe • Columbia • Vace Kundacki • Alan Crosswell
What is PKI-Lite? PKI-Lite — “Full-featured PKI technology deployed with existing campus standards for identification and authentication (I&A) and security”
Is PKI-Lite Real? • Developed by the HEPKI-TAG and HEPKI-PAG groups • Under review and implementation • Why did PKI-Lite evolve?
Policy Swamp - for 18 months • PKI-Lite Environment - At last!
PKI-Lite Trust Environment - What is it? • “Trust Documents” • Certificate policy • Certificate practice statement • Certificate profiles for institutional and end-entity certificates (X.509 v3, IETF) • Relying party statement • For content providers, publishers, etc. • Existing Campus Registration Authority • Registrar, HR • Certification Authority • IT dept with systems and software
PKI-Lite Technology Environment - What is it? • “Good enough” to move forward • Provides Level of Assurance (LOA) • Rudimentary for client certificates • Basic/Medium for Campus Certificates
PKI-Lite Environment • Available now • Combined PKI-Lite Certificate Policy and Certification Practices Statement Template • middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices.htm • Certificate Profiles • For Campus CA and for End-Entity/client certificates • PKI-Lite CP/CPS is being sent to various higher education groups for review • Reviewed by two content providers in late 2001 • Request to keep certificate validity periods to a maximum of 12.5 months
The CREN CA at MIT • SafeKeyper HSM box holding the CREN CA • This box signs Certificate Signing Requests (CSRs)
Five Types of Certificates - It’s easy to get confused! • Root Certificates • “Self-signed certs” (authenticate themselves) • Institutional Certificates • Also called campus certs • Organizational Certificates • Also called department certs, association certs • Web server certificates • Also called server-side certs • End-Entity Certificates • Also called end-user certs, client certs, individual certs, personal certs, or entity certs • Client certs: different ones for signing email and encrypting email, web authentication
What Do Individuals Use Certificates for? • Authenticating oneself to server • Signing email • The same certificate can be used for these two purposes of signing email and authenticating oneself to server • Encrypting email • Individuals will designate one specific certificate for encrypting email
CREN Certificate Services for Higher Education • Hierarchy of Institutional Certificates • CREN CA Certificates • Operational since 11/99 • Web server certificates • CREN.net CA for client certificates • CREN.Net CA for staff, members and pilot projects • Potentially for individuals at campuses without CAs who must meet federal mandates
What are Higher Ed Organizations Doing? • HEPKI-TAG (Internet2, CREN, Educause) • Higher Education PKI - Technical Advisory Group • Developing the PKI-Lite environment • Now doing some pilot testing with S/MIME • HEPKI-PAG (Internet2, CREN, Educause) • Higher Education PKI - Policy Advisory Group • Developing the PKI-Lite environment • Internet2 • Leading the Middleware initiative, including Shibboleth Project • Check out www.internet2.edu/middleware • EDUCAUSE • Leading the Higher Ed Bridge CA
Who is Doing or Planning PKI Use on Campus? • Two major classes of applications • Web-based applications • Electronic Mail (S/MIME) • Plus authentication for network access, such as VPN and wireless • Campuses that are working with PKI • MIT • Georgia Tech • Princeton • U of Virginia • Cornell • U of Wisconsin • U of MN • U of Alabama • U of Mass • Columbia • Penn State • U of Tennessee • Source: J.Jokl/HEPKI-TAG
Examples of Web-Based Apps and Electronic Mail • Authentication • Business services • Access to class materials • Access to remote databases • HR self service • Telecom requests • Electronic mail (S/MIME) • General individual use • Submission of service orders • Submission of timesheets, travel reports • More detail is at... • www.cren.net/crenca/icertpages/why.html • middleware.internet2.edu/hepki-tag/TAG-PKI-Apps3.xls • Source: J.Jokl/HEPKI-TAG
On to Campus Stories… Frank and Vace and Alan
PKI-Lite Environment • Standard PKI-Lite Cert Profiles • Certificate Profile for Root Certificates • middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-2.html • Certificate Profile for End-entity Certificates • middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-profile-6.html • These profiles come with implementor notes discussing extensions and fields to be filled out at campus level CA
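The rules the deck keeps returning to, a campus root that signs end-entity certificates, a validity cap of 12.5 months, and separate client certs for signing/authentication versus email encryption, can be expressed as a small profile checker. The following is an added example using the Python `cryptography` library; it is not HEPKI-TAG code and does not implement the linked profiles. The 380-day bound (an approximation of 12.5 months), the assumption that one cert should not carry both the signing and encryption key-usage bits, and all names are this example's own.

```python
"""Added example: a minimal PKI-Lite style end-entity profile check (not HEPKI-TAG code)."""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

MAX_VALIDITY_DAYS = 380   # assumption: "12.5 months" approximated as 380 days


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, issuer_cn, issuer_key, days, ca=False, sign=True, encrypt=False):
    """Build a certificate; issuer_key=None means self-signed (the campus root)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    usage = x509.KeyUsage(digital_signature=sign, content_commitment=False,
                          key_encipherment=encrypt, data_encipherment=False,
                          key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                          encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key


def check_end_entity(cert, root):
    """Return the list of profile problems; an empty list means the cert passes."""
    problems = []
    if cert.not_valid_after - cert.not_valid_before > dt.timedelta(days=MAX_VALIDITY_DAYS):
        problems.append("validity longer than 12.5 months")
    if cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        problems.append("end-entity cert is marked as a CA")
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    if ku.digital_signature and ku.key_encipherment:
        problems.append("one cert flagged for both signing and encryption")
    try:  # chain check: the campus root key must have produced this signature
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        problems.append("not signed by the campus root")
    return problems


if __name__ == "__main__":
    root, root_key = issue("Campus CA", "Campus CA", None, 3650, ca=True, sign=False)
    good, _ = issue("jdoe@campus.example", "Campus CA", root_key, 365)
    print(check_end_entity(good, root))   # []
```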