1 / 19

USHER Update

USHER Update. Fed/ED December 2007 Jim Jokl University of Virginia. USHER - US Higher Education Root CA. Much discussion about our community Needs for a PKI-based trust mechanism A replacement for the old CREN CA Quick convergence on a set of anticipated applications Web authentication

emmly
Download Presentation

USHER Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. USHER Update Fed/ED December 2007 Jim JoklUniversity of Virginia

  2. USHER - US Higher Education Root CA • Much discussion about our community • Needs for a PKI-based trust mechanism • A replacement for the old CREN CA • Quick convergence on a set of anticipated applications • Web authentication • Electronic mail (S/MIME) • VPN (IPSec), Wireless (EAP-TLS), & SSH authentication • LionShare – P2P sharing application • Grid Authentication (Globus) • Digital Signatures

  3. USHER Certification Authority USHER CA • A hierarchical PKI root for US Higher Education Campus A CA Campus B CA Campus D CA Campus C CA Campus A sub-CA User User User User User Campus E CA User User

  4. USHER - US Higher Education Root CA • However, also many questions • What types of CAs do campuses operate? • What LoA do their practices support? • Formal documentation and audit? • What LoA should the overall system provide? • What type of agreement can a campus sign? • State agencies vs. private schools • What is the potential liability of serving on the PA? • Eventual decision • Initially implement an USHER service that minimizes the campus-level requirements & contracts • An USHER CA that enforces higher levels of assurance will likely be implemented in the future

  5. USHER CA Commercial CA Remote Service Campus #1CA/RA Campus #3CA/RA Campus RA Campus #2CA/RA User Certs Machine Certs Authority Certs User Certs Machine Certs Authority Certs User Certs Machine Certs Authority Certs User Certs Machine Certs US Higher Education Root Technically, a Traditional Hierarchical CA

  6. USHER Implementation • USHER Philosophy • Leverage the InCommon infrastructure as much as practical • Use InCommon I&A process • If campus officials are same, no need to repeat the process • USHER CA/RA Process • Signed Participation Agreement • Signed by a campus official authorized to commit the university • Designates the operational campus entity • A strong process is used to validate the campus operator and establish a secure communications channel • The campus generates a request which is then signed by the USHER CA

  7. USHER Implementation & LoA • The USHER CA itself is operated at a relatively high level of assurance • Solid practices for protecting & operating CA • Strong process to identify designated campus official and establish secure out-of-band communications • Campus LoA: as determined by the campus • PKI-Lite type systems expected to be common • Likely some stronger LoA PKIs too • However, recall that few contractual requirements are imposed in the agreement signed by the campus official • Solution: detail expectations in a set of Expected Practices

  8. USHER Expected Practices • When campuses join USHER, they are expected to adhere to the set of Expected Practices • Campuses will not join USHER if they can not or will not meet the expected practices • Campuses areexpected to leave USHER if they are unable to continue to meet the expected practices • Action by the Policy Authority if ever needed • PA does not audit or review audits of campus CAs

  9. USHER Expected Practices • Will operate their PKI using processes that are at least as strong as how they manage central accounts for email, calendaring, etc, etc • The campus will actively maintain all services that are implied in their certificates, e.g., • CRLs & OCSP, etc • Policy and practices if Policy OID is present • Campuses may issue certificates to anyone affiliated with their institution • The campus definition of affiliation applies

  10. USHER Expected Practices • On campus delegation is permissible • If it matches existing campus policy and does not dilute the LoA of user identification • Campus will not issue 3rd party certs • Instead campus should sponsor the other entity for USHER membership • Campuses strongly encouraged to document their CP and CPS • How many have formally documented central password procedures? • Certificate naming • Will not issue certs intended to mislead or confuse relying parties • Security issues will be considered • CA operations • Notification of private key compromise • So, what is the overall resulting LoA • Relatively strong based on a community of trust as opposed to an audited foundation

  11. USHERCertificate Policies and Profiles • For USHER • See: usher.internet2.edu or www.usherca.org • Root and Campus certificate profiles are complete • For the campus • PKI-Lite is likely a good solution for campuses that have not already developed their own

  12. USHER: Current Status • General availability: now • Key signing ceremony completed • Business processes at Internet2 (leveraging the same people/processes from InCommon) • Campus Subscriber Agreement passed legal review • Expected Practices are finalized • CP and CPS are complete • Schools with authority certificates • Johns Hopkins • Penn State • University of Virginia • Discussions in progress with several more schools

  13. USHER: Some Q&A • Can a campus have multiple USHER CAs? • Yes, and some may do this for organizational reasons • Also, one campus USHER CA can issue an Authority Certificate to another as long this is consistent with existing campus ID management practices • Eligibility • US Higher Education Institutions • Other entities sponsored by a US Higher Education member • What will it cost? (same as InCommon) • $1,000 per year • Plus one-time institutional I&A

  14. USHER: Some Q&A • What is the minimum LOA that a relying party can assume? • A campus official designated a campus organization to operate the USHER CA • USHER used a strong process to validate the organization and establish a secure communications channel • The USHER CA signs campus authority certificates using a strong technical process • The Expected Practices document the commitment that the USHER community has agreed to make

  15. USHER: Some Q&A • Will USHER “be trusted by browsers?” • Not by default • Significant cost in the required audits • Perhaps some added operational costs • Commercial server certificates are no longer expensive • A new root is not hard for your users to install • Deliver it with their end entity certificate • http://pkidev.internet2.edu/rootcerts/

  16. HEBCABridge Cross-certificate pairs Campus A Campus B Campus n Mid-A Mid-B User User User User USHER Q&A:Where does USHER fit in overall? USHER CA Campus CA Campus CA User Campus CA Campus CA Campus CA User User User

  17. FBCA HEBCA SAFE Commercial Others One View: Higher Education PKI Space Educause Verisign CA Campus CA Campus Users Campus CA Campus CA Campus Users Campus Users USHER CA Campus CA Campus CA Campus CA

  18. Questions & DiscussionSome References • Main URLhttp://usher.internet2.edu/http://www.usherca.org • USHER information sheethttp://usher.internet2.edu/docs/USHER_Infosheet_200604.pdf • Also feel free to contact the members of the PAhttp://www.usherca.org/pa.html • http://middleware.internet2.edu/hepki-tag • PKI-Lite, other higher education PKI technical activities

  19. Other PKI Topics? • UVa’s conversion from CREN to USHER • Windows Vista issues, back to school • We are developing of a tool that will download and install user certificates, configure wireless, and windows firewall, etc • HEPKI-TAG • Focus now is on a survey of PKI implementers to help determine what their needs are

More Related