CREN Certificate Authority Project: Update from Georgia Tech
Ron Hutchins
28 March 2000

Progress
• Application for Certificate is done
• CREN certificate has been created and is installed in the Georgia Tech Certificate Authority offline
• Security Policy Committee for the campus has met two times to begin discussions.
• Applications utilizing the certificates are under way
• Document, document, document

Why Certificates?
• Current apps have no common authentication and authorization model.
• Need for a common layer of AAA to reduce complexity for growth.
• Certificates in conjunction with SSL, IPSEC, and Kerberos provide a model for a significant number of applications, both current and future

Plan
• Create GT Certificate Authority - done
• Interface with Kerberos to create initial instance of a Registration Authority - done
• Create practices for managing the CA - in progress
• Create classes of certificates and define use and appropriate lifetimes - soon
• Define apps and appropriate cert model - coming
• Create and document local policy - in parallel
• Educate our constituency - forever

Applications
• Remote Access - from any ISP into campus
• Authenticated wireless and walk-up access
• SSL encryption and logging via 2-way certs on web enabled apps (WebObjects, etc.)
• Secure E-mail? Via SSL or Kerberos? Or certs directly?

Middleware needed?
• Interfacing with Kerberos as Registration Authority for class 3 cert issuing application via web - Jeff Schiller model - current but needs some hardening… Create our Registration Authority for other cert classes?
• LDAP interfacing for CRL and Public Key storage/access
• FreeSWAN mods to accept certs for VPNs on Linux? Other platforms?

Futures
• Work with State governmental agencies in Georgia and beyond
• Work with University System Board of Regents for Education model of security
• Work with JSTOR for certificate based authentication for faculty access to databases

To Be Done...
• Designate classes of certs for campus use:
  • Class 1 - business office and finance class?
  • Class 2 - general GT server certificates?
  • Class 3 - remote access and student general purpose only (if we issued a cert it’s good for something)
• Designate lifetimes for these cert classes
• Create CRLs and LDAP interfaces to complete the model (Middleware)
• Create apps that really check expiration and CRLs
• Policy stuff… and documentation
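The last slide's points about cert lifetimes, CRLs, and "apps that really check expiration and CRLs" can be made concrete with the openssl(1) command line. The script below is an added example, not material from the slides and not Georgia Tech's or CREN's configuration: it builds a throwaway root CA in a temporary directory (standing in for the offline CA), issues one 90-day "class 3"-style end-entity certificate, publishes a CRL, revokes the certificate, and then runs the verification an application should perform (chain, validity dates, CRL, failing closed if no CRL is available) beside the weak check that ignores the CRL. The CA name, subject names, lifetimes and directory are all constructed for the demo; it assumes only that `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the slides): minimal offline-style CA, one short-lived
# end-entity cert, a CRL, and verification runs that show what "really checking
# expiration and CRLs" means. All names and lifetimes are constructed for the demo.
set -e

# Minimal openssl ca(1) configuration, written inline so the script is
# self-contained. Paths are relative to the working directory set by setup_pki.
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 90
default_crl_days = 365
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF
}

# Fresh working directory, a self-signed root CA (long lived; kept offline in a
# real deployment), one 90-day end-entity cert, and an initial empty CRL.
setup_pki() {
    PKI_DIR=$(mktemp -d)
    cd "$PKI_DIR"
    write_ca_config
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout ca.key -out ca.crt -subj "/O=Demo Campus/CN=Demo Campus Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout user.key -out user.csr -subj "/O=Demo Campus/CN=remote-access-user" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 90 -in user.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out user.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Revoke the end-entity cert and publish a new CRL that lists it.
revoke_user_cert() {
    cd "$PKI_DIR"
    openssl ca -config ca.cnf -revoke user.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# The check an application should make: chain to the CA, validity dates, and
# the CRL (openssl fails closed if no CRL is present). Exit 0 means accepted.
verify_with_crl() {
    cd "$PKI_DIR"
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
}

# Same check evaluated at a given time (epoch seconds), to show the outcome
# once the 90-day lifetime has passed.
verify_at() {
    cd "$PKI_DIR"
    openssl verify -crl_check -attime "$2" -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
}

# The weak check: chain and dates only, CRL never consulted.
verify_without_crl() {
    cd "$PKI_DIR"
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Epoch time 200 days from now (beyond the 90-day cert, within the 365-day CRL).
time_after_lifetime() {
    echo $(( $(date +%s) + 200 * 86400 ))
}

report() {  # report <label> <command...>: print accepted/rejected
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

demo() {
    setup_pki
    report "fresh cert, CRL checked" verify_with_crl user.crt
    report "same cert 200 days on, CRL checked" verify_at user.crt "$(time_after_lifetime)"
    revoke_user_cert
    report "revoked cert, CRL checked" verify_with_crl user.crt
    report "revoked cert, CRL ignored" verify_without_crl user.crt
}

demo
```

Running it prints accepted, rejected, rejected, accepted in that order: the last line is the failure mode the slide warns about, a revoked certificate that a CRL-blind application still trusts. The same structure carries over to LDAP-published CRLs once the middleware exists; only where `ca.crl` is fetched from changes.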