HEPKI-TAG Update
EDUCAUSE/Dartmouth PKI Summit, July 26, 2005
Jim Jokl, University of Virginia
HEPKI-TAG Activities
• Sponsors: EDUCAUSE, Internet2, NET@EDU
• Charter – Technical Activities Group (TAG)
  • Open-source PKI software
  • Certificate profiles
  • Directory / PKI interaction
  • Validity periods
  • Client customization issues
  • Mobility
  • Inter-institution test projects
  • Private key protection
  • Technical issues with cross-certification
  • Communicate results
• Process
  • Biweekly conference calls
  • Sessions at higher education events
Updates to PKI-Lite
• PKI-Lite: using PKI technology at the level of assurance (LOA) of the existing campus login/password system
• Updated policy and practices document
  • Changes based on feedback from the NMI project, etc.
  • Clarifications to hierarchical CAs, language, etc.
  • Still 9 pages, fill-in-the-blanks format
• Relationship to the Citizen and Commerce (C4) policy
  • C4 requires FIPS 140 cryptographic modules, audits, and CRL/OCSP revocation checking
• New PKI-Lite certificate profiles
  • End entity
    • Bridge environment: Authority and Subject Key Identifiers (the AKI/SKI pair path builders use to chain certificates across a bridge)
    • EAP-TLS: Microsoft UPN OID carried in subjectAltName as an otherName (PrincipalName)
  • Certification authority
    • Authority and Subject Key Identifiers
  • All profiles now follow the RFCs more closely on which extensions are marked critical
S/MIME
• Plan to update the S/MIME compatibility table with data for additional clients
• HEPKI-TAG coordinated a letter to Qualcomm requesting S/MIME support for Eudora
  • Qualcomm was/is developing S/MIME support for Eudora
  • HEPKI-TAG developed a prioritized list of features we'd like to see in the client
  • Looking forward to being early testers
Introductory Materials: Aiding Initial Campus Deployments
• Recall our PKI-Lite framework
  • Using PKI for "standard" applications where you likely would have used names/passwords in the past
  • Standard policy/practices document and profiles
  • Designed to support S/MIME, VPN, web authentication, etc.
  • Validated on other apps (e.g. Globus, document signing applications, etc.)
• Newer addition: PKI-Lite Recipe
  • by Steven Carmody at Brown
US Higher Education Root (USHER) and Policy
• Background
  • A hierarchical CA for higher education
  • Issues authority certificates to campus CAs
  • Replaces, and offers more than, the old CREN hierarchy
• Initial discussions on LOA for USHER
  • Strong procedures for USHER operations
  • Strong process to identify campuses
  • Discussions on requirements for schools
    • Something heavy, C4, PKI-Lite, less, etc.?
    • Implications for when USHER cross-certifies with HEBCA?
• Early focus decisions
  • Strong procedures for USHER itself; use the InCommon identification and authentication (I&A) process for schools
  • Architect for both a USHER-heavier and a USHER-Lite
  • Focus deployment on USHER-Lite
One older concept for the US Higher Education Root (USHER)
[Diagram: a single USHER Root with USHER-Lite, the InCommon CA and USHER Basic/Medium beneath it; School CAs and Shib certs hang below these subordinates]
Current Thinking for USHER
[Diagram: a USHER-Lite Root with School CAs beneath it; a future USHER Basic/Medium and HEBCA shown next to it; the InCommon CA, issuing Shib certs, drawn separately. Note: the InCommon CA is not related to USHER in a PKI sense]
USHER & Policy: Enter LionShare
[Diagram: USHER issues an authority certificate to the Campus CA; the Campus CA certifies a LionShare SASL CA, which issues short-life user certificates]
• LionShare needs a trust fabric that works logically like PKI-Lite
  • Verify the PKI-Lite policy OID in the certificate
• Question: can/should USHER require at least PKI-Lite from campuses?
  • Schools are doing this anyway
  • Strong pushback on the TAG call
    • How does USHER certify campuses?
    • Campus liability concerns
    • Why is a requirement needed?
Current Thinking on USHER-Lite
• No requirements on what the campus may do with its USHER authority certificate
• LionShare will require the PKI-Lite policy OID in certificates issued by the SASL CA
• USHER CA profile
  • Profiles include an Authority Information Access (AIA) extension so that Windows XP can fetch issuer/bridge certificates while building a path
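As an added example (not from the HEPKI-TAG slides or any HEPKI-TAG deliverable), the following script builds a throwaway campus CA and one end-entity certificate carrying the profile elements the PKI-Lite slide lists (Subject and Authority Key Identifiers, the Microsoft UPN otherName used by EAP-TLS, a certificate policy OID, an AIA caIssuers pointer), and then performs the relying-party check the LionShare slide describes: look for the policy OID in the certificate before trusting it. The policy OID 1.3.6.1.4.1.99999.1.1, the names, and the URL are placeholders; the real PKI-Lite policy OID is not given on this page. It needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the HEPKI-TAG slides. Assumptions: a placeholder policy
# OID, placeholder names/URLs, and the openssl CLI on the PATH.
set -e

PKI_LITE_OID="1.3.6.1.4.1.99999.1.1"   # placeholder, NOT the real PKI-Lite OID
UPN_OID="1.3.6.1.4.1.311.20.2.3"        # Microsoft User Principal Name otherName (EAP-TLS)

# Write an OpenSSL extension config with a CA profile and an end-entity profile.
# Critical flags follow RFC 5280: basicConstraints and keyUsage critical on the CA,
# keyUsage critical on the end entity, everything else non-critical.
write_profile_cnf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
[ dn ]

[ campus_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ pki_lite_ee ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
# rfc822Name for S/MIME plus the UPN otherName that EAP-TLS clients match on
subjectAltName         = email:jdoe@example.edu, otherName:${UPN_OID};UTF8:jdoe@example.edu
certificatePolicies    = ${PKI_LITE_OID}
# caIssuers pointer lets a Windows client fetch the issuer chain during path building
authorityInfoAccess    = caIssuers;URI:http://ca.example.edu/campus-ca.cer
EOF
}

# Issue a self-signed campus CA and a 90-day end-entity certificate into directory $1.
build_certs() {
  dir="$1"
  mkdir -p "$dir"
  write_profile_cnf "$dir/profile.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout "$dir/ca.key" -out "$dir/ca.pem" \
      -subj "/O=Example University/CN=Example Campus CA" \
      -config "$dir/profile.cnf" -extensions campus_ca
  openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/ee.key" -out "$dir/ee.csr" \
      -subj "/O=Example University/CN=Jane Doe" \
      -config "$dir/profile.cnf"
  openssl x509 -req -days 90 -in "$dir/ee.csr" \
      -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/profile.cnf" -extensions pki_lite_ee \
      -out "$dir/ee.pem"
}

# Relying-party check: certificate $1 must carry policy OID $2 and the SKI/AKI
# pair a bridge environment needs. Returns 0 if all are present, 1 otherwise.
check_pki_lite_profile() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q "X509v3 Subject Key Identifier"   || return 1
  printf '%s\n' "$text" | grep -q "X509v3 Authority Key Identifier" || return 1
  printf '%s\n' "$text" | grep -q "Policy: $2\$"                    || return 1
}

# Demo: build the chain, verify it, and run the check on both certificates.
workdir=$(mktemp -d)
build_certs "$workdir"
openssl verify -CAfile "$workdir/ca.pem" "$workdir/ee.pem"
if check_pki_lite_profile "$workdir/ee.pem" "$PKI_LITE_OID"; then
  echo "ee.pem: PKI-Lite profile elements present"
fi
if ! check_pki_lite_profile "$workdir/ca.pem" "$PKI_LITE_OID"; then
  echo "ca.pem: no PKI-Lite policy OID (expected: the CA profile asserts no policy)"
fi
```

The policy check is a string match on `openssl x509 -text` output, which is enough to show where the OID lives; a production relying party would instead run RFC 5280 path validation with an initial policy set so that a certificate issued under a different policy OID by the same campus CA is rejected as well.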
Next Projects for HEPKI-TAG
• Continue support for USHER
• Maintain and update existing documents and services
• Signing tools project
  • Document and web form signing tools
• Update of S/MIME work
  • Update compatibility matrix
  • Eudora when ready
• Campus CA audits
  • Preparation and documents for campus auditors
• In the queue
  • Windows smart card login
  • Mobility and hardware token update
  • Application integration (administrative and general)
  • CA software
  • More/better introductory materials
  • Bridge application testing
  • Grid integration and documentation
  • Update hardware token work
  • EAP-TLS documentation
  • Look at SILC
  • Insert your favorite item(s) here
Questions - References
• If you are working on these topics, consider participating in HEPKI-TAG
• Some references
  • middleware.internet2.edu/hepki-tag
    • Links to other sites, CA software, etc.
  • NET@EDU PKI for Networked Higher Education
    • http://www.educause.edu/PKIforNetworkedHigherEducation/928
  • pkidev.internet2.edu
  • PKI Labs
    • middleware.internet2.edu/pkilabs