PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder
Agenda • Fundamentals - Components and Contexts • The missing pieces - in the technology and in the community • Current Activities - feds, chime, anx, overseas, pkiforum, etc. • Higher Ed Activities (CREN, HEPKI-TAG, HEPKI-PAG, Net@edu, PKIlabs)
PKI : A few observations • Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack…But it is that ubiquitous and important • Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITP’s... • Options breed complexity; managing complexity is essential
A few more... • IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder. • No one seems to be working on the solutions for the agora.
Uses for PKI and Certificates • authentication and pseudo-authentication • signing docs • encrypting docs and mail • non-repudiation • secure channels across a network • authorization and attributes • and more...
A framework • PKI Components - hardware, software, processes, policies • Contexts for usage - community of interests • Implementation options (in-source, out-source, roll-your-own, etc.) • Note changes over time...
PKI Components • X.509 v3 certs - profiles and uses • Validation - Certificate Revocation Lists, OCSP, path construction • Cert management - generating certs, using keys, archiving and escrow, mobility, etc. • Directories - to store certs, and public keys and maybe private keys • Trust models and I/A • Cert-enabled apps
PKI Contexts for Usage • Intracampus • Within the Higher Ed community of interest • In the Broader World
PKI Implementation Options • In-source - with public domain or campus unique • In-source - with commercial product • Bring-in-source - with commercial services • Out-source - a spectrum of services and issues • what you do depends on when you do it...
Cert-enabled applications • Browsers • Authentication • S/MIME email • IPsec and VPN • Globus • Secure multicast
X.509 certs • purpose - bind a public key to a subject • standard fields • extended fields • profiles • client and server cert distinctions
Standard fields in certs • cert serial number • the subject, as X.500 DN or … • the subject’s public key • the validity field • the issuer, as id and common name • signing algorithm • signature over the cert, made with the issuer’s private key
Extension fields • Examples - auth/subject subcodes, key usage, LDAP URL, CRL distribution points, etc • Key usage is very important - for digsig, non-rep, key or data encipherment, etc. • Certain extensions can be marked critical - if an app can’t understand it, then don’t use the cert • Requires profiles to document, and great care...
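The critical-flag rule and the key usage restriction from the slide above, as an added example that is not part of the original slides. The extensions are modelled as plain dictionaries rather than parsed from a real certificate; the private OID, the LDAP URL and the helper names are constructed for illustration.

```python
# Constructed model of X.509 v3 extension handling; no real certificate is parsed.
KEY_USAGE = "2.5.29.15"          # id-ce-keyUsage
BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints
CRL_DIST_POINTS = "2.5.29.31"    # id-ce-cRLDistributionPoints
CAMPUS_PRIVATE = "1.3.6.1.4.1.99999.1"  # hypothetical private OID, constructed

# Extensions this (hypothetical) application knows how to process.
UNDERSTOOD = {KEY_USAGE, BASIC_CONSTRAINTS, CRL_DIST_POINTS}

def ext(oid, critical, value=None):
    return {"oid": oid, "critical": critical, "value": value}

def check_cert(extensions, purpose, understood=UNDERSTOOD):
    """Return (ok, reason) for using a cert with these extensions for `purpose`."""
    for e in extensions:
        # A critical extension the application cannot process rejects the cert.
        if e["critical"] and e["oid"] not in understood:
            return False, f"unrecognized critical extension {e['oid']}"
    for e in extensions:
        # keyUsage, when present, restricts what the key may be used for.
        if e["oid"] == KEY_USAGE and purpose not in e["value"]:
            return False, f"keyUsage does not permit {purpose}"
    return True, "ok"

# Constructed sample certificates (extension lists only).
SIGNING = [ext(KEY_USAGE, True, {"digitalSignature", "nonRepudiation"}),
           ext(CRL_DIST_POINTS, False, "ldap://directory.example.edu/")]
WITH_NONCRITICAL = SIGNING + [ext(CAMPUS_PRIVATE, False, "affiliation=staff")]
WITH_CRITICAL = SIGNING + [ext(CAMPUS_PRIVATE, True, "affiliation=staff")]

if __name__ == "__main__":
    for name, exts, purpose in [
        ("signing cert, sign", SIGNING, "digitalSignature"),
        ("signing cert, encrypt", SIGNING, "keyEncipherment"),
        ("unknown non-critical", WITH_NONCRITICAL, "digitalSignature"),
        ("unknown critical", WITH_CRITICAL, "digitalSignature"),
    ]:
        print(name, "->", check_cert(exts, purpose))
```

An unknown extension is ignored when it is non-critical and fatal when it is critical, which is why a profile has to document every extension a community marks critical.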
Cert Management • Certificate Management Protocol - for the creation and management of certs • Revocation Options - CRL, OCSP • Storage - where (device, directory, private cache, etc.) and how - format • escrow and archive - when, how, and what else needs to be kept • Cert Authority Software or outsource options • Authority and policies
Certificate Management Systems • Homebrews • OpenSSL and OpenCA • Baltimore, Entrust, etc. • W2K, Netscape, etc.
Directories • to store certs • to store CRL • to store private keys, for the time being • to store attributes • implement with border directories, or acls within the enterprise directory, or proprietary directories
Inter-organizational trust model components • Certificate Policy - uses of particular certs, assurance levels for I/A, audit and archival requirements • Certificate Practices Statement - the nitty gritty operational issues • Hierarchies vs Bridges • a philosophy and an implementation issue • the concerns are transitivity and delegation • hierarchies assert a common trust model • bridges pairwise agree on trust models and policy mappings
Certificate Policies (CP) Address • Legal responsibilities and liabilities (indemnification issues) • Operations of Certificate Management systems • Best practices for core middleware • Assurance levels - varies according to I/A processes and other operational factors
Certificate Practice Statements (CPS) • Site specific details of operational compliance with a Cert Policy • A single practice statement can support several policies (Chime) • A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.
Trust chains • Path construction • to determine a path from the issuing CA to a trusted CA • heuristics to handle branching that occurs at bridges • Path validation • uses the path to determine if trust is appropriate • should address revocation, key usage, basic constraints, policy mappings
Trust chains • When and where to validate • off-line on a server at the discretion of the application • depth of chain • some revocations better than others - major (disaffiliation, key compromise, etc.) and minor (name change, attribute change) • sometimes the CRL can’t be found or hasn’t been updated
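Path construction through a bridge and the validation concerns from the two trust-chain slides above, as an added example that is not part of the original slides. All CA names, serial numbers and CRL data are constructed; signature checks, validity dates, key usage and policy mappings are left out, and treating a missing or stale CRL as a failure is this example's own choice.

```python
from datetime import datetime, timedelta

NOW = datetime(2001, 1, 15)  # constructed evaluation time

# Constructed certificates (hypothetical names). Campus CA and Agency CA are
# each cross-certified with Bridge CA, so the issuer graph contains a loop.
CERTS = [
    {"issuer": "Campus CA", "subject": "alice", "serial": 7, "ca": False},
    {"issuer": "Bridge CA", "subject": "Campus CA", "serial": 2, "ca": True},
    {"issuer": "Campus CA", "subject": "Bridge CA", "serial": 3, "ca": True},
    {"issuer": "Agency CA", "subject": "Bridge CA", "serial": 4, "ca": True},
    {"issuer": "Bridge CA", "subject": "Agency CA", "serial": 5, "ca": True},
]

def fresh_crls():
    """One empty, current CRL per issuer (constructed data)."""
    nxt = NOW + timedelta(days=7)
    return {c["issuer"]: {"revoked": set(), "next_update": nxt} for c in CERTS}

def build_paths(subject, anchor, max_depth=4, seen=()):
    """Depth-first search from `subject` up to the trusted `anchor`.
    `seen` blocks loops through the bridge; `max_depth` caps certs per path."""
    paths = []
    for cert in CERTS:
        if cert["subject"] != subject or cert["issuer"] in seen:
            continue
        if cert["issuer"] == anchor:
            paths.append([cert])
        elif len(seen) + 1 < max_depth:
            for rest in build_paths(cert["issuer"], anchor, max_depth, seen + (subject,)):
                paths.append([cert] + rest)
    return paths

def validate_path(path, crls, now=NOW):
    """Check basic constraints and revocation for each cert, end entity first."""
    for i, cert in enumerate(path):
        if i > 0 and not cert["ca"]:
            return False, f"{cert['subject']} is not a CA"
        crl = crls.get(cert["issuer"])
        if crl is None:
            return False, f"no CRL available from {cert['issuer']}"
        if crl["next_update"] < now:
            return False, f"stale CRL from {cert['issuer']}"
        if cert["serial"] in crl["revoked"]:
            return False, f"serial {cert['serial']} revoked by {cert['issuer']}"
    return True, "path valid"
```

With Agency CA as the relying party's trust anchor, the only path for alice runs Campus CA, Bridge CA, Agency CA; the cross-certificate from Campus CA back to Bridge CA is the branch the loop check discards.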
Mobility Options • smart cards • usb dongles • passwords to download from a store or directory • proprietary roaming schemes abound - Netscape, Verisign, etc • SACRED within IETF recently formed for standards • integration of certificates from multiple stores
More current activities • HEPKI • the Grid
Current Activities • PKIX (http://www.ietf.org/html.charters/pkix-charter.html) • Federal PKI work (http://csrc.nist.gov/pki/twg/) • State Govs (http://www.ec3.org/) • Medical community (Tunitas, CHIME, HIPAA) • Automobile community (ANX) • Overseas • Euro government - qualifying certs • EuroPKI for Higher Ed (http://www.europki.org/ca/root/cps/en_index.html)
All the stuff we don’t know… • Revocation approaches • Policy languages • Standard profiles • Mobility • Path math • User interface
PKI and Higher Ed • ah, the public sector life… • Key issues • Current activities
ah, the public sector… • almost universal community of interests • cross-agency relationships • complex privacy and security issues • limited budgets and implementation options • sometimes ahead of the crowd and the obligation to build a marketplace
Key issues • trust relationships among autonomous organizations • interoperability of profiles and policies • interactions with J.Q. Public • international governance issues