HEBCA Overview. Internet2 Meeting, Fall 2002. Michael R Gettes, Georgetown University, Gettes@Georgetown.EDU
PKI is 1/3 Technical and 2/3 Policy? (chart: Policy vs. Technical)
A Snapshot of the U.S. Federal PKI (diagram): Federal Bridge CA; DOD PKI; Illinois PKI; CANADA PKI; NASA PKI; NFC PKI; Higher Education Bridge CA; University PKI
Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross Certificates allow for “one/two-way policy”
• Directories are critical in BCA world.
(Diagram: cross certs and directory chaining) Cross cert links among FBCA, HEBCA, UA CA and NIH CA, each with its directory (FBCA dir, HEBCA dir, UA dir, NIH directory); sender (UA) and receiver (NIH); the receiver's software “DAVE” (Discovery and Validation Engine) gets Cert and CRL via directory chaining, validating from its trust anchor; also labelled: CAM, E-Lock, issued.
The PKI Puzzle, by David Wasley, UCOP (diagram; panel labelled “Medical PKI Hierarchy”)
HEBCA linkage (diagram, “Weems’ Wacky World”): Euro PKI, CREN, Medical, Healthkey, State Bridges, Inter-Directories, FBCA, HEBCA, GRID, NIH, MitreTek, E-Auth, Shib, Apache, FDRM, SEVIS, Signed Email, VidMid
“Registry of Directories” Structure (diagram)
Referral Directories: (Top) above dc=edu, c=us, c=japan, dc=intl; below them dc=uab, dc=ucop, o=US Govt (c=us), o=HHS, ou=A (o=NASA), ou=agency7, ou=FBCA (o=US Govt, c=us), each marked “(else sup)”.
Content Directories: ou=FBCA, ou=agency7, marked “<no else>”.
Legend: a subordinate referral; a superior referral; Referral Directories; Content Directories.
• “Else superior referral” clause exists to allow any LDAP client (or content directory) to have the option of pointing to a referral directory and be able to construct a desired path
• There is no “else” clause in content directories, to prevent loops
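As an added illustration (not from the slides or any HEBCA software), a small Python model of the referral walk the slide describes: referral directories carry subordinate referrals plus an “else superior” referral, content directories carry entries and no else clause. Directory names and DNs follow the slide; the entry values and the hop limit are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

def rdns(dn):
    """Split a DN into normalised RDNs, leaf first, root-most last."""
    return [r.strip().lower() for r in dn.split(",")]

def is_under(dn, suffix):
    """True if dn sits at or below suffix in the directory tree."""
    d, s = rdns(dn), rdns(suffix)
    return len(d) >= len(s) and d[-len(s):] == s

@dataclass
class Directory:
    name: str
    subordinates: Dict[str, str] = field(default_factory=dict)  # suffix -> directory holding it
    entries: Dict[str, str] = field(default_factory=dict)       # normalised DN -> stored value
    superior: Optional[str] = None                              # "else superior" referral

def build_registry():
    """Registry shaped like the slide: referral directories above, content directories below.
    Entry values are constructed for illustration."""
    return {d.name: d for d in [
        Directory("Top", {"dc=edu": "dc=edu", "c=us": "c=us"}),
        Directory("dc=edu", {"dc=uab,dc=edu": "dc=uab"}, superior="Top"),
        Directory("c=us", {"o=US Govt,c=us": "o=US Govt"}, superior="Top"),
        Directory("o=US Govt", {"ou=FBCA,o=US Govt,c=us": "ou=FBCA"}, superior="c=us"),
        # content directories carry entries only: no "else" clause, so a miss stops here
        Directory("ou=FBCA", entries={"cn=fbca ca,ou=fbca,o=us govt,c=us": "FBCA cross-certificate pair"}),
        Directory("dc=uab", entries={"cn=uab ca,dc=uab,dc=edu": "UAB CA certificate"}),
    ]}

def resolve(registry, start, dn, max_hops=8):
    """Chase referrals from directory 'start' for 'dn'.
    Returns (status, value, path): status is "found", "missing" or "loop"."""
    key, path, current = ",".join(rdns(dn)), [], start
    while len(path) < max_hops:
        path.append(current)
        d = registry[current]
        if key in d.entries:
            return "found", d.entries[key], path
        matches = [s for s in d.subordinates if is_under(dn, s)]
        if matches:                    # most specific subordinate referral wins
            current = d.subordinates[max(matches, key=lambda s: len(rdns(s)))]
        elif d.superior is not None:   # "else superior": climb toward Top
            current = d.superior
        else:                          # content directory with no else: terminate
            return "missing", None, path
    return "loop", None, path          # hop limit hit: referrals cycle
```

A client entering at dc=edu reaches the FBCA entry by climbing to Top and descending through c=us and o=US Govt; giving a content directory an else-superior (against the slide's rule) makes a miss bounce between dc=uab and dc=edu until the hop limit.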
HEBCA BID
• Board of Instantiation and Development
• 10-12 of CIO, Techies, Lawyers (usual suspects)
• 1 Year to make HEBCA production
• Governance
• Stand up Policy/Operational Authorities
• Service (Business plan, structure, fees, management)
• Cross-certify with FBCA
• Funding and Technical development issues
• Application interfaces, discovery, blah blah blah
HEBCA Issues
• Certificates in Directories
• Gietz: Break out cert data in dir objects (searchable certs)
• Chadwick: Certificate Parsing Server
• Likely a major impact on Bridge CA model
• OpenSSL/OpenCA to be “bridge aware”
• Registry of Directories (Next-Gen)
HEBCA Issues
• Deployment
• Web Server plugin (apache)
• Email validator (server based on receipt)
• Bill Weems and crew; many apps
• Application Integration
• CAM/DAVE extensions (server validation)
• OCSP, XKMS, SCVP, Novomodo, blah blah
• Understanding Java 1.4 and WinXP
• Develop appropriate APIs
• Browser awareness!!!!