
University of Texas PKI Status


Presentation Transcript


  1. University of Texas PKI Status
     CREN-Mellon conference, December 1, 2001

  2. PKI TEAM
     • Gene Titus, Systems Architect (U.T. System Office of Telecommunication Services)
     • Jim Lyons, Developer and DBA (U.T. Austin ITS/Telecommunications and Networking)
     • Frank Sayre, Coordination, Policy (U.T. Austin ITS/Telecommunications and Networking)
     • U.T. System Associate Vice-Chancellor, Chief Information Officer
     • U.T. System System Audit Office
     • U.T. System Office of Information Resources
     • U.T. Austin Vice-President for Information Technology (ITS)
     • ITS Administrative Computing
     • ITS Security Office
     • U.T. Austin Office of Internal Audits

  3. Management of Community Data
     • Directory organized as X.500 hierarchy
     • Campus-wide, 100% coverage of entire community
     • Populated through daily ‘feeds’ from HR and Registrar
     • Managed via OpenLDAP v. 1.2x
     • Accessible via Richter/TU Chemnitz web500gw-2.1b3 at http://directory.utexas.edu/
     • Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system

  4. Current Network Authentication Scheme
     • Electronic ID (EID) -- pre-PKI
     • Campus-wide: 100% of community using network-based electronic services (grades, transcript requests, class rosters, time sheets, bio updates, etc.)
     • Username/password credential providing single-sign-on for network-based services
     • Established at face-to-face presentation of identity credentials at University ID Center
     • User logon through HTTPS connection to HPUX systems tied in with central authorization records residing in MVS. Authorization data is passed inside RSA MD5-encrypted cookie
     • Viable authentication mechanism for end-user certificate requests through HTTPS-based PKI Registration Authority

  5. Planned Initial Uses, 2002/03
     • SSL server certificates
     • Authentication for network-based services (to some degree replacing EID)
     • Digitally signed documents (S/MIME protocol) for special groups
     • Digitally signed and encrypted e-mail (S/MIME protocol) for special groups

  6. Current Deployment Status: U.T. System
     • Certification Authority implemented with PERL/OpenSSL: tested
     • Private key storage in Chrysalis Luna CA3 (FIPS 140-1, level 3) HSM: tested
     • CA certificate to be signed by CREN: January, 2002
     • System operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
     • Issuance of Institutional CA certificates for U.T. component campuses: Spring, 2002
     • Policy governing CA certificate issuance: due early Spring, 2002

  7. Current Deployment Status: U.T. Austin
     • Certification Authority implemented with PERL/OpenSSL: tested
     • HTTPS-accessible Registration Authority implemented in PERL: tested
     • Registration Authority integrated with current EID network authentication: tested
     • Issuance of end-entity certificates to Schlumberger CyberFlex smartcards: tested
     • Back-end storage and management of certificates in Unix dbm: tested
     • Initial, informal testing of CRL publication to OCSP server: completed
     • Initial, informal testing of PKI-enabled client applications: significant problems revealed
     • Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
     • CA certificate signed by U.T. System CA: Spring, 2002
     • Policy governing issuance of SSL server certificates: early Spring, 2002
     • Issuance of SSL server certificates: commence Spring, 2002
     • Policy for end-entity certificates for special groups: drafted Spring, 2002
     • Publication of end-entity certificates to Directory: need additional testing in Spring, 2002
     • Publication of CRLs to OCSP server: need additional testing in Spring, 2002
     • Formal testing of PKI-enabled client applications: commence Summer, 2002
     • Formal testing of OCSP client-server functions: commence Summer, 2002
     • Preparation of user documentation and support procedures: commence Summer, 2002
     • End-entity certificate issuance for special groups: Fall, 2002, or Spring, 2003
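As an added illustration of the CA, end-entity issuance and CRL publication steps this slide tracks (example code written for this transcript, not the U.T. Perl/OpenSSL implementation), a miniature OpenSSL command-line CA: it assumes only a POSIX shell and the `openssl` tool, and every subject name and file name is constructed. The point it shows is that a revoked certificate still verifies against the CA alone; only a relying party that actually consults the published CRL rejects it.

```sh
# Added example, not U.T. code: a miniature OpenSSL-based CA of the kind the slide describes.
# It issues an end-entity certificate, revokes it, publishes a CRL, and shows that the cert
# still verifies unless the relying party consults the CRL. All names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
[ ca ]
default_ca = local_ca
[ local_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = loose
[ loose ]
commonName       = supplied
organizationName = optional
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
# Institutional CA key and self-signed certificate (HSM-backed in the real deployment).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.crt \
  -subj "/O=Example University/CN=Example Institutional CA" 2>/dev/null
# End-entity request, as the RA would submit it, signed by the CA with end-entity extensions.
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
  -subj "/O=Example University/CN=jdoe@example.edu" 2>/dev/null
openssl ca -config ca.cnf -batch -extensions ee_ext -in ee.csr -out ee.crt 2>/dev/null
# Each verifier returns openssl's exit status: 0 when the chain is accepted.
verify_without_crl() { openssl verify -CAfile ca.crt ee.crt >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl ee.crt >/dev/null 2>&1; }
# Revoke the certificate and publish a fresh CRL (what the OCSP responder would ingest).
openssl ca -config ca.cnf -revoke ee.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
```

After the revocation, `verify_without_crl` still succeeds while `verify_with_crl` fails, which is why the slide's CRL and OCSP publication items matter as much as issuance itself.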

  8. Content Providers
     • Most widely used content providers include: Elsevier, OCLC, JSTOR, Bowker, Gale
     • Access allowed for campus IP address range and by scripted logon
     • Library staff would like ‘electronic library card’ to be implemented as part of U.T. Austin campus PKI.

  9. Readiness to Issue Certs to Select Groups
     • Fall, 2002, or Spring, 2003, at earliest
     • Significant administrative effort in area of PKI policy
     • Identification of funds
     • Significant user support for essential PKI concepts and for configuration and use of PKI-enabled client apps
