150 likes | 175 Views
CAMP PKI UPDATE August 2002. Jim Jokl jaj@Virginia.EDU. Higher Education PKI Activities - HEPKI. Sponsors Internet2, EDUCAUSE, CREN, NET@EDU HEPKI - Technical Activities Group (TAG) Open-source PKI software Certificate profiles Directory / PKI interaction Validity periods
E N D
CAMP PKI UPDATEAugust 2002 Jim Jokl jaj@Virginia.EDU
Higher Education PKI Activities - HEPKI • Sponsors • Internet2, EDUCAUSE, CREN, NET@EDU • HEPKI - Technical Activities Group (TAG) • Open-source PKI software • Certificate profiles • Directory / PKI interaction • Validity periods • Client customization issues • Mobility • Inter-institution test projects • Technical issues with cross-certification
PKI-liteFull function but lightweight A normal PKI technical infrastructure • Authenticate users • Issue certificates, perhaps revoke certificates • A comparatively simple certificate profile • Support applications, directories, etc A lightweight administrative/policy structure • Supports applications without high assurance needs • One or two page certification policy • Assurance levels per existing campus practice Campus evolution towards full featured PKI
PKI-lite Project Status • PKI-lite certificate profiles completed • Designed to support web authentication & S/MIME • End Entity profile • CA certificate profile • PKI-lite Policy and Practices Statement • Individual documents prepared – then merged • Reviewed by many people • Template-based fill in the blanks approach • HEPKI Demo CA • Source code available for examination • Certificate repository
S/MIME Project Charter • Why S/MIME • Support in many email clients • Why not PGP • A business driver for PKI • Chicken & egg problem • Project goals • Demonstrate the technology • Show intercampus interoperability • Leverage the effort of multiple institutions working together
S/MIME Project Plan • Phase 1 • Client interoperability testing • Certificate management • Documentation for users • Phase 2 • Real campus users • PKI-lite profile certificates & assurance • User-to-application trials • Application-to-user trials • Goal: make S/MIME easy to deploy
S/MIME Project:Some Early Results • Email client interoperability testing results • Common signing algorithms: SHA-1 & MD5 • Common encryption algorithms: DES, 3DES, RC4 • Default client configurations basically just work • SHA-1 & 3DES • Interesting issues • Messages stored in folders are encrypted • Key escrow issues • Opaque signing • Outlook & encryption certificate
S/MIME Project • Mailing List Software • List management software and signatures • Strong authentication for private email lists • www.sympa.org • User-to-machine interactions • Software library for developers • Documentation on website • Project plan • S/MIME clients • Test CA pointers and the start of a FAQ
Possible S/MIME-based Applications • Travel expense reports • Notification of direct deposits • Online forms routing – signed workflow • Trouble ticket submissions • Password resets • Library notices – guard circulation data • Student debit card statement privacy • Timesheet submission • Long distance billing privacy • FERPA opt-in/opt-out • Sysadmin confirmation of batch jobs • List server expansion of encrypted messages
HEPKI-TAG: next stepsThe Mobility Problem • Private key access in a mobile environment • Hardware tokens • Smart Cards & USB devices • For mobility, enhanced assurance, non-repudiation • On-device key generation v.s. memory • Pin Protection Schemes • Dual user/admin PIN systems • Card locks after x user-pin attempts • Fuse opens after y admin pin attempts • Single PIN/Reinitialize systems • Card blocks after x user-pin attempts • Card can be reset back to factory state and reused
HEPKI-TAG: next stepsCertificate-based SSH Authentication • Motivation • Solves the initial key authentication problem • Enables use of smart cards/USB devices for two-factor authentication • SSH.com (commercial server) • Load CA certificate chain • Issue cert to server • Build file to map Unix users to certificate fields • Fixed fields • Regular expressions and substitution • Interoperability • SSH.com server & clients, VanDyke SecureCRT
HEPKI-TAG: next steps • Document and form signing tools • The active content problem • Web-based • Client tools • Windows XP bridge functionality • Path construction & validation • Support for name and policy constraints • Applications • S/MIME Project continued • Browser Issues & Usability
HEPKI-TAG Resources • PKI-Lite • EE certificate profile • CA certificate profile • Policy and Practices statement • Demonstrations • HEPKI-CA • Client authentication • Certificate Repository • Certificate profile repository • S/MIME client interoperability testing chart • Certificate Profile Maker • DC Naming Recommendation
And, old problems don’t go away …. • Trusted Root problem • An old issue • That isn’t fixed yet • Complete with intuitive user interfaces • Large support question • Get the whole campus to download? • Support users one at a time? • Other options? • Who knows a lot about keystore access?
References • Main HEPKI Site • http://www.educause.edu/hepki • HEPKI-TAG • http://middleware.internet2.edu/hepki-tag • S/MIME Project Site • http://middleware.internet2.edu/hepki-tag/smime • Demonstration Site • http://pkidev.internet2.edu • Many other links at the above sites