
11th Fed/Ed PKI Meeting




Presentation Transcript


  1. 11th Fed/Ed PKI Meeting
     Some quick updates from recent HEPKI-TAG and SURA work
     Jim Jokl, jaj@Virginia.EDU

  2. US Higher Education Root (USHER) and Policy
     • Background
       • A hierarchical CA for Higher Education
       • Issues authority certificates to campus CAs
       • Replaces, and offers more than, the old CREN hierarchy
     • Initial discussions on LOA for USHER
       • Strong procedures for USHER operations
       • Strong process to identify campuses
       • Discussions on requirements for schools: something heavy, PKI-Lite, etc.?
       • Implications for when USHER cross-certifies with HEBCA
     • Early focus decisions
       • Strong procedures for USHER itself; use the InCommon I&A process for schools
       • Architect for both a USHER-heavy and a USHER-Lite
       • Focus deployment on USHER-Lite

  3. USHER & Policy: Enter LionShare
     [Diagram: USHER → Campus CA (one per campus) → LionShare SASL CA → short-life user certificates]
     • LionShare needs a trust fabric that works logically like PKI-Lite
       • Verify the PKI-Lite OID in the certificate
     • Question: can/should USHER require at least PKI-Lite from campuses?
       • Schools are doing this anyway
       • Strong pushback on the TAG call
         • How does USHER certify campuses?
         • Campus liability concerns
         • Why is a requirement needed?

  4. Grid Computing & PKI Bridges
     • Started in the NMI Testbed Grid project
     • The tradition in the grid community appeared to be to run a CA for each grid, or to install root certificates for each site
     • We wanted an approach that scaled more easily, leveraged central campus authentication, and enabled researchers to get out of the identity management business
     • Logical solution: attempt to leverage HEBCA with Globus
     • Project: do the technical work needed to pilot this idea in parallel with the development of HEBCA

  5. Schematic of Original SURA NMI Testbed Grid PKI Integration Goal
     [Diagram: a Testbed Bridge CA joined by cross-cert pairs to A's PKI, B's PKI and C's PKI; a Testbed CA issuing user certs; grids at Campus A through Campus F]

  6. Inter-campus NMI Testbed Globus Project Activity
     • Built a simple Testbed Bridge CA
       • Off-line system
       • Used Linux and OpenSSL to build the bridge
       • Stored securely when not in use
     • Cross-certifications
       • UVA
       • UAB
       • TACC
       • USC
       • LSU
       • Univ of Arkansas (in progress)
     • www.pki.virginia.edu/nmi-bridge

  7. Globus & PKI Bridges
     • Some issues
       • Globus uses OpenSSL, which is not bridge-aware
         • Preload cross-certificates
         • Signing policy files
       • Certificate profiles used by some campus CAs caused problems
     • Continuing forward with the SURA Grid
       • Cross-certification of sites
       • Developing
         • Directory-based infrastructure to automate management of the gridmap-file
         • Web-based tool for sites to easily add/remove their users
         • Tools to automatically deploy the cross-certificates and signing policy files

  8. HEPKI-TAG Update
     • New revision of PKI-Lite
       • Clarifications to the Policy/Practices document
       • Profiles updated
         • Support for EAP-TLS wireless authentication, recommending use of the Microsoft OID
         • Specified Authority Key Identifier to be compatible with bridges
         • More specified, with more notes for implementers
     • Supporting some other USHER topics
     • Signing tools project
     • Internet2 and Educause HEPKI-TAG site links
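Slides 6 through 8 make three related points: the testbed bridge was built with plain OpenSSL, OpenSSL is not bridge-aware so cross-certificates have to be preloaded, and the PKI-Lite profile pins the Authority Key Identifier so that certificates still chain through a bridge. The script below is an added example, not the SURA/NMI testbed's own tooling and not part of the slides. It builds a miniature fabric (two campus roots plus a bridge, cross-certified in both directions), issues a user certificate at Campus A, and verifies it from a Campus B host that trusts only its own root. All names (Campus A CA, Campus B CA, Testbed Bridge CA, jdoe) and serial numbers are constructed for the demo; it assumes only `openssl` (1.1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added demo (not the SURA/NMI testbed's tooling): a three-CA bridge fabric built
# with OpenSSL, then verified from a campus that trusts only its own root.
# All names (Campus A/B CA, Testbed Bridge CA, jdoe) and serials are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One config serves as the req(1) config for the roots and as -extfile for every
# issued certificate. The CA and "good" user profiles carry the AKI as key id
# only; the "bad" profile also pins the issuing cert's issuer name and serial.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[user_good]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[user_bad]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
EOF

# 1. Self-signed roots: two campuses and the off-line bridge.
mk_root() {  # $1 file stem, $2 CN
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/ca.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1-root.pem" 2>/dev/null
}
mk_root campusA "Campus A CA"
mk_root campusB "Campus B CA"
mk_root bridge  "Testbed Bridge CA"

# 2. Cross-certificates: issuer $1 certifies the EXISTING key of CA $2 under the
#    same name, so one CA key now has two certificates with different issuers.
cross_cert() {  # $1 issuer stem, $2 subject stem, $3 subject CN, $4 serial
  openssl req -new -key "$WORK/$2.key" -subj "/CN=$3" -config "$WORK/ca.cnf" \
    -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -set_serial "$4" -in "$WORK/$2.csr" \
    -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1.key" \
    -extfile "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/$2-by-$1.pem" 2>/dev/null
}
cross_cert bridge  campusA "Campus A CA"       1001
cross_cert campusA bridge  "Testbed Bridge CA" 2001
cross_cert bridge  campusB "Campus B CA"       1002
cross_cert campusB bridge  "Testbed Bridge CA" 3001

# 3. Campus A issues the same grid user one certificate under each profile.
openssl req -new -newkey rsa:2048 -nodes -subj "/O=Campus A/CN=jdoe" \
  -config "$WORK/ca.cnf" -keyout "$WORK/jdoe.key" -out "$WORK/jdoe.csr" 2>/dev/null
user_cert() {  # $1 profile section, $2 serial
  openssl x509 -req -sha256 -days 1 -set_serial "$2" -in "$WORK/jdoe.csr" \
    -CA "$WORK/campusA-root.pem" -CAkey "$WORK/campusA.key" \
    -extfile "$WORK/ca.cnf" -extensions "$1" -out "$WORK/jdoe-$1.pem" 2>/dev/null
}
user_cert user_good 7001
user_cert user_bad  7002

# 4. What a Globus host at Campus B must preload: the two cross-certificates
#    that connect Campus A's CA key to Campus B's root through the bridge.
#    OpenSSL does no directory lookup or bridge-aware path discovery on its own.
cat "$WORK/campusA-by-bridge.pem" "$WORK/bridge-by-campusB.pem" >"$WORK/crosscerts.pem"

# verify_as TRUSTROOT CERT [UNTRUSTED]: exit 0 iff a path to the trusted root exists.
verify_as() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$WORK/$1-root.pem" -untrusted "$3" "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1-root.pem" "$WORK/$2.pem" >/dev/null 2>&1
  fi
}
show() { if verify_as "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
show campusA jdoe-user_bad                          # OK: at the issuing campus both profiles chain
show campusB jdoe-user_good "$WORK/crosscerts.pem"  # OK: path found through the bridge
show campusB jdoe-user_good                         # FAIL: cross-certs not preloaded, no path
show campusB jdoe-user_bad  "$WORK/crosscerts.pem"  # FAIL: AKI pins the campus root's issuer+serial
```

The last two lines are the two slide points in one place. Without the preloaded cross-certificates Campus B has no issuer for the user certificate at all. With them, the "good" certificate chains because its AKI names only the key identifier, which is identical in Campus A's self-signed root and in the bridge-issued cross-certificate for the same key; the "bad" certificate fails because OpenSSL's issuer check also compares the AKI's authorityCertIssuer and authorityCertSerialNumber, and those name the self-signed root, not the cross-certificate. Globus additionally needs a signing policy file for each CA name in the path, as slide 7 lists; this script covers only the OpenSSL side.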
