
PKI Status @ Georgetown University or Whaassuuuup PKI?

Michael R. Gettes, Lead Application Systems Integrator “LASI”, gettes@Georgetown.EDU


Presentation Transcript


  1. PKI Status @ Georgetown University or Whaassuuuup PKI?
  Michael R. Gettes
  Lead Application Systems Integrator “LASI”
  gettes@Georgetown.EDU

  2. Policy
  • We don’t need no stinkin’ policy!
  • Covert warfare can be a valid tactic for IT deployments
    • Yes, this is a juicy rationalization with self-serving purpose
  • Verified no District (DC) laws limiting PKI
  CSG PKI Workshop gettes@georgetown.edu

  3. Middleware
  • If the goal is a PKI…
    • Identifiers
    • Identification process
    • Authentication systems
    • Directory
    • CA Deployment
    • Server Certificates
    • Authorizations
    • Client Certificates

  4. Server Config
  • CA Software
    • Netscape CMS 4
    • Solaris, E250
    • On same physical hardware as Kerberos slave
    • Root key is simple PW protected. But, this is COTS!
  • Purchased 100 Certs
    • $30 each; your mileage may vary
  • All work done by 1 person
  • Get this going quickly for Network Services

  5. Netscape CMS 4.2
  • Some Auth-n methods for end users
    • Really intended for LDAP integration
  • Forms for certificate enrollment
  • Web based for RA and Operator functions
  • Policies for governing the formulation of certificates
  • Managed by Netscape Console
  • Publishing of certificates and CRLs
    • LDAP, of course

  6. Netscape CMS 4.2
  • Event-driven notifications
  • Backup and recovery (escrow)
    • See sproule@Princeton.EDU for more info
  • Database is LDAP as well… do we detect a pattern here?

  7. CA Certificate
  • Valid until 10/2001
  • Simple profile
    • No special extensions
    • No special constraints or criticalities
  • Subject contains X.500 and DC names
    • O=Georgetown University
      • required because of Communicator
    • dc=georgetown,dc=edu
      • At end of subjectName in Certificates
      • Also root suffix for Enterprise Directory

  8. CA Issued Certificates
  • Client Certificates
    • NONE
    • Cost, Deployment, Policy
  • Server Certificates
    • On a limited basis, carefully considered
    • Valid until 10/2001
    • No special constraints

  9. Expiry Rationale
  • Why 10/2001 for Expiry?
    • Force decision on future PKI vendor or continue “as is”. Hopefully a decision!
    • October implies a summer time redeployment with “misses” found in October when community is present.
    • Realization of the future of CREN CA
      • Validity period, fBCA model, browser deployments (maybe)

  10. CA Certificate Deployment
  • Netscape Communicator 4.7x
    • Customized Netscape for CA Cert deployment
    • Also needed for IMAP and other new services
    • Central IMAP and Directory only accessible with SSL
  • Internet Explorer
    • No custom distribution method developed. Would like to do something in the future along with Win2K
    • Manual configuration of CA Certificate
    • People can visit https://ca.georgetown.edu
  • Alumni and other public services: Verisign

  11. CA Certificate Deployment
  • There must be a better way!
  • MIT approach assumes client cert distribution like others, not a bad thing, just different
  • Microsoft seems willing to play ball
  • heDRCD (being discussed in HEPKI-TAG)

  12. Directories are part of the I in PKI
  • Directory (October, 1999)
    • Centralized, automated Name Space
    • VERY carefully controlled
      • Users modify very little
      • Priv’d access highly restricted
    • Control considered necessary step for PKI to trust the directory
  • Eventually, client, server and other certs will be published in the directory.
  • Hopefully a model campus for LDAP deployment
    • Internet2 Middleware 201 (others?) coursework
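An added example, not from the presentation, tying slides 7 and 12 together: it checks a certificate subject against the slide-7 profile (O=Georgetown University present, dc=georgetown,dc=edu as the trailing components) and derives the directory entry DN under the same root suffix, where slide 12 says certificates will eventually be published. It assumes subjects in RFC 4514 string form and that the directory entry is the subject with the O= component dropped (O= is there only for Communicator); the sample names are constructed.

```python
# Added example (not from the presentation): subject-name check for the
# slide-7 profile plus mapping onto the slide-12 directory namespace.
# Assumptions: subjects are RFC 4514 strings; the directory entry DN is the
# subject minus the O= component. All person/host names are constructed.

ROOT_SUFFIX = "dc=georgetown,dc=edu"    # root suffix of the Enterprise Directory
REQUIRED_ORG = "Georgetown University"  # O= value Communicator requires per slide 7

def split_dn(dn):
    """Split an RFC 4514 DN into [(attr, value), ...], honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char, e.g. '\,' inside a value
            cur.append(dn[i + 1]); i += 2; continue
        if ch == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for r in rdns:
        attr, sep, value = r.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % r)
        out.append((attr.strip().lower(), value.strip()))
    return out

def join_dn(rdns):
    """Re-serialise RDNs, escaping commas inside values."""
    return ",".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in rdns)

def check_subject(subject):
    """Return (ok, problems) for a subject against the campus profile."""
    rdns = split_dn(subject)
    suffix = split_dn(ROOT_SUFFIX)
    problems = []
    tail = [(a, v.lower()) for a, v in rdns[-len(suffix):]]
    if tail != [(a, v.lower()) for a, v in suffix]:
        problems.append("subject does not end in %s" % ROOT_SUFFIX)
    if ("o", REQUIRED_ORG) not in rdns:
        problems.append("missing o=%s" % REQUIRED_ORG)
    return (not problems, problems)

def directory_entry_dn(subject):
    """DN of the directory entry where this certificate would be published."""
    ok, problems = check_subject(subject)
    if not ok:
        raise ValueError("; ".join(problems))
    return join_dn([(a, v) for a, v in split_dn(subject) if a != "o"])
```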

  13. Overall Plan
  • Best of all 3 worlds
    • LDAP + Kerberos + PKI
  • LDAP Authentication performs Kerberos Authentication out the backend. Started 9/2000 to finish NS plug-in.
  • Credential caching handled by Directory.
  • All directory authentications SSL protected. Enforced with necessary exceptions
  • Use Kerberos to derive Certificates
  • One Userid/Password (single-signon vs. FSO)

  14. Overall Plan
  • AT&T Access Cards (Onecard project)
    • Vending, Building Access, Credit, etc
    • Mag-stripe only, no chip
  • Unfortunately, no smart-card plan by admin – at least nothing I have seen
  • Schlumberger interested in HEPKI

  15. CA Future
  • OpenCA (built on OpenSSL)?
  • Baltimore?
  • Casey Lide – DST?
  • Netscape/iPlanet/Sun?
  • Outsourcing? (parts is parts is parts)
  • Something else? (notaries)
  • Ken’s matrix should help with decision

  16. Georgetown Institute for Information Assurance
  • Recently formed: July 2000
  • Research and practical deployment of Network Security, Internet2 Middleware and PKI
  • Joint work between Central IT, CompSci, Medical Center, Law Center, Public Policy Institute, Legal and other experts and faculty.
  • Focal point for University policy and practice
  • http://www.georgetown.edu/giia

  17. Georgetown Activities
  • Internet2 Middleware + EDUCAUSE, CREN
    • Directories, Dir of Dirs for Higher Ed, Shibboleth, PKI, CREN CA, LDAP-RECIPE, eduPerson
  • Professor Dorothy Denning, CS, info-warfare
  • Prof./Dr. Jeffrey Collmann, Sociology
  • Dr. Alan Zuckerman, biometrics
  • HEPKI TAG/PAG – Kathryn Baerwald, Georgetown Legal PAG involvement.