
NET@EDU

NET@EDU. Co Chairs C. W. Goldsmith University of Alabama at Birmingham David L. Wasley University of California Office of the President. PKI Workshop. Tempe, AZ February 5, 2002 Meeting Moderator – Clair Goldsmith. PKI Workshop Agenda.


Presentation Transcript


  1. NET@EDU
     Co Chairs
     • C. W. Goldsmith, University of Alabama at Birmingham
     • David L. Wasley, University of California Office of the President

  2. PKI Workshop
     • Tempe, AZ
     • February 5, 2002
     • Meeting Moderator – Clair Goldsmith

  3. PKI Workshop Agenda
     • 8:30 – Welcome Clair G.
     • 8:40 – Campus update roundtable
     • 9:30 – CREN CA update David W.
     • 9:40 – HEBCA update NIH experiment Steve W.
     • 9:50 – HECP presentation David W.
     • 10:00 – PKI-Lite and S/MIME initiative David W.
     • 10:15 – Break

  4. PKI Workshop Agenda
     • 10:45 – Quick updates
       • FERPA and PKI Directories Steve W.
       • HIPAA update Clair G.
       • HealthKey, etc. Clair G.
     • 11:00 – PKI Implementation Issues Clair G.
     • 12:00 – 1:00 Lunch

  5. PKI Workshop Agenda
     • 1:00 – Grid Security Technologies
       • Grid Security Requirements John M.
       • CAS Von M.
       • Shibboleth & Inter-realm author Bob M.
       • HEBCA, HEPKI Michael G.
       • KX509 Ken K.
       • myProxy Randy
     • 3:00 – Break

  6. PKI Workshop Agenda
     • 3:30 – Continued PKI Implementation Issues
       • Potential pilot projects and/or issues to be investigated
     • 5:00 – Adjourn

  7. PKI IMPLEMENTATION ISSUES
     • Strategies For Implementing a CA
       • In-house versus outsourcing
       • Vendor code versus open source
       • Institutional resource requirements
       • What about the CP/CPS?

  8. PKI IMPLEMENTATION ISSUES
     • Authorization Strategies
       • Legacy applications?
       • Can we categorize applications and appropriate strategies?
       • Attribute certificates versus attribute directories

  9. PKI IMPLEMENTATION ISSUES
     • Portals and other "single sign-on" approaches
       • Applications such as ERP systems and course management systems need to be not just directory enabled, but cert-in-directory enabled.

  10. PKI IMPLEMENTATION ISSUES
      • Directories
        • Is there an authoritative directory of those associated with the institution?
        • If not, what does it take to create one? (best practices)

  11. PKI IMPLEMENTATION ISSUES
      • Email
        • Can be signed and encrypted.
        • Is a one- or two-key system best, and why?
        • List servers can modify email, thereby making signing those messages pointless.

  12. PKI IMPLEMENTATION ISSUES
      • Email
        • Outlook has two mechanisms:
          • One requires that all email be signed – in other words, signing is a configuration parameter of the Outlook client
          • Other requires pulldown menus for single use (4 clicks)
        • Ideally, signing should be something I choose.
        • Should signing require a password (access the private key) every time it is performed?
        • Outlook signs only the email message and not enclosed attachments.
        • Communicator seems to sign both.

  13. PKI IMPLEMENTATION ISSUES
      • Multiple certificates and S/MIME!

  14. PKI IMPLEMENTATION ISSUES
      • Digital Signatures
        • How can one sign a document (in Word), independent of an email client?
          • Requires a third-party product, for example eLock
        • Adobe allows signing of Acrobat documents through proprietary plug-ins, but plug-ins are not available for all certificates.
        • How can the Adobe signer be prevented from creating certificates?

  15. PKI IMPLEMENTATION ISSUES
      • What does it mean to sign a web form?
        • Does it attest to the information placed in boxes?
        • The information around the boxes?
        • Or both?
        • If both, what is then done with it? Where is it put?
        • Does all of it need to be in a database: lock, stock, and html? [If so, there are neat things one can contemplate regarding records retention.]

  16. PKI IMPLEMENTATION ISSUES
      • Multiple Signatures
        • Having more than one signature on a document is rarely supported
        • One signer application (e-Lock version 4.X) allows multiple signatures, but you cannot see the document content at the time you sign the document, which provides opportunities for other errors.

  17. PKI IMPLEMENTATION ISSUES
      • Other Signature Issues
        • Do you always need to validate signatures as well as verify them?
        • If so, application plug-ins such as provided by Adobe will not be adequate.
        • Some of the application signers are priced on a per use basis!

  18. PKI IMPLEMENTATION ISSUES
      • Cert & Key Management
        • How to best handle key escrow for decryption keys?
        • This problem is compounded when keys expire annually.

  19. PKI IMPLEMENTATION ISSUES
      • Certificate and private key portability options?
      • Proxy authentication issues

  20. PKI IMPLEMENTATION ISSUES FUTURES
      • National Security Card
