
Getting Started with Digital Certificates: Is PKI-Lite Real PKI?

Internet2 Spring Meeting 2002, Washington, DC. Panel: Judith Boettcher (CREN), Frank Grewe (Minnesota), Vace Kundacki and Alan Crosswell (Columbia).



  1. Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC

  2. Panel
  • Intro to PKI-Lite: Judith Boettcher, CREN
  • Minnesota story: Frank Grewe
  • Columbia: Vace Kundacki, Alan Crosswell

  3. What is PKI-Lite? PKI-Lite — “Full-featured PKI technology deployed with existing campus standards for identification and authentication (I&A) and security”

  4. Is PKI-Lite Real? It was developed by the HEPKI-TAG and HEPKI-PAG groups and is now under review and implementation. Why did PKI-Lite evolve?

  5. Policy Swamp (for 18 months). PKI-Lite Environment: at last!

  6. PKI-Lite Trust Environment - What is it?
  • "Trust Documents"
    • Certificate policy
    • Certificate practice statement
    • Certificate profiles for institutional and end-entity certificates (X.509 v3, IETF)
    • Relying party statement, for content providers, publishers, etc.
  • Existing Campus Registration Authority: Registrar, HR
  • Certification Authority: IT department with systems and software

  7. PKI-Lite Technology Environment - What is it?
  • "Good enough" to move forward
  • Provides a Level of Assurance (LOA)
    • Rudimentary for client certificates
    • Basic/Medium for campus certificates

  8. PKI-Lite Environment
  • Available now
  • Combined PKI-Lite Certificate Policy and Certification Practices Statement Template: middleware.internet2.edu/hepki-tag/pki-lite/pki-lite-policy-practices.htm
  • Certificate Profiles, for the campus CA and for end-entity/client certificates
  • The PKI-Lite CP/CPS is being sent to various higher education groups for review
    • Reviewed by two content providers in late 2001
    • Request to keep certificate validity periods to a maximum of 12.5 months

  9. The CREN CA at MIT
  • SafeKeyper HSM box holding the CREN CA key; this box issues (signs) certificates in response to Certificate Signing Requests (CSRs)

  10. Five Types of Certificates - It's easy to get confused!
  • Root Certificates: "self-signed certs". A root is signed with its own key, so the signature proves nothing about who holds it; relying parties must install it as a trust anchor out of band.
  • Institutional Certificates: also called campus certs
  • Organizational Certificates: also called department certs, association certs
  • Web server certificates: also called server-side certs
  • End-Entity Certificates: also called end-user certs, client certs, individual certs, personal certs, or entity certs
    • Client certs: different ones for signing email, encrypting email, and web authentication

  11. What Do Individuals Use Certificates for?
  • Authenticating oneself to a server
  • Signing email
    • The same certificate can be used for these two purposes, signing email and authenticating oneself to a server
  • Encrypting email
    • Individuals will designate one specific certificate for encrypting email

  12. CREN Certificate Services for Higher Education
  • Hierarchy of Institutional Certificates
    • CREN CA Certificates, operational since 11/99
    • Web server certificates
  • CREN.net CA for client certificates
    • CREN.net CA for staff, members and pilot projects
    • Potentially for individuals at campuses without CAs who must meet federal mandates

  13. What are Higher Ed Organizations Doing?
  • HEPKI-TAG (Internet2, CREN, Educause): Higher Education PKI - Technical Advisory Group
    • Developing the PKI-Lite environment
    • Now doing some pilot testing with S/MIME
  • HEPKI-PAG (Internet2, CREN, Educause): Higher Education PKI - Policy Advisory Group
    • Developing the PKI-Lite environment
  • Internet2: leading the Middleware initiative, including the Shibboleth Project
    • Check out www.internet2.edu/middleware
  • EDUCAUSE: leading the Higher Ed Bridge CA

  14. Who is Doing or Planning PKI Use on Campus?
  • Two major classes of applications
    • Web-based applications
    • Electronic mail (S/MIME)
    • Plus authentication for network access, such as VPN and wireless
  • Campuses that are working with PKI: MIT, Georgia Tech, Princeton, U of Virginia, Cornell, U of Wisconsin, U of MN, U of Alabama, U of Mass, Columbia, Penn State, U of Tennessee
  Source: J. Jokl/HEPKI-TAG

  15. Examples of Web-Based Apps and Electronic Mail
  • Authentication
    • Business services
    • Access to class materials
    • Access to remote databases
    • HR self service
    • Telecom requests
  • Electronic mail (S/MIME)
    • General individual use
    • Submission of service orders
    • Submission of timesheets, travel reports
  • More detail is at:
    • www.cren.net/crenca/icertpages/why.html
    • middleware.internet2.edu/hepki-tag/TAG-PKI-Apps3.xls
  Source: J. Jokl/HEPKI-TAG

  16. On to Campus Stories… Frank and Vace and Alan

  17. PKI-Lite Environment
  • Standard PKI-Lite Cert Profiles
    • Certificate Profile for Root Certificates: middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-2.html
    • Certificate Profile for End-entity Certificates: middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-profile-6.html
  • These profiles come with implementor notes discussing the extensions and fields to be filled out at the campus-level CA
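The certificate types on slide 10, the signing/encryption split on slide 11, the 12.5-month validity request on slide 8 and the root/end-entity profiles on slide 17 can be tried out end to end in code. The block below is an added example written for this transcript; it is not code from HEPKI-TAG, CREN or any of the linked profiles. It uses the Python `cryptography` package to build a self-signed root, a campus CA under it, and two end-entity certificates for one person (one for web authentication plus S/MIME signing, one designated for S/MIME encryption), then checks the end-entity certificates against a few rules taken from the slides. The institution name, the user `alice@example.edu`, the key-usage bits chosen for each role and the reading of "12.5 months" as 380 days are assumptions made for illustration.

```python
# Added example, not code from the HEPKI-TAG or CREN materials: a small
# root -> campus CA -> end-entity hierarchy plus a profile checker.
# Names, the key-usage split and the 380-day cap are assumptions.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MAX_END_ENTITY_VALIDITY = timedelta(days=380)  # assumed reading of "12.5 months"

def _name(cn, org="Example University"):  # hypothetical institution
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key_usage(**flags):
    """x509.KeyUsage requires all nine bits; every bit not named is False."""
    names = ("digital_signature content_commitment key_encipherment data_encipherment "
             "key_agreement key_cert_sign crl_sign encipher_only decipher_only").split()
    return x509.KeyUsage(**{n: flags.get(n, False) for n in names})

def _rsa():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def _issue(subject, issuer_name, public_key, signing_key, days, extensions):
    """Sign a certificate for `subject` with `signing_key`, valid for `days`."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
               .public_key(public_key).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=days)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(signing_key, hashes.SHA256())

def build_hierarchy(end_entity_days=380, email="alice@example.edu"):
    """Return (root, campus_ca, signing_cert, encryption_cert)."""
    root_key, campus_key, sign_key, enc_key = _rsa(), _rsa(), _rsa(), _rsa()
    ca_exts = lambda depth: [(x509.BasicConstraints(ca=True, path_length=depth), True),
                             (_key_usage(key_cert_sign=True, crl_sign=True), True)]
    root_name = _name("Example Root CA")
    # Root: self-signed, so issuer == subject and the root key signs it.
    root = _issue(root_name, root_name, root_key.public_key(), root_key, 3650, ca_exts(1))
    campus = _issue(_name("Example Campus CA"), root.subject, campus_key.public_key(),
                    root_key, 1825, ca_exts(0))
    ee_common = [(x509.BasicConstraints(ca=False, path_length=None), True),
                 (x509.SubjectAlternativeName([x509.RFC822Name(email)]), False)]
    # One cert covers web authentication and email signing (slide 11) ...
    signing = _issue(_name("Alice Example"), campus.subject, sign_key.public_key(),
                     campus_key, end_entity_days, ee_common + [
                         (_key_usage(digital_signature=True), True),
                         (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH,
                                                 ExtendedKeyUsageOID.EMAIL_PROTECTION]), False)])
    # ... and a separate, designated cert is used for email encryption.
    encryption = _issue(_name("Alice Example"), campus.subject, enc_key.public_key(),
                        campus_key, end_entity_days, ee_common + [
                            (_key_usage(key_encipherment=True), True),
                            (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), False)])
    return root, campus, signing, encryption

def check_end_entity(cert, issuer):
    """Return the list of profile violations; an empty list means it passes."""
    problems = []
    # cryptography >= 42 exposes tz-aware *_utc properties; fall back otherwise.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    if not_after - not_before > MAX_END_ENTITY_VALIDITY:
        problems.append("validity exceeds 12.5 months")
    exts = cert.extensions
    try:
        if exts.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("end-entity cert asserts cA=TRUE")
        exts.get_extension_for_class(x509.KeyUsage)  # must be present
        san = exts.get_extension_for_class(x509.SubjectAlternativeName).value
        if not san.get_values_for_type(x509.RFC822Name):
            problems.append("no rfc822Name in subjectAltName")
    except x509.ExtensionNotFound as err:
        problems.append("missing extension: %s" % err)
    if cert.issuer != issuer.subject:
        problems.append("issuer name does not match the CA subject")
    try:  # the CA public key must verify the signature over the TBS bytes
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        problems.append("signature does not verify under the CA key")
    return problems

def roles(cert):
    """Map keyUsage and extendedKeyUsage bits onto the uses listed on slide 11."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    eku = list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    uses = set()
    if ku.digital_signature and ExtendedKeyUsageOID.CLIENT_AUTH in eku:
        uses.add("web-auth")
    if ku.digital_signature and ExtendedKeyUsageOID.EMAIL_PROTECTION in eku:
        uses.add("email-sign")
    if ku.key_encipherment and ExtendedKeyUsageOID.EMAIL_PROTECTION in eku:
        uses.add("email-encrypt")
    return uses
```

Running `check_end_entity(signing, campus)` on the certificates from `build_hierarchy()` returns an empty list, while passing the campus CA certificate itself, or an end-entity certificate issued for more than 380 days, returns the corresponding violations. The checker deliberately verifies the signature against the issuer's public key rather than trusting the issuer name alone; a matching name with a failed signature is exactly the case a relying party must reject.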
