
Internet2 Middleware PKI: Oy-vey!


Presentation Transcript


  1. Internet2 Middleware PKI: Oy-vey! Michael R. Gettes, Principal Technologist, Georgetown University gettes@Georgetown.EDU http://www.georgetown.edu/giia/internet2

  2. HEPKI • Sponsors: Internet2, EDUCAUSE, CREN • TAG – Technical Activities Group • Jim Jokl, Chair, Virginia • Technology, practicality, deployment, testbeds • PAG – Policy Activities Group • (Default Chair) Ken Klingenstein, Colorado • Knee-deep in policy (CP), HEBCA, Campus, Subscriber and Relying Party issues • PKI Labs (AT&T) – Neal McBurnett, Avaya • Wisconsin-Madison & Dartmouth • Industry, Gov., Edu expert guidance • http://www.educause.edu/hepki

  3. HEPKI-TAG Activities • Charter – Technical Activities Group (TAG) • Certificate profiles, CA software • Private key protection • Mobility, client issues • Interactions with directories • Testbed projects (PKI-Lite, S/MIME Interop, Profiles) • Communicate results • http://www.educause.edu/hepki

  4. HEPKI-PAG: We don’t need no stinkin’ policy? • Policy, lawyers, documenting practice, what gives? • Going outside the institution. Staying inside doesn’t require new policy (rather new practice) • PKI seems to make authN / authZ a legitimate problem deserving legal attention • Working with U.S. Gov’t on PKI Policy • Moved the development of HEBCA Cert Policy • Realized need for Campus Model Cert Policy • Realized need to simplify policy for PKI-Lite

  5. HEBCA: Higher Education Bridge Certificate Authority Michael R Gettes Georgetown University gettes@Georgetown.EDU

  6. Multiple CAs in FBCA Membrane • Survivable PKI • Cross Certificates allow for “one/two-way policy” • Directories are critical in BCA world.

  7. [Diagram: A Snapshot of the U.S. Federal PKI, showing the DOD PKI, Illinois PKI, CANADA PKI, NASA PKI and NFC PKI around the Federal Bridge CA, and the Higher Education Bridge CA with a University PKI.]

  8. What is Cross Certification? • The bridge signs a certificate for the CA and the CA signs one for the bridge (a cross-certificate pair) • Policy OIDs (policy mappings) and name constraint controls are carried in the cross certificates • Cross certificates are published in directories and discovered over the network, so the BCA/CA itself may remain off-line • Policy OIDs could map to XML documents describing the policy (processed per Carmody)

  9. Path Validation • The application receives a certificate • It builds a path from that certificate back to a trust anchor, validating the policy mappings and name constraints in each certificate along the path • Policy mappings can express LOA (levels of assurance), or “we agree to be in Club Shib”, or whatever the two domains agree on • Name constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu
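Slides 8 and 9 describe cross-certification and path validation in prose only. The Python below is an added worked example, not code from the slides or from the HEBCA/FBCA projects: it models certificates as plain records (no signatures, and the cross-certificates sit in a local list rather than being fetched from an LDAP directory) so that the bridge-specific logic can be run and inspected: path discovery through a cross-certificate pair (which makes the issuer graph cyclic), policy mappings that translate a bridge policy OID into the campus CA's OID, and a name constraint that limits the campus CA to its own dc= subtree. The CA names, the policy OIDs under the placeholder arc 1.3.6.1.4.1.99999, and the certificates themselves are constructed for the example and are not the real FBCA or HEBCA values.

```python
"""Toy bridge-CA path discovery and validation.

Simplified RFC 5280 section 6.1 processing: certificates are plain records
with no signatures, and cross-certificates are held in a local list instead
of being looked up in LDAP.  All names and OIDs are constructed for this
example (the 1.3.6.1.4.1.99999 arc is a placeholder, not the FPKI OIDs).
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: tuple                     # DN, root-most RDN first: ("dc=edu", "dc=univa", "cn=alice")
    issuer: tuple
    policies: frozenset                # certificatePolicies OIDs asserted in this cert
    mappings: dict = field(default_factory=dict)   # policyMappings: issuerDomain -> {subjectDomain, ...}
    permitted: tuple = ()              # nameConstraints permittedSubtrees, as DN prefixes
    is_ca: bool = True


def within(dn, subtree):
    """A DN lies inside a subtree when the subtree DN is a prefix of it."""
    return dn[:len(subtree)] == subtree


def find_paths(leaf, certs, anchors, seen=frozenset()):
    """Yield paths [cert issued by a trust anchor, ..., leaf] by following issuer names.

    A cross-certificate pair makes the graph cyclic (the bridge signs the CA
    and the CA signs the bridge), so (subject, issuer) pairs already on the
    current branch are not revisited.
    """
    key = (leaf.subject, leaf.issuer)
    if key in seen:
        return
    seen = seen | {key}
    if leaf.issuer in anchors:
        yield [leaf]
        return
    for cand in certs:
        if cand.is_ca and cand.subject == leaf.issuer:
            for path in find_paths(cand, certs, anchors, seen):
                yield path + [leaf]


def validate(path, initial_policies):
    """Walk the path anchor -> leaf, enforcing name constraints and policy mappings.

    `expected` holds the policies, in the issuer's domain, that the next
    certificate must assert; a cross-certificate's policyMappings rewrite it
    into the subject CA's domain.  Returns (ok, reason, valid_policies_at_leaf).
    """
    permitted = []                     # subtrees in force; later subjects must fall inside every one
    expected = set(initial_policies)
    valid = set()
    for cert in path:
        for subtree in permitted:
            if not within(cert.subject, subtree):
                return False, f"name constraint: {cert.subject} not under {subtree}", set()
        valid = expected & cert.policies
        if not valid:
            return False, f"no acceptable policy at {cert.subject}: asserts {sorted(cert.policies)}", set()
        expected = set()
        for oid in valid:
            expected |= set(cert.mappings.get(oid, {oid}))
        permitted.extend(cert.permitted)   # constraints bind the certificates *below* this one
    return True, "ok", valid


# --- constructed scenario: FBCA <-> HEBCA <-> University A; the relying party trusts FBCA ---
FBCA = ("o=U.S. Government", "ou=FBCA")
HEBCA = ("dc=edu", "dc=hebca")
UNIVA = ("dc=edu", "dc=univa")
FBCA_MEDIUM = "1.3.6.1.4.1.99999.1.1"    # placeholder OIDs, one per policy domain
HEBCA_MEDIUM = "1.3.6.1.4.1.99999.2.1"
UNIVA_LOA2 = "1.3.6.1.4.1.99999.3.2"
UNIVA_LOA1 = "1.3.6.1.4.1.99999.3.1"

CERTS = [
    # cross-certificate pair between the Federal Bridge and HEBCA
    Cert(HEBCA, FBCA, frozenset({FBCA_MEDIUM}), {FBCA_MEDIUM: {HEBCA_MEDIUM}}),
    Cert(FBCA, HEBCA, frozenset({HEBCA_MEDIUM}), {HEBCA_MEDIUM: {FBCA_MEDIUM}}),
    # cross-certificate pair between HEBCA and the campus CA; HEBCA confines the
    # campus CA to subject names under dc=univa,dc=edu
    Cert(UNIVA, HEBCA, frozenset({HEBCA_MEDIUM}), {HEBCA_MEDIUM: {UNIVA_LOA2}}, permitted=(UNIVA,)),
    Cert(HEBCA, UNIVA, frozenset({UNIVA_LOA2}), {UNIVA_LOA2: {HEBCA_MEDIUM}}),
]
ALICE = Cert(UNIVA + ("cn=alice",), UNIVA, frozenset({UNIVA_LOA2}), is_ca=False)
MALLORY = Cert(("dc=edu", "dc=other", "cn=mallory"), UNIVA, frozenset({UNIVA_LOA2}), is_ca=False)
LOW = Cert(UNIVA + ("cn=bob",), UNIVA, frozenset({UNIVA_LOA1}), is_ca=False)


def check(leaf, initial_policies=frozenset({FBCA_MEDIUM}), certs=CERTS, anchors=frozenset({FBCA})):
    """Relying-party view: accept the leaf if any discovered path validates."""
    reasons = []
    for path in find_paths(leaf, certs, anchors):
        ok, why, valid = validate(path, initial_policies)
        if ok:
            return True, [c.subject for c in path], valid
        reasons.append(why)
    return False, reasons or ["no path to a trust anchor"], set()


if __name__ == "__main__":
    for name, leaf in (("alice", ALICE), ("mallory", MALLORY), ("bob", LOW)):
        print(name, check(leaf))
```

Alice's certificate is accepted because the FBCA medium policy is mapped to HEBCA's policy and then to the campus LOA 2 OID along the path; Mallory's is rejected by the name constraint HEBCA placed on the campus CA even though it asserts the right OID, and Bob's is rejected because LOA 1 is never mapped from the relying party's initial policy. In a real deployment the certificates in CERTS would be the crossCertificatePair entries pulled from the bridge and CA directories, which is why the slides call directories critical.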

  10. On Policy • We have a draft HEBCA Certificate Policy • The HE CP and HEBCA CP are congruent • The HEBCA CP and FBCA CP are congruent • We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE

  11. NIH-EDUCAUSE PKI Pilot: Phase Two. Electronic Grant Application With Multiple Digital Signatures. Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

  12. Project Participants • University of Alabama-Birmingham • University of Wisconsin-Madison • University of California, Office of the President • University of Texas – Houston Health Science • Dartmouth College • Georgetown University – HEBCA proper • National Institutes of Health (NIH) • Mitretek (www.mitretek.org)

  13. The Problem • Pictures of piles of grant applications • About 20,000 stacks of paper, each 5 ft high • 1 forest per year for just grant apps • The Solution: signed, electronic grant applications • Of course!

  14. [Diagram: Phase Two Concept of Operations (CONOPS). Universities A, B and C each produce a digitally signed grant application with E-Lock Assured Office and perform certificate validation; the applications cross the Internet to the NIH OER mail server and on to the NIH OER recipient, whose CAM-enabled E-Lock Assured Office validates the signers' certificates and obtains certificate status from the NIH CAM server; validation runs through HEBCA and FBCA.]

  15. [Diagram: sender (UA) to receiver (NIH). FBCA, HEBCA, the UA CA and the NIH CA are joined by cross certs, each published in that organization's directory (FBCA dir, HEBCA dir, UA dir, NIH directory); the NIH CA is the receiver's trust anchor. The receiver's CAM-enabled E-Lock software uses “DAVE” (Discovery and Validation Engine) to get certificates and CRLs via directory chaining, supported by a new LDAP Registry of Directories for BCAs.]

  16. Bridge CA vs. Shibboleth • PKI is hard to deploy to end users • Shib should use BCA-aware PKI between servers • Club Shib will then scale using the policies and relationships established by the Bridge CA world • ONE Club Shib managed by policy, globally • Java 1.4 is bridge-aware; Whistler (the Windows XP codename) is supposed to be.

  17. [Diagram: “The PKI Puzzle” by David Wasley, UCOP, showing a medical PKI hierarchy.]

  18. PKI is 1/3 Technical and 2/3 Policy? [Pie chart: Policy vs. Technical.]
