PKI: News from the Front

  1. PKI: News from the Front Ken Klingenstein, Project Director, I2 Middleware Initiative; Chief Technologist, University of Colorado at Boulder

  2. PKI Components • X.509 certificates, profiles, PKCS • CAs and CRLs (certificate revocation lists), RAs (registration authorities), ARLs (authority revocation lists) • policies and practices • trust models • viable products that generate, invalidate, manage, and store keys and certs

  3. Why Is PKI Important • It's now time to put people, not just machines, on the net in a secure way • First potentially scalable security/authentication tool • Confounded by real-world issues, such as mobility, formalizing trust, inadequate infrastructure, etc.

  4. General Developments • Businesses deploying internal, “hard-coded” installations • Federal government developing external, limited use installation and agency interoperability • Foreign governments developing centralized national services

  5. What’s Happening in HE/R • A very few campuses have deployed a limited infrastructure for specific, generally web-based, applications - MIT, Stanford • Use of junk certs in some instances • DLF pilot project - UCOP, Columbia • CREN is working on a top-level CA • Educause is working in the policy space

  6. Higher Ed/Research and PKI • loosely coupled management structures • people are usually an intersection of a number of communities of interest • regulations - FERPA, Open Records, state govs, federal agencies • pre-market needs; small market appeal

  7. Why Are We Important • Higher Ed is a proven scaling testbed and market precursor • Educated user base • Need to push the edge to support the research mission • Can assess societal impacts • In this area, our multi-role characteristics presage the future

  8. Functional Uses of Certs • Access token (e.g. libraries) • Session authentication (real time) • Authorization (native, or carrying of attributes) • Encryption of email or files (S/MIME) • Session integrity and confidentiality (e.g. SSL, TLS, IPSEC) • Digitally signed objects

  9. Technical support needs - 1 • Archiving • Escrow • CRL • Automatic cert renewal • Mobility • Exportability overseas • On-line or off-line operation

  10. Technical support needs - 2 • Non-repudiation • NTP • Directories • Identifiers • CPS • Load (number of pages)

  11. An Undeveloped Matrix • Rows are functional uses • Columns are technical requirements • Entries represent the ways in which desired uses require specific infrastructural components • Important aspects for entries include: what is needed to do it right; how it can be done wrong; whether it needs to interoperate

  12. Three Critical Contexts • Does it work for the end-user? • Does it work for the enterprise? • Does it work for the community of interest?

  13. X.509 and PKCS • X.509 defines the certificate and CRL formats and certification path validation, the basis for trust models and for the uses above • PKCS (RSA's Public-Key Cryptography Standards) defines critical implementation details - e.g. specific algorithm encodings (PKCS #1 for RSA), certificate requests (PKCS #10), and private-key and portable key/cert bundle formats (PKCS #8, PKCS #12) • PKCS is RSA-oriented; patent burning party next year (the RSA patent expires in September 2000)

  14. Isolation layers • To separate application programmers from the turmoil at the security layer • Allow service providers to change service implementations without touching applications • Implemented as APIs and associated libraries • GSSAPI, GAA-API, MS CryptoAPI (version 2), Novell NICI, Java (JCA/JCE)

  15. Higher Ed PKI Open Issues - I • profiles - common certificate templates for standard academic uses • policies - stating eligibilities, roles and responsibilities • practices - standard specific operating conventions • trust models - hierarchy, bridge, none; on and off-campus • risk abatement - minimize consequences

  16. Higher Ed PKI Open Issues - II • CRLs - where to store them, how frequently to publish • viable products - cost, flexibility, mobility, integration with embedded bases, public domain/open source alternatives • research opportunities - apps that use policies
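The components of slide 2 (CA, RA, CRL, certificate profiles), the S/MIME and session-authentication uses of slide 8, and the CRL-publication issue of slide 16 can be exercised end to end with the openssl command line. The script below is an added example written for this page, not part of the slides or of any Internet2 or campus deployment; it assumes an openssl CLI (1.1.1 or later) on PATH, and the CA name, the person "Alice Student" and the address alice@example.edu are made up for the demo. It builds a one-level campus CA with two certificate profiles, issues a person certificate from a CSR, publishes a CRL, verifies the certificate as a relying party would, revokes it, and shows that the revocation is only visible once a new CRL is published.

```shell
#!/bin/sh
# Added example (not from the slides): a minimal campus CA with the openssl CLI.
# Assumes openssl 1.1.1+ on PATH. All names and addresses are invented.
# -nodes writes unencrypted private keys; acceptable only for a throwaway demo.

# CA configuration with two profiles: ca_ext for the CA itself, user_ext for
# a "person" certificate usable for client authentication and S/MIME.
write_ca_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = campus_ca

[ campus_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = person_policy

# Subject fields the CA will sign; anything else in the CSR is dropped.
[ person_policy ]
commonName   = supplied
emailAddress = optional

[ req ]
distinguished_name = dn
[ dn ]

[ ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ user_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectAltName         = email:copy
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# CA state: index.txt is the issuance database openssl ca maintains.
init_ca() {
  write_ca_config
  mkdir -p newcerts
  : > index.txt
  echo 1000 > serial
  echo 01 > crlnumber
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Campus CA" -config ca.cnf -extensions ca_ext \
    -days 365 >/dev/null 2>&1
}

# RA step (key pair + CSR for one person), then CA signing under user_ext.
issue_user_cert() {  # $1 = file basename, $2 = common name, $3 = email
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2/emailAddress=$3" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -extensions user_ext \
    -in "$1.csr" -out "$1.crt" -notext >/dev/null 2>&1
}

# Publish a CRL; relying parties only see revocations that are in it.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

revoke_user_cert() {  # $1 = file basename
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
}

# Relying-party check: path validation to the CA plus a CRL lookup.
# Prints OK, REVOKED, or FAIL (any other validation error).
verify_user_cert() {  # $1 = file basename
  out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem "$1.crt" 2>&1) \
    && { echo OK; return; }
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *) echo FAIL ;;
  esac
}

# Whole lifecycle in a scratch directory; prints both verification results.
pki_lifecycle_demo() {  # $1 = scratch directory
  (
    cd "$1" || exit 1
    init_ca
    issue_user_cert alice "Alice Student" alice@example.edu
    publish_crl
    before=$(verify_user_cert alice)
    revoke_user_cert alice
    stale=$(verify_user_cert alice)   # old CRL still says OK
    publish_crl
    after=$(verify_user_cert alice)
    echo "before=$before stale-crl=$stale after=$after"
  )
}

# pki_lifecycle_demo "$(mktemp -d)"   # before=OK stale-crl=OK after=REVOKED
```

The `stale-crl` result is the practical content of the CRL question on slide 16: a relying party that validates against a cached CRL keeps accepting a revoked certificate until the CA republishes and the client refetches, so the publication interval (default_crl_days here) bounds how long a compromised key stays usable.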
