
HEBCA Overview Internet2 Meeting, Fall 2002






Presentation Transcript


  1. HEBCA Overview, Internet2 Meeting, Fall 2002. Michael R Gettes, Georgetown University, Gettes@Georgetown.EDU

  2. PKI is 1/3 Technical and 2/3 Policy? [pie chart with two segments: Policy, Technical]

  3. A Snapshot of the U.S. Federal PKI [diagram: DOD PKI, Illinois PKI, CANADA PKI, NASA PKI, NFC PKI and the Higher Education Bridge CA around the Federal Bridge CA; a University PKI attached to the Higher Education Bridge CA]

  4. Multiple CAs in FBCA Membrane
     • Survivable PKI
     • Cross Certificates allow for “one/two-way policy”
     • Directories are critical in BCA world.

  5. [Diagram: sender (UA) and receiver (NIH). UA ca with UA dir, HEBCA with HEBCA dir, FBCA with FBCA dir, NIH ca with NIH directory; cross certs between the CAs; “get Cert, CRL via directory chaining”; trust anchor; software “DAVE” (Discovery and Validation Engine), CAM, E-Lock.]
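The cross-certified path that the diagram sketches (a relying party whose trust anchor is its own university CA, reaching a CA on the far side of HEBCA and FBCA), as an added Python example of what a discovery engine such as DAVE has to do. This is not the presentation's code or the DAVE software; the CA names, policy labels and policy mappings are constructed assumptions.

```python
from collections import deque

# Constructed cross-certificate graph modelled on the slide. Each entry stands for
# one cross certificate retrieved from a directory, keyed (issuer, subject), and
# carries the policy mapping that certificate asserts: which issuer-domain
# assurance level is treated as equivalent to which subject-domain level.
# CA names and policy labels are assumptions for illustration, not real OIDs.
CROSS_CERTS = {
    ("UA ca", "HEBCA"):  {"ua-medium": "hebca-medium", "ua-basic": "hebca-basic"},
    ("HEBCA", "UA ca"):  {"hebca-medium": "ua-medium", "hebca-basic": "ua-basic"},
    ("HEBCA", "FBCA"):   {"hebca-medium": "fbca-medium"},  # basic is not mapped into FBCA
    ("FBCA", "HEBCA"):   {"fbca-medium": "hebca-medium"},
    ("FBCA", "NIH ca"):  {"fbca-medium": "nih-medium"},
    ("NIH ca", "FBCA"):  {"nih-medium": "fbca-medium"},
    ("FBCA", "NASA ca"): {"fbca-medium": "nasa-medium"},  # one-way: NASA ca has not certified FBCA back
}


def discover_path(trust_anchor, target, initial_policies):
    """Breadth-first path discovery from the relying party's trust anchor to the
    target CA. The set of acceptable policies is carried along and rewritten by
    each cross certificate's mapping; a cross certificate that maps none of the
    surviving policies cannot be used. Returns (path, policies) for the first
    valid path found, or None when no policy-compatible path exists."""
    start = frozenset(initial_policies)
    queue = deque([(trust_anchor, [trust_anchor], start)])
    seen = {(trust_anchor, start)}
    while queue:
        ca, path, policies = queue.popleft()
        if ca == target:
            return path, set(policies)
        for (issuer, subject), mapping in CROSS_CERTS.items():
            # Only follow certificates issued by the CA we are currently at, and
            # never revisit a CA already on the path (bridges create cycles).
            if issuer != ca or subject in path:
                continue
            mapped = frozenset(mapping[p] for p in policies if p in mapping)
            if not mapped:  # policy intersection is empty: this cross certificate is unusable
                continue
            state = (subject, mapped)
            if state not in seen:
                seen.add(state)
                queue.append((subject, path + [subject], mapped))
    return None


if __name__ == "__main__":
    print(discover_path("UA ca", "NIH ca", {"ua-medium"}))     # path through HEBCA and FBCA
    print(discover_path("UA ca", "NIH ca", {"ua-basic"}))      # None: basic assurance stops at the bridge
    print(discover_path("NASA ca", "UA ca", {"nasa-medium"}))  # None: one-way cross certification
```

The second and third calls show why the slide calls cross certificates a “one/two-way policy” instrument: a missing mapping or a missing reverse certificate ends path discovery even though the CAs are reachable as a graph.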

  6. Medical PKI Hierarchy: “The PKI Puzzle” by David Wasley, UCOP

  7. HEBCA linkage [diagram labels: Euro PKI, Weems’ Wacky World, CREN, Medical, Healthkey, State Bridges, Inter-Directories, FBCA, HEBCA, GRID, NIH, MitreTek, E-Auth, Shib, Apache, FDRM, SEVIS, Signed Email, VidMid]

  8. “Registry of Directories” Structure [diagram: referral directories and content directories, with nodes labelled (Top), dc=edu, c=us, c=japan, dc=intl, dc=uab, dc=ucop, o=US Govt, o=HHS, ou=FBCA, ou=A, o=NASA, ou=agency7, ou=FBCA, o=US Govt, c=us; several nodes marked “(else sup)”, one marked “<no else>”. Legend: a subordinate referral; a superior referral.]
     • The “else superior referral” clause exists to give any LDAP client (or content directory) the option of pointing to a referral directory and still being able to construct a desired path
     • There is no “else” clause in content directories, to prevent loops

  9. HEBCA BID
     • Board of Instantiation and Development
     • 10-12 of CIO, Techies, Lawyers (usual suspects)
     • 1 Year to make HEBCA production
     • Governance
     • Stand up Policy/Operational Authorities
     • Service (Business plan, structure, fees, management)
     • Cross-certify with FBCA
     • Funding and Technical development issues
     • Application interfaces, discovery, blah blah blah

  10. HEBCA Issues
     • Certificates in Directories
     • Gietz: Break out cert data in dir objects (searchable certs)
     • Chadwick: Certificate Parsing Server
     • Likely a major impact on Bridge CA model
     • OpenSSL/OpenCA to be “bridge aware”
     • Registry of Directories (Next-Gen)

  11. HEBCA Issues
     • Deployment
     • Web Server plugin (apache)
     • Email validator (server based on receipt)
     • Bill Weems and crew; many apps
     • Application Integration
     • CAM/DAVE extensions (server validation)
     • OCSP, XKMS, SCVP, Novomodo, blah blah
     • Understanding Java 1.4 and WinXP
     • Develop appropriate APIs
     • Browser awareness!!!!
