Pki federations in higher education nist pki r d workshop 5 april 4 6 2006 gaithersburg md
Download
1 / 24

- PowerPoint PPT Presentation


  • 291 Views
  • Uploaded on

PKI Federations in Higher Education NIST PKI R&D Workshop #5, April 4-6 2006, Gaithersburg MD Contents Overview of PKI in Higher Education HEBCA Challenges and Opportunities Overview 5 Potential Killer Apps for PKI in Higher Education S/MIME Paperless Office workflow Shibboleth

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about '' - Faraday


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Pki federations in higher education nist pki r d workshop 5 april 4 6 2006 gaithersburg md l.jpg

PKI Federations in Higher EducationNIST PKI R&D Workshop #5, April 4-6 2006, Gaithersburg MD


Contents l.jpg
Contents

  • Overview of PKI in Higher Education

  • HEBCA

  • Challenges and Opportunities


Overview l.jpg
Overview

  • 5 Potential Killer Apps for PKI in Higher Education

    • S/MIME

    • Paperless Office workflow

    • Shibboleth

    • GRID Computing Enabled for Federations

    • E-grants facilitation


Overview4 l.jpg
Overview

  • PKI Initiatives in US Higher Education Community

    • HEBCA (Higher Education Bridge Certificate Authority)

    • USHER (US Higher Education Root)

    • InCommon

    • Grid based PKIs

    • Campus based PKIs


Overview higher education bridge certificate authority hebca l.jpg
OverviewHigher Education Bridge Certificate Authority - HEBCA

  • HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc can all be trusted inter-institutionally and not just intra-institutionally

  • Extensions to the Higher Education trust infrastructure into external federations is also possible and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension

  • Single credential accepted globally

  • Uses Levels of Assurance to indicate strength of Identification and Authentication procedures, audit/separation of duty requirements, and key protection measures

  • Potential for stronger authentication and possibly authorization of participants in grid based applications


Slide6 l.jpg

OverviewUnited States Higher Education Root – USHER

  • USHER is a public key infrastructure (PKI) supported by the higher education community to facilitate emerging deployments in research, education, and transactions in higher education that require PKI and allows subscribers to base PKI applications and services in a common root with peers and collaborative partners

  • USHER is the Trusted Root of a hierarchical PKI for US Higher Education – the root only signs subordinate CA certificates, and the service is designed to bootstrap institutional PKIs by providing policy infrastructure and a CA

  • USHER Foundation is the first service offered and is designed to be a broadly adoptable PKI with easy implementation by leveraging most existing campus identity practices

  • USHER Foundation does not audit or in any other way validate the policy or practice that a subscriber uses to issue certificate credentials to its users, instead, USHER has developed a set of Expected Practices for campus CA operators to consider

  • Other USHER services are anticipated with stronger levels of assurance and auditable policies


Slide7 l.jpg

OverviewInCommon

  • The mission of the InCommon Federation is to create and support a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States.

  • InCommon will facilitate development of a community-based common trust fabric sufficient to enable participants to make appropriate decisions about access control information provided to them by other participants

  • InCommon is intended to enable production-level end-user access to a wide variety of protected resources and uses Shibboleth® as its federating software

  • InCommon® eliminates the need for researchers, students, and educators to maintain multiple, password-protected accounts

  • Although this system is assertion based, there is still a need for PKI credentials to protect the server infrastructure, and PKI can also be used as the authentication mechanism.


Slide8 l.jpg

OverviewGrid based PKIs

  • Some higher education institutions operate production level Grid CAs approved by TAGPMA

    • TeraGrid (Illinois, Purdue)

    • Open Science Grid (California)

    • Texas High Energy Grid (Texas)

    • San Diego Supercomputing Center

  • Many institutions run experimental grid CAs to investigate the potential of this activity

    • Dartmouth College

    • University of Virginia


Slide9 l.jpg

OverviewCampus PKIs

  • Managed PKIs from Commercial vendors

    • CA operations outsourced to vendor

      • CyberTrust

      • DST/Identrus

      • GeoTrust

      • VeriSign

    • Vendor based Policy

    • Local RAs

  • Internal Campus PKI operations

    • CA & RA operations run on campus

    • Campus based Policy

  • EDUCAUSE has programs for reducing cost through Identity Management Services Program

    • http://www.educause.edu/IMSP

  • Open Source options e.g. OpenCA, CA-in-a-box, etc. etc.


Hebca higher education bridge certificate authority l.jpg
HEBCA : Higher Education Bridge Certificate Authority

  • Bridge Certificate Authority for US Higher Education

  • Modeled on FBCA

  • Provides cross-certification between the subscribing institution and the HEBCA root CA

  • Flexible policy implementations through the mapping process

  • The HEBCA root CA and infrastructure hosted at Dartmouth College

  • Facilitates inter-institutional trust between participating schools

  • Facilitates inter-federation trust between US Higher Education community and external entities


Hebca project l.jpg
HEBCA Project

  • What will it provide?

    • The HEBCA Project will create and maintain three new Certificate Authority (CA) systems for EDUCAUSE and will also house the existing HEBCA Prototype CA

    • The three CA systems to be created are:

      • HEBCA Test CA

      • HEBCA Development CA

      • HEBCA Production CA

    • The HEBCAs will be used to cross-certify Higher Education PKI trust anchors to create a bridged trust network

    • The HEBCA Test CA will also be cross-certified with the Prototype FBCA (other emerging Bridge CAs are also targets) and the HEBCA production CAs will be cross-certified with the production FBCA.


Hebca project overview l.jpg
HEBCA Project - Overview

LDAP Based Directory

Utilizing the Registry of Directories

Utilizing LDAP Referrals

X.500 Based Directory

Directories Interconnect via Chaining (X.500 DSP)


Hebca policy authority l.jpg
HEBCA Policy Authority

  • The HEBCA PA establishes policy for and oversees operation of the HEBCA. HEBCA PA activities include…

    • approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the HEBCA

    • set policy for accepting applications for cross-certification and interoperation with the HEBCA

    • certify the mapping of policy between the HEBCA CP and applicants’ CP’s

    • establish any needed constraints in cross-certification documents

    • represent the HEBCA in establishing its own cross-certification with other PKI bridges

    • set policy governing operation of the HEBCA

    • oversee the HEBCA Operational Authority

    • keep the HEBCA Membership and the HEPKI Council informed of its decisions and activities.


Hebca operating authority l.jpg
HEBCA Operating Authority

  • The HEBCA OA is the organization that is responsible for the issuance of HEBCA certificates when so directed by the HEBCA PA, the posting of those certificates and any Certificate Revocation Lists (CRLs) or Certificate Authority Revocation Lists (CARLs) into the HEBCA repository, and maintaining the continued availability of the repository to all parties relying on HEBCA certificates.

  • Specific responsibilities of the HEBCA OA include:

    • Management and operation of the HEBCA infrastructure;

    • Management of the registration process;

    • Completion of the applicant identification and authentication process; and

    • Complying with all requirements and representations of the Certificate Policy.

  • Key personnel from the Dartmouth PKI Laboratory were chosen as the HEBCA Operating Authority by the HEBCA PA under the direction of EDUCAUSE (the project sponsor).


Hebca project progress l.jpg
HEBCA Project - Progress

  • What’s been done so far?

    • Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)

    • MOA with commercial vendor for infrastructure hardware (Sun)

    • MOA with commercial vendor for CA software and licenses (RSA)

    • Policy Authority formed

    • Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)

    • Prototype Registry of Directories (RoD) deployed at Dartmouth

    • Draft of Production HEBCA CP produced

    • Draft of Production HEBCA CPS produced

    • Preliminary Policy Mapping completed with FBCA

    • Test HEBCA CA deployed and cross-certified with the Prototype FBCA

    • Test HEBCA RoD deployed

    • Production HEBCA development phase complete

    • Infrastructure has passed interoperability testing with FBCA

    • Some minor documentation to finalize

    • Ready for audit and production operations


Solving silos of trust l.jpg
Solving Silos of Trust

Institution

FBCA

Dept-1

Dept-1

Dept-1

HEBCA

CAUDIT

PKI

USHER

CA

CA

CA

SubCA

SubCA

SubCA

SubCA

SubCA

SubCA

SubCA

SubCA

SubCA


Slide17 l.jpg

Proposed

Inter-federations

CA-2

CA-1

CA-2

CA-3

HE BR

CA-1

AusCert

CAUDIT

PKI

CA-n

HE JP

FBCA

Cross-cert

Cross-certs

DST

ACES

NIH

Texas

Dartmouth

HEBCA

Cross-certs

Wisconsin

UVA

Univ-N

USHER

CertiPath

SAFE

CA-4

CFPKIB

CA-1

CA-2

CA-3


Challenges and opportunities l.jpg
Challenges and Opportunities

  • Operational restraints: Offline CA with 6 hourly CRLs requiring dually authenticated sneaker-net with limited staffing

    • Pre-generate CRLs

    • AirGap: USB based switch

  • Audit

    • What standard?

    • Cost barriers

  • Support for Bridge PKIs in current applications

    • Cross-certificates, path discovery, path validation support is limited in COTS products



Challenges and opportunities20 l.jpg
Challenges and Opportunities

  • Community applicability

    • If we build it they will come

    • Chicken & Egg profile for infrastructure and applications

    • An appropriate business plan

  • Consolidation and synergy

    • Are USHER & HEBCA competing initiatives?

    • Benefits of a common infrastructure

  • Alignment with policies of complimentary communities

    • Shibboleth / InCommon

    • Grids (TAGPMA)



Challenges and opportunities22 l.jpg
Challenges and Opportunities

  • Open Tasks

    • Re-evaluate operating LOA

    • Audit

    • Updated Business Plan

    • Mapping Grid Profiles

      • Classic PKI

      • SLCS

    • Promotion of PKI Test bed

    • Validation Authority service

    • Cross-certification with FBCA

    • Cross-certification with other HE PKI communities

      • CAUDIT PKI (AusCERT)

      • HE JP

      • HE BR


Slide23 l.jpg

Proposed

Inter-federations

CA-2

CA-1

CA-2

CA-3

HE BR

CA-1

AusCert

CAUDIT

PKI

CA-n

HE JP

FBCA

Cross-cert

Cross-certs

DST

ACES

NIH

Texas

Dartmouth

HEBCA

Cross-certs

Wisconsin

UVA

Univ-N

USHER

CertiPath

SAFE

CA-4

CFPKIB

CA-1

CA-2

CA-3


For more information l.jpg
For More Information

  • HEBCA Website:

    http://www.educause.edu/HEBCA/623

  • EDUCAUSE IMSP:

    http://www.educause.edu/IMSP

    Scott Rea - [email protected]


ad