Higher Education Bridge Certification Authority
Scaleable Linking of PKI trust domains
David L. Wasley, Fall 2006 PKI Workshop

Topic Span
• What’s a bridge?
• How is it different than “normal” PKI?
• Why is it useful?
• What is the HEBCA?
Bridged vs. Hierarchical PKI
• Hierarchical PKI assumes uniform policy and works with most products today
• Hierarchies are “PKI islands”
• Therefore browsers include 100+ “trust anchors”
• Bridging allows mapping between different PKI policies, but very few products support this (yet)
• Mapping info is used during path validation
• Bridging can link “islands” and provide superior trust management
• Therefore we believe it will become important …
What this looks like
• A Relying Party under (A) can build a path to a Subject under (C)
• This avoids the RP having to know and understand Trust Anchors (B) and (C)
• But not vice versa
How does the bridge deal with differences in PKI domain CPs?
• Trust is established by Certificate Policy
• Each PKI domain has a Trust Anchor
• Each domain can specify how its policy is met or exceeded by the other domain’s policy
• Each can place limits on this trust
• If there is no equivalency, one doesn’t trust the other
• The bridge does this with respect to each of its member domains
• Members must trust the bridge to do this adequately
• Each can limit how far it is willing to ‘network’
How CPs are compared
• Identify all important issues in the CP
  • Organizational responsibilities
  • Trust-affecting issues
• Create matrices to organize the comparison
  • General or common elements
  • Elements that determine Level of Assurance
  • Other differentiating elements
How mapping is instantiated
• A CA’s policy is identified by an OID
• One policy may define OIDs to represent variations such as LOA, etc.
• CA cross-certificate includes a “policy mapping field”
  • Contents defined by Issuer
  • Pairs of OIDs
  • “Issuer considers its CP (OID) to be equivalent to Subject CA’s CP (OID)” [See RFC 3280]
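The following Python is an added example, not part of the original slides or of the HEBCA project: a simplified version of the RFC 3280 policy processing that a relying party under campus A would run on a path through the bridge to a subject under campus C. The OIDs, CA names and path are constructed placeholders; anyPolicy, policy constraints and inhibitPolicyMapping are left out.

```python
"""Simplified RFC 3280 section 6.1 policy processing across a bridge CA.
Each cert must assert a policy the relying party currently expects; its
policy mappings (issuerDomainPolicy, subjectDomainPolicy) rewrite what the
next cert in the path must assert. Illustration only."""
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    policies: set                  # certificatePolicies OIDs asserted
    mappings: list = field(default_factory=list)  # (issuer OID, subject OID)

# Constructed placeholder OIDs; not real policy arcs.
A_MEDIUM = "1.3.6.1.4.1.99991.1.2"       # campus A "medium" LOA policy
BRIDGE_MEDIUM = "1.3.6.1.4.1.99990.1.2"  # bridge "medium" LOA policy
C_MEDIUM = "1.3.6.1.4.1.99993.1.2"       # campus C "medium" LOA policy
C_BASIC = "1.3.6.1.4.1.99993.1.1"        # campus C "basic" LOA policy

def build_path(ee_policy):
    """Path from campus A's trust anchor, via the bridge, to a subject under C."""
    return [
        # A cross-certifies the bridge: "A-medium is equivalent to bridge-medium"
        Cert("Bridge CA", {A_MEDIUM}, [(A_MEDIUM, BRIDGE_MEDIUM)]),
        # Bridge cross-certifies C: "bridge-medium is equivalent to C-medium"
        Cert("Campus C CA", {BRIDGE_MEDIUM}, [(BRIDGE_MEDIUM, C_MEDIUM)]),
        Cert("alice@c.example", {ee_policy}),   # end-entity certificate
    ]

def validate_policies(path, initial_policy_set):
    """Return the RP's own policies the end-entity cert satisfies (empty = reject)."""
    # expected: OID the next cert must assert -> RP policy it descends from
    expected = {p: p for p in initial_policy_set}
    for cert in path:
        accepted = {oid: rp for oid, rp in expected.items() if oid in cert.policies}
        if not accepted:
            return set()  # no equivalent policy: trust stops at this certificate
        nxt, mapped = {}, set()
        for issuer_oid, subject_oid in cert.mappings:
            if issuer_oid in accepted:  # restate the expectation in the subject's terms
                nxt[subject_oid] = accepted[issuer_oid]
                mapped.add(issuer_oid)
        for oid, rp in accepted.items():
            if oid not in mapped:       # unmapped policies carry over unchanged
                nxt[oid] = rp
        expected = nxt
    return set(expected.values())

if __name__ == "__main__":
    print(validate_policies(build_path(C_MEDIUM), {A_MEDIUM}))  # {A_MEDIUM}
    print(validate_policies(build_path(C_BASIC), {A_MEDIUM}))   # set(): no equivalency
```

The second call shows the "no equivalency" case from the slides: C's basic policy was never mapped from anything A trusts, so the path is rejected even though every signature would verify.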
Higher Education Bridge CA (HEBCA)
• Sponsored by EDUCAUSE to support linking campus PKIs with each other and with sponsored partners
• Patterned after the Federal Gov’t FBCA
• Will cross-certify with FBCA eventually
• Operated at Dartmouth College
• Test bridge is running
• CP/CPS almost complete
• Concern about whether there is enough interest (yet) to justify full operation
• Planning to keep test bridge running
Questions?
• dlwasley@earthlink.net