PKI Status @ Georgetown University or Whaassuuuup PKI?

Michael R. Gettes

Lead Application Systems Integrator “LASI”

gettes@Georgetown.EDU

Policy
  • We don’t need no stinkin’ policy!
  • Covert warfare can be a valid tactic for IT deployments
    • Yes, this is a juicy rationalization with self-serving purpose
  • Verified no District (DC) Laws limiting PKI

CSG PKI Workshop gettes@georgetown.edu

Middleware
  • If the goal is a PKI…
    • Identifiers
    • Identification process
    • Authentication systems
    • Directory
    • CA Deployment
      • Server Certificates
    • Authorizations
    • Client Certificates

Server Config
  • CA Software
    • Netscape CMS 4
      • Solaris, E250
      • On same physical hardware as Kerberos slave
      • Root key is simple PW protected. But, this is COTS!
  • Purchased 100 Certs
    • $30 each; your mileage may vary
  • All work done by 1 person
    • Get this going quickly for Network Services

Netscape CMS 4.2
  • Some Auth-n methods for end users
    • Really intended for LDAP integration
  • Forms for certificate enrollment
    • Web based for RA and Operator functions
  • Policies for governing the formulation of certificates
    • Managed by Netscape Console
  • Publishing of certificates and CRLs
    • LDAP, of course

Netscape CMS 4.2
  • Event-driven notifications
  • Backup and recovery (escrow)
    • See sproule@Princeton.EDU for more info
    • Database is LDAP as well… do we detect a pattern here?

CA Certificate
  • Valid until 10/2001
  • Simple profile
    • No special extensions
    • No special constraints or criticalities
  • Subject contains X.500 and DC names
    • O=Georgetown University
      • required because of Communicator
    • dc=georgetown,dc=edu
      • At end of subjectName in Certificates
      • Also root suffix for Enterprise Directory
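As an added example (not from the presentation), a stdlib-only Python check that a subject DN follows the naming convention on this slide: an O= attribute is present and the dc= components at the end of the subject spell the directory root suffix. The suffix value dc=georgetown,dc=edu is taken from the slide; the sample DNs are constructed.

```python
# Added example (not from the slides): check that a certificate subject DN has an
# O= attribute (Communicator needs one) and dc= components at the END of the
# subject that match the directory root suffix. The suffix is the slide's value.
EXPECTED_DIR_SUFFIX = "dc=georgetown,dc=edu"


def split_rdns(dn):
    """Split an RFC 2253 string DN on unescaped commas into RDN strings."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep an escaped char verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def parse_dn(dn):
    """Return (attribute-type, value) pairs in string order, types lowercased."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_subject(dn, expected_suffix=EXPECTED_DIR_SUFFIX):
    """Return (ok, reasons, trailing_dc_suffix) for a certificate subject DN."""
    pairs = parse_dn(dn)
    reasons = []
    if not any(attr == "o" for attr, _ in pairs):
        reasons.append("missing O= attribute (Communicator needs an organization)")
    tail = []                     # run of dc= components at the end of the subject
    for attr, value in reversed(pairs):
        if attr != "dc":
            break
        tail.append("dc=" + value.lower())
    suffix = ",".join(reversed(tail))
    if suffix != expected_suffix.lower():
        reasons.append("trailing dc components %r != directory suffix %r" % (suffix, expected_suffix))
    return (not reasons, reasons, suffix)
```

A subject whose dc= components are followed by any other attribute yields an empty suffix and fails the check, which is the point: the suffix must close the name so it lines up with the directory's root.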

CA Issued Certificates
  • Client Certificates
    • NONE
    • Cost, Deployment, Policy
  • Server Certificates
    • On a limited basis, carefully considered
    • Valid until 10/2001
    • No special constraints

Expiry Rationale
  • Why 10/2001 for Expiry?
    • Force decision on future PKI vendor or continue “as is”. Hopefully a decision!
    • October implies a summer time redeployment with “misses” found in October when community is present.
    • Realization of the future of CREN CA
      • Validity period, fBCA model, browser deployments (maybe)

CA Certificate Deployment
  • Netscape Communicator 4.7x
    • Customized Netscape for CA Cert deployment
    • Also needed for IMAP and other new services
      • Central IMAP and Directory only accessible with SSL
  • Internet Explorer
    • No custom distribution method developed. Would like to do something in the future along with Win2K
  • Manual Configuration of CA Certificate
    • people can visit https://ca.georgetown.edu
  • Alumni and other public services: Verisign

CA Certificate Deployment

  • There must be a better way!
  • MIT approach assumes client cert distribution
    • Like others, not a bad thing, just different
  • Microsoft seems willing to play ball
  • heDRCD (being discussed in HEPKI-TAG)

Directories are part of the I in PKI
  • Directory (October, 1999)
    • Centralized, automated Name Space
    • VERY carefully controlled
      • Users modify very little
      • Priv’d access highly restricted
    • Control considered necessary step for PKI to trust the directory
    • Eventually, client, server and other certs will be published in the directory.
    • Hopefully a model campus for LDAP deployment
      • Internet2 Middleware 201 (others?) coursework

Overall Plan
  • Best of all 3 worlds
    • LDAP + Kerberos + PKI
      • LDAP Authentication performs Kerberos Authentication out the backend. Started 9/2000 to finish NS plug-in.
      • Credential Caching handled by Directory.
      • All directory authentications SSL protected. Enforced with necessary exceptions
    • Use Kerberos to derive Certificates
    • One Userid/Password (single-signon vs. FSO)

Overall Plan
  • AT&T Access Cards (Onecard project)
    • Vending, Building Access, Credit, etc.
      • Mag-stripe only, no chip
  • Unfortunately, no smart-card plan by admin – at least nothing I have seen
  • Schlumberger interested in HEPKI

CA Future
  • OpenCA (built on OpenSSL)?
  • Baltimore?
  • Casey Lide – DST?
  • Netscape/iPlanet/Sun?
  • Outsourcing? (parts is parts is parts)
  • Something else? (notaries)
  • Ken’s matrix should help with decision

Georgetown Institute for Information Assurance
  • Recently formed: July 2000
  • Research and practical deployment of Network Security, Internet2 Middleware and PKI
  • Joint work between Central IT, CompSci, Medical Center, Law Center, Public Policy Institute, Legal and other experts and faculty.
  • Focal point for University policy and practice
  • http://www.georgetown.edu/giia

Georgetown Activities
  • Internet2 Middleware + EDUCAUSE, CREN
    • Directories, Dir of Dirs for Higher Ed, Shibboleth, PKI, CREN CA, LDAP-RECIPE, eduPerson
  • Professor Dorothy Denning, CS, info-warfare
  • Prof./Dr. Jeffrey Collmann, Sociology
  • Dr. Alan Zuckerman, biometrics
  • HEPKI TAG/PAG – Kathryn Baerwald, Georgetown Legal PAG involvement.
