Digital Certificate Operation in a Complex Environment


Presentation Transcript


  1. Digital Certificate Operation in a Complex Environment Consultation/Stakeholders Meeting 3 December 2003

  2. DCOCE: pronounced dΛ’kŊtfi: (Der-kot-chee)

  3. The DCOCE project • DCOCE is about authentication with digital certificates • Digital certificates use Public Key Infrastructure (PKI) • PKI is very secure • but can be difficult to administer

  4. The DCOCE project • Digital certificates and PKI rely upon trust • Trust relies upon co-operation (or understanding) between organisations • Oxford University is a Complex Environment • DCOCE • If it can work here...

  5. What DCOCE is not about • Authorisation • but… • Single sign on • but… • e-Science and the grid • but…

  6. Project team • Based within the RTS at OUCS in collaboration with SERS • Project Manager: Mark Norman • Systems Developer: Christian Fernau • Evaluators: Alun Edwards (OUCS), Johanneke Sytsema (SERS)

  7. Project partners • Research Technologies Service at Oxford University Computing Services in collaboration with: • the Systems and Electronic Resources Service at Oxford University Library Services (SERS) • Manchester Information and Associated Services (ZETOC) • the Athens Devolved Authentication Service (at EduServ) • the Oxford e-Science Centre (OeSC)

  8. What is DCOCE? • 2-year project funded by the Joint Information Systems Committee • feasibility of using digital certificates for authentication and simplified access to remote services • researching and running a pilot of a PKI (public key infrastructure) • evaluating and documenting all of the major stages and the user experience

  9. Why at Oxford? • The complex environment is here… • the Departments and Colleges of the University of Oxford • everyone may have a different requirement • desires secure access to central IT support applications • desires to optimise access to licensed content • Oxford hosts regional e-Science Centre • OUCS • secure access to web-based email; LDAP services; VPN service • developing account management packages for RDN Subject Portals Project • Information flow is very important to a PKI

  10. Stakeholder group • Project Team • Oxford University Computing Services • Library Services • E-Science Centre • Research Technologies Service • IT Support Staff services • User registration • Admin & Legal Services

  11. Stakeholder group • We need to know what you think: • are the ideas difficult? • what do you think you need? • Early 2004 we need people to trial the use of our digital certificates • to discover the advantages and difficulties as they appear to you

  12. Modelling • Admin. architecture: select and review 4 PKI implementations; build an administration architecture model for Oxford; Athens, MIMAS and OeSC to advise and review initial proposals for models • System architecture: review the 4 PKI implementations; build a system architecture model for Oxford; Athens, MIMAS and OeSC to advise and review initial proposals for models

  13. Development and implementation • Implement, and develop, the systems and administrative processes to support a certificate life-cycle within a PKI • architectures • very small-scale rollout • a certification authority • initial testing • OeSC to advise

  14. Athens Devolved Authentication • Enable access to remote resources subscribed to by Oxford compliant with Athens single sign-on (SSO) via digital certificate authentication • examine Athens requirements and standards • ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted

  15. MIMAS • Enable access to remote Zetoc/British Library resources via digital certificate authentication mechanism • examine MIMAS/Zetoc requirements and standards • ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted

  16. Real-world rollout • Distribute the certificates much more widely • test • examine revocation and recovery issues • document the issues arising • Extensive set of users will receive certificates • IT support staff in devolved roles throughout the University • selected end users of many types and roles • Trial revocation and recovery/re-issuing mechanisms • OeSC, Athens and MIMAS to advise

  17. Certificate Policy Statement • Develop and publish a detailed Certificate Policy Statement (CP) • in accordance with the Internet Engineering Task Force PKI X.509 Certificate Policy and Certification Practice Statement (CPS) Framework • produce an early draft of the CP • consult about trust issues • final version of the CP will be produced after rollout

  18. Legal and administrative issues • Input from Oxford University Legal Services • issuing and revoking certificates • running the PKI • the final Certificate Policy Statement (CP) • the administration issues of managing: • a registration authority • and certificate authority • and revocation list • research legal and administration issues • OeSC to advise

  19. Evaluation and dissemination • Technical and user-oriented evaluations • the implementation of PKI at UK HE establishments • final report • Project progress report • successes and failures and points of difficulty • Via web pages, email lists and at real 'events' • Web site: http://www.dcoce.ox.ac.uk/ • Mailing list: dcoce-disc@jiscmail.ac.uk • Useful to others considering PKI within UK FE and HE • formative evaluation of decisions made • summative evaluations • decision-making processes and the experiences of end users etc.

  20. Summary of deliverables • Evaluation reports • for different stages of the process • Policies • overall Certification Practice Statement (CPS) • Systems architecture details • any open source adaptations • Project Web site • http://www.dcoce.ox.ac.uk/ • Summative report • practical manual

  21. Ideas for discussion at the moment • Sending server certificates on a CD-ROM • Ideas for a Local Institution Certificate Store • Ideas for issuing certificates (enrolling)
