
HEPKI-TAG Update: Open-Source PKI Software, Certificate Profiles, and Mobility

This update from the HEPKI-TAG summit discusses activities, sponsors, and technical issues related to open-source PKI software, certificate profiles, directory interfacing, client customization, mobility, and inter-institution test projects.


Presentation Transcript


  1. HEPKI-TAG Update
     EDUCAUSE/Dartmouth PKI Summit, July 26, 2005
     Jim Jokl, University of Virginia

  2. HEPKI-TAG Activities
     • Sponsors: EDUCAUSE, Internet2, NET@EDU
     • Charter – Technical Activities Group (TAG)
       • Open-source PKI software
       • Certificate profiles
       • Directory / PKI interaction
       • Validity periods
       • Client customization issues
       • Mobility
       • Inter-institution test projects
       • Private key protection
       • Technical issues with cross-certification
       • Communicate results
     • Process
       • Biweekly conference calls
       • Sessions at higher education events

  3. Updates to PKI-Lite
     • PKI-Lite: using PKI technology at the LOA (level of assurance) of the existing campus login/password system
     • Updated policy and practices document
       • Changes based on feedback from the NMI project, etc.
       • Clarifications to hierarchical CAs, language, etc.
       • Still 9 pages, fill-in-the-blanks format
     • Relationship to the Citizen and Commerce (C4) Policy
       • FIPS 140 crypto, audits, CRL/OCSP required
     • New PKI-Lite certificate profiles
       • End Entity
         • Bridge environment (Authority and Subject Key Identifiers)
         • EAP-TLS Microsoft OID (SubjectAlt/OtherName/PrincipalName)
       • Certification Authority
         • Authority and Subject Key Identifiers
       • All profiles – more closely follow the RFCs for critical flags

  4. S/MIME
     • Plan to update the S/MIME compatibility table with data for additional clients
     • HEPKI-TAG coordinated a letter to Qualcomm requesting S/MIME support for Eudora
     • Qualcomm was/is developing S/MIME support for Eudora
     • HEPKI-TAG developed a prioritized list of the features we’d like to see in the client
     • Looking forward to being early testers

  5. Introductory Materials: Aiding Initial Campus Deployments
     • Recall our PKI-Lite framework
       • Using PKI for “standard” applications where you likely would have used names/passwords in the past
       • Standard Policy/Practices document and Profiles
       • Designed to support S/MIME, VPN, Web Authentication, etc.
       • Validated on other apps (e.g. Globus, document signing applications, etc.)
     • Newer addition: PKI-Lite Recipe
       • by Steven Carmody at Brown

  6. US Higher Education Root (USHER) and Policy
     • Background
       • A hierarchical CA for Higher Education
       • Issue authority certificates to campus CAs
       • Replace and offer more than the old CREN hierarchy
     • Initial discussions on LOA for USHER
       • Strong procedures for USHER operations
       • Strong process to identify campuses
       • Discussions on requirements for schools
         • Something heavy, C4, PKI-Lite, less, etc.?
         • Implications for when USHER cross-certifies with HEBCA?
     • Early focus decisions
       • Strong procedures for USHER itself; use the InCommon I&A process for schools
       • Architect for an USHER-heavier and an USHER-Lite
       • Focus deployment on USHER-Lite

  7. One older concept for the US Higher Education Root (USHER)
     [Hierarchy diagram; only its box labels survive: USHER Root, USHER-Lite, InCommon CA, USHER Basic/Medium, several School CAs, several Shib Certs]

  8. Current Thinking for USHER
     [Hierarchy diagram; only its box labels survive: USHER-Lite Root, Future USHER Basic/Medium, HEBCA, InCommon CA, several School CAs, several Shib Certs]
     Note: InCommon CA not related to USHER in a PKI sense

  9. USHER & Policy: Enter LionShare
     [Diagram; only its box labels survive: USHER, Campus CA, Campus CA, LionShare SASL CA, Short-life user certificates]
     • LionShare needs a trust fabric that works logically like PKI-Lite
       • Verify PKI-Lite OID in cert
     • Question: can/should USHER require at least PKI-Lite from campuses?
       • Schools doing this anyway
       • Strong pushback on TAG call
         • How does USHER certify campuses?
         • Campus liability concerns
         • Why is a requirement needed?

  10. Current Thinking on USHER-Lite
     • No requirements for what the campus can do using their USHER authority certificate
     • LionShare will require the PKI-Lite Policy OID in certificates issued by the SASL-CA
     • USHER CA profile
       • Profiles include AIA for bridge cert discovery in XP
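The relying-party check that slides 9 and 10 describe (a LionShare-style service accepting a user certificate only if it chains to the campus SASL CA and asserts the PKI-Lite policy OID), together with the slide 3 end-entity profile elements of Subject and Authority Key Identifiers, a short validity period and a non-critical certificatePolicies extension, as an added Go example written for this page; it is not code from the slides, from HEPKI-TAG, LionShare or USHER. The PKI-Lite policy OID itself is not given on the slides, so the code uses a placeholder under the 2.999 example arc; the CA and user names are constructed; the EAP-TLS UPN otherName from slide 3 is not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder for the PKI-Lite policy OID: the real value is not on the slides,
// and 2.999 is the ITU-T arc reserved for documentation examples.
var pkiLitePolicyOID = asn1.ObjectIdentifier{2, 999, 1}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCampusCA builds a constructed campus (SASL) CA. Go generates the Subject
// Key Identifier for CA templates and marks BasicConstraints and KeyUsage critical.
func issueCampusCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Campus SASL CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueUserCert follows the slide 3 end-entity profile: a Subject Key Identifier
// (the Authority Key Identifier is copied from the CA's SKI), short validity, a
// client-authentication EKU and, with withPolicy, a non-critical certificatePolicies.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, withPolicy bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ski := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey))) // RFC 5280 4.2.1.2 requires only uniqueness
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "Jane Student (constructed)"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour), // short-life user certificate
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		SubjectKeyId: ski[:],
	}
	if withPolicy {
		// Encoded by hand so the result does not depend on how a Go version treats the template's policy fields.
		pol := must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{pkiLitePolicyOID}}))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pol}} // id-ce-certificatePolicies
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// hasPolicy reports whether the parsed certificatePolicies extension asserts want.
func hasPolicy(c *x509.Certificate, want asn1.ObjectIdentifier) bool {
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(want) {
			return true
		}
	}
	return false
}

// checkPKILite models the relying-party check on slides 9 and 10: the
// certificate must chain to the campus (SASL) CA, be usable for client
// authentication, and assert the PKI-Lite policy OID.
func checkPKILite(ee, campusCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(campusCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := ee.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if !hasPolicy(ee, pkiLitePolicyOID) {
		return errors.New("certificate does not assert the PKI-Lite policy OID")
	}
	return nil
}

func main() {
	ca, caKey := issueCampusCA()
	fmt.Println(checkPKILite(issueUserCert(ca, caKey, true), ca))  // <nil>
	fmt.Println(checkPKILite(issueUserCert(ca, caKey, false), ca)) // certificate does not assert the PKI-Lite policy OID
}
```

The check is deliberately two-stage: chain validation first (Go's Verify uses the SKI/AKI pair when it builds the chain, which is why the profiles on slide 3 call for both identifiers), then the policy test on the parsed certificatePolicies extension. A certificate from the same CA without the OID, or a certificate carrying the OID but issued by an unrelated CA, is rejected; only a certificate that satisfies both is accepted.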

  11. Next Projects for HEPKI-TAG
     • Continue support for USHER
     • Maintain & update existing documents and services
     • Signing tools project
       • Document and web form signing tools
     • Update of S/MIME work
       • Update compatibility matrix
       • Eudora when ready
     • Campus CA Audits
       • Preparation and documents for campus auditors
     • In the queue
       • Windows smart card login
       • Mobility and Hardware Token update
       • Application integration (administrative and general)
       • CA software
       • More/better introductory materials
       • Bridge application testing
       • Grid integration & documentation
       • Update hardware token work
       • EAP-TLS documentation
       • Look at SILC
       • Insert your favorite item(s) here

  12. Questions - References
     • If you are working on these topics, consider participating in HEPKI-TAG
     • Some references
       • middleware.internet2.edu/hepki-tag
         • Links to other sites, CA software, etc.
       • NET@EDU PKI for Networked Higher Education
         • http://www.educause.edu/PKIforNetworkedHigherEducation/928
       • pkidev.internet2.edu
       • PKI Labs
         • middleware.internet2.edu/pkilabs
