Internet2 Middleware PKI: Oy-vey!
Michael R. Gettes
Principal Technologist
Georgetown University
[email protected]
http://www.georgetown.edu/giia/internet2
HEPKI
Sponsors: Internet2, EDUCAUSE, CREN
TAG – Technical Activities Group
• Jim Jokl, Chair, Virginia
• Technology, practicality, deployment, testbeds
PAG – Policy Activities Group
• (Default Chair), Ken Klingenstein, Colorado
• Knee-deep in policy (CP), HEBCA, Campus, Subscribers and Relying Party issues.
PKI Labs (AT&T) – Neal McBurnett, Avaya
• Wisconsin-Madison & Dartmouth
• Industry, Gov., Edu expert guidance
http://www.educause.edu/hepki
HEPKI-TAG Activities
Charter – Technical Activities Group (TAG)
• Certificate profiles, CA software
• Private key protection
• Mobility, client issues
• Interactions with directories
• Testbed projects (PKI-Lite, S/MIME Interop, Profiles)
• Communicate results
http://www.educause.edu/hepki
HEPKI-PAG
We don’t need no stinkin’ policy?
Policy, Lawyers, documenting practice, what gives?
• Going outside the institution. Staying inside doesn’t require new policy (rather new practice)
• PKI seems to make authN / authZ a legitimate problem deserving legal attention
Working with U.S. Gov’t on PKI Policy
Moved the development of HEBCA Cert Policy
Realized need for Campus Model Cert Policy
Realized need to simplify policy for PKI-Lite
Transforming Education Through Information Technologies
http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island)
HEBCA: Higher Education Bridge Certificate Authority
Michael R Gettes
Georgetown University
Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross Certificates allow for “one/two-way policy”
• Directories are critical in BCA world.
A Snapshot of the U.S. Federal PKI (diagram): Federal Bridge CA, NFC PKI, Higher Education Bridge CA, NASA PKI, DOD PKI, Illinois PKI, University PKI, CANADA PKI
What is Cross Certification?
• A Bridge signs a CA and the CA signs the Bridge
• Policy OIDs and Name Constraint controls are in the cross certificates
• Cross Certificates are published in directories and discovered via the network. BCA/CA may remain off-line.
• Policy OIDs could map to XML documents describing the policy (processed per Carmody)
Path Validation
• Application receives a Certificate
• Finds a path back to a trusted signer of the Certificate, validating the path for policy mappings and name constraints.
• Policy Mappings can be LOA (levels of assurance) or “we agree to be in club shib” or whatever
• Name Constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu
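The cross-certification and path-validation steps on the two slides above, as an added Python illustration that is not part of the original deck: it uses a constructed in-memory model of certificates (no real X.509 parsing or signature checking; the DNs, the policy OID names and the dc=uab,dc=edu constraint are all made up), walks from an end-entity certificate back to the relying party's trust anchor through cross certificates, applies each cross certificate's policy mapping, and enforces name constraints on everything signed below it.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str                 # DN written as "cn=...,dc=...,dc=..." (constructed format)
    issuer: str
    policies: set = field(default_factory=set)              # policy OIDs the cert asserts
    policy_mappings: dict = field(default_factory=dict)     # issuer-domain OID -> subject-domain OID
    permitted_subtrees: list = field(default_factory=list)  # name constraints on what the subject CA may sign

def dn_in_subtree(dn, subtree):  # "cn=alice,dc=uab,dc=edu" lies within "dc=uab,dc=edu"
    parts = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in subtree.split(",")]
    return len(parts) >= len(base) and parts[-len(base):] == base

def build_path(cert, by_subject, anchor):  # follow issuer names (cross certs) up to the anchor
    path, seen = [cert], {cert.subject}
    while path[0].issuer != anchor.subject:
        nxt = by_subject.get(path[0].issuer)
        if nxt is None or nxt.subject in seen:  # unknown issuer, or a loop of cross certs
            return None
        seen.add(nxt.subject)
        path.insert(0, nxt)
    return [anchor] + path

def validate(cert, by_subject, anchor, required_policy):  # required_policy is in the anchor's domain
    path = build_path(cert, by_subject, anchor)
    if path is None:
        return False, "no path to trust anchor"
    layers, wanted = [], required_policy  # name-constraint layers inherited from the CAs above
    for issuer_cert, c in zip(path, path[1:]):
        layers.append(issuer_cert.permitted_subtrees)
        if not all(not layer or any(dn_in_subtree(c.subject, s) for s in layer) for layer in layers):
            return False, f"{c.subject} is outside the permitted name space"
        if wanted not in c.policies:
            return False, f"{c.subject} does not assert policy {wanted}"
        wanted = c.policy_mappings.get(wanted, wanted)  # translate into the next domain's OID
    return True, "valid"

# Constructed sample: NIH is the relying party; its anchor reaches a university CA via FBCA and HEBCA.
NIH_ANCHOR = Cert("cn=NIH CA", "cn=NIH CA", {"nih-medium"})
CROSS_CERTS = [
    Cert("cn=FBCA", "cn=NIH CA", {"nih-medium"}, {"nih-medium": "fbca-medium"}),
    Cert("cn=HEBCA", "cn=FBCA", {"fbca-medium"}, {"fbca-medium": "hebca-medium"}),
    Cert("cn=UAB CA,dc=uab,dc=edu", "cn=HEBCA", {"hebca-medium"},
         {"hebca-medium": "uab-basic"}, ["dc=uab,dc=edu"]),  # UAB CA may only sign under dc=uab,dc=edu
]
BY_SUBJECT = {c.subject: c for c in CROSS_CERTS}
ALICE = Cert("cn=alice,dc=uab,dc=edu", "cn=UAB CA,dc=uab,dc=edu", {"uab-basic"})
BOB = Cert("cn=bob,dc=example,dc=com", "cn=UAB CA,dc=uab,dc=edu", {"uab-basic"})  # signed outside the constraint
```

In the real deployment the cross certificates in BY_SUBJECT are what DAVE fetches from the bridge and campus directories, so the bridge CAs themselves can stay off-line.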
On Policy
• We have a draft HEBCA Certificate Policy
• The HE CP and HEBCA CP are congruent
• The HEBCA CP and FBCA CP are congruent
• We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE
NIH-Educause PKI Pilot: Phase Two
Electronic Grant Application With Multiple Digital Signatures
Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research
Project Participants
• University of Alabama-Birmingham
• University of Wisconsin-Madison
• University of California, Office of the President
• University of Texas – Houston Health Science
• Dartmouth College
• Georgetown University – HEBCA proper
• National Institutes of Health (NIH)
• Mitretek (www.mitretek.org)
The Problem
• Picture/s of piles of grant applications
– About 20,000 5 ft high standing people of paper.
• 1 forest per year for just grant apps.
• The Solution: signed, electronic grant application
– Of course!
Phase Two Concept of Operations (CONOPS) (diagram): University A, University B and University C each send a digitally signed grant application (E-Lock Assured Office) over the Internet to the NIH OER Mail Server; the NIH OER Recipient runs CAM-enabled E-Lock Assured Office with the NIH CAM Server, which performs Certificate Validation for each university through the FBCA and HEBCA (CertStatus).
“DAVE” (Discovery and Validation Engine) (diagram): sender (UA) and receiver (NIH); the NIH CA is the trust anchor, with an NIH directory; cross certs link NIH CA, FBCA (FBCA dir), HEBCA (HEBCA dir) and the UA CA (UA dir), which issued the sender's certificate; DAVE/CAM in the E-Lock software gets the Cert and CRL via directory chaining; a new LDAP Registry of Directories for BCAs.
Bridge CA vs. Shibboleth
• PKI is hard to deploy to end users
• Shib should use BCA aware PKI between servers
• Club Shib will then scale using Policies and Relationships established by Bridge CA world
• ONE Club Shib managed by policy - globally
• Java 1.4 is Bridge aware. Whistler supposed to be.
The PKI Puzzle (diagram by David Wasley, UCOP): Fed Bridge, Educause HE Bridge, CREN Root CA, Campus PKI, Directory, Campus Systems, Server Certs, Vendor Resources, Campus Resources, Shib; EDU PKI Hierarchy, COM PKI Hierarchy, Medical PKI Hierarchy.
PKI provides:
• Strong Authentication
• Flexible Authorization
• Secure Digital Signature
• Powerful Data Security
Technical vs. Policy: PKI is 1/3 Technical and 2/3 Policy?