Internet2 Middleware PKI: Oy-vey!


Transcript of Internet2 Middleware PKI: Oy-vey!

Page 1: Internet2 Middleware PKI: Oy-vey!

Internet2 Middleware PKI: Oy-vey!

Michael R. Gettes, Principal Technologist, Georgetown University

[email protected]
http://www.georgetown.edu/giia/internet2

Page 2: Internet2 Middleware PKI: Oy-vey!

HEPKI

Sponsors: Internet2, EDUCAUSE, CREN

TAG – Technical Activities Group

• Jim Jokl, Chair, Virginia
• Technology, practicality, deployment, testbeds

PAG – Policy Activities Group

• (Default Chair), Ken Klingenstein, Colorado
• Knee-deep in policy (CP), HEBCA, Campus, Subscribers and Relying Party issues.

PKI Labs (AT&T) – Neal McBurnett, Avaya

• Wisconsin-Madison & Dartmouth
• Industry, Gov., Edu expert guidance

http://www.educause.edu/hepki

Page 3: Internet2 Middleware PKI: Oy-vey!

HEPKI-TAG Activities

Charter – Technical Activities Group (TAG)
• Certificate profiles, CA software
• Private key protection
• Mobility, client issues
• Interactions with directories
• Testbed projects (PKI-Lite, S/MIME Interop, Profiles)
• Communicate results

http://www.educause.edu/hepki

Page 4: Internet2 Middleware PKI: Oy-vey!

HEPKI-PAG
We don’t need no stinkin’ policy?

Policy, Lawyers, documenting practice, what gives?
• Going outside the institution. Staying inside doesn’t require new policy (rather new practice)
• PKI seems to make authN / authZ a legitimate problem deserving legal attention

Working with U.S. Gov’t on PKI Policy

Moved the development of HEBCA Cert Policy

Realized need for Campus Model Cert Policy

Realized need to simplify policy for PKI-Lite

Page 5: Internet2 Middleware PKI: Oy-vey!

Transforming Education Through Information Technologies

http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island)

HEBCA: Higher Education Bridge Certificate Authority

Michael R Gettes

Georgetown University

[email protected]

Page 6: Internet2 Middleware PKI: Oy-vey!


Multiple CAs in FBCA Membrane

• Survivable PKI

• Cross Certificates allow for “one/two-way policy”

• Directories are critical in BCA world.

Page 7: Internet2 Middleware PKI: Oy-vey!


A Snapshot of the U.S. Federal PKI

[Diagram of the U.S. Federal PKI, showing: Federal Bridge CA, Higher Education Bridge CA, NFC PKI, NASA PKI, DOD PKI, Illinois PKI, University PKI, CANADA PKI]

Page 8: Internet2 Middleware PKI: Oy-vey!


What is Cross Certification?

• A Bridge signs a CA and the CA signs the Bridge

• Policy OIDs and Name Constraint controls are in the cross certificates

• Cross Certificates are published in directories and discovered via the network. BCA/CA may remain off-line.

• Policy OIDs could map to XML documents describing the policy (processed per Carmody)

Page 9: Internet2 Middleware PKI: Oy-vey!


Path Validation

• Application receives a Certificate

• Finds a path back to the signer of the Certificate, validating the path for policy mappings and name constraints.

• Policy Mappings can be LOA (levels of assurance) or “we agree to be in club shib” or whatever

• Name Constraints control the subjectName name space, i.e. a CA can only sign within dc=U,dc=edu
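As an added example (not from the slides), the cross-certification and path-validation steps above in a toy Python validator: it walks a chain from a trust anchor through bridge cross-certificates, intersects and maps the policy identifiers at each hop, and enforces a DirectoryName name constraint on everything a campus CA signs. All CA names, policy identifiers and DNs are constructed; signature, validity-period and revocation checks that a real validator performs are omitted.

```python
def dn(s):
    """Parse 'uid=alice,dc=ua,dc=edu' into lowercase (attr, value) pairs."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1))
            for rdn in s.split(",")]

def within(subject, subtree):
    """True if the subject DN sits under the permitted DirectoryName subtree,
    i.e. its trailing RDNs equal the subtree (dc=ua,dc=edu admits
    uid=alice,dc=ua,dc=edu but not uid=bob,dc=other,dc=edu)."""
    sub, tree = dn(subject), dn(subtree)
    return len(sub) >= len(tree) and sub[-len(tree):] == tree

def validate_path(anchor_policy, path):
    """Walk certs from the one issued by the trust anchor to the end entity.
    Each cert is a dict: subject, issuer, policies (certificatePolicies),
    optional mappings (issuerDomainPolicy -> subjectDomainPolicy) and
    optional permitted (name-constraint subtrees for everything below).
    Returns (accepted, reason)."""
    expected_issuer = path[0]["issuer"]   # name of the trust anchor
    valid = {anchor_policy}               # policies still acceptable
    permitted = []                        # subtrees in force below here
    for cert in path:
        if cert["issuer"] != expected_issuer:
            return False, f"broken chain at {cert['subject']}"
        for tree in permitted:            # constraints set by earlier certs
            if not within(cert["subject"], tree):
                return False, f"{cert['subject']} outside {tree}"
        valid &= set(cert["policies"])    # must assert an acceptable policy
        if not valid:
            return False, f"no acceptable policy at {cert['subject']}"
        valid = {cert.get("mappings", {}).get(p, p) for p in valid}
        permitted += cert.get("permitted", [])
        expected_issuer = cert["subject"]
    return True, f"accepted under {sorted(valid)}"

# Constructed sample path: NIH trust anchor -> FBCA -> HEBCA -> campus CA -> user.
PATH = [
    {"subject": "cn=FBCA", "issuer": "cn=NIH CA",
     "policies": ["nih-medium"], "mappings": {"nih-medium": "fbca-medium"}},
    {"subject": "cn=HEBCA", "issuer": "cn=FBCA",
     "policies": ["fbca-medium"], "mappings": {"fbca-medium": "hebca-medium"}},
    {"subject": "cn=UA CA,dc=ua,dc=edu", "issuer": "cn=HEBCA",
     "policies": ["hebca-medium"], "mappings": {"hebca-medium": "ua-basic"},
     "permitted": ["dc=ua,dc=edu"]},
    {"subject": "uid=alice,dc=ua,dc=edu", "issuer": "cn=UA CA,dc=ua,dc=edu",
     "policies": ["ua-basic"]},
]

if __name__ == "__main__":
    print(validate_path("nih-medium", PATH))  # (True, "accepted under ['ua-basic']")
```

Swapping the last subject for one outside dc=ua,dc=edu, or starting from an anchor policy the FBCA cross-certificate does not assert, makes the walk fail at the offending hop with the reason reported.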

Page 10: Internet2 Middleware PKI: Oy-vey!


On Policy

• We have a draft HEBCA Certificate Policy

• The HE CP and HEBCA CP are congruent

• The HEBCA CP and FBCA CP are congruent

• We need a HEPKI PA – EDUCAUSE is working this problem – granted “power” from ACE

Page 11: Internet2 Middleware PKI: Oy-vey!


NIH-Educause PKI Pilot: Phase Two

Electronic Grant Application With Multiple Digital Signatures

Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

Page 12: Internet2 Middleware PKI: Oy-vey!


Project Participants

• University of Alabama-Birmingham

• University of Wisconsin-Madison

• University of California, Office of the President

• University of Texas – Houston Health Science

• Dartmouth College

• Georgetown University – HEBCA proper

• National Institutes of Health (NIH)

• Mitretek (www.mitretek.org)

Page 13: Internet2 Middleware PKI: Oy-vey!


The Problem

• Picture/s of piles of grant applications

– About 20,000 5 ft high standing people of paper.

• 1 forest per year for just grant apps.

• The Solution: signed, electronic grant application

– Of course!

Page 14: Internet2 Middleware PKI: Oy-vey!


Phase Two Concept of Operations (CONOPS)

[Diagram: University A, University B and University C each send an E-Lock Assured Office digitally signed grant application across the Internet to the NIH OER Mail Server and on to the NIH OER Recipient, who runs CAM-enabled E-Lock Assured Office with the NIH CAM Server; Certificate Validation for University A, B and C and CertStatus via FBCA and HEBCA]

Page 15: Internet2 Middleware PKI: Oy-vey!


“DAVE” (Discovery and Validation Engine)

[Diagram: sender (UA) with E-Lock software, UA CA (issued) and UA directory; receiver (NIH) with DAVE/CAM, NIH CA trust anchor and NIH directory; cross certs between NIH CA, FBCA (FBCA dir), HEBCA (HEBCA dir) and UA CA; “get Cert, CRL via directory chaining”; New LDAP Registry of Directories for BCAs]

Page 16: Internet2 Middleware PKI: Oy-vey!


Bridge CA vs. Shibboleth

• PKI is hard to deploy to end users

• Shib should use BCA aware PKI between servers

• Club Shib will then scale using Policies and Relationships established by Bridge CA world

• ONE Club Shib managed by policy - globally

• Java 1.4 is Bridge aware. Whistler supposed to be.

Page 17: Internet2 Middleware PKI: Oy-vey!

The PKI Puzzle

By David Wasley, UCOP

PKI provides:
• Strong Authentication
• Flexible Authorization
• Secure Digital Signature
• Powerful Data Security

[Diagram: Campus Systems, Campus PKI, Directory, Server Certs, Vendor Resources, Campus Resources, Shib; Fed Bridge, Educause HE Bridge, CREN Root CA; EDUPKI Hierarchy, COMPKI Hierarchy, PKI Hierarchy, Medical]

Page 18: Internet2 Middleware PKI: Oy-vey!

[Diagram: Technical / Policy]

PKI is 1/3 Technical and 2/3 Policy?