Number of slides: 10
Higher Education Bridge Certification Authority: Scalable Linking of PKI Trust Domains
David L. Wasley
Fall 2006 PKI Workshop

Topic Span
- Why a bridge makes sense
- Where is the HEBCA?
Bridged vs. Hierarchical PKI
- Simple PKI is hierarchical and assumes a uniform policy set
  - Assumed by most products today
- Hierarchies are "PKI islands"
  - Therefore browsers and apps include 100+ "trust anchors"
- Bilateral cross-certification can link "islands"
  - Provides superior trust management
  - Maps policy you "know" to other policy, with constraints
- A "bridge" is a general case of this
  - Serves as a "trust broker"
PKIs are islands of common trust (diagram)

Bi-lateral cross-certification (diagram)

A "bridge" serves as a trust broker (diagram)
What this looks like to an RP
- A Relying Party can build a trusted path from a Subject User cert to its own TA
- This avoids the RP having to know and understand policy in other PKI domains
The bridge as trust broker
- Trust is established by Certificate Policy
- Each PKI domain has a Trust Anchor
- Each domain can specify how its policy set is met or exceeded by the other domain's policy
- Each can place limits on this trust
- If there is no equivalency, there is no trust
- The bridge does this with respect to each of its member domains
- Members must trust the bridge to do this properly
- Each can limit how far it is willing to 'network'
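As an added illustration (not from the slides), a small Python model of what the relying party on the previous two slides does: it walks issuer links from the subject's cert back to its own trust anchor, carries its own policy through each cross-cert's policy mappings, and stops when a member's path-length limit is exceeded or no equivalent policy exists. All names and policy labels are constructed; they are not real HEBCA identifiers or OIDs.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset                # policy labels asserted (constructed, not real OIDs)
    mappings: tuple = ()               # (issuerDomainPolicy, subjectDomainPolicy) pairs
    path_len: Optional[int] = None     # CA certs allowed below this one: how far to 'network'

def validate(ee, certs, ta, rp_policy):
    """Path from `ee` back to the RP's own trust anchor `ta`, checking that `rp_policy`
    (in the RP's own terms) is met at every hop. Returns 'trusted' or the failure reason."""
    by_subject = {c.subject: c for c in certs}
    chain, cur = [ee], ee
    while cur.issuer != ta.subject:             # walk issuer links towards our TA
        cur = by_subject.get(cur.issuer)
        if cur is None or cur in chain:
            return "no path to trust anchor"
        chain.append(cur)
    chain.reverse()                             # top-down: TA-issued cross-cert ... EE
    acceptable = {rp_policy}                    # policies equivalent to rp_policy at this depth
    remaining = None                            # path-length budget set by an upstream member
    for cert in chain:
        if cert is not ee and remaining is not None:
            remaining -= 1
            if remaining < 0:
                return "path longer than a member is willing to network"
        matched = cert.policies & acceptable
        if not matched:                         # no equivalency, no trust
            return "no policy equivalency"
        mapped = dict(cert.mappings)            # "my policy p is met or exceeded by your q"
        acceptable = {mapped.get(p, p) for p in matched}
        if cert.path_len is not None:
            remaining = cert.path_len if remaining is None else min(remaining, cert.path_len)
    return "trusted"

# Constructed sample PKIs: Campus A is the RP's domain, HEBCA the bridge, B and C members.
TA_A = Cert("Campus-A Root", "Campus-A Root", frozenset({"A-medium"}))
CERTS = [
    # A cross-certifies the bridge: A-medium is met by HEBCA-medium; at most 1 CA may follow.
    Cert("HEBCA", "Campus-A Root", frozenset({"A-medium"}), (("A-medium", "HEBCA-medium"),), 1),
    # The bridge cross-certifies each member, mapping its policy onto the member's policy.
    Cert("Campus-B CA", "HEBCA", frozenset({"HEBCA-medium"}), (("HEBCA-medium", "B-medium"),)),
    Cert("Campus-C CA", "HEBCA", frozenset({"HEBCA-basic"}), (("HEBCA-basic", "C-basic"),)),
    Cert("Campus-B Dept CA", "Campus-B CA", frozenset({"B-medium"})),
]
BOB = Cert("bob@campus-b.example", "Campus-B CA", frozenset({"B-medium"}))
CAROL = Cert("carol@campus-c.example", "Campus-C CA", frozenset({"C-basic"}))    # basic assurance only
DAVE = Cert("dave@campus-b.example", "Campus-B Dept CA", frozenset({"B-medium"}))  # one CA too deep
```

Running `validate(BOB, CERTS, TA_A, "A-medium")` trusts Bob through the bridge, while Carol fails for lack of an equivalent policy and Dave fails because Campus A limited how far it would network.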
Higher Education Bridge CA - HEBCA
- Sponsored by EDUCAUSE to support linking campus PKIs with each other and with sponsored partners
- Patterned after the Federal Gov't FBCA
  - Plan is to cross-cert with FBCA
  - Other BCAs have expressed interest too
- Operated at Dartmouth College
  - Test bridge is running
  - CP/CPS almost complete
  - Awaiting critical mass
Questions?
- Scott Rea (HEBCA OA): Scott.Rea@Dartmouth.EDU
- David Wasley (HEBCA PA): dlwasley@earthlink.net
- http://www.educause.edu/hebca