  • Number of slides: 24

PKI 150: PKI Parts Policy & Progress Part 2
Jim Jokl, University of Virginia
David Wasley, University of California

Activities in other Communities
• PKIX – IETF Standards for PKI
• www.ietf.org/html.charters/pkix-charter.html
• Federal PKI work
• csrc.nist.gov/pki/twg
• State Governments
• www.ec3.org
• National Electronic Commerce Coordinating Council
• Medical community & HIPAA
• HIPAA – Health Insurance Portability & Accountability Act
  – aspe.os.dhhs.gov/admnsimp/
• CHIME - Connecticut Hospital Association CA
  – www.chime.org/chimetrust.asp
• HealthKey – Replicable PKI model for health care
  – www.healthkey.org
• Tunitas – Consulting group
  – www.tunitas.com/pages/PKI/pki.htm

Activities in other Communities
• PKI Forum
  – Vendor alliance to promote PKI
  – www.PKIForum.org
• Overseas
• EuroPKI for Higher Ed
  – www.europki.org/ca/root/cps/en_index.html
• Open source software
  – OpenSSL, OpenCA
  – Much open-source work done outside of US for export restriction reasons.

Federal Government Activities
• ACES Certificates
• Access Certificates for Electronic Services
• hydra.gsa.gov/aces
• Citizen / Government interaction: student loans, change of address…
• User authentication RA
• Financial model

Federal Government Activities
Bridge Certification Authority
• Highly decentralized organization
• Hierarchy more difficult
• CA trust list does not scale well
• Bridge Certification Authority (BCA) solves these problems
• Prototype: February 2000
• Production planned first quarter 2001

Higher Education Activities
• CREN CA
• www.cren.net/ca
• NET@EDU PKI for Networked Higher Ed
• www.educause.edu/netatedu/groups/pki
• PKI Labs
• middleware.internet2.edu/pkilabs

Internet2 PKI Labs
• Dartmouth and Wisconsin
• computer science departments and IT staff
• Performing deep research - two to five years out
• Policy languages, path construction, attribute certificates, etc.
• National Advisory Board of leading academic and corporate PKI experts provides direction
• Catalyzed by startup funding from ATT

Higher Education PKI Activities - HEPKI
• Sponsors
• Internet2, CREN, and EDUCAUSE
• HEPKI - Technical Activities Group (TAG)
• Open-source PKI software
• Certificate profiles
• Directory / PKI interaction
• Validity periods
• Client customization issues
• Mobility
• Inter-institution test projects
• Technical issues with cross-certification

Higher Education PKI Activities - HEPKI
• HEPKI - Policy Activities Group (PAG)
• Certificate policy drafts
• Sharing RFPs, vendor relations
• State government activity, state laws
• Federal agency interaction
• Open records acts, FERPA
• Campus educational materials
• HEPKI Group Information
• www.educause.edu/hepki

Certificate Profiles
• A per-field description of certificate contents
• Standard and extension fields
• Criticality flags
• Syntax of values permitted per field
• Spreadsheet format by R. Moskowitz
• XML and ASN.1 alternatives for machine use
• Higher education profile repository
• http://www.educause.edu/hepki

Certificate Profiles
• Assortment of EE/CA certificates
• From eight institutions
• Most certificates kept relatively simple
• No one is doing CRLs, etc. yet
• Certificates are Version 3
• Signing algorithms are RSA/MD5 or RSA/SHA-1

Certificate Profiles
Validity Period
• Wide variation from per-session to one year
• Long term: expiration synchronized to semester
• Long term: time zone hack
Assurance level indicator
• Explicit extension
• Policy OID
Key usage
• Some certificates employ Key Usage field
• Variation on criticality setting
• General agreement on no encryption without escrow
Grid

Certificate Profiles
Issuer/Subject field naming
• X.500-style Distinguished Names
FERPA & certificate contents
• Subject fields with real names
• Anonymous names
  – What about signing email?
Little use of constraint extensions
• basic, name, policy
Addition of CA serial number

Certificate Profiles
Domain Component Naming
Some certificates also use DC naming
• Encode domain names into X.500-type name fields (dc=Internet2, dc=edu) (RFC 2247)
• Issuer and Subject fields
Example: given a certificate, how to find authorization info and other data
Recommendation via Consensus Process
• Use DC naming in the Subject and Issuer fields
• Place DC components in most significant part of the name
• Use more specific pointers to information before using DC names in applications
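
The DC naming recommendation above, as an added example that is not part of the original slides: it maps a DNS name to dc components per RFC 2247, parses a string-form DN, and rejects names whose DC components are not in the most significant position. The function names are hypothetical and chosen for illustration.

```python
import re

LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")

def domain_to_rdns(domain):
    """RFC 2247 mapping: one dc RDN per DNS label, most significant (TLD) first."""
    labels = domain.rstrip(".").split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        raise ValueError("invalid DNS name: %r" % domain)
    return [("dc", label) for label in reversed(labels)]

def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs, most significant first.
    The string form lists the least significant RDN first, so the list is reversed.
    Single-character backslash escapes are honoured; hex escapes and
    multi-valued RDNs ('+') are not handled."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i + 1]          # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":              # unescaped comma ends one RDN
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns[::-1]

def dc_domain(dn):
    """Return the DNS domain spelled by the DC RDNs of dn, or None if there are none.
    Raises ValueError when a DC RDN sits below a non-DC RDN, i.e. the DC
    components are not the most significant part of the name."""
    rdns = parse_dn(dn)
    n = 0
    while n < len(rdns) and rdns[n][0] == "dc":
        n += 1
    if any(attr == "dc" for attr, _ in rdns[n:]):
        raise ValueError("DC components are not most significant: %r" % dn)
    if n == 0:
        return None
    return ".".join(value for _, value in reversed(rdns[:n])).lower()
```

An application that receives a certificate can call `dc_domain` on the Subject or Issuer name to learn which institution's domain to consult, and treat a `ValueError` as a name that does not follow the recommendation.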

Certificate Profiles: Some Issues
Profile Convergence
• Shared desire to minimize the number of profiles in the community
  – Ease policy mapping
  – Promote interoperability
• What is the right number of profiles?
  – What are the applications?
• Recommendations for new implementations
HEPKI: work for consensus on some set of common profile recommendations
More profiles would be useful

Mobility Options
Hardware tokens
• Smart cards, USB devices, iButtons
• Key-pair generation location
• Driver software quality
• Session timeout support
Software-based Mobility
• passwords to download from a store or directory
• proprietary roaming schemes - Netscape, VeriSign, ...
• IETF SACRED working group established
  – HEPKI-TAG Scenarios
• Non-repudiation questions
Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)

HEPKI-TAG Other Areas of Work
Web site update
• Recommendations
• Information for those starting on PKI
  – References
  – How-to information
  – Minutes and survey data
• www.educause.edu/hepki/
• What else would be useful?

CA Private Key Protection Issues
• CA Private Key is the root of all trust
• Storage options
  – Clear text on disk
  – Encrypted storage on disk
  – On hardware device
• Physical protection of CA
  – Locked doors and racks
  – OS Configuration
• Multi-level solution
• Collection of information for new PKI sites

Discussions and Projects
PKI Applications Table
Higher Education Distributed Root Certificate Deployment (heDRCD)
• Problem: how to load root certificates into browsers
• DNS SRV records, HTTP, browser code
• Protection via “phone home” concept
Certificate Repository
• A mechanism for users to safely obtain root certificates from other institutions
• SSL or signed objects
• High assurance process – like CREN CA

Discussions and Projects
Higher Education Bridge Certification Authority (heBCA)
• Higher education has many of the same issues as the federal government
• Adapt the federal model for use in higher ed
• The bridge could:
  – Interconnect multiple Higher Ed hierarchical CA services
  – Interoperate with the federal bridge
  – Work with other industry groups

PKI Application Issues
An Example
• Goal: VPN Authentication via PKI
• Equipment: VPN Concentrator
• Device uses ou of Subject DN for group membership
• Moral
• Code only what you need into the certificate
• Get the remainder from a directory
• Think first

Some thoughts on open source solutions
• We are doing this at Virginia
• Good points
• Great control
• Easily tied into our existing Web authentication for issuing certificates
• Issues
• No complete kit
  – You can’t just type Configure; make install
• Time
• Lots of little details
  – SCEP
  – CRL via LDAP vs. HTTP

Will it fly? Well, it has to…
Scalability
Performance
“With enough thrust, anything can fly”

Where to watch
• middleware.internet2.edu
• www.educause.edu/hepki
• www.cren.org
• www.pkiforum.org