78b24e81554e7a0085831d8aaba6e841.ppt
- Number of slides: 9
Slide 1: PKI & USHER/HEBCA
Fall 2005 Internet2 Member Meeting
Jim Jokl, jaj@Virginia.EDU
September 21, 2005

Slide 2: PKI and USHER/HEBCA
- (How) do all of these PKI pieces fit together?
  - USHER – US Higher Education Root CA
  - HEBCA – Higher Education Bridge CA
  - Campus Certification Authorities
  - EDUCAUSE contract for outsourced certificates
- What should a campus be doing?
- Where's the glue?

Slide 3: Fundamental Decision: Build or Buy
- Building your own PKI
  - Certification Authority (CA)
    - Developing or installing CA software
    - Operating it in a secure environment
  - Implementing the Registration Authority (RA) function
    - Identity proofing of individuals
    - Handling requests for revocation, etc.
  - Some considerations
    - Early investment in staff time, likely lower per-certificate costs for large deployments in the long run
    - Users can have as many certificates as they need
    - Software examples at: http://middleware.internet2.edu/hepki-tag/opensrc.html

Slide 4: Fundamental Decision: Build or Buy
- Buying PKI services
  - Certification Authority (CA)
    - Provided by the outsource company
    - Operated remotely in a secure environment
  - Implementing the Registration Authority (RA) function
    - Identity proofing of individuals
    - Handling requests for revocation, etc.
  - Some considerations
    - Quick start-up
    - Annual costs bounded by the number of certificates issued
    - Root certificate likely already trusted by your browsers and installed in your operating systems
    - May limit the number of certificates that each user can have
    - Example: http://www.educause.edu/imsp

Slide 5: Some Interesting PKI Applications
- The build vs. buy decision may be influenced by your PKI applications
  - Electronic mail (S/MIME)
  - VPN (IPSec), Wireless (EAP-TLS), & SSH authentication
  - Web authentication
  - Grids (Globus toolkit)
  - LionShare
  - Digital signatures on documents
- Applications with large numbers of users may tip the balance towards the "build" option
  - Note that certificate management (getting the same certificate/key on multiple computers) can be hard for users

Slide 6: Inter-organizational Trust
[Diagram: cross-certificate pairs. Campus A (Mid-A CA, users) and Campus B (Mid-B CA, users) are linked to the HEBCA Bridge by cross-certificate pairs; the USHER CA sits above subordinate Campus CAs and their users, through Campus n.]

Slide 7: A Higher-level View of Inter-organizational Trust
[Diagram of trust nodes: FBCA, SAFE, HEBCA, USHER CA, commercial CAs (Educause contract, Verisign CA, others), several Campus CAs and the Campus Users beneath them.]

Slide 8: One Strategy: University of Virginia
- HEBCA
  - Cross-certify our UVa High Assurance CA
    - Uses hardware tokens for private key protection and mobility
    - Photo-id identity verification
    - ~600 users now with a couple hundred more in progress
    - Applications: access to critical systems, medical research data, etc.
- USHER
  - Subordinate our UVa Standard Assurance CA
    - Uses operating system/browser key store
    - Certificates issued on-line via database check
    - ~13,000 users with ~28,000 certs
    - Applications: wireless auth, VPNs, Globus
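Slides 6 and 8 describe the two ways a campus CA joins the federation: cross-certifying a high-assurance CA with the HEBCA bridge, or subordinating a standard-assurance CA under the USHER root. The script below is an added example, not code from the slides or from UVa, Internet2 or EDUCAUSE. It builds both topologies with the openssl CLI (1.1.1 or later) using constructed CA names and throwaway keys, then shows that a Campus A relying party that trusts only its own root accepts a Campus B user certificate only when the cross-certificates through the bridge are supplied, and that a relying party trusting the USHER root validates a subordinate campus CA's user with an ordinary hierarchical chain.

```shell
#!/bin/sh
# Added example (not from the slides): a toy bridge-CA topology built with
# the openssl CLI.  All names (Campus A CA, Campus B CA, HEBCA Bridge, USHER
# Root, the users) are constructed stand-ins and every key is a throwaway.
set -e

# Self-contained openssl config so the run does not depend on the distro file.
pki_write_config() {
  cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA key + certificate.  usage: pki_new_ca <stem> <CN>
pki_new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$PKI_DIR/pki.cnf" \
    -subj "/CN=$2" -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.pem" 2>/dev/null
}

# Certify an existing key under an issuer; a cross-certificate and a
# subordination certificate are both just this.
# usage: pki_issue <issuer-stem> <key-stem> <CN> <ext-section> <out-stem>
pki_issue() {
  openssl req -new -key "$PKI_DIR/$2.key" -subj "/CN=$3" \
    -config "$PKI_DIR/pki.cnf" -out "$PKI_DIR/$5.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$PKI_DIR/$5.csr" -CA "$PKI_DIR/$1.pem" \
    -CAkey "$PKI_DIR/$1.key" -CAcreateserial -extfile "$PKI_DIR/pki.cnf" \
    -extensions "$4" -out "$PKI_DIR/$5.pem" 2>/dev/null
}

pki_setup() {
  PKI_DIR=$(mktemp -d)
  pki_write_config
  pki_new_ca campusA "Campus A CA"
  pki_new_ca campusB "Campus B CA"
  pki_new_ca bridge  "HEBCA Bridge"
  pki_new_ca usher   "USHER Root CA"
  # Bridge model: campus CAs and the bridge exchange cross-certificates.
  # Only the direction a Campus A relying party needs is built here:
  # Campus A -> Bridge -> Campus B.
  pki_issue campusA bridge  "HEBCA Bridge" ca_ext bridge_by_A
  pki_issue bridge  campusB "Campus B CA"  ca_ext campusB_by_bridge
  cat "$PKI_DIR/bridge_by_A.pem" "$PKI_DIR/campusB_by_bridge.pem" \
    > "$PKI_DIR/crosscerts.pem"
  # Subordination model: the USHER root certifies a campus CA key directly.
  pki_new_ca campusStd "Campus Standard Assurance CA"
  pki_issue usher campusStd "Campus Standard Assurance CA" ca_ext campusStd_by_usher
  # One end-entity certificate under each campus CA.
  openssl genrsa -out "$PKI_DIR/userB.key" 2048 2>/dev/null
  openssl genrsa -out "$PKI_DIR/userStd.key" 2048 2>/dev/null
  pki_issue campusB   userB   "Campus B User"    ee_ext userB
  pki_issue campusStd userStd "Standard CA User" ee_ext userStd
}

# Relying party at Campus A trusts only its own root.  Returns 0 when the
# Campus B user certificate validates through the cross-certificates.
pki_verify_via_bridge() {
  openssl verify -CAfile "$PKI_DIR/campusA.pem" \
    -untrusted "$PKI_DIR/crosscerts.pem" "$PKI_DIR/userB.pem" >/dev/null 2>&1
}

# Same anchor, no cross-certificates: returns 0 when validation FAILS, i.e.
# the bridge really is the only link between the two campuses.
pki_verify_without_bridge() {
  ! openssl verify -CAfile "$PKI_DIR/campusA.pem" "$PKI_DIR/userB.pem" >/dev/null 2>&1
}

# A relying party that trusts the USHER root validates the subordinate
# campus CA's user with the ordinary hierarchical chain.
pki_verify_via_usher() {
  openssl verify -CAfile "$PKI_DIR/usher.pem" \
    -untrusted "$PKI_DIR/campusStd_by_usher.pem" "$PKI_DIR/userStd.pem" >/dev/null 2>&1
}

pki_setup
pki_verify_via_bridge     && echo "Campus A -> HEBCA -> Campus B user: OK"
pki_verify_without_bridge && echo "Campus A without cross-certs: rejected, as expected"
pki_verify_via_usher      && echo "USHER root -> subordinate campus CA -> user: OK"
```

Real bridge deployments cross-certify in both directions and carry certificate policy OIDs, policy mappings and name constraints in the cross-certificates so that a relying party can require a given assurance level; the script omits all of that, so path validation here checks only names, signatures and basic constraints.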
Slide 9: Some Helpful Projects
- PKI-Lite
- HEPKI Model Certification Policy
- Digital signature tools project
- S/MIME
- Software CA packages
  - Investigating a project to make a campus "make install" CA available
  - Include software, tuned for PKI-Lite certificate profiles
  - Document integration with campus AuthN