PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.

1 PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder

2 Agenda  Fundamentals - Components and Contexts  The missing pieces - in the technology and in the community  Current Activities - feds, chime, anx, overseas, pkiforum, etc.  Higher Ed Activities (CREN, HEPKI-TAG, HEPKI-PAG, Net@edu, PKIlabs)

3 PKI: A few observations  Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack… But it is that ubiquitous and important  Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITP’s...  Options breed complexity; managing complexity is essential

4 A few more...  IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder.  No one seems to be working on the solutions for the agora.

5 Uses for PKI and Certificates  authentication and pseudo-authentication  signing docs  encrypting docs and mail  non-repudiation  secure channels across a network  authorization and attributes  and more...

6 A framework  PKI Components - hardware, software, processes, policies  Contexts for usage - community of interests  Implementation options (in-source, out-source, roll-your-own, etc.)  Note changes over time...

7 PKI Components  X.509 v3 certs - profiles and uses  Validation - Certificate Revocation Lists, OCSP, path construction  Cert management - generating certs, using keys, archiving and escrow, mobility, etc.  Directories - to store certs, and public keys and maybe private keys  Trust models and I/A  Cert-enabled apps

8 PKI Contexts for Usage  Intracampus  Within the Higher Ed community of interest  In the Broader World

9 PKI Implementation Options  In-source - with public domain or campus unique  In-source - with commercial product  Bring-in-source - with commercial services  Out-source - a spectrum of services and issues  what you do depends on when you do it...

10 Cert-enabled applications  Browsers  Authentication  S/MIME email  IPsec and VPN  Globus  Secure multicast

11 X.509 certs  purpose - bind a public key to a subject  standard fields  extended fields  profiles  client and server cert distinctions

12 Standard fields in certs  cert serial number  the subject, as X.500 DN or …  the subject’s public key  the validity field  the issuer, as id and common name  signing algorithm  signature info for the cert, made with the issuer’s private key

13 Extension fields  Examples - auth/subject subcodes, key usage, LDAP URL, CRL distribution points, etc  Key usage is very important - for digsig, non-rep, key or data encipherment, etc.  Certain extensions can be marked critical - if an app can’t understand it, then don’t use the cert  Requires profiles to document, and great care...

14 Cert Management  Certificate Management Protocol - for the creation and management of certs  Revocation Options - CRL, OCSP  Storage - where (device, directory, private cache, etc.) and how - format  escrow and archive - when, how, and what else needs to be kept  Cert Authority Software or outsource options  Authority and policies

15 Certificate Management Systems  Homebrews  OpenSSL and OpenCA  Baltimore, Entrust, etc.  W2K, Netscape, etc.

16 Directories  to store certs  to store CRL  to store private keys, for the time being  to store attributes  implement with border directories, or ACLs within the enterprise directory, or proprietary directories

17 Inter-organizational trust model components  Certificate Policy - uses of particular certs, assurance levels for I/A, audit and archival requirements  Certificate Practices Statement - the nitty gritty operational issues  Hierarchies vs Bridges: a philosophy and an implementation issue; the concerns are transitivity and delegation; hierarchies assert a common trust model; bridges pairwise agree on trust models and policy mappings

18 Certificate Policies Address (CP)  Legal responsibilities and liabilities (indemnification issues)  Operations of Certificate Management systems  Best practices for core middleware  Assurance levels - varies according to I/A processes and other operational factors

19 Certificate Practice Statements (CPS)  Site specific details of operational compliance with a Cert Policy  A single practice statement can support several policies (Chime)  A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.

20 Trust chains  Path construction - to determine a path from the issuing CA to a trusted CA; heuristics to handle branching that occurs at bridges  Path validation - uses the path to determine if trust is appropriate; should address revocation, key usage, basic constraints, policy mappings

21 Trust chains  When and where to validate: off-line; on a server; at the discretion of the application; depth of chain  some revocations better than others - major (disaffiliation, key compromise, etc.) and minor (name change, attribute change)  sometimes the CRL can’t be found or hasn’t been updated
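
Added example (not part of the original slides): a sketch of the path validation checks named on slides 13, 20 and 21, run over a simplified certificate model rather than parsed X.509. The Cert class, the extension set, the sample names and the fail-closed handling of a missing CRL are assumptions of this example; signature verification and policy mappings are left out.

```python
from dataclasses import dataclass
from datetime import datetime

# Extensions this example validator understands (assumed set).
KNOWN_EXTENSIONS = {"basicConstraints", "keyUsage", "cRLDistributionPoints"}

@dataclass(frozen=True)
class Cert:
    """Simplified model of the cert fields, not a DER parser."""
    serial: int
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False
    path_len: int = -1                 # -1 means no pathLenConstraint
    key_usage: frozenset = frozenset()
    critical: frozenset = frozenset()  # names of extensions marked critical

def validate_path(path, anchors, crls, now):
    """path[0] is the end entity; path[-1] must be issued by a trust anchor.
    crls maps issuer -> revoked serials. Signatures are NOT verified here.
    Returns (ok, reason)."""
    if path[-1].issuer not in anchors:
        return False, "path does not end at a trusted CA"
    for depth, cert in enumerate(path):
        if not cert.not_before <= now <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        unknown = cert.critical - KNOWN_EXTENSIONS
        if unknown:  # critical and not understood: do not use the cert
            return False, f"{cert.subject}: unknown critical extension {min(unknown)}"
        if cert.issuer not in crls:  # CRL missing: fail closed (assumed policy)
            return False, f"{cert.subject}: no CRL from {cert.issuer}"
        if cert.serial in crls[cert.issuer]:
            return False, f"{cert.subject}: revoked"
        if depth == 0:
            continue
        # From here on the cert is acting as issuer of path[depth - 1].
        if path[depth - 1].issuer != cert.subject:
            return False, f"{cert.subject}: did not issue {path[depth - 1].subject}"
        if not cert.is_ca or "keyCertSign" not in cert.key_usage:
            return False, f"{cert.subject}: not allowed to sign certificates"
        if 0 <= cert.path_len < depth - 1:
            return False, f"{cert.subject}: pathLenConstraint exceeded"
    return True, "ok"

# Constructed sample: end entity <- Campus CA <- Example Root (trust anchor).
T0, T1, NOW = datetime(2024, 1, 1), datetime(2026, 1, 1), datetime(2025, 1, 1)
CA = Cert(2, "Campus CA", "Example Root", T0, T1, True, 0, frozenset({"keyCertSign"}))
EE = Cert(7, "alice", "Campus CA", T0, T1, critical=frozenset({"keyUsage"}))
CRLS = {"Campus CA": set(), "Example Root": set()}
```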

22 Mobility Options  smart cards  usb dongles  passwords to download from a store or directory  proprietary roaming schemes abound - Netscape, Verisign, etc  SACRED within IETF recently formed for standards  integration of certificates from multiple stores

23 More current activities  HEPKI  the Grid

24 Current Activities  PKIX (charter.html)  Federal PKI work  State Govs  Medical community (Tunitas, CHIME, HIPAA)  Automobile community (ANX)  Overseas: Euro government - qualifying certs; EuroPKI for Higher Ed

25 All the stuff we don’t know…  Revocation approaches  Policy languages  Standard profiles  Mobility  Path math  User interface

26 PKI and Higher Ed  ah, the public sector life…  Key issues  Current activities

27 ah, the public sector…  almost universal community of interests  cross-agency relationships  complex privacy and security issues  limited budgets and implementation options  sometimes ahead of the crowd and the obligation to build a marketplace

28 Key issues  trust relationships among autonomous organizations  interoperability of profiles and policies  interactions with J.Q. Public  international governance issues


