Presentation is loading. Please wait.

Presentation is loading. Please wait.

Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris.

Similar presentations

Presentation on theme: "Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris."— Presentation transcript:

1 Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris

2 10/12/2000www.cren.net2 What is CREN in Year 2000?  A non-profit higher education member organization - 230 members  Mission - Support higher education and research organizations with strategic IT knowledge services and communication tools for infrastructure  Evolving from BITNET launched in 1984 (Visit us at  “Corporation for Research and Educational Networking”

3 10/12/2000www.cren.net3 Certificate Authority - Topics (3)  Operations and Status l As many questions as we have answers..:-)  EvolvingTrust Models l Hierarchical model -Trust Anchor l Bridge model - Trust Conduit l Cross-certification Plans  Evolving Documents l Certificate Policies - with cert profile info l Certificate Practice Statements l IETF RFC 2527 as guide to doc development

4 10/12/2000www.cren.net4 Certificate Authority by CREN  Goal is to simplify connection to a trust community  Serve as a trusted third party and to facilitate trust relationships l Among institutions l Between higher education and other communities  Provide a link to other validated, trusted institutions without a separate pair-wise trust relationship between each pair of institutions

5 10/12/2000www.cren.net5 Certificate Authority by CREN  Primary initial use is a focus on supporting inter - institutional resource sharing l Among institutions l Between institutions and content providers l Primarily for academic content and research resources  Goal - map to basic or medium assurance with Federal Bridge Certificate Authority  Operate under a Certificate Practices Statement of 1/27/2000 Version 3.0

6 10/12/2000www.cren.net6 Higher Education CA by CREN Hierarchical CA Trust Community Minn HeHRCA (CREN) UT-Austin Princeton MIT GaTech UTenn Penn State HeHRCA Group shares “close enough” CP, CPS Hierarchy as “Trust Anchor.”

7 10/12/2000www.cren.net7 Operations - Higher Ed CA (1)  CA Subscriber process  Two page Application Form completed by Institution’s CREN member rep  Signed by an executive officer of institution  Once registration is complete, the technical contact l Issues request for certificate l Accepts the certificate on behalf of institution

8 10/12/2000www.cren.net8 Operations - Higher Ed CA (2)  CREN Office l Serves as the Registration Authority (RA) l Receives, approves, and manage the applications and issuance of institutional certificates l Validates institutional contacts for the institutional CA certificate l Sends message to MIT approving and initiating secure contact with institution

9 10/12/2000www.cren.net9 Operations - Higher Ed CA (3)  MIT l Operates the CREN CA under contract for CREN l Receives the certificate request message directly from technical contact at institution l Generates the institutional certificate l Sends the institutional certificate back to technical contact and to CREN RA Contact l Updates the repository of certificates

10 10/12/2000www.cren.net10 CREN Root Key Cutting Ceremony at MIT 11/17/99

11 10/12/2000www.cren.net11 Certificate Authority Status  Institutional certificates issued and accepted l MIT, Georgia Tech, Princeton l U of Minnesota, UT-Austin, Penn State  Testing with JSTOR is underway l Success with remote access using U of MN CREN -issued certificate - 9/19/00 l One next step: test with U Minn directory query based on https embedded in certificate

12 10/12/2000www.cren.net12 Applications  Registration process complete - U Tenn & U Mass - Amherst  Applications received - in various stages of process l Johns Hopkins University l Florida State University  Other applications received, but folks wanted something else

13 10/12/2000www.cren.net13 Relationship of CREN within Higher Education (1)  Working closely with HEPKI-TAG and PAG l TAG- Technical Issues Group l PAG - Policy Issues Group  HEPKI is a loose federation of Internet2, EDUCAUSE and CREN and community folks  Led by Ken Klingenstein - Internet2 and many others...

14 10/12/2000www.cren.net14 Relationship of CREN within Higher Education (2)  Issues with the certificate profile. l More detail on next two slides...  Other technical issues on table l Repositories, trust paths and revocation  Policy and practices work - again with HEPKI-PAG and TAG groups

15 10/12/2000www.cren.net15 Certificate Profile Issues  Validity Period - l CREN root renewed on 6/14/2000 is valid to 11/17/07 - Eight years l Institutional certificates are issued with five year validity period  DC naming in certificates - l Can include DC in “Subject Field” of Institutional Certificate following x.500 name l CREN cert “Subject field” will be x.500 only l HEPKI Recommendation - Jim Jokl paper in review

16 10/12/2000www.cren.net16 Certificate Profile Issues - More  Upgraded to Version 3 cert with extensions in 6/00  Continuing discussion on other attributes in the Basic Constraints and Key usage fields -- gathering input to January 2001.  Issue of hash - change to SHA1 from MD5 for the signature algorithm  Have an OID - 7091 - from IANA

17 10/12/2000www.cren.net17 Certificate Profile Issues - More  Principle - Profiles of CREN root certificate, institutional certificates, and client certificates can and probably will be different  Work by HEPKI-TAG is working towards more consistency rather than less with certificate profiles - again led by Ken Klingenstein

18 10/12/2000www.cren.net18 Policy Work : HEPKI and CREN  Certificate policy work l Mapping policies from FBCA, and Euro-PKI with RFC 2527 l HEPKI Goal - create generic higher ed certificate policy and CPS l Revise the existing CREN CPS and develop a Certificate Policy - need one for CREN CA Hierarchy and one for CREN CA Bridge l Evolving to a recommendation that Campus CAs need both CP and CPS

19 10/12/2000www.cren.net19 Possible PKI Infrastructure- Higher ED HeBCA/CREN Mn HeHRCA/CREN UCOP UT-Austin Princeton MIT GaTech UTenn Penn State HEPKI- PA UAB UWI MIT HeI GeorgeT HeBCA Group shares“close enough” CP, CPS- but might map to higher level of assurance or have different granularities of relationships Bridge acts as trust conduit or transport

20 10/12/2000www.cren.net20 Evolving PKI Infrastructure Higher ED and Links to Others FPKI-PA FBCA DOE DOJ ETC HeBCA/CRENHeHRCA/CREN HEPKI- PA HeI Relying Parties Community HeI Note: Not clear how vendors should be represented.

21 10/12/2000www.cren.net21 June 2000 CREN CA Pilot Meeting  Jeff demonstrated first version of CREN repository  Certificate profile work reviewed  Working Groups: l Validity period working group: Chair Michael Gettes l Protecting private keys: Co-Chairs are Jeff Schiller & Ariel Glenn l Vendor Solutions Group - Chair Kevin Unrue

22 10/12/2000www.cren.net22 CREN CA Continuing work Fall, 2000 (1)  Continue working the issues and issuing institutional certificates  Work on building community awareness and expertise via scenarios, FAQs, and workshops plus support of HEPKI activities  Examine feasibility of issuing server certificates to institutions with institutional certificates

23 10/12/2000www.cren.net23 CREN CA Continuing work Fall, 2000 (2)  FAQ on Directories is in review l Complement for FAQ on PKI l Complements the “LDAP Recipe”  CA Pilot Schools meeting in October with Internet2 in Atlanta  Planning for Seminars on Directories and Certificate Authorities in late January 2001  Plan for CREN CA Production Levels  Work on the browser challenge...

24 10/12/2000www.cren.net24 Continuing Open Questions  Certificate Profiles - Can we achieve a common profile? Also common CPs and CPs?  How will the CA relationships within higher education in the US evolve?  How to get the CREN Root in the Netscape and IE browsers?  What might the links to Euro-PKI look like?  What community of interest does the Euro- PKI Certificate Policy address?

25 10/12/2000www.cren.net25 For More Information…and to Get Involved...  HEPKI is the place to start l website:  CA List at CREN l Send request to  CREN Web site - l CA Section l Archived TechTalks l FAQ on PKI Infrastructure at web site l Campus scenarios

Download ppt "Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris."

Similar presentations

Ads by Google