Higher Ed Certificate Authority by CREN, October 12, 2000, TERENA Meeting/Paris (presentation transcript)
What is CREN in Year 2000?
- A non-profit higher education member organization - 230 members
- Mission - Support higher education and research organizations with strategic IT knowledge services and communication tools for infrastructure
- Evolving from BITNET, launched in 1984
- “Corporation for Research and Educational Networking” (Visit us at www.cren.net)
10/12/2000 www.cren.net

Certificate Authority - Topics (3)
- Operations and Status
  - As many questions as we have answers.. :-)
- Evolving Trust Models
  - Hierarchical model - Trust Anchor
  - Bridge model - Trust Conduit
  - Cross-certification Plans
- Evolving Documents
  - Certificate Policies - with cert profile info
  - Certificate Practice Statements
  - IETF RFC 2527 as guide to doc development

Certificate Authority by CREN
- Goal is to simplify connection to a trust community
- Serve as a trusted third party and facilitate trust relationships
  - Among institutions
  - Between higher education and other communities
- Provide a link to other validated, trusted institutions without a separate pair-wise trust relationship between each pair of institutions

Certificate Authority by CREN
- Primary initial use is a focus on supporting inter-institutional resource sharing
  - Among institutions
  - Between institutions and content providers
  - Primarily for academic content and research resources
- Goal - map to basic or medium assurance with the Federal Bridge Certificate Authority
- Operate under a Certificate Practices Statement of 1/27/2000, Version 3.0

Higher Education CA by CREN
[Diagram: hierarchical CA trust community; labels shown: HeHRCA (CREN), Minn, UT-Austin, Princeton, MIT, GaTech, UTenn, Penn State.]
- HeHRCA Group shares “close enough” CP, CPS
- Hierarchy as “Trust Anchor.”

Operations - Higher Ed CA (1)
- CA Subscriber process
- Two-page Application Form completed by the institution’s CREN member rep
- Signed by an executive officer of the institution
- Once registration is complete, the technical contact
  - Issues request for certificate
  - Accepts the certificate on behalf of the institution

Operations - Higher Ed CA (2)
- CREN Office
  - Serves as the Registration Authority (RA)
  - Receives, approves, and manages the applications and issuance of institutional certificates
  - Validates institutional contacts for the institutional CA certificate
  - Sends message to MIT approving and initiating secure contact with the institution

Operations - Higher Ed CA (3)
- MIT
  - Operates the CREN CA under contract for CREN
  - Receives the certificate request message directly from the technical contact at the institution
  - Generates the institutional certificate
  - Sends the institutional certificate back to the technical contact and to the CREN RA contact
  - Updates the repository of certificates

CREN Root Key Cutting Ceremony at MIT, 11/17/99

Certificate Authority Status
- Institutional certificates issued and accepted
  - MIT, Georgia Tech, Princeton
  - U of Minnesota, UT-Austin, Penn State
- Testing with JSTOR is underway
  - Success with remote access using U of MN CREN-issued certificate - 9/19/00
  - One next step: test with U Minn directory query based on https embedded in certificate

Applications
- Registration process complete - U Tenn & U Mass - Amherst
- Applications received - in various stages of process
  - Johns Hopkins University
  - Florida State University
- Other applications received, but folks wanted something else

Relationship of CREN within Higher Education (1)
- Working closely with HEPKI-TAG and PAG
  - TAG - Technical Issues Group
  - PAG - Policy Issues Group
- HEPKI is a loose federation of Internet2, EDUCAUSE and CREN and community folks
- Led by Ken Klingenstein - Internet2 and many others...

Relationship of CREN within Higher Education (2)
- Issues with the certificate profile.
  - More detail on next two slides...
- Other technical issues on the table
  - Repositories, trust paths and revocation
- Policy and practices work - again with HEPKI-PAG and TAG groups

Certificate Profile Issues
- Validity Period
  - CREN root renewed on 6/14/2000 is valid to 11/17/07 - Eight years
  - Institutional certificates are issued with a five-year validity period
- DC naming in certificates
  - Can include DC in “Subject Field” of Institutional Certificate following the X.500 name
  - CREN cert “Subject field” will be X.500 only
  - HEPKI Recommendation - Jim Jokl paper in review

Certificate Profile Issues - More
- Upgraded to Version 3 cert with extensions in 6/00
- Continuing discussion on other attributes in the Basic Constraints and Key Usage fields - gathering input to January 2001.
- Issue of hash - change to SHA1 from MD5 for the signature algorithm
- Have an OID - 7091 - from IANA

Certificate Profile Issues - More
- Principle - Profiles of CREN root certificate, institutional certificates, and client certificates can and probably will be different
- HEPKI-TAG is working towards more consistency rather than less with certificate profiles - again led by Ken Klingenstein

Policy Work: HEPKI and CREN
- Certificate policy work
  - Mapping policies from FBCA and Euro-PKI with RFC 2527
  - HEPKI Goal - create generic higher ed certificate policy and CPS
  - Revise the existing CREN CPS and develop a Certificate Policy - need one for CREN CA Hierarchy and one for CREN CA Bridge
  - Evolving to a recommendation that Campus CAs need both CP and CPS

Possible PKI Infrastructure - Higher Ed
[Diagram: possible bridge topology; labels shown: HeBCA/CREN, HeHRCA/CREN, Mn, UCOP, UT-Austin, Princeton, MIT, GaTech, UTenn, Penn State, HEPKI-PA, UAB, UWI, HeI, GeorgeT.]
- HeBCA Group shares “close enough” CP, CPS - but might map to higher level of assurance or have different granularities of relationships
- Bridge acts as trust conduit or transport

Evolving PKI Infrastructure - Higher Ed and Links to Others
[Diagram: links between the higher ed PKI and others; labels shown: FPKI-PA, FBCA, DOE, DOJ, ETC, HeBCA/CREN, HeHRCA/CREN, HEPKI-PA, HeI, Relying Parties Community.]
- Note: Not clear how vendors should be represented.

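As an added illustration (not CREN's or HEPKI's code), a small Python model of the trust models and certificate profile checks from the preceding slides: a hierarchy whose root is the trust anchor, a bridge cross-certified in both directions acting as trust conduit, and path discovery that enforces the validity period, a non-MD5 signature hash, the CA flag with keyCertSign, and a Basic Constraints pathLen. The certificate records and names (www.mit.example, alice@doe.example, the FBCA and DOE entries, the pathLen value) are constructed for the example, not real certificates.

```python
from collections import deque
from datetime import date

def cert(issuer, subject, not_before, not_after, ca=True, path_len=None,
         sig_hash="sha1", key_usage=("keyCertSign",)):
    """Constructed, simplified record holding only the profile fields the slides discuss."""
    return dict(issuer=issuer, subject=subject, not_before=not_before, not_after=not_after,
                ca=ca, path_len=path_len, sig_hash=sig_hash, key_usage=key_usage)

HE_ROOT, BRIDGE = "HeHRCA/CREN", "HeBCA/CREN"
CERTS = [  # constructed community: HeHRCA hierarchy plus an HeBCA bridge cross-certified with the FBCA
    cert(HE_ROOT, HE_ROOT, date(2000, 6, 14), date(2007, 11, 17)),          # renewed root
    cert(HE_ROOT, "MIT", date(2000, 1, 1), date(2005, 1, 1)),               # 5-year institutional cert
    cert("MIT", "www.mit.example", date(2000, 9, 1), date(2001, 9, 1),
         ca=False, key_usage=("digitalSignature",)),                       # server cert from MIT
    cert("MIT", "legacy.mit.example", date(2000, 9, 1), date(2001, 9, 1),
         ca=False, sig_hash="md5", key_usage=("digitalSignature",)),       # still MD5-signed
    cert(HE_ROOT, BRIDGE, date(2000, 7, 1), date(2005, 7, 1), path_len=2),  # cross-certificates
    cert(BRIDGE, HE_ROOT, date(2000, 7, 1), date(2005, 7, 1)),              # in both directions
    cert(BRIDGE, "FBCA", date(2000, 7, 1), date(2005, 7, 1)),
    cert("FBCA", BRIDGE, date(2000, 7, 1), date(2005, 7, 1)),
    cert("FBCA", "DOE", date(2000, 7, 1), date(2005, 7, 1)),
    cert("DOE", "alice@doe.example", date(2000, 7, 1), date(2001, 7, 1),
         ca=False, key_usage=("digitalSignature",)),
]

def acceptable(c, today):
    """Per-certificate checks from the slides: inside the validity period and not MD5-signed."""
    return c["not_before"] <= today <= c["not_after"] and c["sig_hash"] != "md5"

def find_path(anchor, target, certs, today):
    """Breadth-first search for a certification path from a trust anchor to an end-entity subject.
    Intermediates must be CA certs with keyCertSign; pathLen caps the CA certs that may follow."""
    by_issuer = {i: [c for c in certs if c["issuer"] == i] for i in {c["issuer"] for c in certs}}
    queue, seen = deque([(anchor, None, [anchor])]), {anchor}  # (CA, remaining pathLen, path so far)
    while queue:
        node, budget, path = queue.popleft()
        for c in by_issuer.get(node, []):
            if c["subject"] in seen or not acceptable(c, today):
                continue
            if c["subject"] == target and not c["ca"]:
                return path + [target]  # reached the end entity
            if not c["ca"] or "keyCertSign" not in c["key_usage"] or budget == 0:
                continue
            seen.add(c["subject"])
            left = None if budget is None else budget - 1
            if c["path_len"] is not None:
                left = c["path_len"] if left is None else min(left, c["path_len"])
            queue.append((c["subject"], left, path + [c["subject"]]))
    return None  # no acceptable path from this anchor
```

A relying party anchored on HeHRCA reaches a DOE user only through the bridge, and a federal relying party anchored on the FBCA reaches the MIT server the same way in reverse; tightening the cross-certificate's pathLen to 1 cuts the first of those paths off.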
June 2000 CREN CA Pilot Meeting
- Jeff demonstrated first version of CREN repository
- Certificate profile work reviewed
- Working Groups:
  - Validity period working group: Chair Michael Gettes
  - Protecting private keys: Co-Chairs are Jeff Schiller & Ariel Glenn
  - Vendor Solutions Group - Chair Kevin Unrue

CREN CA Continuing Work, Fall 2000 (1)
- Continue working the issues and issuing institutional certificates
- Work on building community awareness and expertise via scenarios, FAQs, and workshops, plus support of HEPKI activities
- Examine feasibility of issuing server certificates to institutions with institutional certificates

CREN CA Continuing Work, Fall 2000 (2)
- FAQ on Directories is in review
  - Complement for FAQ on PKI
  - Complements the “LDAP Recipe”
- CA Pilot Schools meeting in October with Internet2 in Atlanta
- Planning for Seminars on Directories and Certificate Authorities in late January 2001
- Plan for CREN CA Production Levels
- Work on the browser challenge...

Continuing Open Questions
- Certificate Profiles - Can we achieve a common profile? Also common CPs and CPSs?
- How will the CA relationships within higher education in the US evolve?
- How to get the CREN Root in the Netscape and IE browsers?
- What might the links to Euro-PKI look like?
- What community of interest does the Euro-PKI Certificate Policy address?

For More Information… and to Get Involved...
- HEPKI is the place to start
  - website: www.educause.edu/HEPKI
- CA List at CREN
  - Send request to firstname.lastname@example.org
- CREN Web site - www.cren.net
  - CA Section
  - Archived TechTalks
  - FAQ on PKI Infrastructure at web site
  - Campus scenarios