Presentation on theme: "Dartmouth PKI Deployment Case Study: What Works and Doesn’t Work (so far) Presented by: Mark Franklin Sixth Annual PKI Summit at Snowmass, Colorado August."— Presentation transcript:
Dartmouth PKI Deployment Case Study: What Works and Doesn’t Work (so far) Presented by: Mark Franklin Sixth Annual PKI Summit at Snowmass, Colorado August 2004
2 Dartmouth PKI Lab R&D to make end user PKI a practical component of a campus network Multi-campus collaboration sponsored by the Mellon Foundation Dual objectives: –Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere). –Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.
3 Production PKI Applications at Dartmouth Dartmouth certificate authority –Issued 850 end users have certificates, 575 of them are active students PKI authentication in production for: –Banner Student Information System –Library Electronic Journals –Tuck School of Business Portal –VPN Concentrator –Blackboard CMS –Software downloads S/MIME (Outlook, Mozilla, Thunderbird) AOL AIM (PKI-secured sys admin communications)
4 Lessons Learned at Dartmouth Start simple, fancier later Online enrollment Client-side SSL authN VPN authN PKI authN initially as an option USB tokens for security & portability Security incident inspires urgency User-initiated revocation Certificate renewal Fast conversion to PKI authN Complex CP/CPS documents Encryption (at least not yet) WorksDoesn’t Work
5 Works: Start simple, fancier later Don’t try to make it perfect right away Simplify, get started, adjust, etc. Avoid getting mired in making elaborate policies It is possible to adjust your policies later – just issue a new CPS (few read them anyway) How many institutions have formal username/password policy? Remember what you’re replacing and don’t make PKI a non- starter by holding it to too high standards.
6 Works: Online enrollment Self-service web enrollment for low assurance and short term certificates (2 minute operation, LDAP password authN) Higher assurance certificates still web enrollment, but also require authorized Dartmouth representative to check ID (5 minute operation)
7 Works: Client-side SSL authN Apache modssl easy to set up, IIS works out of the box Seamless failover to legacy Kerberos authN Oracle IAS integration works well PKI-only authN is easy to set up – more work to support failover to legacy authN and handle non compliant browsers gracefully.
8 Works: PKI authN initially as an option Reduce barriers to getting started Relatively risk free environment to refine PKI authN Conservative deployment avoids big glitches Earn confidence of system owners over time Our sys admin community wouldn’t allow requiring PKI right away anyway.
9 Works: USB tokens for security & portability Enforces password on private key in Windows CAPI Excellent portability for PKI credentials Also store legacy username/password securely – bridge to PKI future We’re just ramping up (700 Aladdin eTokens to freshmen next month) – talk to us in a year and we’ll know a lot more.
10 Works: Security incident inspires urgency Very recent incident – dust not settled yet USB tokens now very high priority We laid the groundwork… now we expect an urgent mandate to go into high gear. Don’t try this at home, kids! (Not recommended procedure to get priority!)
11 Doesn’t Work: User-initiated revocation Users simply don’t revoke their certificates Fortunately, they don’t lose control of their private key often either (tokens should virtually eliminate this) Still need institutional-initiated revocation
12 Doesn’t Work: Certificate renewal Application owners and users consider renewal an annoyance Troubles with renewal announcements in SunOne CA (discontinued, and one SP back) Glitches with renewal on tokens We’ve just moved to four year validity period (covers most undergraduates without renewal).
13 Doesn’t Work: Fast conversion to PKI authN Minimizing user disruption is paramount to our system administrators and application owners, and they refused to deploy PKI aggressively. Likely different now after our security incident and now that we have a good track record with the initial cautious deployment.
14 Doesn’t Work: Complex CP/CPS documents 8 pagers are hard enough to keep up with – 80 pages?!? PKI Lite is a good starting point Get more complicated only as needed
15 Doesn’t Work: Encryption (at least not yet) Key escrow complexity Separate signing and encryption keys causes complication in apps Complications arise from our strategy of issuing multiple sets of credentials for user convenience Nothing insurmountable – we just chose not to go there yet in the name of simplicity.
16 Conclusion Dartmouth’s first year of production client- side PKI has gone quite well, and we intend to refine and aggressively expand our deployment.
17 For More Information Outreach web: Dartmouth PKI Lab PKI Lab information: Dartmouth user information, getting a certificate: