Dartmouth PKI Certificate Deployment June 2004 Fed Ed Meeting
2 Dartmouth PKI Lab
R&D to make PKI a practical component of a campus network
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
–Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
–Improve the current state of the art.
Identify security issues in current products.
Develop solutions to the problems.
3 Production PKI Applications at Dartmouth
Dartmouth certificate authority
–800 end users have certificates, over 500 of them are students
PKI authentication in production for:
–Banner Student Information System
–Library Electronic Journals
–Tuck School of Business Portal
–VPN Concentrator
–Blackboard CMS
–Software downloads
S/MIME email (Outlook, Mozilla, Thunderbird)
AOL AIM (PKI-secured sys admin communications)
4 Second Wave of PKI Deployment at Dartmouth
Actively developing:
Hardware tokens
–Required for VPN access to secured subnets
Higher assurance certificates (picture ID check)
Additional applications (e.g. grid)
5 Certificate Distribution Plan
Self-service web enrollment: any user can get a certificate any time (LDAP username/password)
Higher assurance certificates (picture ID registration, usually on tokens) in production soon
Moving to tokens for portability and two factor authentication
Distributing tokens to all incoming freshmen who purchase a Windows computer
6 Freshmen Distribution
Distribute over 800 computers in 2 hours
Conducted every year since 80’s
Covering cost of tokens in computer purchase price
Not included (roughly 30%):
–Macintosh purchasers (no Mac drivers for tokens yet)
–“Bringers” who choose not to purchase a computer from the distribution
–Anybody can get a token later
This strategy will cover most undergraduates over the course of 4 years – controlled way to gain critical mass
7 Freshmen Distribution Logistics
Challenge: How to enroll certificates on these tokens?
–5 minutes each adds up fast with 700 – 800 enrollments
–Issue vouchers for the tokens and have helpdesk issue them later
–Spreads out labor
Token drivers pre-installed on computers
User education is a combination of handouts and web:
–No training classes
–Explicit cookbook instructions, very light on PKI theory
–Worked well with software certificates – help desk load has been insignificant to date
8 Other Users
Low key approach – not forcing the issue (yet)
Purchased 750 tokens to “prime the pump”
First targeting staff, and faculty who have special reasons to use them, e.g.:
–Health services staff
–Users of sensitive systems
–System administrators
Grad students and non-freshmen undergrads voluntary (so far)
WSO and SSO applications provide value managing username passwords
Phase in applications that require PKI
9 End Goal
Over time, PKI becomes primary authentication method for applications and users
Tokens for the masses
As appropriate, deploy digital signature and encryption applications
Make PKI as invisible as possible
10 For More Information
Outreach web: www.dartmouth.edu/~deploypki
Dartmouth PKI Lab
PKI Lab information: www.dartmouth.edu/~pkilab
Dartmouth user information, getting a certificate: www.dartmouth.edu/~pki
Mark.J.Franklin@dartmouth.edu