Presentation is loading. Please wait.

Presentation is loading. Please wait.

HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl

Similar presentations

Presentation on theme: "HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl"— Presentation transcript:

1 HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl jaj@Virginia.EDU

2 HEPKI-TAG Activities Sponsors: I2, Educause, CREN, NET@EDU Charter – Technical Activities Group (TAG) –Certificate profiles, CA software –Private key protection –Mobility, client issues –Interactions with directories –Testbed projects –Communicate results

3 Survey of Anticipated Campus PKI Applications Schools participating in the HEPKI work were surveyed on anticipated uses for PKI on campus HEPKI-TAG PKI Applications Survey

4 Certificate Profile Work A per-field description of certificate contents –Standard and extension fields –Criticality flags –Syntax of values permitted per field Spreadsheet & text formatsSpreadsheettext Higher education profile repository –

5 Certificate Profiles Validity Period –Wide variation from per-session to one year –Long term: expiration synchronized to semester Some form of assurance level indicator –Explicit extension –Policy OID –In issuer field Key usage –Some certificates employ Key Usage field

6 PKI Complexity and Applications You often hear of PKI as a solution for: –Authentication for high-assurance processes Funds transfer Medical records Student grades –Digital signatures Contracts Other legal documents But, can’t it also be a good fit as a technology that is better than passwords but less than a high-assurance CA?

7 PKI-lite Project Premise: many useful PKI applications can be supported using a relatively simple PKI –Simplified policy & practices Do we have large complex policies and practices for we operate our existing systems? –Examples of existing campus assurance levels Passwords on large central systems ID card system

8 PKI-lite Project Assumptions Overarching goal – simplify –Use PKI technology with existing application policy and practices PKI-lite design objectives –S/MIME –Web authentication Specify as little as possible –But provide suggested answers and templates

9 PKI-lite Technical Assumptions Certificate revocation capability is up to the institution and is not required Key usage will not be specified No requirement for separate signing and encryption certificates No requirements for key escrow Fully on-line CAs are allowed. PKI-lite does not specify the level of protection for the campus CA Simplified user identity assurance

10 PKI-lite Certificate Profile Single common profile supporting –Web authentication –S/MIME Relatively stable –in final review since December PKI-lite Certificate Profile

11 S/MIME Testing Outlook, Outlook Express, Netscape –General interoperability OK at the email level –Users can choose to sign, encrypt, or both –Clients use different certificate stores Certificate management issues Eudora with tumbleweed plug-in S/MIME support in other clients lacking

12 S/MIME Testing Outlook certificate quirk –Requires both signing and encryption certificates –So, watch key usage field Encryption issues –Folder storage Sent mail Inbox Folders –Private key backup and management Escrow Backup

13 S/MIME Testing Message forwarding to alternate inbox –Some mailers may tamper with the message contents Mailing list software –Conversion of tabs to spaces –Deletion of trailing blanks, tabs –List configuration options Opaque signing –A solution –Interoperability S/MIME & perfect privacy? – The address book problem

14 PKI-lite Campus Infrastructure Issue certificates –Contract with commercial CA –CA Software –Freely available certificates for testing Authentication for web applications –Many ways: mod_ssl & Apache S/MIME –Clients –Directory –Documentation & certificate management recommendations

15 HEPKI-Tag Projects and Demonstrations Certificate Profile Maker –Web interface –Generates XML HEPKI-CA –A demonstration CA PKI Authentication Demo –Accepts certificates from various participating schools Institutional root certificate repository –Download institutional/organizational root certificates

16 CA Private Key Protection Issues –CA Private Key is the root of all trust –Private key storage options Clear text storage on disk Encrypted storage on disk On hardware device –Physical protection of CA Locked doors and racks OS Configuration –Multi-level solutions –Jeff Schiller draft on TAG websitedraft

17 The Mobility Problem A definition: the ability to use the same cert/key-pair from multiple computers Some scenarios: –Move to a new computer –Users with work and home computers –Students and a public lab environment

18 The Mobility Problem Do mobility requirements depend on the application? –Web-auth and an on-line CA –S/MIME Mobility needs and assurance levels –Impact on non-repudiation? Solution space: hardware and software mechanisms

19 Hardware Tokens External hardware devices –Memory-only devices –Key-pair generation Private key import? –PIN protection scheme –Physical security –Provides dual-factor authentication –USB and various other reader interfaces

20 Hardware Token Examples: Smart Cards Default behaviors –Customized programming can change behavior Dual user/admin PIN systems –Card locks after x user-pin attempts –Fuse opens after y admin pin attempts Single PIN/Reinitialize systems –Card blocks after x user-pin attempts –Card can be reset back to factory state and reused

21 Software-based Solutions Issues –Overall level of protection –Authenticating the user –Non-repudiation? Floppy disk and import/export IETF SACRED

22 Discussions and projects HEPKI-TAG Website –Recommendations –Information for those starting on PKI References How-to information Certificate profiles Minutes and survey data –

23 Project Participation Much work remains –Research and recommendations –Pilot projects –Mobility –S/MIME Project –Consider participating in HEPKI-TAG if you are working on a PKI deployment

24 Where to watch NET@EDU PKI for Networked Higher EdNET@EDU – PKI Labs –

Download ppt "HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl"

Similar presentations

Ads by Google