Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.

Similar presentations


Presentation on theme: "1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia."— Presentation transcript:

1 1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia

2 2 HEPKI-TAG Activities  Sponsors: EDUCAUSE, Internet2,  Charter – Technical Activities Group (TAG) Open-source PKI software Certificate profiles Directory / PKI interaction Validity periods Client customization issues Mobility Inter-institution test projects Private Key Protection Technical issues with cross-certification Communicate results  Process Biweekly conference calls Sessions at higher education events

3 3 Updates to PKI-Lite  PKI-Lite: using PKI technology at the LOA of the existing campus login/password system  Updated policy and practices documentdocument Changes based on feedback from NMI project, etc Clarifications to hierarchical CAs, language, etc Still 9 pages, fill in the blanks format Relationship to Citizen and Commerce (C4) Policy  FIPS-140 crypto, audits, CRL/OCSP required  New PKI-Lite certificate profiles End Entity  Bridge Environment (Authority and Subject key identifiers)  EAP-TLS Microsoft OID (SubjectAlt/OtherName/PrincipalName) Certification Authority  Authority and Subject Key Identifiers All profiles – more closely follow the RFCs for critical flags

4 4 S/MIME  Plan to update the S/MIME compatibility table with data for additional clients  HEPKI-TAG coordinated a letter to Qualcomm requesting S/MIME support for Eudoraletter Qualcomm was/is developing S/MIME support for EUDORA HEPKI-TAG developed a prioritized list of features of what we’d like to see in the clientlist Looking forward to being early testers

5 5 Introductory Materials Aiding Initial Campus Deployments  Recall our PKI-Lite framework Using PKI for “standard” applications where you likely would have used names/passwords in the past Standard Policy/Practices document and Profiles  Designed to support S/MIME, VPN, Web Authentication, etc  Validated on other apps (e.g. Globus, document signing applications, etc). Newer addition: PKI-Lite RecipePKI-Lite Recipe  by Steven Carmody at Brown

6 6 US Higher Education Root (USHER) and Policy  Background A hierarchical CA for Higher Education  Issue authority certificates to campus CAs  Replace and offer more than the old CREN hierarchy Initial discussions on LOA for USHER  Strong procedures for USHER operations  Strong process to identify campuses Discussions on requirements for schools  Something heavy, C4, PKI-Lite, less, etc?  Implications for when USHER cross-certifies with HEBCA?  Early focus decisions Strong procedures for USHER itself; use the InCommon I&A process for schools Architect for an USHER-heavier and an USHER-Lite Focus deployment on USHER-Lite

7 7 One older concept for the US Higher Education Root (USHER) USHER-Lite InCommon CA Shib Cert School CA USHER Basic/Medium School CA USHER Root

8 8 Current Thinking for USHER USHER-Lite Root InCommon CA Shib Cert School CA Future USHER Basic/Medium School CA Note: InCommon CA not related to USHER in a PKI sense HEBCA

9 9 USHER & Policy: Enter LionShare  LionShare needs a trust fabric that works logically like PKI-Lite Verify PKI-Lite OID in cert  Question: can/should USHER require at least PKI-Lite from campuses? Schools doing this anyway Strong pushback on TAG call  How does USHER certify campuses  Campus liability concerns  Why is a requirement needed? USHER Campus CA LionShare SASL CA Short-life user certificates

10 10 Current Thinking on USHER-Lite No requirements for what the campus can do using their USHER authority certificate LionShare will require the PKI-Lite Policy OID in certificates issued by the SASL-CA USHER CA profileCA  Profiles include AIA for bridge cert discovery in XP

11 11 Next Projects for HEPKI-TAG  Continue support for USHER  Maintain & update existing documents and services  Signing tools projectproject Document and web form signing tools  Update of S/MIME work Update compatibility matrix Eudora when ready  Campus CA Audits Preparation and documents for campus auditors  In the queue Windows smart card login Mobility and Hardware Token update Application integration (administrative and general) CA software More/better introductory materials Bridge application testing Grid integration & documentation Update hardware token work EAP-TLS documentation Look at SILC Insert your favorite item(s) here

12 12  If you are working on these topics, consider participating in HEPKI-TAG  Some references middleware.internet2.edu/hepki-tag  Links to other sites, CA software, etc PKI for Networked Higher Education  cation/928 cation/928 pkidev.internet2.edu PKI Labs  middleware.internet2.edu/pkilabs middleware.internet2.edu/pkilabs Questions - References


Download ppt "1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia."

Similar presentations


Ads by Google