PKI Georgetown University or Whaassuuuup PKI? Michael R. Gettes Lead Application Systems Integrator “LASI”

1 PKI Status @ Georgetown University, or Whaassuuuup PKI?
Michael R. Gettes
Lead Application Systems Integrator “LASI”
gettes@Georgetown.EDU

September 20, 2000, CSG PKI Workshop, gettes@georgetown.edu

2 Policy
- We don’t need no stinkin’ policy!
- Covert warfare can be a valid tactic for IT deployments
- Yes, this is a juicy rationalization with self-serving purpose
- Verified no District (DC) laws limiting PKI

3 Middleware
If the goal is a PKI…
- Identifiers
- Identification process
- Authentication systems
- Directory
- CA Deployment
- Server Certificates
- Authorizations
- Client Certificates

4 Server Config
- CA Software: Netscape CMS 4
- Solaris, E250
- On same physical hardware as Kerberos slave
- Root key is simple PW protected. But, this is COTS!
- Purchased 100 Certs, $30 each; your mileage may vary
- All work done by 1 person
- Get this going quickly for Network Services

5 Netscape CMS 4.2
- Some Auth-n methods for end users
- Really intended for LDAP integration
- Forms for certificate enrollment
- Web based for RA and Operator functions
- Policies for governing the formulation of certificates
- Managed by Netscape Console
- Publishing of certificates and CRLs: LDAP, of course

6 Netscape CMS 4.2
- Event-driven notifications
- Backup and recovery (escrow): see sproule@Princeton.EDU for more info
- Database is LDAP as well… do we detect a pattern here?

7 CA Certificate
- Valid until 10/2001
- Simple profile
  - No special extensions
  - No special constraints or criticalities
- Subject contains X.500 and DC names
  - O=Georgetown University required because of Communicator
  - dc=georgetown,dc=edu at end of subjectName in Certificates
  - Also root suffix for Enterprise Directory

8 CA Issued Certificates
- Client Certificates: NONE
  - Cost, Deployment, Policy
- Server Certificates: on a limited basis, carefully considered
  - Valid until 10/2001
  - No special constraints
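As an added example, not taken from the slides and not Georgetown's own tooling, the following standard-library Python script encodes the two checks a practitioner would want for the profile described on the "CA Certificate" and "CA Issued Certificates" slides: the subject must carry O=Georgetown University and must close with dc=georgetown,dc=edu, and an issued server certificate must not outlive the CA certificate that signs it (both are stated as valid until 10/2001). The DN parser handles RFC 4514 backslash escapes so that a comma inside a value does not split the name. The exact October 2001 cutoff day, the function names and the sample subject names are assumptions for this example.

```python
"""Subject-profile and validity check for certificates issued under the
CA profile on the slides.  Added example, not Georgetown's own code;
uses only the standard library."""
from datetime import datetime, timezone

# Profile values taken from the slides.
CA_ORG = "Georgetown University"                      # required by Communicator
CA_DC_SUFFIX = (("dc", "georgetown"), ("dc", "edu"))  # must close the subject
# "Valid until 10/2001": the exact day is an assumption for this example.
CA_NOT_AFTER = datetime(2001, 10, 1, tzinfo=timezone.utc)


def parse_dn(dn):
    """Parse an RFC 4514 string DN such as 'cn=ca,o=Foo,dc=foo,dc=edu' into
    an ordered list of (type, value) pairs.  Backslash escapes are honoured,
    so 'cn=Smith\\, John' keeps its comma.  Attribute types are lower-cased;
    values are returned as written."""
    rdns, buf, attr_type = [], [], None
    in_type, escaped = True, False
    for ch in dn:
        if escaped:                      # character following a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif in_type and ch == "=":      # end of attribute type
            attr_type = "".join(buf).strip().lower()
            buf, in_type = [], False
        elif not in_type and ch == ",":  # end of attribute value
            rdns.append((attr_type, "".join(buf).strip()))
            buf, in_type = [], True
        else:
            buf.append(ch)
    if escaped or in_type:               # dangling backslash or missing '='
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr_type, "".join(buf).strip()))
    return rdns


def check_subject(dn):
    """Return the list of profile violations for a subject DN; an empty
    list means the subject conforms to the slides' profile."""
    rdns = parse_dn(dn)
    findings = []
    if CA_ORG not in [v for t, v in rdns if t == "o"]:
        findings.append(f"missing O={CA_ORG}")
    n = len(CA_DC_SUFFIX)
    tail = tuple((t, v.lower()) for t, v in rdns[-n:])
    if tail != CA_DC_SUFFIX:
        findings.append("subject does not end in dc=georgetown,dc=edu")
    return findings


def outlives_issuer(not_after, issuer_not_after=CA_NOT_AFTER):
    """True when an issued certificate's notAfter ('YYYY-MM-DD', UTC) is
    later than the CA's: such a certificate stops validating the moment
    the CA certificate expires, whatever its own notAfter says."""
    exp = datetime.fromisoformat(not_after).replace(tzinfo=timezone.utc)
    return exp > issuer_not_after


def audit(dn, not_after):
    """Combine both checks into one list of findings for an issued cert."""
    findings = check_subject(dn)
    if outlives_issuer(not_after):
        findings.append(f"notAfter {not_after} is past the CA's "
                        f"{CA_NOT_AFTER:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    # Constructed sample subjects, not real Georgetown certificates.
    samples = [
        ("cn=ca.georgetown.edu,o=Georgetown University,dc=georgetown,dc=edu",
         "2001-09-30"),
        ("cn=imap.example,dc=georgetown,dc=edu", "2002-06-01"),
        ("o=Georgetown University,dc=edu,dc=georgetown", "2001-06-01"),
    ]
    for subject, expiry in samples:
        print(subject, "->", audit(subject, expiry) or "conforms")
```

The string form is most-specific-first, so "dc=georgetown,dc=edu at end of subjectName" on the slide corresponds to the last two RDNs of the parsed list, which is what the suffix comparison checks. The expiry check is the part worth keeping beyond this deck: any issuance policy should refuse a notAfter later than the issuer's, or the redeployment the slides plan for October 2001 would leave server certificates that look valid but no longer chain.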

9 Expiry Rationale
Why 10/2001 for expiry?
- Force decision on future PKI vendor or continue “as is”. Hopefully a decision!
- October implies a summer time redeployment with “misses” found in October when community is present.
- Realization of the future of CREN CA
- Validity period, fBCA model, browser deployments (maybe)

10 CA Certificate Deployment
- Netscape Communicator 4.7x
  - Customized Netscape for CA Cert deployment
  - Also needed for IMAP and other new services
  - Central IMAP and Directory only accessible with SSL
- Internet Explorer
  - No custom distribution method developed. Would like to do something in the future along with Win2K
- Manual configuration of CA Certificate: people can visit https://ca.georgetown.edu
- Alumni and other public services: Verisign

11 CA Certificate Deployment
- There must be a better way!
- MIT approach assumes client cert distribution like others; not a bad thing, just different
- Microsoft seems willing to play ball
- heDRCD (being discussed in HEPKI-TAG)

12 Directories are part of the I in PKI
- Directory (October, 1999)
  - Centralized, automated
  - Name space VERY carefully controlled
  - Users modify very little
  - Priv’d access highly restricted
  - Control considered necessary step for PKI to trust the directory
- Eventually, client, server and other certs will be published in the directory.
- Hopefully a model campus for LDAP deployment
- Internet2 Middleware 201 (others?) coursework

13 Overall Plan
- Best of all 3 worlds: LDAP + Kerberos + PKI
- LDAP Authentication performs Kerberos Authentication out the backend. Started 9/2000 to finish NS plug-in.
- Credential caching handled by Directory.
- All directory authentications SSL protected. Enforced with necessary exceptions
- Use Kerberos to derive Certificates
- One Userid/Password (single-signon vs. FSO)

14 Overall Plan
- AT&T Access Cards (Onecard project)
  - Vending, Building Access, Credit, etc.
  - Mag-stripe only, no chip
- Unfortunately, no smart-card plan by admin – at least nothing I have seen
- Schlumberger interested in HEPKI

15 CA Future
- OpenCA (built on OpenSSL)?
- Baltimore?
- Casey Lide – DST?
- Netscape/iPlanet/Sun?
- Outsourcing? (parts is parts is parts)
- Something else? (notaries)
- Ken’s matrix should help with decision

16 Georgetown Institute for Information Assurance
- Recently formed: July 2000
- Research and practical deployment of Network Security, Internet2 Middleware and PKI
- Joint work between Central IT, CompSci, Medical Center, Law Center, Public Policy Institute, Legal and other experts and faculty.
- Focal point for University policy and practice
- http://www.georgetown.edu/giia

17 Georgetown Activities
- Internet2 Middleware + EDUCAUSE, CREN
  - Directories, Dir of Dirs for Higher Ed, Shibboleth, PKI, CREN CA, LDAP-RECIPE, eduPerson
- Professor Dorothy Denning, CS, info-warfare
- Prof./Dr. Jeffrey Collmann, Sociology
- Dr. Alan Zuckerman, biometrics
- HEPKI TAG/PAG – Kathryn Baerwald, Georgetown Legal, PAG involvement.

