1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.


1 USHER Update
Fed/ED, December 2007
Jim Jokl, University of Virginia

2 USHER - US Higher Education Root CA
- Much discussion about our community
  - Needs for a PKI-based trust mechanism
  - A replacement for the old CREN CA
- Quick convergence on a set of anticipated applications
  - Web authentication
  - Electronic mail (S/MIME)
  - VPN (IPSec), Wireless (EAP-TLS), & SSH authentication
  - LionShare – P2P sharing application
  - Grid Authentication (Globus)
  - Digital Signatures

3 USHER Certification Authority
- A hierarchical PKI root for US Higher Education
[Diagram labels: USHER CA; Campus A CA, Campus B CA, Campus C CA, Campus D CA, Campus E CA; Campus A sub-CA; User]

4 USHER - US Higher Education Root CA
- However, also many questions
  - What types of CAs do campuses operate?
    - What LoA do their practices support?
    - Formal documentation and audit?
  - What LoA should the overall system provide?
  - What type of agreement can a campus sign?
    - State agencies vs. private schools
  - What is the potential liability of serving on the PA?
- Eventual decision
  - Initially implement an USHER service that minimizes the campus-level requirements & contracts
  - An USHER CA that enforces higher levels of assurance will likely be implemented in the future

5 US Higher Education Root
Technically, a Traditional Hierarchical CA
[Diagram labels: USHER CA; Campus #1 CA/RA, Campus #2 CA/RA, Campus #3 CA/RA, each with User Certs, Machine Certs, Authority Certs; Commercial CA Remote Service; Campus RA with User Certs, Machine Certs]

6 USHER Implementation
- USHER Philosophy
  - Leverage the InCommon infrastructure as much as practical
    - Use InCommon I&A process
    - If campus officials are same, no need to repeat the process
- USHER CA/RA Process
  - Signed Participation Agreement
    - Signed by a campus official authorized to commit the university
    - Designates the operational campus entity
  - A strong process is used to validate the campus operator and establish a secure communications channel
  - The campus generates a request which is then signed by the USHER CA

7 USHER Implementation & LoA
- The USHER CA itself is operated at a relatively high level of assurance
  - Solid practices for protecting & operating CA
  - Strong process to identify designated campus official and establish secure out-of-band communications
- Campus LoA: as determined by the campus
  - PKI-Lite type systems expected to be common
  - Likely some stronger LoA PKIs too
- However, recall that few contractual requirements are imposed in the agreement signed by the campus official
  - Solution: detail expectations in a set of Expected Practices

8 USHER Expected Practices
- When campuses join USHER, they are expected to adhere to the set of Expected Practices
  - Campuses will not join USHER if they can not or will not meet the expected practices
  - Campuses are expected to leave USHER if they are unable to continue to meet the expected practices
  - Action by the Policy Authority if ever needed
- PA does not audit or review audits of campus CAs

9 USHER Expected Practices
- Will operate their PKI using processes that are at least as strong as how they manage central accounts for email, calendaring, etc.
- The campus will actively maintain all services that are implied in their certificates, e.g., CRLs & OCSP, etc.
  - Policy and practices if Policy OID is present
- Campuses may issue certificates to anyone affiliated with their institution
  - The campus definition of affiliation applies

10 USHER Expected Practices
- On campus delegation is permissible
  - If it matches existing campus policy and does not dilute the LoA of user identification
- Campus will not issue 3rd party certs
  - Instead campus should sponsor the other entity for USHER membership
- Campuses strongly encouraged to document their CP and CPS
  - How many have formally documented central password procedures?
- Certificate naming
  - Will not issue certs intended to mislead or confuse relying parties
- Security issues will be considered CA operations
  - Notification of private key compromise
- So, what is the overall resulting LoA
  - Relatively strong based on a community of trust as opposed to an audited foundation

11 USHER Certificate Policies and Profiles
- For USHER
  - See: usher.internet2.edu or www.usherca.org
  - Root and Campus certificate profiles are complete
- For the campus
  - PKI-Lite is likely a good solution for campuses that have not already developed their own

12 USHER: Current Status
- General availability: now
  - Key signing ceremony completed
  - Business processes at Internet2 (leveraging the same people/processes from InCommon)
  - Campus Subscriber Agreement passed legal review
  - Expected Practices are finalized
  - CP and CPS are complete
- Schools with authority certificates
  - Johns Hopkins
  - Penn State
  - University of Virginia
  - Discussions in progress with several more schools

13 USHER: Some Q&A
- Can a campus have multiple USHER CAs?
  - Yes, and some may do this for organizational reasons
  - Also, one campus USHER CA can issue an Authority Certificate to another as long as this is consistent with existing campus ID management practices
- Eligibility
  - US Higher Education Institutions
  - Other entities sponsored by a US Higher Education member
- What will it cost? (same as InCommon)
  - $1,000 per year
  - Plus one-time institutional I&A

14 USHER: Some Q&A
- What is the minimum LOA that a relying party can assume?
  - A campus official designated a campus organization to operate the USHER CA
  - USHER used a strong process to validate the organization and establish a secure communications channel
  - The USHER CA signs campus authority certificates using a strong technical process
  - The Expected Practices document the commitment that the USHER community has agreed to make

15 USHER: Some Q&A
- Will USHER “be trusted by browsers?”
  - Not by default
    - Significant cost in the required audits
    - Perhaps some added operational costs
    - Commercial server certificates are no longer expensive
  - A new root is not hard for your users to install
    - Deliver it with their end entity certificate
    - http://pkidev.internet2.edu/rootcerts/

16 USHER Q&A: Where does USHER fit in overall?
[Diagram labels: USHER CA; Campus CA; Campus A, Campus B, Campus n; Mid-A, Mid-B; User; HEBCA Bridge; Cross-certificate pairs]

17 One View: Higher Education PKI Space
[Diagram labels: FBCA; HEBCA; SAFE; Commercial; Others; Campus CA; Educause Verisign CA; USHER CA; Campus CA; Campus Users]

18 Some References
- Main URL
  - http://usher.internet2.edu/
  - http://www.usherca.org
- USHER information sheet
  - http://usher.internet2.edu/docs/USHER_Infosheet_200604.pdf
- Also feel free to contact the members of the PA
  - http://www.usherca.org/pa.html
- http://middleware.internet2.edu/hepki-tag
  - PKI-Lite, other higher education PKI technical activities
Questions & Discussion

19 Other PKI Topics?
- UVa’s conversion from CREN to USHER
  - Windows Vista issues, back to school
  - We are developing a tool that will download and install user certificates, configure wireless and Windows Firewall, etc.
- HEPKI-TAG
  - Focus now is on a survey of PKI implementers to help determine what their needs are

