
Technical Issues that Challenge PKI Deployments Jim Jokl University of Virginia PKI Meeting August 12, 2004.



Presentation transcript:

1 Technical Issues that Challenge PKI Deployments
Jim Jokl, jaj@Virginia.EDU, University of Virginia
NET@EDU PKI Meeting, August 12, 2004

2 Hardware Tokens
- Uses
  - 2-factor authentication
  - System administrators, HIPAA data access
  - Mobility: public labs, work at home
  - Old problems of OS registration are fixed
- Issues
  - Still expensive: ~$30 to ~$50
  - Token management system
  - Generally must install client software for the tokens that we actually use
  - Token accessories are critical to acceptance

3 S/MIME
- Client support
  - Good: Outlook/Outlook Express, Netscape, Mozilla, etc.
  - OK: Mulberry, CGatePro webmail
  - None: Eudora
- Seeking HEPKI-TAG letter endorsements
- Other issues
  - Main client issue: encryption in the sent-mail folder
  - Webmail should at least verify signed email
  - Root certificate problem
  - Signed email for official announcements
  - "Incompatibility" during the roll-out

4 Some Generic Application Issues (it's not the PKI ...)
- SSH
  - Support available from ssh.com, VanDyke
  - Server authorization stage well done: a couple of simple mechanisms, wildcard matching
  - Certificate handoff to external application
  - Client certificate selection done well: tries all of the certs in the OS store
  - Not available in OpenSSL ($$$)

5 Some Generic Application Issues (it's not the PKI ...)
- 802.1x EAP-TLS wireless authentication
  - Usability
    - Very clean for Windows users
    - OK for Macintosh users
    - Linux?
  - Back-end infrastructure still somewhat painful
    - Our authentication server does path validation fine; however, users still need an account in the database
    - Should have LDAP search for authorization
    - We need different authorization for the same user on different wireless VLANs
    - Going to look at Funk Software RADIUS servers

6 EAP-TLS and the Microsoft Clients
- Microsoft field in certificate for AuthN
  - Subject Alt Name / Other Name / Principal Name
  - OID 1.3.6.1.4.1.311.20.2.3
  - If not present, uses CN
- Uniqueness issues for our CA
  - Added OID to our certificate profile
- Impact on the PKI-Lite certificate profiles
  - Agreed to add this extension to the EE cert profile
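As an added example (not from the slides), this is the lookup a Microsoft-style EAP-TLS authentication server performs on a client certificate: take the User Principal Name from the subjectAltName otherName under OID 1.3.6.1.4.1.311.20.2.3, and fall back to the subject CN only when no UPN is present. It is pure-Python DER with no libraries; the names and the SAN contents are constructed samples.

```python
# Added example: Microsoft-style EAP-TLS identity: UPN from SAN otherName (OID below), else CN.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

def der(tag, content):                  # DER TLV, short or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):                 # X.690 base-128 arc encoding
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def read_tlv(buf, pos=0):               # -> (tag, content, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def upn_general_name(upn):
    # otherName [0] ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
    return der(0xA0, encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode())))

def eap_tls_identity(san_der, subject_cn):
    """Name the server authenticates: the UPN if the SAN carries one, else CN."""
    if san_der:
        _, names, _ = read_tlv(san_der)  # SubjectAltName ::= SEQUENCE OF GeneralName
        pos = 0
        while pos < len(names):
            tag, body, pos = read_tlv(names, pos)
            if tag != 0xA0:             # rfc822Name, dNSName, ... are not otherName
                continue
            _, oid, p = read_tlv(body)
            if oid != encode_oid(UPN_OID)[2:]:
                continue                # some other otherName type
            _, wrapped, _ = read_tlv(body, p)      # strip the [0] EXPLICIT wrapper
            vtag, value, _ = read_tlv(wrapped)
            if vtag == 0x0C:            # UTF8String
                return value.decode()
    return subject_cn
```

The CN fallback is what produces the uniqueness issue on slide 6: two certificates whose subjects share a CN map to the same identity unless the UPN is present, which is why the OID was added to the profile.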

7 Some Generic Application Issues (it's not the PKI ...)
[Diagram: campus network topology with VPN concentrators, a firewall, LDAP AuthZ servers, Oracle ERP, servers S1, S2, S3 ... Sn, the Hospital Net and the Main Campus Network, with IN/OUT paths between them]

8 Operating System Support
- Windows
  - Good internal support
  - Primarily user interface issues: certificate import & export, root certificate installation (see HEPKI-TAG web site)
  - Root certificate program audits expensive
- Apple Macintosh
  - Personal and root certificate installation issues
  - Need ties into Safari for key generation & cert import
  - Had to implement a PKCS-12 proxy for our campus CA
  - Few applications use the emerging OS support
- Linux?
- Bridge path validation

9 Certificate Profiles
- Profiles change to support new applications
  - Key Usage and the Outlook problem
- PKI-Lite
  - Spent a lot of time/effort to get it right at first
  - Added AIA based on XP path validation work
  - Added Microsoft OID for EAP-TLS support
  - Add smart card login attribute next? What is next?
  - New user certs needed each time
  - Could some of this type of authorization be done outside of the identity certificate?

10 Digital Signatures
- Document signing
  - The active content problem
  - Interoperability between applications
  - Key: choose the right tool for your application
- Web form signing
  - Want to sign both the form and the data that the user submitted
  - Products are very expensive

11 Ease of Use Comes from Widespread PKI Enabling of Applications
- All standard applications supporting and using PKI for all aspects of their operation
  - E.g., certificates for IMAP/SMTP authentication instead of just for use with S/MIME
  - All instead of some of the campus VPN services
  - All instead of a few web-based applications
- Is there a reason why clients shouldn't simply try all available personal certificates?

12 Campus Globus Implementations
- The Globus toolkit uses PKI for authentication of users and resources
  - The PKI-Lite profile works well
  - A proxy certificate is used internally
  - A file maps certificates to login names
- Campus CA integration is complicated by the Globus interface
  - Campus CAs and OS-exported certificates are generally in PKCS-12 format
  - Globus expects raw PEM files for key and cert
- Grids are often intercampus applications
  - Most campuses not part of hierarchy now
  - Bridges or PKI hierarchy needed

13 Schematic of Grid Testbed PKI Integration Goal
[Diagram: Campus A through Campus F Grids, each with its own PKI (A's PKI, B's PKI, C's PKI), joined to a Testbed Bridge CA and a Shibbolized Testbed CA by cross-cert pairs; user certs are issued within each campus]

14 Globus and Bridges
- 2nd phase testing now
  - Built "production" bridge for testbed: dedicated laptop/OpenSSL
  - Cross-certified UVa, UAB, USC, and TACC
- Results (so far)
  - Bridge path validation OK for EE certs
  - Server certificate validation not working via bridge; digging into OpenSSL interface
  - Bridge itself is fine; e.g. XP validates both directions
- Tools being created
  - Chase down cross certificates via AIA pointer, populate Globus certificate and signing policy directory
  - Credential converter web site: PKCS12 to PEM

15 What is not a significant problem
- Issuing certificates
  - Deployed our own CAs
    - Standard: on-line, tied into our databases/AuthN, LDAP
    - High assurance: tokens only, ID check, etc.
  - Available CAs: Papyrus, OpenCA, kX509, etc. (see HEPKI-TAG web site)
- SSL server certificates
  - Prices down to $39/server; $300/wildcard
- Authentication apps with good ease of use
  - Web applications
  - VPN
  - Wireless

16 HEPKI-TAG Projects (a list of other issues)
- Must-do items
  - Support the USHER / InCommon projects
  - Maintain & update existing documents and services
- Potential projects discussed and ranked at our meeting
  - Update work on S/MIME
  - Windows domain authentication
  - CA audits: preparing your internal audit department
  - EAP-TLS for wireless authentication
  - Update on hardware tokens: survey, documentation, recommendations
  - Introductory materials for sites getting started (CA software, applications, cookbook, etc.)
- Other possibilities discussed more briefly
  - Grid integration: survey, bridge testing
  - Document and webform signing
  - Profiles: AIA, EPPN, Smart Card Login

17 Some Reference URLs
- middleware.internet2.edu/hepki-tag: PKI-Lite documents (profiles, policy & practices), S/MIME, links to other sites, CA software, etc.
- NET@EDU PKI for Networked Higher Ed: www.educause.edu/netatedu/groups/pki
- www.educause.edu/hepki
- pkidev.internet2.edu
- PKI Labs: middleware.internet2.edu/pkilabs




