Slide 1: CAMP PKI UPDATE, August 2002
Jim Jokl, jaj@Virginia.EDU

Slide 2: Higher Education PKI Activities - HEPKI
- Sponsors: Internet2, EDUCAUSE, CREN, NET@EDU
- HEPKI Technical Activities Group (TAG)
  - Open-source PKI software
  - Certificate profiles
  - Directory / PKI interaction
  - Validity periods
  - Client customization issues
  - Mobility
  - Inter-institution test projects
  - Technical issues with cross-certification

Slide 3: PKI-lite
- Full function but lightweight
- A normal PKI technical infrastructure
  - Authenticate users
  - Issue certificates, perhaps revoke certificates
  - A comparatively simple certificate profile
  - Support applications, directories, etc.
- A lightweight administrative/policy structure
  - Supports applications without high assurance needs
  - One- or two-page certification policy
  - Assurance levels per existing campus practice
- Campus evolution towards a full-featured PKI

Slide 4: PKI-lite Project Status
- PKI-lite certificate profiles completed
  - Designed to support web authentication & S/MIME
  - End Entity profile
  - CA certificate profile
- PKI-lite Policy and Practices Statement
  - Individual documents prepared, then merged
  - Reviewed by many people
  - Template-based "fill in the blanks" approach
- HEPKI Demo CA
  - Source code available for examination
  - Certificate repository

Slide 5: S/MIME Project Charter
- Why S/MIME?
  - Support in many email clients
  - Why not PGP?
  - A business driver for PKI
  - Chicken & egg problem
- Project goals
  - Demonstrate the technology
  - Show intercampus interoperability
  - Leverage the effort of multiple institutions working together

Slide 6: S/MIME Project Plan
- Phase 1
  - Client interoperability testing
  - Certificate management
  - Documentation for users
- Phase 2
  - Real campus users
  - PKI-lite profile certificates & assurance
  - User-to-application trials
  - Application-to-user trials
- Goal: make S/MIME easy to deploy

Slide 7: S/MIME Project: Some Early Results
- Email client interoperability testing results
  - Common signing algorithms: SHA-1 & MD5
  - Common encryption algorithms: DES, 3DES, RC4
  - Default client configurations basically just work (SHA-1 & 3DES)
  - Interesting issues
    - Messages stored in folders are encrypted
      - Key escrow issues
    - Opaque signing
    - Outlook & encryption certificate

Slide 8: S/MIME Project
- Mailing list software
  - List management software and signatures
  - Strong authentication for private email lists (www.sympa.org)
- User-to-machine interactions
  - Software library for developers
- Documentation on website
  - Project plan
  - S/MIME clients
  - Test CA pointers and the start of a FAQ

Slide 9: Possible S/MIME-based Applications
- Travel expense reports
- Notification of direct deposits
- Online forms routing (signed workflow)
- Trouble ticket submissions
- Password resets
- Library notices (guard circulation data)
- Student debit card statement privacy
- Timesheet submission
- Long distance billing privacy
- FERPA opt-in/opt-out
- Sysadmin confirmation of batch jobs
- List server expansion of encrypted messages

Slide 10: HEPKI-TAG: Next Steps: The Mobility Problem
- Private key access in a mobile environment
- Hardware tokens: smart cards & USB devices
  - For mobility, enhanced assurance, non-repudiation
  - On-device key generation vs. generation in memory
- PIN protection schemes
  - Dual user/admin PIN systems
    - Card locks after x user-PIN attempts
    - Fuse opens after y admin-PIN attempts
  - Single PIN / reinitialize systems
    - Card blocks after x user-PIN attempts
    - Card can be reset back to factory state and reused
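The two PIN schemes on this slide, modelled as retry-counter state machines so the difference in failure mode is visible: in the dual-PIN scheme a locked user PIN is recoverable with the admin PIN but the fuse is not, while in the single-PIN scheme the only recovery is a reset that destroys the keys. This is an added example, not code from the HEPKI-TAG project or any token vendor; the limits x = 3 and y = 5, the PIN values and the class and method names are constructed for illustration.

```python
"""Retry-counter models for the two PIN protection schemes on the slide.

Added example, not code from the HEPKI-TAG deck. The limits (x = 3 user
attempts, y = 5 admin attempts) and the PIN values are constructed for
illustration; a real token keeps its counters in hardware and exposes only
verify / unblock / reset operations over PKCS#11 or CT-API.
"""
import hmac


class CardError(Exception):
    """Operation not permitted in the card's current state."""


class DualPinCard:
    """Dual user/admin PIN: user PIN locks after x wrong tries and the admin
    PIN (PUK) unblocks it with a fresh user PIN; y wrong admin tries open the
    fuse, after which keys are unrecoverable and the card cannot be reinitialised."""

    def __init__(self, user_pin: str, admin_pin: str,
                 max_user_tries: int = 3, max_admin_tries: int = 5):
        self._user_pin, self._admin_pin = user_pin, admin_pin
        self.max_user_tries, self.max_admin_tries = max_user_tries, max_admin_tries
        self.user_tries_left, self.admin_tries_left = max_user_tries, max_admin_tries
        self.fuse_blown = False

    @property
    def user_locked(self) -> bool:
        return self.user_tries_left == 0

    def verify_user(self, pin: str) -> bool:
        if self.fuse_blown:
            raise CardError("fuse blown: card permanently unusable")
        if self.user_locked:
            raise CardError("user PIN locked: admin PIN needed to unblock")
        if hmac.compare_digest(pin, self._user_pin):    # constant-time compare
            self.user_tries_left = self.max_user_tries   # success resets the counter
            return True
        self.user_tries_left -= 1
        return False

    def admin_unblock(self, admin_pin: str, new_user_pin: str) -> bool:
        if self.fuse_blown:
            raise CardError("fuse blown: card permanently unusable")
        if hmac.compare_digest(admin_pin, self._admin_pin):
            self.admin_tries_left = self.max_admin_tries
            self._user_pin = new_user_pin
            self.user_tries_left = self.max_user_tries
            return True
        self.admin_tries_left -= 1
        if self.admin_tries_left == 0:
            self.fuse_blown = True   # irreversible: there is no reset path
        return False


class SinglePinCard:
    """Single PIN / reinitialise: the card blocks after x wrong tries and the
    only way back is a factory reset that destroys the on-card keys."""

    def __init__(self, user_pin: str, max_user_tries: int = 3):
        self._user_pin = user_pin
        self.max_user_tries = max_user_tries
        self.user_tries_left = max_user_tries
        self.has_keys = True

    @property
    def blocked(self) -> bool:
        return self.user_tries_left == 0

    def verify_user(self, pin: str) -> bool:
        if self.blocked:
            raise CardError("card blocked: factory reset required")
        if hmac.compare_digest(pin, self._user_pin):
            self.user_tries_left = self.max_user_tries
            return True
        self.user_tries_left -= 1
        return False

    def factory_reset(self, new_pin: str) -> None:
        """Wipes keys and counters. No PIN is needed, so this protects the
        stolen keys from use but does nothing to stop reuse of the blank card."""
        self.has_keys = False
        self._user_pin = new_pin
        self.user_tries_left = self.max_user_tries


def walk_through() -> dict:
    """Drive both models through lock, unblock and fuse; return the observed states."""
    dual = DualPinCard(user_pin="1234", admin_pin="87654321")
    for _ in range(dual.max_user_tries):
        dual.verify_user("0000")                 # three wrong guesses
    locked = dual.user_locked
    unblocked = dual.admin_unblock("87654321", "4321")
    recovered = dual.verify_user("4321")
    for _ in range(dual.max_admin_tries):
        dual.admin_unblock("00000000", "1111")   # attacker guessing the PUK
    single = SinglePinCard(user_pin="1234")
    for _ in range(single.max_user_tries):
        single.verify_user("9999")
    was_blocked = single.blocked
    single.factory_reset("0000")
    return {"dual_locked": locked, "dual_unblocked": unblocked,
            "dual_recovered": recovered, "dual_fuse_blown": dual.fuse_blown,
            "single_blocked": was_blocked, "single_keys_survive": single.has_keys,
            "single_reusable": single.verify_user("0000")}


if __name__ == "__main__":
    print(walk_through())
```

The point the model makes concrete: with a dual-PIN card a help desk can recover a locked user without touching the keys, at the cost of a second secret (the admin PIN) that must itself be protected and whose exhaustion is terminal; with a single-PIN card there is nothing for the help desk to hold, but every lockout means re-issuing certificates.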

Slide 11: HEPKI-TAG: Next Steps: Certificate-based SSH Authentication
- Motivation
  - Solves the initial key authentication problem
  - Enables use of smart cards/USB devices for two-factor authentication
- SSH.com (commercial server)
  - Load CA certificate chain
  - Issue cert to server
  - Build file to map Unix users to certificate fields
    - Fixed fields
    - Regular expressions and substitution
- Interoperability: SSH.com server & clients, VanDyke SecureCRT
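A worked version of the mapping step, as an added example rather than the SSH.com server's own mapping-file syntax or code: the rule format (`fixed Field=value user` and `regex Field~pattern template`), the sample entries and all function names are invented here, and certificate fields are passed in as an already-parsed dict. It assumes the path to the loaded CA chain has already been built and validated, since the mapping trusts field values completely. It also adds two checks the slide does not mention but that a practitioner would want: a regex rule must be anchored, otherwise `virginia.edu` also matches `user@virginia.edu.attacker.example`, and the login a rule produces must look like a Unix username.

```python
"""Certificate-to-Unix-user mapping with fixed-field and regex rules.

Added example, not the SSH.com server's mapping file or parser: the rule syntax
is invented for illustration. Certificates arrive as dicts of parsed fields; the
caller is assumed to have validated the certificate against the loaded CA chain.
"""
import re
from typing import Dict, List, Optional

# Constructed mapping file (hypothetical format):
#   fixed  <Field>=<value>    <unix_user>    exact match of one field
#   regex  <Field>~<pattern>  <template>     anchored pattern; \1 etc. in template
# Rules are tried in order and the first match wins, so fixed rules go first.
MAPPING_FILE = r"""
# named accounts
fixed   Email=jaj@Virginia.EDU                                   jaj
fixed   Subject=CN=Root Operator,O=University of Virginia        root
# everyone else from the campus CA: the e-mail local part is the login
regex   Email~^([a-z][a-z0-9]{1,7})@virginia\.edu$               \1
"""

# What a mapped login is allowed to look like (traditional Unix username).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class Rule:
    def __init__(self, kind: str, field: str, key: str, target: str):
        self.kind, self.field, self.key, self.target = kind, field, key, target
        if kind == "regex":
            # Refuse unanchored patterns at load time: 'virginia.edu' alone
            # would also match 'user@virginia.edu.attacker.example'.
            if not (key.startswith("^") and key.endswith("$")):
                raise ValueError(f"regex rule on {field} must be anchored: {key}")
            self.pattern = re.compile(key)


def parse_mapping(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            kind, rest = line.split(None, 1)
            spec, target = rest.rsplit(None, 1)   # the field value may contain spaces
            sep = {"fixed": "=", "regex": "~"}[kind]
            field, key = spec.split(sep, 1)
        except (ValueError, KeyError):
            raise ValueError(f"line {lineno}: cannot parse {line!r}") from None
        rules.append(Rule(kind, field.strip(), key.strip(), target))
    return rules


def _norm(field: str, value: str) -> str:
    # Mail addresses compare case-insensitively here; DNs compare as written.
    return value.lower() if field == "Email" else value


def map_user(cert: Dict[str, str], rules: List[Rule]) -> Optional[str]:
    """Return the Unix login for a validated certificate, or None if no rule matches."""
    for r in rules:
        value = cert.get(r.field)
        if value is None:
            continue
        value = _norm(r.field, value)
        if r.kind == "fixed":
            if value != _norm(r.field, r.key):
                continue
            user = r.target
        else:
            m = r.pattern.fullmatch(value)
            if m is None:
                continue
            user = m.expand(r.target)   # substitute \1 ... from the match
        if not USERNAME_RE.match(user):
            raise ValueError(f"rule on {r.field} produced unsafe login {user!r}")
        return user
    return None


RULES = parse_mapping(MAPPING_FILE)

if __name__ == "__main__":
    sample = {"Subject": "CN=Ann Example,OU=ITC,O=University of Virginia",
              "Email": "ab3c@virginia.edu"}
    print(map_user(sample, RULES))   # ab3c
```

Because the first matching rule wins, ordering is part of the policy: a regex rule placed above a fixed rule would silently shadow it. The username check matters for the same reason an unanchored regex does, since whatever string the template yields is what the server will hand to the login machinery.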

Slide 12: HEPKI-TAG: Next Steps
- Document and form signing tools
  - The active content problem
  - Web-based
  - Client tools
- Windows XP bridge functionality
  - Path construction & validation
  - Support for name and policy constraints
- Applications
- S/MIME Project continued
- Browser issues & usability
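Name constraints are the part of path validation that matters most for a bridge, because they are what keep a cross-certified campus CA from issuing names outside its own domain. The following added example, not code from the Windows XP bridge work or from HEPKI-TAG, shows the dNSName subtree rule from RFC 5280 section 4.2.1.10 and how constraints from successive CAs combine along a path. Certificates are stand-in dicts (`subject`, `dns_names`, and for CAs `permitted` / `excluded`) rather than parsed X.509, the sample CAs and hostnames are constructed, and signature checking and path construction are assumed to have been done already.

```python
"""dNSName name-constraint checking along a certification path.

Added example, not the Windows XP bridge/path-validation code the slide refers
to. Certificates are stand-in dicts ('subject', 'dns_names', and for CAs
optional 'permitted' / 'excluded' dNSName subtrees); the path itself and the
signatures are assumed to have been built and verified already.
"""
from typing import Dict, List, Optional


def dns_in_subtree(name: str, base: str) -> bool:
    """True if `name` equals `base` or is a subdomain of it on a label boundary
    (RFC 5280 4.2.1.10). 'www.virginia.edu' is within 'virginia.edu';
    'virginia.edu.evil.org' and 'notvirginia.edu' are not, which is what a naive
    suffix test gets wrong. A leading '.' on the constraint is tolerated."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".").lstrip(".")
    return name == base or name.endswith("." + base)


def validate_dns_constraints(path: List[Dict]) -> Optional[str]:
    """Walk the path from trust anchor (path[0]) to end entity (path[-1]).

    Each CA's constraints bind every certificate below it. Permitted subtrees
    from successive CAs intersect (a name must fall inside each CA's list);
    excluded subtrees accumulate. The anchor's own constraints are used as
    initial inputs, which RFC 5280 6.1.1 allows. Returns None on success,
    otherwise a description of the first violation.
    """
    permitted_sets: List[List[str]] = []
    excluded: List[str] = []
    for cert in path:
        for name in cert.get("dns_names", []):
            hit = [ex for ex in excluded if dns_in_subtree(name, ex)]
            if hit:
                return f"{cert['subject']}: {name} is in excluded subtree {hit[0]}"
            for perm in permitted_sets:
                if not any(dns_in_subtree(name, p) for p in perm):
                    return f"{cert['subject']}: {name} is outside permitted {perm}"
        # This certificate's own constraints apply only to its subordinates.
        if cert.get("permitted"):
            permitted_sets.append(list(cert["permitted"]))
        excluded.extend(cert.get("excluded", []))
    return None


# Constructed path: a demo root, a campus CA confined to virginia.edu that also
# excludes a sensitive zone, and a departmental CA confined further.
ROOT = {"subject": "CN=HEPKI Demo Root"}
CAMPUS_CA = {"subject": "CN=UVa Campus CA",
             "permitted": ["virginia.edu"], "excluded": ["secure.virginia.edu"]}
DEPT_CA = {"subject": "CN=ITC Department CA", "permitted": ["itc.virginia.edu"]}


def leaf(*names: str) -> Dict:
    """Constructed end-entity certificate carrying the given dNSName SANs."""
    return {"subject": "CN=" + names[0], "dns_names": list(names)}


if __name__ == "__main__":
    print(validate_dns_constraints([ROOT, CAMPUS_CA, DEPT_CA, leaf("pki.itc.virginia.edu")]))
    print(validate_dns_constraints([ROOT, CAMPUS_CA, DEPT_CA, leaf("www.virginia.edu.evil.org")]))
```

Two properties worth checking in any validator you deploy: a subordinate CA that declares a wider permitted set than its parent does not gain anything, because the parent's set is still applied to every leaf; and an excluded subtree wins over a permitted one that contains it.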

Slide 13: HEPKI-TAG Resources
- PKI-Lite
  - EE certificate profile
  - CA certificate profile
  - Policy and Practices Statement
- Demonstrations
  - HEPKI-CA
  - Client authentication
  - Certificate repository
- Certificate profile repository
- S/MIME client interoperability testing chart
- Certificate Profile Maker
- DC Naming Recommendation

Slide 14: And old problems don't go away...
- Trusted root problem
  - An old issue that isn't fixed yet
  - Complete with intuitive user interfaces
  - Large support question
    - Get the whole campus to download?
    - Support users one at a time?
    - Other options?
  - Who knows a lot about keystore access?

Slide 15: References
- Main HEPKI site: http://www.educause.edu/hepki
- HEPKI-TAG: http://middleware.internet2.edu/hepki-tag
- S/MIME Project site: http://middleware.internet2.edu/hepki-tag/smime
- Demonstration site: http://pkidev.internet2.edu
- Many other links at the above sites
