Higher Education Bridge Certification Authority: Scaleable Linking of PKI trust domains. David L. Wasley, Fall 2006.


1 Higher Education Bridge Certification Authority: Scaleable Linking of PKI trust domains. David L. Wasley, Fall 2006 PKI Workshop

2 Topic Span
- What’s a bridge?
- How is it different from “normal” PKI?
- Why is it useful?
- What is the HEBCA?

3 Bridged vs. Hierarchical PKI
- Hierarchical PKI assumes uniform policy and works with most products today
  - Hierarchies are “PKI islands”
  - Therefore browsers include 100+ “trust anchors”
- Bridging allows mapping between different PKI policies, but very few products support this (yet)
  - Mapping info is used during path validation
- Bridging can link “islands” and provide superior trust management
  - Therefore we believe it will become important …

4 PKIs are islands of common trust

5 They can be ‘networked’

6 What this looks like
- A Relying Party under (A) can build a path from a Subject under (C)
  - This avoids the RP having to know and understand Trust Anchors (B) and (C)
  - But not vice versa

7 Cross-cert can be done bi-laterally

8 A “bridge” serves as the hub of trust

9 How does the bridge deal with differences in PKI domain CPs?
- Trust is established by Certificate Policy
- Each PKI domain has a Trust Anchor
- Each domain can specify how its policy is met or exceeded by the other domain’s policy
  - Each can place limits on this trust
  - If there is no equivalency, one doesn’t trust the other
- The bridge does this with respect to each of its member domains
  - Members must trust the bridge to do this adequately
  - Each can limit how far it is willing to ‘network’

10 How CPs are compared
- Identify all important issues in the CP
  - Organizational responsibilities
  - Trust-affecting issues
- Create matrices to organize the comparison
  - General or common elements
  - Elements that determine Level of Assurance
  - Other differentiating elements

11 How mapping is instantiated
- A CA’s policy is identified by an OID
  - One policy may define OIDs to represent variations such as LOA, etc.
- CA cross-certificate includes “policy mapping field”
  - Contents defined by Issuer
  - Pairs of OIDs
  - “Issuer considers its CP (OID) to be equivalent to Subject CA’s CP (OID)” [See RFC 3280]
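The path walk that slides 6, 9 and 11 describe (a relying party under A, a bridge, a subject under C, with policy-mapping pairs in the cross-certificates and a limit on how far mapping may reach), as an added Python example that is not part of the original slides: a flattened version of the RFC 3280 section 6.1 policy-tree processing. The OIDs, the `Cert` class and the `hebca_path` helper are constructed for illustration and are not HEBCA's real arcs.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ANY_POLICY = "2.5.29.32.0"          # anyPolicy OID (RFC 3280)

@dataclass
class Cert:
    name: str
    policies: Set[str]                                   # certificatePolicies
    mappings: List[Tuple[str, str]] = field(default_factory=list)  # (issuerDomainPolicy, subjectDomainPolicy)
    inhibit_policy_mapping: Optional[int] = None         # policyConstraints.inhibitPolicyMapping

def validate_policies(path, initial_policies):
    """Return the relying party's initial policies that `path` satisfies.
    `path` runs from the cert issued by the RP's trust anchor down to the
    end entity. expected[p] holds the OIDs the next cert must assert for
    initial policy p to stay alive (a flattened RFC 3280 6.1 policy tree)."""
    expected = {p: {p} for p in initial_policies}
    policy_mapping = len(path) + 1       # mapping allowed until a cert restricts it
    for cert in path:
        survivors = {}
        for p, exp in expected.items():
            keep = set(exp) if ANY_POLICY in cert.policies else exp & cert.policies
            if keep:
                survivors[p] = keep
        # policyMappings: "issuer considers its CP equivalent to the subject CA's CP"
        for keep in survivors.values():
            for issuer_dom in {i for i, _ in cert.mappings if i in keep}:
                keep.discard(issuer_dom)
                if policy_mapping > 0:   # when mapping is inhibited the mapped policy is dropped
                    keep.update(s for i, s in cert.mappings if i == issuer_dom)
        expected = {p: k for p, k in survivors.items() if k}
        policy_mapping -= 1              # RFC 3280 6.1.4 (h) and (i)
        if cert.inhibit_policy_mapping is not None:
            policy_mapping = min(policy_mapping, cert.inhibit_policy_mapping)
    return set(expected)

# Constructed placeholder OIDs for campus A, the bridge's medium LOA and campus C
A_CP, BRIDGE_MED, C_CP, C_LOW = "1.2.3.1", "1.2.3.2", "1.2.3.3", "1.2.3.4"

def hebca_path(subject_policy=C_CP, inhibit=None):
    """Cross-cert A -> bridge, cross-cert bridge -> C, then C's end-entity cert."""
    return [
        Cert("A -> bridge", {A_CP}, [(A_CP, BRIDGE_MED)], inhibit),
        Cert("bridge -> C", {BRIDGE_MED}, [(BRIDGE_MED, C_CP)]),
        Cert("C end entity", {subject_policy}),
    ]
```

With `inhibit=0` on A's cross-certificate, A accepts the bridge's own policy but refuses to let the bridge map it onward, so the same subject under C no longer validates; a subject whose certificate asserts an unmapped policy (`C_LOW`) fails for the same reason.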

12 Higher Education Bridge CA - HEBCA
- Sponsored by EDUCAUSE to support linking campus PKIs with each other and with sponsored partners
- Patterned after the Federal Gov’t FBCA
  - Will cross-cert with FBCA eventually
- Operated at Dartmouth College
  - Test bridge is running
  - CP/CPS almost complete
- Concern about whether there is enough interest (yet) to justify full operation
  - Planning to keep test bridge running

13 Questions?