US Higher Education Root CA (USHER) Update, Fed/Ed Meeting, December 14, 2005, Jim Jokl, University of Virginia

Presentation transcript:

1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia

2 USHER - US Higher Education Root CA
- Philosophy
  - Lots of discussions about the needs of our community
  - Eventual decision to implement what we call USHER-Basic first
  - A different version of USHER may appear in the future to support applications that require higher levels of assurance

3 USHER Basic Summary
- Purpose: facilitate inter-institutional use of campus issued PKI credentials
- USHER-Basic target
  - Campuses that operate their PKI infrastructure at the same LOA as their common password-based systems
- , scheduling, and commodity computing, etc
- The USHER CA itself will operate at a relatively high level of assurance

4 PKI Applications
- USHER was designed with some of these example applications in mind
  - LionShare
  - Grids (Globus toolkit)
  - Electronic mail (S/MIME)
  - VPN (IPSec), Wireless (EAP-TLS), & SSH authentication
  - Web authentication

5 Expected Practices
- When campuses join USHER, they are expected to adhere to a set of “Expected Practices”
  - Will operate their PKI using processes that are at least as strong as how they manage accounts for and calendaring
  - Campuses may issue certificates to anyone affiliated with their institution – the campus definition of affiliation applies

6 Expected Practices
- The campus will actively maintain all services that are implied in their certificates, e.g.,
  - CRLs
  - Policy and practices if Policy OID is present
- Campuses will not join USHER if they cannot or will not meet the expected practices
- Expected practices are still being finalized

7 CA/RA Process
- Signed Participation Agreement
  - Signed by a campus official authorized to commit the university
  - Designates the operational campus entity
  - A strong process similar to the one that was used by CREN is used to validate the campus operator and establish a secure communications channel
  - The campus generates a request which is then signed by the USHER CA

8 USHER: Some Q&A
- Can a campus have multiple USHER CAs?
  - Yes, and some may do this for organizational reasons
  - Also, one campus USHER CA can issue an Authority Certificate to another as long as this is consistent with existing campus ID management practices
- Eligibility
  - US Higher Education Institutions
  - Other entities sponsored by a US Higher Education member

9 USHER: Some Q&A
- What is the minimum LOA that a relying party can assume?
  - A campus official designated a campus organization to operate the USHER CA
  - USHER used a strong process to validate the organization and establish a secure communications channel
  - The USHER CA signs campus authority certificates using a strong technical process

10 PKI and USHER/HEBCA
- (How) do all of these PKI pieces fit together?
  - USHER – US Higher Education Root CA
  - HEBCA – Higher Education Bridge CA
  - Campus Certification Authorities
  - EDUCAUSE contract for outsourced certificates
- What should a campus be doing?
- Where’s the glue?

11 A Higher-level View of Inter-organizational Trust
[Diagram; labels: FBCA, HEBCA, SAFE, Commercial, Others, Campus CA, Educause Verisign CA, USHER CA, Campus CA, Campus Users]

12
- Thank you
- Questions/Discussion