Got Directory? January 28, 2004 TIP2004
A Campus Directory Architecture
Diagram components (recovered labels): source systems, registries, metadirectory, enterprise directory, database, departmental directories, OS directories (MS, Novell, etc), border directory, enterprise applications directory
eduPerson Schema for US Higher Education
– Low hanging fruit, interoperable data
– Easy stuff that we can all agree is true
– LocalEduPerson -- local stuff, local problem
– International efforts under way
– US Person? Will the Feds listen to us?
– eduOrg continues to be developed
LDAP-Recipe: A hitchhiker's guide to LDAP in H.E.
– A user's perspective (a discussion, not a manual) of how to deploy directories
– Covering: Directory Tree, Access Control, Attribute Firewalls, Group Management, how all the name attributes work, Authentication, Schema Management and Design, RDN issues that most don't know about, Considerations for directory-enabled routing, Software reference, Replication
– eduPerson discussion (read the recipe as well as the eduPerson specification)
Video Middleware (VID-MID)
– Post 9/11/2001: video on the Internet is how people will communicate, due to the impact on the US airline industry
– Video and middleware folks get together
– Video is largely a human-managed process
– How to integrate video into the enterprise?
– Directory enabling versus directory slurping
– CommObject is born and H.350 results
domainComponent (DC=) Naming
– Traditional X.500 naming: dn: cn=Michael R Gettes, ou=Server Group, ou=OIT, o=Duke University, c=US
– domainComponent (DC) naming: dn: uid=gettes,ou=People,dc=duke,dc=edu
– Problems with Cisco and others in the past, fixed (mostly)
– HEPKI has issued guidance and advice on DC= naming
Group Toolset Architecture
RADIUS + LDAP
Diagram (recovered labels): Dialup Users – User calls – NAS (terminal server) – RADIUS server – Directory Server
– The CalledId from the NAS is mapped to a guRadProf value
– Directory entry: Netid = gettes; guRadProf is multi-valued (e.g. guRadProf = OracleFin)
– LDAP filter is: guRadProf = (the mapped profile) and NetID = gettes
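The RADIUS-to-LDAP lookup from the slide above, as an added example that is not part of the original presentation: the NAS CalledId is mapped to a profile name, the RADIUS server builds the filter on NetID plus guRadProf, and the directory answers yes only if the user's multi-valued guRadProf carries that profile. It goes one step beyond the slide by escaping the filter values per RFC 4515, so a NetID typed at the modem cannot rewrite the filter. Assumptions: the NetID lives in the `uid` attribute, the CalledId-to-profile table and the directory entries are constructed, and the in-memory evaluator stands in for a real LDAP server.

```python
import re

# Constructed mapping: number dialled (CalledId reported by the NAS) -> required profile.
CALLED_ID_TO_PROFILE = {
    "9195551000": "OracleFin",   # finance modem pool
    "9195552000": "General",     # general campus dial-in
}

# Constructed entries under ou=People,dc=duke,dc=edu; every attribute is multi-valued.
DIRECTORY = {
    "uid=gettes,ou=People,dc=duke,dc=edu": {"uid": ["gettes"], "guRadProf": ["General", "OracleFin"]},
    "uid=jdoe,ou=People,dc=duke,dc=edu":   {"uid": ["jdoe"],   "guRadProf": ["General"]},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, *, ( ) and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_filter(netid: str, profile: str) -> str:
    """The filter the RADIUS server sends: NetID and profile must both match one entry."""
    return "(&(uid=%s)(guRadProf=%s))" % (escape_filter_value(netid), escape_filter_value(profile))

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(ldap_filter: str) -> list:
    """In-memory stand-in for the directory server; evaluates the one filter shape used here."""
    m = re.fullmatch(r"\(&\(uid=([^()]*)\)\(guRadProf=([^()]*)\)\)", ldap_filter)
    if not m:
        return []  # malformed filter: nothing matches
    uid, profile = (_unescape(v) for v in m.groups())
    return [dn for dn, e in DIRECTORY.items() if uid in e["uid"] and profile in e["guRadProf"]]

def authorize_dialin(netid: str, called_id: str) -> bool:
    """Accept the call only if the dialled pool maps to a profile the user holds."""
    profile = CALLED_ID_TO_PROFILE.get(called_id)
    if profile is None:
        return False  # unknown pool: deny rather than fall through to a default
    return len(search(build_filter(netid, profile))) == 1

if __name__ == "__main__":
    print(build_filter("gettes", "OracleFin"))
    print(authorize_dialin("gettes", "9195551000"), authorize_dialin("jdoe", "9195551000"))
```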
LDAP Analyzer (Todd Piket, Michigan Tech)
– Web-based tool to empirically analyze a directory
– eduPerson compliance
– Indexing and naming
– LDAP-Recipe guidance (good practice)
– H.350 compliance
– eduOrg compliance
What's up in Directory Land?
– Directory Architecture + eduPerson + eduOrg
– Local Schema (localEduPerson)
– Non-eduPerson Persons (international efforts)
– usPerson? Working the Feds
– LDAP-Recipe + Group Management + Video Middleware + H.350 for Video Infrastructure
Directory Land (continued)
– DC naming + RADIUS Integration + LDAP Analyzer + Medical Middleware
– MACE-CourseID
– Authorization work (the holy grail)
LDAP: Buyer Beware!!!
– LDAP is LDAP is LDAP – yeah, right!
– "Sure! We support LDAP!" What does that mean?
– Contract for functionality and performance
– Include your Directory/Security Champion!!!
– Verify with other schools – so easy, rarely done.
– Beware of products that specify directory servers
– Get the vendor to document product requirements and behavior. You paid for it!
Higher Education Bridge Certification Authority and USHER Status Update
Michael R Gettes, Duke University, January 2004, TIP2004
PKI is 1/3 Technical and 2/3 Policy? (diagram labels: Technical, Policy)
A community-based CA: The (slow) rise of the house of Usher (The CA formerly known as CREN)
The CA formerly known as CREN
– Lots of discussion for a looong time – HEPKI-TAG, HEBCA-BID, PKI Labs
– Plan is finally emerging
– A few related certificate services
  – USHER Level 1: soon
  – USHER Level 2: start detailed planning for implementation; USHER CP
  – Others if warranted, eventually
  – All operate on high levels of assurance in I/A of the institution, and in their internal operation at both Internet2 and subcontractors
  – Place varying degrees of pain, and power, to the institutions
– Helping on a packaging of open-source low-cost CA servers
– Work with EDUCAUSE on their related initiatives
Usher Level 1
– Modeled after Federal Citizen and Commerce CP/CPS
– Issues only institutional certs
– Those certs can be used for any purposes
– CP will place few constraints on campus operations
  – User identification and key management
  – Campus CA/RA activities
– Will be operated itself at high levels of confidence
– Will recommend a profile for campus use
– Good for building local expertise, insuring some consistency in approaches among campuses, and may be suitable for many campus needs and some inter-campus uses
– Will not work for signing federal grants, etc…
– Operational soon
Usher Level 2
– Modeled after FBCA Basic level CP
– Issues only institutional certs
– Those certs can be used for most purposes
– CP will place more constraints on campus operations
  – User identification and key management
  – Campus CA/RA activities
– Will be operated itself at high levels of confidence
– Will recommend a profile for campus use
– Good for many campus needs, many inter-campus uses, and many workings with the federal government
– Will peer at the HEBCA
– Detailed planning now starting; stand up sometime mid-next year
Interesting and Open Issues…
– Policy Authority for USHER?
  – Conservation of policy groups: HEBCA PA? InCommon-Exec?
– Final pricing and packaging
  – Working numbers: <$2K first year, <$1K renewal
  – Includes strong institutional I/A, strong USHER operations
  – Leverages InCommon operations
– Applications and use
Interesting and Open Issues 2
– Cost for Usher to peer at bridges
– Ability to put Usher into various browsers
– Relation to InCommon
  – Distinguishing one from the other
    – To applications
    – To users
  – Leveraging one with the other
+/- of Usher
Pluses
– Pricing and lack of usage constraints on campus roots
– Strong institutional I/A – external and for subdomains
– Community-consistent ???
Negatives
– Not easily in browsers
– Uncharted peering with feds, commercials, etc
– Places more emphasis on running your own campus CA. ??
What's a Bridge anyway? (diagram labels: Traditional PKI With Root CA; Pre-Existing?)
Board of Instantiation and Development (BID)
– Clair Goldsmith, Chair, UT System
  – Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia)
  – EDUCAUSE: Luker, Worona
– Staff: Faut
– Purpose is to instantiate a HE Bridge, organization and policy structures by November, 2003 (or sometime around that point -- okay, so we are running a tad behind schedule, so sue us)
– Foster Deployment and Development of Bridged PKI
– Supported by EDUCAUSE
HEPKI Council
– Jack McCredie, Chair
  – Michael Baer, Sr VP ACE
  – Rich Guida, Johnson & Johnson
  – Mark Luker, EDUCAUSE
  – Mark Olson, EVP of NACUBO
  – Dave Smallen, Hamilton College
  – Nancy Tribbensee, ASU
– Not operational; policy and oversight
– Will approve the creation of the HEBCA Policy Authority
– Charged with Higher Education direction and strategy for PKI initiatives, not just the Bridge
– Supported by EDUCAUSE
HEPKI National PKI
Current Status: January, 2004
– Charter
– HEBCA Certificate Policy (brother Wasley)
  – Will develop CPS from this policy
– Dartmouth College
  – Contracted to implement HEBCA in 12/03
  – EDUCAUSE funded
  – Received AEG from Sun Microsystems ($50K)
– Equipment ordered and received
– Signing hardware -- not yet.
– Working software agreement with RSA as first CA in bridge
  – Maybe even further deal with Higher Ed for CA services & s/w
– Begin process of cross-certification with US Gov
– Recommending to PKI Council to create the HEBCA Policy Authority
EDUCAUSE/NIH Interoperability Project
– December 2003: NIH demonstrated the latest ability to submit doubly digitally signed documents to a web site that is validated using Bridge PKI.
– UCOP, Wisconsin, Dartmouth, UT Health Science Center (Barry Ribbeck)
– Directory Infrastructure at Duke :-)
– General doc submission facility -- freely available -- cool stuff.
National PKI
– Levels of Assurance / HE CP
  – Get mapped all the way down, the key to interop
– Business/Marketing: separate problem
– Policy Authorities likely to merge
– HEPKI umbrella should be the org structure for all PKI activities in HE
Global? Trust Diagram (TWD)
Sample InterFederation
Shib/PKI Inter-Federations
This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infrastructure of a global PKI to maybe solve some larger inter-federation issues of other technology/policy spaces in a common fashion.