PKI Georgetown University or Whaassuuuup PKI? Michael R. Gettes Lead Application Systems Integrator “LASI”

September 20, 2000, CSG PKI Workshop

Policy
- We don’t need no stinkin’ policy!
- Covert warfare can be a valid tactic for IT deployments
- Yes, this is a juicy rationalization with self-serving purpose
- Verified no District (DC) laws limiting PKI

Middleware
- If the goal is a PKI…
- Identifiers
- Identification process
- Authentication systems
- Directory
- CA deployment
- Server certificates
- Authorizations
- Client certificates

Server Config
- CA software: Netscape CMS 4
- Solaris, E250
- On the same physical hardware as a Kerberos slave
- Root key is simply password protected. But, this is COTS!
- Purchased 100 certs at $30 each; your mileage may vary
- All work done by 1 person
- Get this going quickly for Network Services

Netscape CMS 4.2
- Some authentication methods for end users
- Really intended for LDAP integration
- Forms for certificate enrollment
- Web based for RA and Operator functions
- Policies for governing the formulation of certificates
- Managed by Netscape Console
- Publishing of certificates and CRLs: LDAP, of course

Netscape CMS 4.2 (continued)
- Event-driven notifications
- Backup and recovery (escrow)
- See for more
- Database is LDAP as well… do we detect a pattern here?

CA Certificate
- Valid until 10/2001
- Simple profile
  - No special extensions
  - No special constraints or criticalities
- Subject contains X.500 and DC names
  - O=Georgetown University required because of Communicator
  - dc=georgetown,dc=edu at the end of the subjectName in certificates; also the root suffix for the Enterprise Directory
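An added example, not from the slides, using only the Go standard library: it self-signs a root carrying the subject described above (O=Georgetown University followed by dc=georgetown,dc=edu) with a 10/2001 expiry, once with the slide's "no special extensions" profile and once with the basicConstraints and keyUsage RFC 5280 expects on a CA certificate, and audits what a relying party should flag before trusting either. The Ed25519 key type, serial number and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// oidDC is domainComponent (RFC 2247); slideSubject is the subject the slides describe.
var oidDC = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
var slideSubject = pkix.Name{
	Organization: []string{"Georgetown University"},
	ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidDC, Value: "georgetown"}, {Type: oidDC, Value: "edu"}},
}

// makeCA self-signs a root (Ed25519 chosen here for brevity). hardened=false mirrors
// the slides' "simple profile, no special extensions"; hardened=true adds the
// basicConstraints and keyUsage RFC 5280 expects on a CA certificate.
func makeCA(hardened bool, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: slideSubject,
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	if hardened {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// auditCA lists what a relying party should flag before trusting c as a root.
func auditCA(c *x509.Certificate) (findings []string) {
	if !c.BasicConstraintsValid || !c.IsCA {
		findings = append(findings, "no basicConstraints CA:TRUE")
	}
	if c.KeyUsage&x509.KeyUsageCertSign == 0 {
		findings = append(findings, "keyUsage lacks keyCertSign")
	}
	return findings
}
```

Relying parties that honour basicConstraints will refuse to build chains through the "simple profile" root, which is one reason the slides' server certificates were issued only on a limited, carefully considered basis.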

CA Issued Certificates
- Client certificates: NONE (cost, deployment, policy)
- Server certificates: on a limited basis, carefully considered
  - Valid until 10/2001
  - No special constraints

Expiry Rationale
- Why 10/2001 for expiry?
- Force a decision on a future PKI vendor or continue “as is”. Hopefully a decision!
- October implies a summer-time redeployment, with “misses” found in October when the community is present.
- Realization of the future of CREN CA validity period, fBCA model, browser deployments (maybe)

CA Certificate Deployment
- Netscape Communicator 4.7x
  - Customized Netscape for CA cert deployment
  - Also needed for IMAP and other new services: central IMAP and Directory are only accessible with SSL
- Internet Explorer
  - No custom distribution method developed. Would like to do something in the future along with Win2K
  - Manual configuration of the CA certificate: people can visit
- Alumni and other public services: Verisign

CA Certificate Deployment (continued)
- There must be a better way!
- MIT approach assumes client cert distribution like others; not a bad thing, just different
- Microsoft seems willing to play ball
- heDRCD (being discussed in HEPKI-TAG)

Directories are part of the I in PKI
- Directory (October, 1999): centralized, automated
- Name space VERY carefully controlled
- Users modify very little
- Privileged access highly restricted
- Control considered a necessary step for PKI to trust the directory
- Eventually, client, server and other certs will be published in the directory
- Hopefully a model campus for LDAP deployment
- Internet2 Middleware 201 (others?) coursework

Overall Plan
- Best of all 3 worlds: LDAP + Kerberos + PKI
- LDAP authentication performs Kerberos authentication out the back end. Started 9/2000 to finish the NS plug-in.
- Credential caching handled by the Directory
- All directory authentications SSL protected; enforced, with necessary exceptions
- Use Kerberos to derive certificates
- One userid/password (single sign-on vs. FSO)

Overall Plan (continued)
- AT&T Access Cards (Onecard project): vending, building access, credit, etc.
- Mag-stripe only, no chip
- Unfortunately, no smart-card plan by admin – at least nothing I have seen
- Schlumberger interested in HEPKI

CA Future
- OpenCA (built on OpenSSL)?
- Baltimore?
- Casey Lide – DST?
- Netscape/iPlanet/Sun?
- Outsourcing? (parts is parts is parts)
- Something else? (notaries)
- Ken’s matrix should help with the decision

Georgetown Institute for Information Assurance
- Recently formed: July 2000
- Research and practical deployment of network security, Internet2 Middleware and PKI
- Joint work between Central IT, CompSci, Medical Center, Law Center, Public Policy Institute, Legal and other experts and faculty
- Focal point for University policy and practice

Georgetown Activities
- Internet2 Middleware + EDUCAUSE, CREN: Directories, Dir of Dirs for Higher Ed, Shibboleth, PKI, CREN CA, LDAP-RECIPE, eduPerson
- Professor Dorothy Denning, CS, info-warfare
- Prof./Dr. Jeffrey Collmann, Sociology
- Dr. Alan Zuckerman, biometrics
- HEPKI TAG/PAG – Kathryn Baerwald, Georgetown Legal, PAG involvement