PKI Georgetown University
or Whaassuuuup PKI?
Michael R. Gettes
Lead Application Systems Integrator “LASI”
September 20, 2000 CSG PKI Workshop

Policy
- We don’t need no stinkin’ policy!
- Covert warfare can be a valid tactic for IT deployments
- Yes, this is a juicy rationalization with self-serving purpose
- Verified no District (DC) laws limiting PKI
Middleware
- If the goal is a PKI…
  - Identifiers
  - Identification process
  - Authentication systems
  - Directory
  - CA Deployment
  - Server Certificates
  - Authorizations
  - Client Certificates
Server Config
- CA Software: Netscape CMS 4
- Solaris, E250
- On same physical hardware as Kerberos slave
- Root key is simple PW protected. But, this is COTS!
- Purchased 100 Certs, $30 each; your mileage may vary
- All work done by 1 person
- Get this going quickly for Network Services
Netscape CMS 4.2
- Some Auth-n methods for end users
  - Really intended for LDAP integration
- Forms for certificate enrollment
- Web based for RA and Operator functions
- Policies for governing the formulation of certificates
- Managed by Netscape Console
- Publishing of certificates and CRLs
  - LDAP, of course
Netscape CMS 4.2
- Event-driven notifications
- Backup and recovery (escrow)
- See for more
- Database is LDAP as well… do we detect a pattern here?
CA Certificate
- Valid until 10/2001
- Simple profile
  - No special extensions
  - No special constraints or criticalities
- Subject contains X.500 and DC names
  - O=Georgetown University required because of Communicator
  - dc=georgetown,dc=edu
    - At end of subjectName in Certificates
    - Also root suffix for Enterprise Directory
CA Issued Certificates
- Client Certificates: NONE
  - Cost, Deployment, Policy
- Server Certificates
  - On a limited basis, carefully considered
  - Valid until 10/2001
  - No special constraints
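The subject layout and the thin extension profile on the two certificate slides above, as an added example that is not from the Georgetown deck or from Netscape CMS: a POSIX shell script (assumes openssl on PATH; the CN value and the 365-day lifetime are placeholders, the real CA was set to expire 10/2001) that builds a self-signed root carrying O=Georgetown University with the dc=georgetown,dc=edu tail, then audits what a "no special constraints" profile leaves a relying party to worry about before it trusts the root.

```shell
#!/bin/sh
# Added example, not code from the Georgetown deck or from Netscape CMS.
# Builds a self-signed root whose subject carries the X.500 O= plus the
# dc=georgetown,dc=edu tail the slides describe, then audits what a
# "simple profile, no special constraints" CA leaves out.
# Assumptions: openssl is on PATH; the CN and the 365-day lifetime are
# placeholders (the real CA was set to expire 10/2001).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/ca.key"
CA_CERT="$WORK/ca.crt"
# Root-first slash form, so the RFC 2253 string ends in DC=georgetown,DC=edu.
CA_SUBJ="/DC=edu/DC=georgetown/O=Georgetown University/CN=Georgetown University CA"

make_ca_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
        -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# Subject as a directory-aware relying party sees it (root suffix last).
ca_subject() {
    openssl x509 -in "$CA_CERT" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Audit the root before trusting it. Each gap a thin profile can leave is
# reported on stderr; the finding count goes to stdout so callers can gate on it.
audit_ca_cert() {
    text=$(openssl x509 -in "$CA_CERT" -noout -text)
    n=0
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "no basicConstraints CA:TRUE" >&2; n=$((n + 1)); }
    echo "$text" | grep -q 'Certificate Sign' \
        || { echo "no keyUsage keyCertSign" >&2; n=$((n + 1)); }
    echo "$text" | grep -q 'Name Constraints' \
        || { echo "no nameConstraints: root may certify any name" >&2; n=$((n + 1)); }
    echo "$n"
}

make_ca_cert
echo "subject:  $(ca_subject)"
echo "notAfter: $(openssl x509 -in "$CA_CERT" -noout -enddate | sed 's/^notAfter=//')"
echo "findings: $(audit_ca_cert)"
```

A root without a nameConstraints extension is always reported, which is exactly the situation the slides describe; the other two findings depend on what the local openssl configuration adds by default.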
Expiry Rationale
- Why 10/2001 for Expiry?
- Force a decision on a future PKI vendor or continue “as is”. Hopefully a decision!
- October implies a summertime redeployment, with “misses” found in October when the community is present.
- Realization of the future of CREN CA: validity period, fBCA model, browser deployments (maybe)
CA Certificate Deployment
- Netscape Communicator 4.7x
  - Customized Netscape for CA Cert deployment
  - Also needed for IMAP and other new services
  - Central IMAP and Directory only accessible with SSL
- Internet Explorer
  - No custom distribution method developed. Would like to do something in the future along with Win2K
  - Manual Configuration of CA Certificate people can visit
- Alumni and other public services: Verisign
CA Certificate Deployment
- There must be a better way!
- MIT approach assumes client cert distribution like others, not a bad thing, just different
- Microsoft seems willing to play ball
- heDRCD (being discussed in HEPKI-TAG)
Directories are part of the I in PKI
- Directory (October, 1999)
  - Centralized, automated
  - Name Space VERY carefully controlled
  - Users modify very little
  - Priv’d access highly restricted
- Control considered necessary step for PKI to trust the directory
- Eventually, client, server and other certs will be published in the directory.
- Hopefully a model campus for LDAP deployment
  - Internet2 Middleware 201 (others?) coursework
Overall Plan
- Best of all 3 worlds: LDAP + Kerberos + PKI
- LDAP Authentication performs Kerberos Authentication out the backend.
  - Started 9/2000 to finish NS plug-in.
  - Credential Caching handled by Directory.
- All directory authentications SSL protected. Enforced with necessary exceptions
- Use Kerberos to derive Certificates
- One Userid/Password (single-signon vs. FSO)
Overall Plan
- AT&T Access Cards (Onecard project)
  - Vending, Building Access, Credit, etc.
  - Mag-stripe only, no chip
- Unfortunately, no smart-card plan by admin – at least nothing I have seen
- Schlumberger interested in HEPKI
CA Future
- OpenCA (built on OpenSSL)?
- Baltimore?
- Casey Lide – DST?
- Netscape/iPlanet/Sun?
- Outsourcing? (parts is parts is parts)
- Something else? (notaries)
- Ken’s matrix should help with decision
Georgetown Institute for Information Assurance
- Recently formed: July 2000
- Research and practical deployment of Network Security, Internet2 Middleware and PKI
- Joint work between Central IT, CompSci, Medical Center, Law Center, Public Policy Institute, Legal and other experts and faculty.
- Focal point for University policy and practice
Georgetown Activities
- Internet2 Middleware + EDUCAUSE, CREN
  - Directories, Dir of Dirs for Higher Ed, Shibboleth, PKI, CREN CA, LDAP-RECIPE, eduPerson
- Professor Dorothy Denning, CS, info-warfare
- Prof./Dr. Jeffrey Collmann, Sociology
- Dr. Alan Zuckerman, biometrics
- HEPKI TAG/PAG – Kathryn Baerwald, Georgetown Legal PAG involvement.