Technical Issues that Challenge PKI Deployments Jim Jokl University of Virginia PKI Meeting August 12, 2004
Hardware Tokens Uses 2-factor authentication System administrators, HiPAA data access Mobility Public labs, work at home Old problems of OS registration are fixed Issues Still expensive: ~$30 to ~$50 Token management system Generally must install client software for the tokens that we actually use Token accessories are critical to acceptance
S/MIME Client support Good: Outlook/Outlook Express, Netscape, Mozilla, etc OK: Mulberry, CGatePro webmail None: Eudora Seeking HEPKI-TAG letter endorsements Other issues Main client issue: encryption in sentmail folder Webmail should at least verify signed Root certificate problem Signed for official announcements “incompatibility” during the roll out
Some Generic Application Issues (its not the PKI …..) SSH Support available from ssh.com, VanDyke Server authorization stage well done A couple of simple mechanisms, wildcard matching Certificate handoff to external application Client certificate selection done well Tries all of the certs in the OS store Not available in OpenSSL ($$$)
Some Generic Application Issues (its not the PKI …..) 802.1x EAP-TLS wireless authentication Usability Very clean for windows users OK for Macintosh users Linux? Back-end infrastructure still somewhat painful Our authentication server Does path validation fine, however users still need an account in the database Should have LDAP search for authorization We have needs for different authorization for the same user for different wireless VLANs Going to look at Funk Software radius servers
EAP-TLS and the Microsoft Clients Microsoft field in certificate for AuthN Subject Alt Name / Other Name / Principal Name OID If not present, uses CN Uniqueness issues for our CA Added OID to our certificate profile Impact on the PKI-Lite certificate profiles Agreed to add this extension to EE cert profileprofile
Some Generic Application Issues (its not the PKI …..) VPN Concentrators Firewall LDAP AuthZ Servers Oracle ERP S1 S2 S3 Sn Hospital Net INOUT Main Campus Network OUT IN
Operating System Support Windows Good internal support Primarily user interface issues Certificate import & export Root certificate installation (see HEPKI-TAG web site) Root certificate program audits expensive Apple Macintosh Personal and root certificate installation issues Need ties into Safari for key generation & cert import Had to implement a PKCS-12 proxy for our campus CA Few applications use the emerging OS support Linux? Bridge path validation
Certificate Profiles Profiles change to support new applications Key Usage and the Outlook problem PKI-Lite Spent a lot of time/effort to get it right at first Added AIA based on XP path validation work Added Microsoft OID for EAP-TLS support Add smart card login attribute next? What is next? new user certs needed each time Could some of this type of authorization be done outside of the identity certificate?
Digital Signatures Document signing The active content problem Interoperability between applications Key: choose the right tool for your application Web form signing Want to sign the both the form and the data that the user submitted Products are very expensive
Ease of Use Comes from Widespread PKI Enabling of Applications All standard applications supporting and using PKI for all aspects of their operation E.g., certificates for IMAP/SMTP authentication instead of just for use with S/MIME All instead of some of the campus VPN services All instead of a few web-based applications Is there a reason why clients shouldn’t simply try all available personal certificates?
Campus Globus Implementations The Globus toolkit uses PKI for authentication of users and resources The PKI-Lite profile works well A proxy certificate is used internally A file maps certificates to login names Campus CA integration is complicated by the Globus interface Campus CAs and OS-exported certificates are generally in PKCS-12 format Globus expects raw PEM files for key and cert Grids are often intercampus applications Most campuses not part of hierarchy now Bridges or PKI hierarchy needed
Schematic of Grid Testbed PKI Integration Goal Campus E Grid A’s PKI Testbed Bridge CA Shibbolized Testbed CA Campus B Grid Campus C Grid Campus D Grid Campus A Grid Campus F Grid B’s PKI C’s PKI Cross-cert pairs User Certs
Globus and Bridges 2 nd phase testing now Built “production” bridge for testbed Dedicated laptop/OpenSSL Cross-certified UVa, UAB, USC, and TACC Results (so far) Bridge path validation ok for EE certs Server certificate validation not working via bridge Digging into OpenSSL interface Bridge itself is fine; e.g. XP validates both directions Tools being created Chase down cross certificates via AIA pointer, populate Globus certificate and signing policy directory Credential converter web site: PKCS12 to PEM
What is not a significant problem Issuing certificates Deployed our own CAs Standard: on-line, tied into our databases/AuthN, LDAP High assurance: tokens only, ID check, etc, etc Available CAs Papyrus, OpenCA, kX509, etc See HEPKI-TAG web site SSL Server Certificates Prices down to $39/server; $300/wildcard Authentication apps with good ease of use Web applications VPN Wireless
HEPKI-TAG Projects (a list of other issues) Must-do items Support the USHER / InCommon projects Maintain & update existing documents and services Potential projects discussed and ranked at our meeting Update work on S/MIME Windows domain authentication CA Audits - preparing your internal audit department EAP-TLS for wireless authentication Update on hardware tokens survey, documentation, recommendations Introductory materials for sites getting started (CA software, applications, cookbook, etc) Other possibilities discussed more briefly Grid integration survey bridge testing Document and webform signing Profiles AIA, EPPN, Smart Card Login
middleware.internet2.edu/hepki-tag PKI-Lite documents (profiles, policy & practices), S/MIME, links to other sites, CA software, etc, etc PKI for Networked Higher Ed pkidev.internet2.edu PKI Labs middleware.internet2.edu/pkilabs middleware.internet2.edu/pkilabs Some Reference URLs