Day 3 Roadmap and PKI Update. When do we get to go home? Report from the BoFs CAMP assessment, next steps PKI technical update Break Research Issues in.

Slides:



Advertisements
Similar presentations
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
Advertisements

May 06, 2002 Getting Started with Digital Certificates: Is PKI-Lite Real PKI? Internet2 Spring Meeting 2002 Wash, DC.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
Copyright Judith Spencer This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Report on Attribute Certificates By Ganesh Godavari.
Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Higher Education Bridge Certificate Authority (HEBCA) Project Progress Fed/Ed June 2005.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.
UNCLASS DoD Public Key Infrastructure LCDR Tom Winnenberg DISA API1 Chief Engineer 25 April 2002.
Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.
PKI-Enabled Applications That work! Linda Pruss Office of Campus Information Security
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.
1 11 th Fed/Ed PKI Meeting Some quick updates from recent HEPKI-TAG and SURA work Jim Jokl
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
Inside the PKI Framework: * Activating the Puzzle Pieces PKI Summit Snowmass August
Public Key Infrastructure from the Most Trusted Name in e-Security.
Public Key Infrastructure Ammar Hasayen ….
Virginia Tech Overview of Tech Secure Enterprise Technology Initiatives e-Provisioning Group Frank Galligan Fed/Ed.
EDUCAUSE PKI Working Group Where Are We and Where are We Going.
PKI: Glue of Middleware Michael R Gettes, Duke University CAMP Enterprise Authentication Michael R Gettes, Duke University CAMP Enterprise Authentication.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
1 PKI Update September 2002 CSG Meeting Jim Jokl
KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman Bill Doster.
CREN Certificate Authority Project: Update from Georgia Tech Ron Hutchins 28 March 2000.
HEBCA Overview Internet2 Meeting, Fall 2002 Michael R Gettes Georgetown University
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
HEPKI-TAG UPDATE Jim Jokl University of Virginia
1 PKI & USHER/HEBCA Fall 2005 Internet2 Member Meeting Jim Jokl September 21, 2005.
X.509/PKI There is progress.... Topics Why PKI? Why not PKI? The Four Stages of X.509/PKI Other sectors Federal Activities - fBCA, NIH Pilot, ACES, other.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
CAMP PKI UPDATE August 2002 Jim Jokl
Co Chairs C. W. Goldsmith University of Alabama at Birmingham David L. Wasley University of California Office of the President.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
Module 9: Fundamentals of Securing Network Communication.
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
Building Security into Your System Bill Major Gregory Ponto.
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
Internet2 Middleware PKI: Oy-vey! Michael R. Gettes Principal Technologist Georgetown University
1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.
HEBCA Overview CSG, uWash, 2002 Michael R Gettes Georgetown University
Going Forward: Year 2 NMI and Higher Ed Middleware.
PKI Summit August 2004 Technical Issues to Deploying PKI on Campuses.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
PKI Session Overview 1:30 pm edt - Welcome, etiquette, session outline 1:40 pm edt - HEPKI-TAG Update (Jim Jokl, Virginia) 2:00 pm edt - HEPKI-PAG Update.
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
Bridge Certification Architecture A Brief Overview by Tim Sigmon May, 2000.
Welcome to Base CAMP: Enterprise Directory Deployment Ken Klingenstein, Director, Internet2 Middleware Initiative Copyright Ken Klingenstein This.
Trusted Electronic Communications for Federal Student Aid Mark Luker Vice President EDUCAUSE Copyright Mark Luker, This work is the intellectual.
1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia.
1 XML Key Management Specification XKMS Dr Phillip Hallam-Baker FBCS CEng. VeriSign Inc.
Cryptography and Network Security
Secure Enterprise Technology Initiatives e-Provisioning Group
USHER U.S. Higher Education Root Certificate Authority
Public Key Infrastructure from the Most Trusted Name in e-Security
Inter-institutional Trust Fabric Overview and Synergies
Fed/ED December 2007 Jim Jokl University of Virginia
September 2002 CSG Meeting Jim Jokl
“Ten Years Ago… on a cold dark night”
Presentation transcript:

Day 3 Roadmap and PKI Update

When do we get to go home? Report from the BoFs CAMP assessment, next steps PKI technical update Break Research Issues in Middleware Wrap up

PKI Technical Update Some emerging distinctions The apps - authn, web authn, s/mime, signed docs, vpn’s, SEVIS The technical basics XKMS and other leavenings KX.509 and Grid Policies and levels of assurance Revisiting revocation – OCSP, CRL, none HE Bridge CA, NIH pilot CREN CA

Some emerging themes end-entity vs enterprise PKI X.509 versus non X.509 end-entity new problems: what you see is not what you signed…

Why PKI? Single infrastructure to provide all security services Established technology standards, though little operational experience Elegant technical underpinnings Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption Low cost in mass numbers

Why Not PKI? High legal barriers Lack of mobility support Challenging user interfaces, especially with regard to privacy and scaling Persistent technical incompatibilities Overall complexity

The apps VPN’s Enterprise authentication App authentication (the web, some Grids, etc.) Encrypted Signed and docs SEVIS (

D. Wasley’s PKI Puzzle

The Four Planes of PKI on the road to general purpose interrealm PKI the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI simplifications in policies, technologies, applications, scope each plane provides experience and value

The Four Planes are Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities PKI-ultralight (Ultralights) - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...

Examples of Areas of Simplification Spectrum of Assurance Levels Signature Algorithms Permitted Range of Applications Enabled Revocation Requirements and Approaches Subject Naming Requirements Treatment of Mobility...

PKI-Light example CP: Wasley, etal. Draft HE CP stubbed to basic/rudimentary CRL: ? Applications: (Signed ) Mobility: Password enabled Signing: md5RSA Thumbprint: sha1 Naming: dc Directory Services needed: Inetorgperson

PKI-Ultralight CP: none CRL: limit lifetime Applications: VPN, Internal web authentication Mobility: not specified Signing: not specified Thumbprint: sha1 Naming: not specified Directory Services needed: none

Federal Activities fBCA NIH Pilot ACES fPKI TWG Others – federal S/MIME work Internet2/NIH/NIST research conference...

Healthcare HIPAA - Privacy specs issued HIPAA - Security specs not yet done Two year compliance phase-ins Little progress in community trust agreements Non-PKI HIPPA Compliance Options

Corporate deployments Success stories within many individual corporations for VPN, authentication No current community ABA guidelines Others...

European Efforts Generally a bit more successful; can leverage culture, national licensing structures, passports, etc. Higher ed efforts somewhat tied to national efforts; no trans- Euro work of note. draft.html Have major Grid needs coming in 2005 As always, the directories are hard and ad hoc

KX.509 Software that uses a Kerberos ticket to create a temporary certificate (less than 8 hrs; no revocation; etc.) Used for authentication to certificate-based local web services (preload campus roots) in Kerberos realms Out of Michigan; to be polished and released via NMI grant Two parts: server (KCA) that issues certs; client code to manage incoming cert into stores,OS and applications… New service (KCT) to issue Kerberos tickets from certs.

Higher Education HEBCA HEPKI-TAG HEPKI-PAG PKI-labs Campus successes – Texas Med, Dartmouth, MIT…

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.