Federating and PKI: Case Studies Paul Hill, MIT

1 Federating and PKI: Case Studies Paul Hill, MIT
Understanding what's needed to collaborate across boundaries, this session will provide concrete examples of campus technical implementations.

2 MIT context
- 99% of MIT users have at least one MIT X.509 certificate
- MIT deployment since 1996
- Soft certificate “junk” certificate used only for authentication
- Obtained using MIT ID number, Kerberos principal name, and Kerberos password submitted over SSL/TLS

4/6/2019 2

3 Our CA(s)
- MIT CA, self signed cert
  - All user certificates
  - Nearly all MIT application servers
- Equifax
  - Used by a small number of application servers that need to be under a commercial CA

4 Internal uses
- Web authentication
- Access to MIT-only web pages
- Fine grained access control
- Ability to download MIT licensed software
- Sloan’s web portal
- Course registration
- Housing lotteries
- Financial system

5 Using the MIT certificates outside of MIT for online purchasing
- DELL
- Apple
- GovConnection
- Office Depot
- VWR Scientific
- AirGas
- Grainger
- Minuteman Press of Cambridge

6 Using Certificates for online sales
- ChargeMIT – MIT’s e-commerce solutions
- suite of ecommerce services provided by the Controller's Accounting Office (CAO) and Information Services & Technology (IS&T) enable secure online, back-office, and point-of-sale credit card transactions for MIT departments, labs, centers, and recognized groups
- Hosted service or DLC’s server

7 MIT Certificates are not used for
- Code signing
- SMIME long term encryption
- VPN authentication (yet)

8 Support issues for end users
- Getting the MIT root CA into the certificate store
- Getting the users to obtain a certificate
- Certificate renewals
- Certificates expire July 31st each year
- Large publicity campaign once a year

9 Support issues for application servers
- Getting the proper certificates installed on the application server
- Certificate renewal
- Teaching developers how to use the technology

10 Obstacles to using PKI for easy federations
- Perceived lack of other interesting sites deploying user certificates
- Lack of developers that understand the use of user certificates
- Armchair lawyers
- Non-repudiation “signatures” equivalency
- Multi-tier applications

11 The lack of barriers
- So far few external partners have refused to accept MIT certificates once we have asked
- Variety of commercial vendors
- US government agencies

12 Future directions
- Better education of developers
  - Improved documentation
  - Sample source code
  - Hosted servers running arbitrary code
- PKINIT
  - Multi-tiered applications
- PKCROSS
  - Using PKI to establish Kerberos cross realm authentication

