Presentation is loading. Please wait.

Presentation is loading. Please wait.

David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L.

Published byPhillip Atkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L."— Presentation transcript:

1 David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L. Wasley University of California

2 2 Certificate Policy is … v The basis of trust between unrelated entities v Not a “contract” v A framework that informs/constrains a PKI implementation v A way of giving advice to Relying Parties v One of a number of related documents, incl. l Certification Practices l Directory Policy

3 3 Goals v A “generic” CP for higher ed PKI v Compatible with the Federal BCA policy v Simple (relatively) to implement at the “Rudimentary” level (PKI Lite) v Specific requirements intended to foster inter- domain trust v All implementation specific details deferred to associated Certification Practices Statement

4 4 PKI Players v Policy Management Authority (PMA) l Responsible for developing end enforcing policy v Certificate Authority (CA) l Operational unit(s) l Term also applies to the entire set of functions v Registration Authority (RA) l Optional delegated responsibility for I & A v Relying Parties

5 5 RFC 2527 CP Sections v Introduction v General Provisions v Identification and Authentication v Operational Requirements v Physical, Procedural and Personnel Security Ctrls v Technical Security Controls v Certificate and CARL/CRL Profiles v Specification Administration

6 6 Introduction v Distinction between CP and CPS v CP is transitive throughout the hierarchy l Authorizing CA has responsibility for authorized CA v Document identity l OID for the CP and OIDs for each LOA v On-line copy of CP and CPS must be signed v Community served may be any defined in the CPS l Relying Party can’t make assumptions unless so stated

7 7 Introduction (cont.) v Applicability of the issued certificates based on Level of Assurance (LOA) l Test - used for development and testing only l Rudimentary - very low risk apps; data integrity l Basic - for apps with minimal risk l Medium - modest risk, including monetary loss l High - secure apps; transactions of significant financial consequence

8 8 General Provisions v Obligations of the parties l CA, RA, Subscriber, Relying Party, Repository l RP is problematic since there is no “contract” s In some cases a contract may be needed, e.g. FERPA v Liability limited to $1,000 l Considered necessary to indicate trustworthiness v Audit requirements l Must be performed by qualified third party l Results must be made available

9 9 Identification and Authentication v Types of Subject names l If included, must be meaningful l Must be unique for all time v Different requirements for each LOA l Photo ID required for Medium or High LOA l Document ID marks must be recorded and archived v CA rekey requirements l Must notify PKC Subjects …

10 10 Operational Requirements v CA may not generate key pairs for Subjects v PKC acceptance for Med/High require signature v PKC Suspension or Revocation l Suspension not used l Revocation required at Basic or higher LOA s Requires standard CRL; allows for OCSP s Relying Party required to check for revocation

11 11 Operational Requirements (cont.) v Security Audit Procedure l Everything that might affect the CA or RA l Simple for Rudimentary v Records Archival l Up to 20 years + 6 months for High LOA l (Electronic archive is an activity unto itself) v Disaster Recovery Requirements v CA Termination Process

12 12 Physical, Procedural and Personnel Security Controls v CA Roles [may change] l Administrator - sysadmin; installs & configures l Officer - approves issuance and revocation of PKCs l Operator - routine system operation & backup l Auditor - reviews syslogs; oversees external audit v Separation of roles required at higher LOAs v Some tasks require action by 2 out of 4 persons

13 13 Technical Security Controls v FIPS 140 Technical Security l Level depends on LOA l Key sizes and private key protection requirements v Escrow of end-entity decryption (private) key l CA must have possession of key before issuing PKC l Must NOT escrow any other private key v Computer platform and network controls v Engineering and development controls

14 14 Certificate and CARL/CRL Profiles v Certificate profile is x.509v3 or higher l Details in CPS l CertPolicyID is the LOA OID l CPSuri points to the on-line signed CPS s CPS specifies CP OID and URL where it can be found l Certificate serial number must be unique across all PKCs issued by this CA v CARL/CRL is x.509v2 or higher

15 15 Specification Administration v Specifies how the PMA changes or updates this policy document, etc. v See also the Bibliography and Glossary

16 16 Other Policy Documents v Certification Practices Statement l All specific details, e.g. community, I&A, etc. l HE draft example begun … v Directory Policy Statement l As critical as the credential l Includes access controls, element definitions, etc… v Business Policy Provisions l The basis for the institution to issue credentials

17 17 Similar CPs for Comparison v Federal BCA Certificate Policy v European PKI certificate policy v Globus Grid CP v Draft Model Interstate Certificate Policy v Commercial PKI CPs (very different) v CP for the State of Washington v NACHA CARAT guidelines

18 18 HE CP Status v Draft in process for 9 months l Will be vetted to wider audience ASAP v Companion HEBCA CP needs to be reviewed to ensure compatibility v Generic OIDs may be acquired for CP, LOAs v Example CPS(s) will be generated v Notes for CA implementers will be created v See http://www.educause.edu/hepki/http://www.educause.edu/hepki/

19 19 Acknowledgements v Richard Guida, Federal PKI Council v Ken Klingenstein and the I2 HEPKI-PAG v Judith Boettcher, CREN v Dan Burke, Legal Council, CREN v Scott Fullerton -- Wisconsin-Madison v Art Vandenburg -- Georgia State v Support: Renee Frost, Ellen Vaughan, Nate Klingenstein (I2), Michelle Gildea (CREN)

Download ppt "David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft 0.010 David L."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,

Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

Similar presentations

Ads by Google