Got Directory? January 28, 2004, TIP2004 (presentation transcript)


Slide 1: Got Directory? January 28, 2004, TIP2004

Slide 2 (footer: 2015-06-01): A Campus Directory Architecture (diagram). Labels: metadirectory, enterprise directory, database, departmental directories, OS directories (MS, Novell, etc), border directory, registries, source systems, enterprise applications, dir A

Slide 3: eduPerson
- Schema for US Higher Education
- Low hanging fruit, interoperable data: easy stuff that we can all agree is true
- LocalEduPerson -- local stuff, local problem
- International efforts under way
- US Person? Will the Feds listen to us?
- eduOrg continues to be developed
- http://middleware.internet2.edu

Slide 4: LDAP-Recipe
- A hitchhiker's guide to LDAP in H.E.: a user's perspective (a discussion, not a manual) of how to deploy directories.
- Covering: directory tree, access control, attribute firewalls, group management, how all the name attributes work, authentication, schema management and design, RDN issues that most don't know about, considerations for directory-enabled e-mail routing, software reference, replication
- eduPerson discussion (read the recipe as well as the eduPerson specification)

Slide 5: Video Middleware (VID-MID)
- Post 9/11/2001: video on the Internet is how people will communicate, due to the impact on the US airline industry
- Video and middleware folks get together: video is largely a human-managed process. How to integrate video into the enterprise? Directory enabling versus directory slurping
- CommObject is born and H.350 results

Slide 6: domainComponent (DC=) Naming
- Traditional X.500 naming: dn: cn=Michael R Gettes, ou=Server Group, ou=OIT, o=Duke University, c=US
- domainComponent (DC) naming: dn: uid=gettes,ou=People,dc=duke,dc=edu
  - Problems with Cisco and others in the past, fixed (mostly)
  - HEPKI has issued guidance and advice on DC= naming

Slide 7: Group Toolset Architecture (diagram)

Slide 8: RADIUS + LDAP (diagram). Components: RADIUS server, NAS (terminal server), dialup users, directory server. Flow: the user calls 202-555-1110; the CalledId from the NAS is mapped to guRadProf; the directory entry for Netid = gettes carries guRadProf = 2025550001, guRadProf = 2025551110, guRadProf = OracleFin; the LDAP filter is: guRadProf = 2025551110 + NetID = gettes
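The two directory lookups the slides describe, the DC-style DN of slide 6 and the RADIUS authorization filter of slide 8, as an added example (not code from the presentation or from any of the projects it names). It applies the escaping that RFC 4514 requires inside DNs and RFC 4515 requires inside search filters, so that a NAS-supplied CalledId or a typed NetID cannot change what the filter matches. The attribute name guRadProf, the netid gettes and the sample numbers come from the slides; storing the NetID in the uid attribute, the 10-digit number format and the sample entry are assumptions.

```python
# Added example: DC-style DN construction (slide 6) and the RADIUS + LDAP
# authorization filter (slide 8), built with RFC 4514 / RFC 4515 escaping.
# guRadProf, "gettes" and the sample numbers come from the slides; keeping
# the NetID in "uid" and the 10-digit CalledId format are assumptions.
import re

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter, so a
    NAS-supplied CalledId or a typed NetID cannot alter the filter logic."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape an attribute value used inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append(r"\00")
        elif ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dc_dn(domain: str, rdn: str = "") -> str:
    """Map a DNS domain to a domainComponent suffix (duke.edu -> dc=duke,dc=edu),
    optionally below an RDN chain such as 'uid=gettes,ou=People'."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels:
        raise ValueError("domain needs at least one label")
    suffix = ",".join(f"dc={escape_dn_value(label)}" for label in labels)
    return f"{rdn},{suffix}" if rdn else suffix


def normalize_called_id(raw: str) -> str:
    """Reduce a dialed number such as '202-555-1110' to the digit string the
    directory stores in guRadProf (slide 8). Exactly 10 digits is an assumption."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 10:
        raise ValueError(f"unexpected CalledId format: {raw!r}")
    return digits


def radius_authz_filter(netid: str, called_id: str) -> str:
    """The slide-8 filter: the entry must be this NetID AND list the called
    number among its guRadProf values."""
    return f"(&(uid={escape_filter_value(netid)})(guRadProf={escape_filter_value(called_id)}))"


def entry_authorized(entry: dict, netid: str, called_id: str) -> bool:
    """Local evaluation of the same AND-of-equalities over one directory
    entry (attribute -> list of values), for testing without a server."""
    return netid in entry.get("uid", []) and called_id in entry.get("guRadProf", [])


# Constructed sample entry mirroring slide 8 (not real directory data).
SAMPLE_ENTRY = {
    "uid": ["gettes"],
    "guRadProf": ["2025550001", "2025551110", "OracleFin"],
}

if __name__ == "__main__":
    called = normalize_called_id("202-555-1110")
    print(dc_dn("duke.edu", "uid=gettes,ou=People"))
    print(radius_authz_filter("gettes", called))
    print(entry_authorized(SAMPLE_ENTRY, "gettes", called))
    # A wildcard CalledId is escaped, so it can no longer match every profile.
    print(radius_authz_filter("gettes", "*"))
```

If the deployment already uses an LDAP client library, prefer its own escaping routine (python-ldap ships ldap.filter.escape_filter_chars, for instance) over a hand-written one; the point of the example is that the NAS-supplied value and the NetID are data, never filter syntax, and that guRadProf is multivalued, so one user can be authorized for several called numbers or services.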

Slide 9: LDAP Analyzer
- Todd Piket, Michigan Tech
- Web-based tool to empirically analyze a directory
- eduPerson compliance
- Indexing and naming
- LDAP-Recipe guidance (good practice)
- H.350 compliance
- eduOrg compliance
- http://middleware.internet2.edu/dir/

Slide 10: What's up in Directory Land?
- Directory Architecture +
- eduPerson +
- eduOrg
- Local Schema (localEduPerson)
- Non-eduPerson Persons (international efforts)
- usPerson? Working the Feds
- LDAP-Recipe +
- Group Management +
- Video Middleware + H.350 for Video Infrastructure

Slide 11: Directory Land (continued)
- DC naming +
- RADIUS Integration +
- LDAP Analyzer +
- Medical Middleware
- MACE-CourseID
- Authorization work (the holy grail)

Slide 12: LDAP: Buyer Beware!!!
- LDAP is LDAP is LDAP – yeah, right!
- "Sure! We support LDAP!" What does that mean?
- Contract for functionality and performance
- Include your Directory/Security Champion!!!
- Verify with other schools – so easy, rarely done.
- Beware of products that specify directory servers
- Get the vendor to document product requirements and behavior. You paid for it!

Slide 13: Higher Education Bridge Certification Authority and USHER Status Update. Michael R Gettes, Duke University, January 2004, TIP2004

Slide 14: Technical / Policy. PKI is 1/3 technical and 2/3 policy?

Slide 15: A community-based CA: the (slow) rise of the house of Usher (the CA formerly known as CREN)

Slide 16: The CA formerly known as CREN
- Lots of discussion for a looong time – HEPKI-TAG, HEBCA-BID, PKI Labs
- Plan is finally emerging
- A few related certificate services
  - USHER Level 1 - soon
  - USHER Level 2 - start detailed planning for implementation of the USHER CP
  - Others if warranted, eventually
  - All operate on high levels of assurance in I/A of the institution, and in their internal operation at both Internet2 and subcontractors
  - Place varying degrees of pain, and power, on the institutions
- Helping on a packaging of open-source, low-cost CA servers
- Work with EDUCAUSE on their related initiatives

Slide 17: USHER Level 1
- Modeled after the Federal Citizen and Commerce CP/CPS (www.cio.gov/fpkipa/documents/citizen_commerce_cpv1.pdf)
- Issues only institutional certs
- Those certs can be used for any purposes
- CP will place few constraints on campus operations: user identification and key management; campus CA/RA activities
- Will be operated itself at high levels of confidence
- Will recommend a profile for campus use
- Good for building local expertise, ensuring some consistency in approaches among campuses, and may be suitable for many campus needs and some inter-campus uses
- Will not work for signing federal grants, etc.
- Operational soon

Slide 18: USHER Level 2
- Modeled after the FBCA Basic level CP
- Issues only institutional certs
- Those certs can be used for most purposes
- CP will place more constraints on campus operations: user identification and key management; campus CA/RA activities
- Will be operated itself at high levels of confidence
- Will recommend a profile for campus use
- Good for many campus needs, many inter-campus uses, and many workings with the federal government
- Will peer at the HEBCA
- Detailed planning now starting; stand up sometime mid-next year

Slide 19: Interesting and Open Issues…
- Policy Authority for USHER? Conservation of policy groups: HEBCA PA? InCommon-Exec?
- Final pricing and packaging: working numbers <$2K first year, <$1K renewal; includes strong institutional I/A and strong USHER operations; leverages InCommon operations
- Applications and use

Slide 20: Interesting and Open Issues 2
- Cost for USHER to peer at bridges
- Ability to put USHER into various browsers
- Relation to InCommon: distinguishing one from the other (to applications, to users); leveraging one with the other

Slide 21: +/- of USHER
- Pluses: pricing and lack of usage constraints on campus roots; strong institutional I/A – external and for subdomains; community-consistent ???
- Negatives: not easily in browsers; uncharted peering with feds, commercials, etc; places more emphasis on running your own campus CA ??

Slide 22: What's a Bridge anyway? (diagram; labels: Traditional PKI With Root CA, Pre-Existing?)

Slide 23: Board of Instantiation and Development (BID)
- Clair Goldsmith, Chair, UT System
  - Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia)
  - EDUCAUSE: Luker, Worona; Staff: Faut
- Purpose is to instantiate a HE Bridge, organization and policy structures by November 2003 (or sometime around that point -- okay, so we are running a tad behind schedule, so sue us)
- Foster deployment and development of bridged PKI
- Supported by EDUCAUSE

Slide 24: HEPKI Council
- Jack McCredie, Chair
  - Michael Baer, Sr VP ACE
  - Rich Guida, Johnson & Johnson
  - Mark Luker, EDUCAUSE
  - Mark Olson, EVP of NACUBO
  - Dave Smallen, CIO @ Hamilton College
  - Nancy Tribbensee, Counsel @ ASU
- Not operational; policy and oversight
- Will approve the creation of the HEBCA Policy Authority
- Charged with Higher Education direction and strategy for PKI initiatives, not just the Bridge
- Supported by EDUCAUSE

Slide 25: HEPKI National PKI (diagram)

Slide 26: Current Status: January 2004
- Charter
- HEBCA Certificate Policy (brother Wasley)
  - Will develop the CPS from this policy
- Dartmouth College
  - Contracted to implement HEBCA in 12/03
  - EDUCAUSE funded
  - Received AEG from Sun Microsystems ($50K); equipment ordered and received; signing hardware -- not yet
  - Working software agreement with RSA as first CA in the bridge
  - Maybe even a further deal with Higher Ed for CA services & s/w
- Begin process of cross-certification with US Gov
- Recommending to the PKI Council to create the HEBCA Policy Authority

Slide 27: EDUCAUSE/NIH Interoperability Project
- December 2003: NIH demonstrated the latest ability to submit doubly digitally signed documents to a web site that is validated using Bridge PKI. UCOP, Wisconsin, Dartmouth, UT Health Science Center (Barry Ribbeck)
- Directory infrastructure at Duke :-)
- General doc submission facility -- freely available -- cool stuff.

Slide 28: National PKI
- Levels of Assurance / HE CP
  - Get mapped all the way down, the key to interop
- Business/Marketing: separate problem
- Policy Authorities likely to merge
- HEPKI umbrella should be the org structure for all PKI activities in HE

Slide 29: Global? Trust Diagram (TWD) (diagram)

Slide 30: Sample InterFederation (diagram)

Slide 31: Shib/PKI Inter-Federations. This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infrastructure of a global PKI to maybe solve some larger inter-federation issues of other technical / policy spaces in a common fashion.


