CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library


1 CNI Fall 1998: Access Management Requirements and Approaches
Joan Gargano, California Digital Library
Joan.Gargano@ucop.edu

2 Organization
http://www.ucop.edu/irc/auth/auth-wg
- UC Joint Operations Group
  - JOG Authentication Steering Group
- JOG Authentication Workgroup
- UCOP Information Resources & Communications
  - UC Common Authentication Project

3 Scope
- Create an infrastructure service which integrates into the technology environment of all 9 UC campuses
- Support >300,000 end users
- Serve both administrative and academic applications
- Extensible to services provided by external entities

4 Why?
- Authenticated access to University business applications
  - Bencom - Employee Benefits System
- Authenticated access to licensed content
  - Reduce dependence upon IP address authentication

5 Services
- Directory Service: a database of names and attributes of users, machines and other resources which may be accessed over the network.
- Authentication: proof of authenticity, worthy of acceptance
- Authorization: invest with the ability to perform certain tasks

6 Workgroup Charge
- Identify issues related to Universitywide development of a common authentication architecture and work through as many of those issues as possible
- Demonstrate a working configuration of the architecture
- Report on outstanding issues
- Recommend next steps for continuing the work
- Pilots and reports every 4 months

7 First Workgroup - Workplan
- Kerberos
- Public Key Infrastructure (PKI) and X.509 Certificates (PKC)
- Directory Services
  - University Directory (NetID)
  - Campus Directories (Campus ID)
- Pilot Projects

8 PKI Design Goals
- One personal certificate per person
- One type of certificate authority per campus
- Minimal use of intermediate servers
- Support campus defined procedures for issuing certificates

9 Key Decisions - Authorization
- Key Decision: The payload of the certificate will be kept to a minimum. Information related to authorization will not be included, except for a pointer to an authorization service.
- Impact: A system for managing authorization information, external to the certificate system, will be required.

10 Key Decisions - Strong Encryption
- Key Decision: The workgroup will recommend a certificate infrastructure which relies on strong encryption technology.
- Impact: Some University affiliates, especially foreign students and faculty, may be inconvenienced by export restriction laws which govern the use of the strong encryption technology. The University must create policies and procedures to guide the use of this technology.

11 Second Workgroup - Key Decisions
- Key Decision: The certificate architecture is based upon the use of centralized certificate authorities. However, on an exceptional basis, departmental issuance of certificates based upon unique characteristics of their clients, such as Libraries and University Extensions, may be handled by departmental certificate authorities.
- Impact: Departments will be responsible for their own certificate management, including Certificate Revocation Lists.

12 Key Decision - Unique Identifiers
- Key Decision
  - The NetID, which will be the primary key for the UCOP demographics database and directory service, is independent of the CampusID.
  - Any relationship between the two will be defined and maintained at the campus level.

13 PKI & PKC Outcomes
- Defined the payload of a UC X.509 certificate.
- Demonstrated the feasibility of a UC Certificate Authority using the Netscape Certificate Server.
- Agreed upon a hierarchical structure for UC Certificate Authorities.

14 PKI & PKC New Issues
- Certificate Content
  - Pseudonymous access - only a unique identifier, NetID and/or CampusID
  - Pointer to an authorization server
  - Certificate strength field
- Issuing Certificates - feasible but cumbersome
- CA Hierarchy - Root Server?

15 Task - Strength
- UC Defined Strength Field
- Scale from 1.0 - 10.0
- Integer portion defined Universitywide
- Decimal portion defined by campuses
- 7 = a generic form of photoID
- 3 = a generic, automatically generated certificate

16 PKI & PKC - Requirements
- Certificate Revocation Lists
  - Applications which use certificates must complete a query against a CRL.
- Certificate Authorities
  - Must support 60,000 certificates per system
  - Integration with directory servers (LDAP)
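The three design decisions above (slide 9: authorization data lives outside the certificate behind a pointer; slide 15: a 1.0 - 10.0 strength field whose integer portion is Universitywide and whose decimal portion is campus-defined; slide 16: every relying application must query a CRL) combine into one access decision. The following Python is an added illustration of that decision flow and is not code from the UC workgroup. It assumes a certificate modeled as a plain dict rather than a parsed X.509 object, a local table standing in for the external authorization service, a placeholder service URL, and that a cross-campus application such as Bencom compares only the integer portion of the strength field and requires photoID-level strength (7); every NetID, serial number and role is constructed.

```python
"""Access decision model for the certificate architecture on slides 9, 15 and 16.

Added illustration, not UC project code. Certificate contents are modeled as a
plain dict rather than a parsed X.509 object, the authorization service is a
local table, and every identifier, serial number and URL is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class CRL:
    """Minimal CRL model: revoked serial numbers plus the issuer's nextUpdate time."""
    revoked_serials: frozenset
    next_update: datetime


def parse_strength(field: str) -> Tuple[int, int]:
    """Split the UC strength field into its Universitywide integer portion and
    its campus-defined decimal portion, enforcing the 1.0 - 10.0 scale."""
    whole, _, frac = field.partition(".")
    if not whole.isdigit() or not (frac == "" or frac.isdigit()):
        raise ValueError(f"malformed strength field: {field!r}")
    integer, decimal = int(whole), int(frac or "0")
    if integer < 1 or integer > 10 or (integer == 10 and decimal != 0):
        raise ValueError(f"strength {field!r} is outside the 1.0 - 10.0 scale")
    return integer, decimal


def decide(cert: dict, crl: CRL, authz_lookup: Callable[[str, str], Set[str]],
           required_strength: int, required_role: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one certificate presented to one application."""
    # Slide 16: the CRL query is mandatory. A CRL past its nextUpdate cannot
    # prove non-revocation, so the check fails closed instead of being skipped.
    if now > crl.next_update:
        return False, "crl-stale"
    if cert["serial"] in crl.revoked_serials:
        return False, "revoked"
    # Slide 15: only the integer portion has a Universitywide meaning, so an
    # application serving all campuses compares that portion alone (assumption).
    integer, _campus_defined = parse_strength(cert["uc_strength"])
    if integer < required_strength:
        return False, "strength-too-low"
    # Slide 9: the certificate carries no authorization data, only a pointer;
    # roles come from the external service named in the certificate.
    roles = authz_lookup(cert["authz_service"], cert["netid"])
    if required_role not in roles:
        return False, "not-authorized"
    return True, "ok"


# --- constructed sample data (not real UC identifiers) ----------------------
AUTHZ_SERVICE = "https://authz.example.edu/attributes"  # placeholder pointer URL
ATTRIBUTE_SERVICE: Dict[str, Dict[str, Set[str]]] = {
    AUTHZ_SERVICE: {
        "netid-1001": {"employee", "benefits-user"},
        "netid-1002": {"student"},
        "netid-1003": {"employee", "benefits-user"},
    }
}


def lookup_roles(service_url: str, netid: str) -> Set[str]:
    """Stand-in for the external authorization service; unknown users get no roles."""
    return ATTRIBUTE_SERVICE.get(service_url, {}).get(netid, set())


NOW = datetime(1998, 12, 1, tzinfo=timezone.utc)
CURRENT_CRL = CRL(frozenset({0x1003}), next_update=NOW + timedelta(days=1))
STALE_CRL = CRL(frozenset(), next_update=NOW - timedelta(days=1))

CERTS = {
    "photo-id-employee": {"serial": 0x1001, "netid": "netid-1001",
                          "authz_service": AUTHZ_SERVICE, "uc_strength": "7.2"},
    "auto-generated-student": {"serial": 0x1002, "netid": "netid-1002",
                               "authz_service": AUTHZ_SERVICE, "uc_strength": "3.0"},
    "revoked-employee": {"serial": 0x1003, "netid": "netid-1003",
                         "authz_service": AUTHZ_SERVICE, "uc_strength": "7.4"},
}


def bencom_decisions(crl: CRL = CURRENT_CRL, now: datetime = NOW) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sample certificate against a benefits application that, by
    assumption, demands photoID-level strength (7) and the benefits-user role."""
    return {name: decide(cert, crl, lookup_roles, 7, "benefits-user", now)
            for name, cert in CERTS.items()}


if __name__ == "__main__":
    for name, outcome in bencom_decisions().items():
        print(f"{name:24s} -> {outcome}")
```

The order of the checks matters: revocation is tested before anything else because a revoked certificate's strength and roles are no longer meaningful, and a stale CRL is treated as a failure rather than a pass so that a CRL server outage cannot silently turn into unrestricted access. Replacing the dict model with a real X.509 parser and the local table with an LDAP or HTTP query against the attribute service would not change the decision flow.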

17 PKI & PKC - Needs Investigation
- Certification Practice Statement
  - Due diligence - how “strong” are UC certificates
  - U.S. Export Law Restrictions
- Certificate and Private Key Management
  - Public Key Cryptographic Standards
    - PKCS-11: hardware storage of private keys
    - PKCS-12: secure transfer of private keys electronically

18 Current Workplan
- Universitywide Architecture Statement
- Define the UC Attribute Service
- Create user support documentation
- Address public workstation support and certificate portability
- Clarify Technology Issues
  - Root level CA
  - Netscape server directions

