HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005.

Presentation transcript:

Slide 1: HEBCA – Higher Education Bridge Certification Authority
Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005

Slide 2: Topics
- HEBCA’s goals
- Progress to date
- Next steps
- Collaboration

Slide 3: HEBCA’s Goals
- Provide a mechanism for inter-institutional trust of PKI certificates
  – Policies
  – Technical infrastructure
- Cross-certify participants at appropriate levels of assurance
- Provide a high-availability online directory (cross-certificate lookup) and revocation services
- Dynamically add cross-certifications of existing CAs
- Cross-certify with other trust fabrics as appropriate (FBCA, USHER, SAFE, etc.)

Slide 4: HEBCA’s Goals (continued)
- Enable inter-institutional applications:
  – Digital signatures on web forms, applications, reports, etc.
  – Authentication to network services
  – GRID authentication
  – S/MIME signed email
  – Trust fabric for server identity certificates, Web Services
- Any PKI certificate path validation can use the bridge mechanism to impute trust and determine level of assurance.

Slide 5: Progress to Date
- Active and productive Policy Authority
- Most policy in place
- Many official docs approved
- Operating Authority nearly finished installing initial production infrastructure
- Audit agreements signed, audit starting
- Collaborating with USHER (policy, infrastructure, Registration Authority)

Slide 6: HEBCA Production Hardware

Slide 7: Progress to Date (continued)
- Hurdles overcome
  – Invented techniques and procedures to operate a high-assurance CA on a shoestring budget
    – Streamline everything
    – Air gap for offline CA automation
  – Resolution of the FBCA requirement for US citizenship of “trusted roles” personnel prior to cross-certification
  – Discovered and worked around a vulnerability in the protocol for indirect CRLs

Slide 8: AirGap
- The problem:
  – Offline CA
  – CRL generation and publication every 6 hours
  – Two trusted personnel must be present to access the CA
- How do we staff this? Two people visit the machine room every 6 hours? No way!

Slide 9: AirGap
- A USB flash device carries signed data between the CA and the Directory
- The storage is never connected to both devices at the same time; hardware enforces an “air gap”
- The storage is connected to the online Directory for 5 minutes every 6 hours, and otherwise connected to the offline CA
- An automated sneakernet equivalent!

Slide 10: AirGap Components (about $100 cost):
- Sewell Manual Share USB Switch
- 5V relay
- 5V AC adapter
- Power timer
- Simple debounce circuit
- Crucial 1Gb flash disk
- Cron jobs running on the CA and the online Directory server
- Signed objects passed back and forth (CRL, revocation requests, certificate requests, etc.)
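The slides describe the hardware side of the hand-off but not what the Directory-side cron job should check before it publishes a CRL found on the flash disk. The following is an added example written for this transcript, not HEBCA's own code: it models the 5-minute/6-hour timer window and the freshness and replay checks a defender would want, since the disk is untrusted input once it has been on the online side. The file names, the `ca.pem` trust anchor and the 30-minute clock-skew slack are assumptions.

```python
from datetime import datetime, timedelta, timezone
import os, subprocess

WINDOW = timedelta(minutes=5)  # the disk sits on the Directory side this long
PERIOD = timedelta(hours=6)    # the offline CA issues a new CRL this often

def ts(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SS' string as a UTC timestamp."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def directory_has_disk(now, timer_epoch):
    """True while the power timer has the USB switch on the Directory side."""
    return (now - timer_epoch) % PERIOD < WINDOW

def crl_acceptable(this_update, next_update, last_this_update, now,
                   slack=timedelta(minutes=30)):
    """Decide whether a CRL found on the disk may replace the published one.

    Returns (ok, reason). Rejects a CRL that is not yet valid (clock skew
    between the two machines), one that is not newer than the CRL already
    published (replaying an older CRL would hide recent revocations), and one
    whose nextUpdate would pass before the next 6-hour pickup (relying parties
    would then see an expired CRL and fail path validation).
    """
    if this_update > now + slack:
        return False, "thisUpdate is in the future"
    if last_this_update is not None and this_update <= last_this_update:
        return False, "not newer than the published CRL (possible replay)"
    if next_update < now + PERIOD + WINDOW + slack:
        return False, "nextUpdate does not cover the next pickup"
    return True, "ok"

def signature_ok(crl_path, ca_path="ca.pem"):
    """Verify the CRL signature against the CA certificate with openssl
    (assumed paths); nothing is published without this check."""
    r = subprocess.run(["openssl", "crl", "-in", crl_path, "-inform", "DER",
                        "-CAfile", ca_path, "-noout"],
                       capture_output=True, text=True)
    return r.returncode == 0 and "verify OK" in (r.stdout + r.stderr)

def publish(src, dst):
    """Copy via a temporary file and os.replace so the Directory never serves
    a half-written CRL if the 5-minute window closes mid-copy."""
    tmp = dst + ".tmp"
    with open(src, "rb") as f, open(tmp, "wb") as g:
        g.write(f.read())
    os.replace(tmp, dst)
```

The CA-side cron job needs the mirror image of these checks on the signed revocation and certificate requests it picks up from the disk.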

Slide 11: Next Steps
- Policies, procedures, and documentation finalized
- Dry-run cross-certification with University of Virginia
- Audit
- Initialize production CA
- Production operations
- Market and cross-certify with customer CAs
- Cross-certify with FBCA, other bridges

Slide 12: HEBCA and USHER Collaboration
- Sharing infrastructure and implementation
- Single OA (Dartmouth) and single RA (Internet2)
- One CA implementation and system
- Much shared policy and documentation
- HEBCA and USHER are significantly cheaper to build and run collaboratively than separately.

Slide 13: For More Information
- HEBCA Website: http://webteam.educause.edu/hebca/
- OA Architect and Implementor: Scott Rea – Scott.Rea@dartmouth.edu
- Mark Franklin – Mark.J.Franklin@dartmouth.edu
