
Internet2 Middleware PKI: Oy-vey! Michael R. Gettes Principal Technologist Georgetown University


1 Internet2 Middleware PKI: Oy-vey! Michael R. Gettes Principal Technologist Georgetown University gettes@Georgetown.EDU http://www.georgetown.edu/giia/internet2

2 HEPKI
Sponsors: Internet2, EDUCAUSE, CREN
TAG (Technical Activities Group): Jim Jokl, Chair, Virginia. Technology, practicality, deployment, testbeds.
PAG (Policy Activities Group): Ken Klingenstein, Colorado (default chair). Knee-deep in policy (CP), HEBCA, campus, subscriber and relying-party issues.
PKI Labs: Neal McBurnett (AT&T / Avaya); Wisconsin-Madison and Dartmouth. Industry, government and education expert guidance.
http://www.educause.edu/hepki

3 HEPKI-TAG Activities
Charter of the Technical Activities Group (TAG):
Certificate profiles, CA software
Private key protection
Mobility, client issues
Interactions with directories
Testbed projects (PKI-Lite, S/MIME interop, profiles)
Communicate results
http://www.educause.edu/hepki

4 HEPKI-PAG
We don't need no stinkin' policy?
Policy, lawyers, documenting practice: what gives?
Going outside the institution. Staying inside doesn't require new policy (rather, new practice).
PKI seems to make authN / authZ a legitimate problem deserving legal attention.
Working with the U.S. Gov't on PKI policy.
Moved the development of the HEBCA Certificate Policy.
Realized the need for a Campus Model Certificate Policy.
Realized the need to simplify policy for PKI-Lite.

5 Transforming Education Through Information Technologies http://www.educause.edu/ Common Solutions Group, January, 2002 (Sanibel Island)
HEBCA: Higher Education Bridge Certificate Authority
Michael R Gettes, Georgetown University, gettes@Georgetown.EDU

6 Multiple CAs in the FBCA "membrane"
Survivable PKI
Cross certificates allow for "one-way / two-way policy"
Directories are critical in the BCA world.

7 A Snapshot of the U.S. Federal PKI (diagram). Labels: Federal Bridge CA, NFC PKI, Higher Education Bridge CA, NASA PKI, DOD PKI, Illinois PKI, University PKI, CANADA PKI.

8 What is Cross Certification?
A bridge signs the CA's certificate and the CA signs the bridge's certificate.
Policy OIDs and name-constraint controls are carried in the cross certificates.
Cross certificates are published in directories and discovered via the network, so the BCA and the CA may remain off-line.
Policy OIDs could map to XML documents describing the policy (processed per Carmody).

9 Path Validation
The application receives a certificate and finds a path back to its signer, validating the path for policy mappings and name constraints.
Policy mappings can be LOA (levels of assurance), "we agree to be in Club Shib", or whatever.
Name constraints control the subjectName name space, e.g. a CA may only sign within dc=U,dc=edu.
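Slides 8 and 9 describe what a bridge-aware relying party has to do: discover a path of cross certificates from the certificate it received back to its own trust anchor, then walk that path checking policy mappings and name constraints. The following is an added example, not code from the presentation, HEPKI, the NIH pilot or any vendor product. It models certificates as plain Python records (no ASN.1, no signatures, no directory lookups) so that path discovery over a cyclic cross-certificate graph and the RFC 5280 style policy-mapping and name-constraint processing can be seen on their own; every CA name, DN and policy OID in it is constructed for illustration.

```python
"""Bridge-CA path validation modelled in plain Python (added example, not from the
presentation). No ASN.1 or signatures: only the RFC 5280 policy-mapping and
name-constraint logic is shown. All names and policy OIDs are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical per-domain policy OIDs (assumptions, not registered values).
NIH_MEDIUM = "1.3.6.1.4.1.99999.1.1"
FBCA_MEDIUM = "1.3.6.1.4.1.99999.2.1"
HEBCA_MEDIUM = "1.3.6.1.4.1.99999.3.1"
UA_MEDIUM = "1.3.6.1.4.1.99999.4.1"
UA_BASIC = "1.3.6.1.4.1.99999.4.2"   # a weaker University A policy that nothing maps to

@dataclass(frozen=True)
class Cert:
    subject: str                                # LDAP-order DN, e.g. "cn=alice,dc=ua,dc=edu"
    issuer: str
    policies: FrozenSet[str]                    # certificatePolicies, in the issuer's OIDs
    mappings: Tuple[Tuple[str, str], ...] = ()  # policyMappings: (issuerDomain, subjectDomain)
    permitted: Tuple[str, ...] = ()             # nameConstraints permittedSubtrees (directoryName)
    ca: bool = True

def within(dn: str, base: str) -> bool:
    """True if dn lies in the subtree rooted at base (a DN suffix in LDAP order)."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def build_path(ee: Cert, store: List[Cert], anchor: str) -> Optional[List[Cert]]:
    """Search from the end entity back to a certificate issued by the trust anchor.
    Cross certificates run both ways, so the store is cyclic; `seen` stops the
    search looping FBCA -> HEBCA -> FBCA. Result is ordered anchor-issued cert -> ee."""
    def search(cert: Cert, seen: FrozenSet[str]) -> Optional[List[Cert]]:
        if cert.issuer == anchor:
            return [cert]
        for cand in store:
            if cand.ca and cand.subject == cert.issuer and cand.subject not in seen:
                rest = search(cand, seen | {cand.subject})
                if rest is not None:
                    return rest + [cert]
        return None
    return search(ee, frozenset({ee.subject}))

def validate(path: List[Cert], initial_policy: str) -> Tuple[bool, str]:
    """Walk anchor-issued cert -> end entity, carrying policy and name-constraint state."""
    expected = {initial_policy}                    # accepted policies, in the current domain's OIDs
    permitted: Optional[Tuple[str, ...]] = None    # None = no name constraints yet
    for cert in path:
        # nameConstraints set by earlier CAs apply to this certificate's subject
        if permitted is not None and not any(within(cert.subject, b) for b in permitted):
            return False, f"{cert.subject} is outside permitted subtrees {permitted}"
        # certificatePolicies must intersect what the relying party still accepts
        valid = expected & cert.policies
        if not valid:
            return False, f"{cert.subject}: no policy maps back to {initial_policy}"
        # policyMappings translate the accepted policies into the subject domain's OIDs
        mapped = dict(cert.mappings)
        expected = {mapped.get(p, p) for p in valid}
        # a CA's own constraints may only narrow the name space for the rest of the path
        if cert.ca and cert.permitted:
            permitted = cert.permitted if permitted is None else tuple(
                s for s in cert.permitted if any(within(s, b) for b in permitted))
            if not permitted:
                return False, f"{cert.subject}: constraints disjoint from its issuer's"
    return True, f"accepted under {sorted(expected)}"

NIH, FBCA = "cn=NIH CA,dc=nih,dc=gov", "cn=FBCA,o=U.S. Government"
HEBCA, UA = "cn=HEBCA,o=EDUCAUSE", "cn=UA CA,dc=ua,dc=edu"

# Constructed directory contents: Cert(subject, issuer, policies, mappings, permitted).
# Reverse cross certs come first so the path search must cope with the cycles.
STORE = [
    Cert(NIH, FBCA, frozenset({FBCA_MEDIUM}), ((FBCA_MEDIUM, NIH_MEDIUM),)),
    Cert(FBCA, HEBCA, frozenset({HEBCA_MEDIUM}), ((HEBCA_MEDIUM, FBCA_MEDIUM),)),
    Cert(HEBCA, UA, frozenset({UA_MEDIUM}), ((UA_MEDIUM, HEBCA_MEDIUM),)),
    Cert(FBCA, NIH, frozenset({NIH_MEDIUM}), ((NIH_MEDIUM, FBCA_MEDIUM),)),
    # the bridge confines higher-ed CAs to dc=edu; HEBCA confines University A further
    Cert(HEBCA, FBCA, frozenset({FBCA_MEDIUM}), ((FBCA_MEDIUM, HEBCA_MEDIUM),), ("dc=edu",)),
    Cert(UA, HEBCA, frozenset({HEBCA_MEDIUM}), ((HEBCA_MEDIUM, UA_MEDIUM),), ("dc=ua,dc=edu",)),
]

ALICE = Cert("cn=alice,ou=people,dc=ua,dc=edu", UA, frozenset({UA_MEDIUM}), ca=False)
MALLORY = Cert("cn=mallory,dc=nih,dc=gov", UA, frozenset({UA_MEDIUM}), ca=False)  # outside UA's space
BOB = Cert("cn=bob,ou=people,dc=ua,dc=edu", UA, frozenset({UA_BASIC}), ca=False)   # unmapped policy

def check(ee: Cert, anchor: str = NIH, initial_policy: str = NIH_MEDIUM) -> Tuple[bool, str]:
    """What the NIH relying party does with a certificate it receives from a sender."""
    path = build_path(ee, STORE, anchor)
    if path is None:
        return False, "no path to the trust anchor"
    return validate(path, initial_policy)

if __name__ == "__main__":
    for ee in (ALICE, MALLORY, BOB):
        ok, why = check(ee)
        print("OK  " if ok else "FAIL", ee.subject, "->", why)
```

Alice passes because each cross certificate on the NIH -> FBCA -> HEBCA -> UA path maps the relying party's policy into the next domain's OID and her name sits inside every permitted subtree; Mallory fails on the name constraint the HEBCA -> UA cross certificate imposes, and Bob fails because his certificate asserts a University A policy that no cross certificate maps back to the NIH policy. A real validator additionally verifies each signature, fetches the certificates and CRLs from the directories, and handles anyPolicy, inhibitPolicyMapping and excludedSubtrees, none of which this model covers.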

10 On Policy
We have a draft HEBCA Certificate Policy.
The HE CP and the HEBCA CP are congruent; the HEBCA CP and the FBCA CP are congruent.
We need a HEPKI PA (Policy Authority). EDUCAUSE is working this problem, granted "power" from ACE.

11 NIH-EDUCAUSE PKI Pilot, Phase Two: Electronic Grant Application with Multiple Digital Signatures
Peter Alterman, Ph.D., Director of Operations, Office of Extramural Research

12 Project Participants
University of Alabama-Birmingham
University of Wisconsin-Madison
University of California, Office of the President
University of Texas – Houston Health Science
Dartmouth College
Georgetown University (HEBCA proper)
National Institutes of Health (NIH)
Mitretek (www.mitretek.org)

13 The Problem
Pictures of piles of grant applications: about 20,000 of them, in stacks of paper 5 ft high, the height of a standing person. One forest per year just for grant applications.
The Solution: a signed, electronic grant application. Of course!

14 Phase Two Concept of Operations (CONOPS), diagram. Labels: NIH OER, Recipient, E-Lock Assured Office (at both ends), digitally signed grant application, CAM-enabled E-Lock, NIH CAM server, FBCA, HEBCA, cert status (twice), certificate validation for University A, University B and University C.

15 Validation flow, diagram. Labels: NIH CA trust anchor; "DAVE" (Discovery and Validation Engine); sender (UA) and receiver (NIH); NIH directory, FBCA directory, HEBCA directory and UA directory, linked by cross certs; DAVE / CAM / E-Lock software at the receiver; the UA CA issued the sender's certificate; get cert and CRL via directory chaining; new LDAP Registry of Directories for BCAs.

16 Bridge CA vs. Shibboleth
PKI is hard to deploy to end users.
Shib should use BCA-aware PKI between servers.
Club Shib will then scale using the policies and relationships established by the Bridge CA world.
ONE Club Shib, managed by policy, globally.
Java 1.4 is bridge aware; Whistler (Windows XP) is supposed to be.

17 The PKI Puzzle, by David Wasley, UCOP (diagram; visible labels: PKI Hierarchy, Medical).

18 PKI is 1/3 technical and 2/3 policy? (diagram: Technical / Policy)

