The Vision of the RTS - University of Oxford

Digital Certificate Operation in a
Complex Environment
Consultation/Stakeholders Meeting
3 December 2003
DCOCE
/dʌˈkɒtʃiː/
pronounced "Der-kot-chee"
The DCOCE project
• DCOCE is about authentication with digital
certificates
• Digital certificates use Public Key Infrastructure
(PKI)
– PKI is very secure
– but can be difficult to administer
The DCOCE project
• Digital certificates and PKI rely upon trust
• Trust relies upon co-operation (or understanding)
between organisations
• Oxford University is a Complex Environment
– DCOCE
– If it can work here...
What DCOCE is not about
• Authorisation
– but…
• Single sign on
– but…
• e-Science and the grid
– but…
Project team
• Project Manager: Mark Norman
• Systems Developer: Christian Fernau
• Evaluators: Alun Edwards (OUCS), Johanneke Sytsema (SERS)
• Based within the RTS at OUCS in collaboration with SERS
Project partners
• Research Technologies Service at Oxford University
Computing Services in collaboration with:
– the Systems and Electronic Resources Service at
Oxford University Library Services (SERS)
– Manchester Information and Associated Services
(ZETOC)
– the Athens Devolved Authentication Service (at
EduServ)
– the Oxford e-Science Centre (OeSC)
What is DCOCE?
• 2-year project funded by the JISC (Joint
Information Systems Committee)
– feasibility of using digital certificates for authentication
and simplified access to remote services
– researching and running a pilot of a PKI (public key
infrastructure)
– evaluating and documenting all of the major stages and
of the user experience
Why at Oxford?
• The complex environment is here…
– the Departments and Colleges of the University of Oxford
• everyone may have a different requirement
• desires secure access to central IT support applications
• desires to optimise access to licensed content
• Oxford hosts regional e-Science Centre
– OUCS
• secure access to web-based email; LDAP services; VPN service
• developing account management packages for RDN Subject Portals Project
• Information flow is very important to a PKI
Stakeholder group
• Project Team
• Oxford University Computing Services: Research Technologies Service
• IT Support Staff services
• User registration
• Library Services
• E-Science Centre
• Admin & Legal Services
Stakeholder group
• We need to know what you think:
– are the ideas difficult?
– what do you think you need?
• Early 2004 we need people to trial the use of our
digital certificates
– to discover the advantages and difficulties as they
appear to you
Modelling
• Admin. architecture
– select and review 4 PKI implementations
– build an administration architecture model for Oxford
– Athens, MIMAS and OeSC to advise and review initial proposals for models
• System architecture
– review the 4 PKI implementations
– build a system architecture model for Oxford
– Athens, MIMAS and OeSC to advise and review initial proposals for models
Development and implementation
• Implement, and develop, the systems and
administrative processes to support a certificate
life-cycle within a PKI
– architectures
• very small-scale rollout
– a certification authority
• initial testing
– OeSC to advise
Athens Devolved Authentication
• Enable access to remote resources subscribed to
by Oxford compliant with Athens single sign-on
(SSO) via digital certificate authentication
– examine Athens requirements and standards
– ensure certificates and ‘presentment’ mechanisms
comply and PKI can be trusted
MIMAS
• Enable access to remote Zetoc/British Library
resources via digital certificate authentication
mechanism
– examine MIMAS/Zetoc requirements and standards
– ensure certificates and ‘presentment’ mechanisms
comply and PKI can be trusted
Real-world rollout
• Distribute the certificates much more widely
– test
– examine revocation and recovery issues
– document the issues arising
• Extensive set of users will receive certificates
– IT support staff in devolved roles throughout the
University
– selected end users of many types and roles
• Trial revocation and recovery/re-issuing mechanisms
• OeSC, Athens and MIMAS to advise
Certificate Policy Statement
• Develop and publish a detailed Certificate Policy
Statement (CP)
– in accordance with the Internet Engineering Task Force
PKI X.509 Certificate Policy and Certification Practice
Statement (CPS) Framework
– produce an early draft of the CP
• consult about trust issues
– final version of the CP will be produced after rollout
Legal and administrative issues
• Input from Oxford University Legal Services
– issuing and revoking certificates
– running the PKI
– the final Certificate Policy Statement (CP)
– the administration issues of managing:
• a registration authority
• and certificate authority
• and revocation list
– research legal and administration issues
• OeSC to advise
Evaluation and dissemination
• Technical and user-oriented evaluations
– the implementation of PKI at UK HE establishments
– final report
• Project progress report
– successes and failures and points of difficulty
• Via web pages, email lists and at real 'events'
– http://www.dcoce.ox.ac.uk/ Web site
– [email protected] mailing list
– Useful to others considering PKI within UK FE and HE
• formative evaluation of decisions made
• summative evaluations
– decision-making processes and the experiences of end users etc.
Summary of deliverables
• Evaluation reports
– for different stages of the process
• Policies
– overall Certification Practice Statement (CPS)
• Systems architecture details
– any open source adaptations
• Project Web site
– http://www.dcoce.ox.ac.uk/
• Summative report
– practical manual
Ideas for discussion at the moment
• Sending server certificates on a CD-ROM
• Ideas for a Local Institution Certificate Store
• Ideas for issuing certificates (enrolling)