Higher Ed Certificate Authority by CREN: Update
Download
Report
Transcript Higher Ed Certificate Authority by CREN: Update
Higher Ed Certificate Authority
by CREN
October 12, 2000
TERENA Meeting/Paris
What is CREN in Year 2000?
A non-profit higher education member
organization - 230 members
Mission - Support higher education and
research organizations with strategic IT
knowledge services and communication tools
for infrastructure
Evolving from BITNET launched in 1984
(Visit us at www.cren.net)
“Corporation for Research and Educational
Networking”
10/12/2000
www.cren.net
2
Certificate Authority - Topics (3)
Operations and Status
As many questions as we have answers..:-)
EvolvingTrust Models
Hierarchical model -Trust Anchor
Bridge model - Trust Conduit
Cross-certification Plans
Evolving Documents
Certificate Policies - with cert profile info
Certificate Practice Statements
IETF RFC 2527 as guide to doc development
10/12/2000
www.cren.net
3
Certificate Authority by CREN
Goal is to simplify connection to a trust
community
Serve as a trusted third party and to
facilitate trust relationships
Among institutions
Between higher education and other
communities
Provide a link to other validated, trusted
institutions without a separate pair-wise
trust relationship www.cren.net
between each pair of
10/12/2000
institutions
4
Certificate Authority by CREN
Primary initial use is a focus on supporting
inter - institutional resource sharing
Among institutions
Between institutions and content providers
Primarily for academic content and research
resources
Goal - map to basic or medium assurance with
Federal Bridge Certificate Authority
Operate under a Certificate Practices
Statement of 1/27/2000
10/12/2000
www.cren.net Version 3.0
5
Higher Education CA by CREN
Hierarchical CA Trust Community
Minn
MIT
HeHRCA
(CREN)
Princeton
• HeHRCA Group shares
“close enough” CP, CPS
• Hierarchy as “Trust Anchor.”
GaTech
UTenn
Penn State
10/12/2000
www.cren.net
UT-Austin
6
Operations - Higher Ed CA (1)
CA Subscriber process
Two page Application Form completed by
Institution’s CREN member rep
Signed by an executive officer of
institution
Once registration is complete, the
technical contact
10/12/2000
Issues request for certificate
Accepts the certificate on behalf of
www.cren.net
institution
7
Operations - Higher Ed CA (2)
CREN Office
Serves as the Registration Authority (RA)
Receives, approves, and manage the
applications and issuance of institutional
certificates
Validates institutional contacts for the
institutional CA certificate
Sends message to MIT approving and
initiating secure contact with institution
10/12/2000
www.cren.net
8
Operations - Higher Ed CA (3)
MIT
Operates the CREN CA under contract for
CREN
Receives the certificate request message
directly from technical contact at institution
Generates the institutional certificate
Sends the institutional certificate back to
technical contact and to CREN RA Contact
Updates the repository of certificates
10/12/2000
www.cren.net
9
CREN Root Key Cutting Ceremony
at MIT 11/17/99
10/12/2000
www.cren.net
10
Certificate Authority Status
Institutional certificates issued and
accepted
MIT, Georgia Tech, Princeton
U of Minnesota, UT-Austin, Penn State
Testing with JSTOR is underway
Success with remote access using U of MN
CREN -issued certificate - 9/19/00
One next step: test with U Minn directory
query based on https embedded in certificate
10/12/2000
www.cren.net
11
Applications
Registration process complete - U Tenn &
U Mass - Amherst
Applications received - in various stages of
process
Johns Hopkins University
Florida State University
Other applications received, but folks wanted
something else
10/12/2000
www.cren.net
12
Relationship of CREN within Higher
Education (1)
Working closely with HEPKI-TAG and PAG
TAG- Technical Issues Group
PAG - Policy Issues Group
HEPKI is a loose federation of Internet2,
EDUCAUSE and CREN and community
folks
Led by Ken Klingenstein - Internet2 and
many others...
10/12/2000
www.cren.net
13
Relationship of CREN within Higher
Education (2)
Issues with the certificate profile.
More detail on next two slides...
Other technical issues on table
Repositories, trust paths and revocation
Policy and practices work - again with
HEPKI-PAG and TAG groups
10/12/2000
www.cren.net
14
Certificate Profile Issues
Validity Period
CREN root renewed on 6/14/2000 is valid to
11/17/07 - Eight years
Institutional certificates are issued with five
year validity period
DC naming in certificates Can include DC in “Subject Field” of
Institutional Certificate following x.500 name
CREN cert “Subject field” will be x.500 only
HEPKI Recommendation - Jim Jokl paper in
10/12/2000 review
www.cren.net
15
Certificate Profile Issues - More
Upgraded to Version 3 cert with extensions in
6/00
Continuing discussion on other attributes in
the Basic Constraints and Key usage fields -gathering input to January 2001.
Issue of hash - change to SHA1 from MD5
for the signature algorithm
Have an OID - 7091 - from IANA
10/12/2000
www.cren.net
16
Certificate Profile Issues - More
Principle - Profiles of CREN root certificate,
institutional certificates, and client certificates
can and probably will be different
Work by HEPKI-TAG is working towards
more consistency rather than less with
certificate profiles - again led by Ken
Klingenstein
10/12/2000
www.cren.net
17
Policy Work : HEPKI and CREN
Certificate policy work
Mapping policies from FBCA, and Euro-PKI
with RFC 2527
HEPKI Goal - create generic higher ed
certificate policy and CPS
Revise the existing CREN CPS and develop a
Certificate Policy - need one for CREN CA
Hierarchy and one for CREN CA Bridge
Evolving to a recommendation that Campus
CAs need both CP and CPS
10/12/2000
www.cren.net
18
Possible
PKI Infrastructure- Higher ED
Mn
HEPKI- PA
UCOP
GeorgeT
MIT
HeBCA/CREN
HeHRCA/CREN
UAB
UWI
HeI
10/12/2000
Princeton
GaTech
• HeBCA Group shares“close enough”
MIT CP, CPS- but might map to higher
UTenn
level of assurance or have different
Penn State
granularities of relationships
• Bridge acts as trust conduit or transport UT-Austin
www.cren.net
19
Evolving PKI Infrastructure
Higher ED and Links to Others
HEPKI- PA
HeI
HeBCA/CREN
HeHRCA/CREN
HeI
HeI
Relying Parties
Community
FPKI-PA
FBCA
DOJ
Note:
Not clear how vendors www.cren.net
should be represented.
10/12/2000
DOE
ETC
20
June 2000 CREN CA Pilot Meeting
Jeff demonstrated first version of CREN
repository
Certificate profile work reviewed
Working Groups:
Validity period working group: Chair Michael
Gettes
Protecting private keys: Co-Chairs are Jeff
Schiller & Ariel Glenn
Vendor Solutions Group - Chair Kevin Unrue
10/12/2000
www.cren.net
21
CREN CA Continuing work
Fall, 2000 (1)
Continue working the issues and issuing
institutional certificates
Work on building community awareness
and expertise via scenarios, FAQs, and
workshops plus support of HEPKI
activities
Examine feasibility of issuing server
certificates to institutions with institutional
certificates
10/12/2000
www.cren.net
22
CREN CA Continuing work
Fall, 2000 (2)
FAQ on Directories is in review
Complement for FAQ on PKI
Complements the “LDAP Recipe”
CA Pilot Schools meeting in October with
Internet2 in Atlanta
Planning for Seminars on Directories and
Certificate Authorities in late January 2001
Plan for CREN CA Production Levels
Work
on the browser
challenge...
10/12/2000
www.cren.net
23
Continuing Open Questions
Certificate Profiles - Can we achieve a
common profile? Also common CPs and
CPs?
How will the CA relationships within higher
education in the US evolve?
How to get the CREN Root in the Netscape
and IE browsers?
What might the links to Euro-PKI look like?
What community of interest does the EuroPKI Certificate Policy
address?
10/12/2000
www.cren.net
24
For More Information…and to
Get Involved...
HEPKI is the place to start
website: www.educause.edu/HEPKI
CA List at CREN
Send request to [email protected]
CREN Web site - www.cren.net
CA Section
Archived TechTalks
FAQ on PKI Infrastructure at web site
Campus scenarios
10/12/2000
www.cren.net
25