Higher Ed Certificate Authority by CREN
October 12, 2000 - TERENA Meeting / Paris
10/12/2000 www.cren.net 2
What is CREN in Year 2000?
• A non-profit higher education member organization - 230 members
• Mission - Support higher education and research organizations with strategic IT knowledge services and communication tools for infrastructure
• Evolving from BITNET, launched in 1984 (Visit us at www.cren.net)
• “Corporation for Research and Educational Networking”
Certificate Authority - Topics (3)
• Operations and Status
  - As many questions as we have answers..:-)
• Evolving Trust Models
  - Hierarchical model - Trust Anchor
  - Bridge model - Trust Conduit
  - Cross-certification Plans
• Evolving Documents
  - Certificate Policies - with cert profile info
  - Certificate Practice Statements
  - IETF RFC 2527 as guide to doc development
Certificate Authority by CREN
• Goal is to simplify connection to a trust community
• Serve as a trusted third party and to facilitate trust relationships
  - Among institutions
  - Between higher education and other communities
• Provide a link to other validated, trusted institutions without a separate pair-wise trust relationship between each pair of institutions
Certificate Authority by CREN
• Primary initial use is a focus on supporting inter-institutional resource sharing
  - Among institutions
  - Between institutions and content providers
  - Primarily for academic content and research resources
• Goal - map to basic or medium assurance with Federal Bridge Certificate Authority
• Operate under a Certificate Practices Statement of 1/27/2000, Version 3.0
Higher Education CA by CREN - Hierarchical CA Trust Community
[Diagram: HeHRCA (CREN) at the root of the hierarchy, with institutional CAs beneath it: Minn, UT-Austin, Princeton, MIT, GaTech, UTenn, Penn State]
• HeHRCA Group shares “close enough” CP, CPS
• Hierarchy as “Trust Anchor.”
Operations - Higher Ed CA (1)
• CA Subscriber process
  - Two page Application Form completed by Institution’s CREN member rep
  - Signed by an executive officer of institution
• Once registration is complete, the technical contact
  - Issues request for certificate
  - Accepts the certificate on behalf of institution
Operations - Higher Ed CA (2)
• CREN Office serves as the Registration Authority (RA)
  - Receives, approves, and manages the applications and issuance of institutional certificates
  - Validates institutional contacts for the institutional CA certificate
  - Sends message to MIT approving and initiating secure contact with institution
Operations - Higher Ed CA (3)
• MIT operates the CREN CA under contract for CREN
  - Receives the certificate request message directly from technical contact at institution
  - Generates the institutional certificate
  - Sends the institutional certificate back to technical contact and to CREN RA contact
  - Updates the repository of certificates
CREN Root Key Cutting Ceremony at MIT 11/17/99
Certificate Authority Status
• Institutional certificates issued and accepted: MIT, Georgia Tech, Princeton, U of Minnesota, UT-Austin, Penn State
• Testing with JSTOR is underway
  - Success with remote access using U of MN CREN-issued certificate - 9/19/00
  - One next step: test with U Minn directory query based on https embedded in certificate
Applications
• Registration process complete - U Tenn & U Mass - Amherst
• Applications received - in various stages of process
  - Johns Hopkins University
  - Florida State University
• Other applications received, but folks wanted something else
Relationship of CREN within Higher Education (1)
• Working closely with HEPKI-TAG and PAG
  - TAG - Technical Issues Group
  - PAG - Policy Issues Group
• HEPKI is a loose federation of Internet2, EDUCAUSE and CREN and community folks
• Led by Ken Klingenstein - Internet2 - and many others...
Relationship of CREN within Higher Education (2)
• Issues with the certificate profile. More detail on next two slides...
• Other technical issues on table: repositories, trust paths and revocation
• Policy and practices work - again with HEPKI-PAG and TAG groups
Certificate Profile Issues
• Validity Period
  - CREN root renewed on 6/14/2000 is valid to 11/17/07 - eight years
  - Institutional certificates are issued with five year validity period
• DC naming in certificates
  - Can include DC in “Subject Field” of Institutional Certificate following x.500 name
  - CREN cert “Subject field” will be x.500 only
  - HEPKI Recommendation - Jim Jokl paper in review
Certificate Profile Issues - More
• Upgraded to Version 3 cert with extensions in 6/00
• Continuing discussion on other attributes in the Basic Constraints and Key Usage fields -- gathering input to January 2001
• Issue of hash - change to SHA1 from MD5 for the signature algorithm
• Have an OID - 7091 - from IANA
Certificate Profile Issues - More
• Principle - Profiles of CREN root certificate, institutional certificates, and client certificates can and probably will be different
• HEPKI-TAG is working towards more consistency rather than less with certificate profiles - again led by Ken Klingenstein
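To make the hierarchical trust community slide and the certificate profile slides concrete, here is an added Go example (not CREN's or MIT's code) that builds a CREN-style hierarchy with the standard crypto/x509 package: a self-signed root as trust anchor with eight-year validity, an institutional CA certificate with five-year validity and v3 basicConstraints/keyUsage extensions, and a server certificate under the institution; it then checks that the server certificate chains to the root only when the institutional certificate is present. The institution and host names, the Ed25519 keys and the pathLen 0 constraint are assumptions; the 2000-era deck used RSA with MD5/SHA1 signatures, which current Go refuses to verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue gives tmpl a fresh Ed25519 key and has parent sign it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildHierarchy models the slide: CREN root as trust anchor, an institutional CA beneath it, a server cert under the institution.
func BuildHierarchy() (root, inst, server *x509.Certificate) {
	now, caUse := time.Now(), x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "HeHRCA (CREN)"},
		NotBefore: now, NotAfter: now.AddDate(8, 0, 0), // eight-year root, as on the validity slide
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUse}, nil, nil)
	inst, instKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example University CA"}, // assumed name
		NotBefore: now, NotAfter: now.AddDate(5, 0, 0), // five-year institutional certificate
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUse, MaxPathLen: 0, MaxPathLenZero: true}, root, rootKey) // pathLen 0: end entities only
	server, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(3), // end entity: no CA bit, assumed host name
		Subject: pkix.Name{CommonName: "www.example.edu"}, DNSNames: []string{"www.example.edu"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}, inst, instKey)
	return
}

// ChainsToRoot reports whether leaf builds a valid path to root through the given intermediates.
func ChainsToRoot(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err == nil
}
```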
Policy Work: HEPKI and CREN
• Certificate policy work
  - Mapping policies from FBCA and Euro-PKI with RFC 2527
  - HEPKI Goal - create generic higher ed certificate policy and CPS
• Revise the existing CREN CPS and develop a Certificate Policy - need one for CREN CA Hierarchy and one for CREN CA Bridge
• Evolving to a recommendation that Campus CAs need both CP and CPS
Possible PKI Infrastructure - Higher Ed
[Diagram: HeBCA/CREN bridge linking the HeHRCA/CREN hierarchy (Mn, UT-Austin, Princeton, MIT, GaTech, UTenn, Penn State) with other CAs and communities; other nodes shown: UCOP, HEPKI-PA, UAB, UWI, MIT, HeI, GeorgeT]
• HeBCA Group shares “close enough” CP, CPS - but might map to higher level of assurance or have different granularities of relationships
• Bridge acts as trust conduit or transport
Evolving PKI Infrastructure - Higher Ed and Links to Others
[Diagram: FPKI-PA / FBCA with DOE, DOJ and ETC beneath it; HeBCA/CREN and HeHRCA/CREN; HEPKI-PA; several HeI nodes; Relying Parties Community]
Note: Not clear how vendors should be represented.
June 2000 CREN CA Pilot Meeting
• Jeff demonstrated first version of CREN repository
• Certificate profile work reviewed
• Working Groups:
  - Validity period working group: Chair Michael Gettes
  - Protecting private keys: Co-Chairs are Jeff Schiller & Ariel Glenn
  - Vendor Solutions Group - Chair Kevin Unrue
CREN CA Continuing Work Fall, 2000 (1)
• Continue working the issues and issuing institutional certificates
• Work on building community awareness and expertise via scenarios, FAQs, and workshops plus support of HEPKI activities
• Examine feasibility of issuing server certificates to institutions with institutional certificates
CREN CA Continuing Work Fall, 2000 (2)
• FAQ on Directories is in review
  - Complement for FAQ on PKI
  - Complements the “LDAP Recipe”
• CA Pilot Schools meeting in October with Internet2 in Atlanta
• Planning for Seminars on Directories and Certificate Authorities in late January 2001
• Plan for CREN CA Production Levels
• Work on the browser challenge...
Continuing Open Questions
• Certificate Profiles - Can we achieve a common profile? Also common CPs and CPSs?
• How will the CA relationships within higher education in the US evolve?
• How to get the CREN Root in the Netscape and IE browsers?
• What might the links to Euro-PKI look like? What community of interest does the Euro-PKI Certificate Policy address?
For More Information… and to Get Involved...
• HEPKI is the place to start - website: www.educause.edu/HEPKI
• CA List at CREN - Send request to [email protected]
• CREN Web site - www.cren.net
  - CA Section
  - Archived TechTalks
  - FAQ on PKI Infrastructure at web site
  - Campus scenarios