Higher Ed Certificate Authority by CREN October 12, 2000 TERENA Meeting/Paris
Page 1: Higher Ed Certificate Authority by CREN

Higher Ed Certificate Authority by CREN

October 12, 2000, TERENA Meeting/Paris

Page 2: Higher Ed Certificate Authority by CREN

10/12/2000 www.cren.net 2

What is CREN in Year 2000?
• A non-profit higher education member organization - 230 members
• Mission - Support higher education and research organizations with strategic IT knowledge services and communication tools for infrastructure
• Evolving from BITNET, launched in 1984 (Visit us at www.cren.net)
• “Corporation for Research and Educational Networking”

Page 3: Higher Ed Certificate Authority by CREN


Certificate Authority - Topics (3)
• Operations and Status
  - As many questions as we have answers..:-)
• Evolving Trust Models
  - Hierarchical model - Trust Anchor
  - Bridge model - Trust Conduit
  - Cross-certification Plans
• Evolving Documents
  - Certificate Policies - with cert profile info
  - Certificate Practice Statements
  - IETF RFC 2527 as guide to doc development

Page 4: Higher Ed Certificate Authority by CREN


Certificate Authority by CREN
• Goal is to simplify connection to a trust community
• Serve as a trusted third party and to facilitate trust relationships
  - Among institutions
  - Between higher education and other communities
• Provide a link to other validated, trusted institutions without a separate pair-wise trust relationship between each pair of institutions

Page 5: Higher Ed Certificate Authority by CREN


Certificate Authority by CREN
• Primary initial use is a focus on supporting inter-institutional resource sharing
  - Among institutions
  - Between institutions and content providers
  - Primarily for academic content and research resources
• Goal - map to basic or medium assurance with Federal Bridge Certificate Authority
• Operate under a Certificate Practices Statement of 1/27/2000, Version 3.0

Page 6: Higher Ed Certificate Authority by CREN


Higher Education CA by CREN - Hierarchical CA Trust Community
(Diagram: HeHRCA (CREN) at the top of the hierarchy; member institutions shown: Minn, UT-Austin, Princeton, MIT, GaTech, UTenn, Penn State)
• HeHRCA Group shares “close enough” CP, CPS
• Hierarchy as “Trust Anchor.”

Page 7: Higher Ed Certificate Authority by CREN


Operations - Higher Ed CA (1)
• CA Subscriber process
  - Two page Application Form completed by Institution’s CREN member rep
  - Signed by an executive officer of institution
• Once registration is complete, the technical contact
  - Issues request for certificate
  - Accepts the certificate on behalf of institution

Page 8: Higher Ed Certificate Authority by CREN


Operations - Higher Ed CA (2)
• CREN Office
  - Serves as the Registration Authority (RA)
  - Receives, approves, and manages the applications and issuance of institutional certificates
  - Validates institutional contacts for the institutional CA certificate
  - Sends message to MIT approving and initiating secure contact with institution

Page 9: Higher Ed Certificate Authority by CREN


Operations - Higher Ed CA (3)
• MIT
  - Operates the CREN CA under contract for CREN
  - Receives the certificate request message directly from technical contact at institution
  - Generates the institutional certificate
  - Sends the institutional certificate back to technical contact and to CREN RA Contact
  - Updates the repository of certificates

Page 10: Higher Ed Certificate Authority by CREN


CREN Root Key Cutting Ceremony at MIT 11/17/99

Page 11: Higher Ed Certificate Authority by CREN


Certificate Authority Status
• Institutional certificates issued and accepted: MIT, Georgia Tech, Princeton, U of Minnesota, UT-Austin, Penn State
• Testing with JSTOR is underway
  - Success with remote access using U of MN CREN-issued certificate - 9/19/00
  - One next step: test with U Minn directory query based on https embedded in certificate

Page 12: Higher Ed Certificate Authority by CREN


Applications
• Registration process complete - U Tenn & U Mass-Amherst
• Applications received - in various stages of process
  - Johns Hopkins University
  - Florida State University
• Other applications received, but folks wanted something else

Page 13: Higher Ed Certificate Authority by CREN


Relationship of CREN within Higher Education (1)
• Working closely with HEPKI-TAG and PAG
  - TAG - Technical Issues Group
  - PAG - Policy Issues Group
• HEPKI is a loose federation of Internet2, EDUCAUSE and CREN and community folks
• Led by Ken Klingenstein - Internet2 and many others...

Page 14: Higher Ed Certificate Authority by CREN


Relationship of CREN within Higher Education (2)
• Issues with the certificate profile. More detail on next two slides...
• Other technical issues on table
  - Repositories, trust paths and revocation
• Policy and practices work - again with HEPKI-PAG and TAG groups

Page 15: Higher Ed Certificate Authority by CREN


Certificate Profile Issues
• Validity Period
  - CREN root renewed on 6/14/2000 is valid to 11/17/07 - Eight years
  - Institutional certificates are issued with five year validity period
• DC naming in certificates
  - Can include DC in “Subject Field” of Institutional Certificate following x.500 name
  - CREN cert “Subject field” will be x.500 only
  - HEPKI Recommendation - Jim Jokl paper in review

Page 16: Higher Ed Certificate Authority by CREN


Certificate Profile Issues - More
• Upgraded to Version 3 cert with extensions in 6/00
• Continuing discussion on other attributes in the Basic Constraints and Key usage fields -- gathering input to January 2001.
• Issue of hash - change to SHA1 from MD5 for the signature algorithm
• Have an OID - 7091 - from IANA

Page 17: Higher Ed Certificate Authority by CREN


Certificate Profile Issues - More
• Principle - Profiles of CREN root certificate, institutional certificates, and client certificates can and probably will be different
• HEPKI-TAG is working towards more consistency rather than less with certificate profiles - again led by Ken Klingenstein

Page 18: Higher Ed Certificate Authority by CREN


Policy Work: HEPKI and CREN
• Certificate policy work
  - Mapping policies from FBCA, and Euro-PKI with RFC 2527
  - HEPKI Goal - create generic higher ed certificate policy and CPS
• Revise the existing CREN CPS and develop a Certificate Policy - need one for CREN CA Hierarchy and one for CREN CA Bridge
• Evolving to a recommendation that Campus CAs need both CP and CPS

Page 19: Higher Ed Certificate Authority by CREN


Possible PKI Infrastructure - Higher Ed
(Diagram: HeBCA/CREN bridge linked to HeHRCA/CREN and HEPKI-PA; institutions shown: Mn, UCOP, UT-Austin, Princeton, MIT, GaTech, UTenn, Penn State, UAB, UWI, MIT, HeI, GeorgeT)
• HeBCA Group shares “close enough” CP, CPS - but might map to higher level of assurance or have different granularities of relationships
• Bridge acts as trust conduit or transport
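A constructed model of the hierarchy-versus-bridge trust topologies on slides 4, 6 and 19, added here as example code that is not from the presentation or from CREN: CA names come from the slides, but which institutions sit under which authority, the cross-certificates, and the assurance levels are assumptions made for the example.

```python
"""Constructed model of the trust topologies on slides 4, 6 and 19: a hierarchy whose
HeHRCA is the trust anchor, and a bridge (HeBCA) that links that hierarchy to another
policy authority so institutions need no pair-wise cross-certificates."""
from collections import deque

# A CA certificate is (issuer, subject, assurance level asserted by the issuer).
# A path is only as strong as its weakest link. Membership and levels below are
# assumptions for this example, not a real CREN inventory.
LEVELS = {"rudimentary": 0, "basic": 1, "medium": 2, "high": 3}

HIERARCHY = [  # slide 6: the HeHRCA certifies each member institution directly
    ("HeHRCA", "MIT", "basic"), ("HeHRCA", "Princeton", "basic"),
    ("HeHRCA", "UT-Austin", "basic"), ("HeHRCA", "Penn State", "basic"),
]
BRIDGE = HIERARCHY + [  # slide 19: bridge cross-certifies both ways with each PA
    ("HeBCA", "HeHRCA", "basic"), ("HeHRCA", "HeBCA", "basic"),
    ("HeBCA", "HEPKI-PA", "medium"), ("HEPKI-PA", "HeBCA", "medium"),
    ("HEPKI-PA", "UAB", "medium"), ("HEPKI-PA", "GeorgeT", "medium"),
]

def build_path(certs, anchor, target, required="basic"):
    """Breadth-first certification path from a relying party's anchor to target.

    Returns the CA names along the path, or None when no path exists whose
    weakest assurance meets `required` (cf. the basic/medium mapping goal on
    slide 5). Pruning happens before enqueueing, so every enqueued node is
    already reachable by a qualifying path."""
    by_issuer = {}
    for issuer, subject, level in certs:
        by_issuer.setdefault(issuer, []).append((subject, LEVELS[level]))
    need = LEVELS[required]
    queue = deque([(anchor, [anchor], LEVELS["high"])])
    seen = {anchor}
    while queue:
        node, path, weakest = queue.popleft()
        if node == target:
            return path
        for subject, level in by_issuer.get(node, []):
            strength = min(weakest, level)
            if subject not in seen and strength >= need:
                seen.add(subject)
                queue.append((subject, path + [subject], strength))
    return None

def cross_cert_counts(n):
    """Cross-certificates for n institutions: pair-wise (two per pair, the cost
    slide 4 avoids) versus through a bridge (two per institution)."""
    return n * (n - 1), 2 * n
```

Raising `required` to "medium" from the HeHRCA side finds no path, because the hierarchy's own certificates only assert basic assurance: the bridge carries trust, but cannot raise it above the weakest link.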

Page 20: Higher Ed Certificate Authority by CREN


Evolving PKI Infrastructure - Higher Ed and Links to Others
(Diagram: FPKI-PA / FBCA with DOE, DOJ, ETC; HeBCA/CREN and HeHRCA/CREN; HEPKI-PA; several HeI nodes; Relying Parties Community)
Note: Not clear how vendors should be represented.

Page 21: Higher Ed Certificate Authority by CREN


June 2000 CREN CA Pilot Meeting
• Jeff demonstrated first version of CREN repository
• Certificate profile work reviewed
• Working Groups:
  - Validity period working group: Chair Michael Gettes
  - Protecting private keys: Co-Chairs are Jeff Schiller & Ariel Glenn
  - Vendor Solutions Group - Chair Kevin Unrue

Page 22: Higher Ed Certificate Authority by CREN


CREN CA Continuing work Fall, 2000 (1)
• Continue working the issues and issuing institutional certificates
• Work on building community awareness and expertise via scenarios, FAQs, and workshops plus support of HEPKI activities
• Examine feasibility of issuing server certificates to institutions with institutional certificates

Page 23: Higher Ed Certificate Authority by CREN


CREN CA Continuing work Fall, 2000 (2)
• FAQ on Directories is in review
  - Complement for FAQ on PKI
  - Complements the “LDAP Recipe”
• CA Pilot Schools meeting in October with Internet2 in Atlanta
• Planning for Seminars on Directories and Certificate Authorities in late January 2001
• Plan for CREN CA Production Levels
• Work on the browser challenge...

Page 24: Higher Ed Certificate Authority by CREN


Continuing Open Questions
• Certificate Profiles - Can we achieve a common profile? Also common CPs and CPSs?
• How will the CA relationships within higher education in the US evolve?
• How to get the CREN Root in the Netscape and IE browsers?
• What might the links to Euro-PKI look like?
• What community of interest does the Euro-PKI Certificate Policy address?

Page 25: Higher Ed Certificate Authority by CREN


For More Information… and to Get Involved...
• HEPKI is the place to start - website: www.educause.edu/HEPKI
• CA List at CREN - Send request to [email protected]
• CREN Web site - www.cren.net
  - CA Section
  - Archived TechTalks
  - FAQ on PKI Infrastructure at web site
  - Campus scenarios
