Page 1: HEBCA – Higher Education Bridge Certification Authority Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005

HEBCA – Higher Education Bridge Certification Authority

Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005

Page 2

Topics

• HEBCA’s goals

• Progress to date

• Next steps

• Collaboration

Page 3

HEBCA’s Goals

• Provide a mechanism for inter-institutional trust of PKI certificates

– Policies

– Technical infrastructure

• Cross-certify participants at appropriate levels of assurance

• Provide high availability online directory (x-cert lookup) and revocation services

• Dynamically add cross-certifications of existing CAs

• Cross-certify with other trust fabrics as appropriate (FBCA, USHER, SAFE, etc.)

Page 4

HEBCA’s Goals (continued)

Enable inter-institutional applications:

• Digital signatures on web forms, applications, reports, etc.

• Authentication to network services

• GRID authentication

• S/MIME signed email

• Trust fabric for server identity certificates, Web Services

Any PKI certificate path validation can use the bridge mechanism to impute trust and determine level of assurance.
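How a bridge imputes a level of assurance during path validation, as an added example (not HEBCA's code): a cut-down version of RFC 5280 certificate-policy processing in which each cross-certificate's policyMappings translate one domain's assurance OIDs into the next. The OIDs, certificate names and chain are constructed placeholders; anyPolicy, inhibitPolicyMapping and requireExplicitPolicy are left out.

```python
"""Simplified RFC 5280 policy processing across a bridge CA (constructed example).

A relying party in institution A's domain validates a certificate from institution B.
A's cross-certificate to the bridge and the bridge's cross-certificate to B each carry
policyMappings (issuerDomainPolicy -> subjectDomainPolicy), so the relying party ends
up knowing which of its *own* assurance levels the remote certificate satisfies.
"""
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    policies: frozenset                           # certificatePolicies OIDs asserted
    mappings: dict = field(default_factory=dict)  # issuerDomainPolicy -> subjectDomainPolicy

def satisfied_policies(initial_policies, chain):
    """Return the subset of the relying party's initial policies (OIDs of its own
    domain) that the path satisfies. `chain` runs from the certificate issued by
    the trust anchor down to the end-entity certificate."""
    # valid: OID in the current issuer domain -> the initial OIDs it descends from
    valid = {oid: {oid} for oid in initial_policies}
    for cert in chain:
        # the certificate must assert a policy the path still expects
        valid = {oid: orig for oid, orig in valid.items() if oid in cert.policies}
        if not valid:
            return frozenset()
        # translate surviving OIDs into the subject's domain; unmapped OIDs keep their name
        translated = {}
        for oid, orig in valid.items():
            translated.setdefault(cert.mappings.get(oid, oid), set()).update(orig)
        valid = translated
    return frozenset().union(*valid.values())

# placeholder OIDs for the three policy domains (constructed, not HEBCA's real values)
A_MEDIUM, A_HIGH = "1.3.6.1.4.1.11111.1.2", "1.3.6.1.4.1.11111.1.3"
BRIDGE_MEDIUM, BRIDGE_HIGH = "1.3.6.1.4.1.22222.1.2", "1.3.6.1.4.1.22222.1.3"
B_MEDIUM = "1.3.6.1.4.1.33333.1.2"

# institution A's CA is the trust anchor; B was cross-certified by the bridge at medium only
CHAIN = [
    Cert("Bridge CA", frozenset({A_MEDIUM, A_HIGH}),
         {A_MEDIUM: BRIDGE_MEDIUM, A_HIGH: BRIDGE_HIGH}),
    Cert("Institution B CA", frozenset({BRIDGE_MEDIUM}), {BRIDGE_MEDIUM: B_MEDIUM}),
    Cert("user at institution B", frozenset({B_MEDIUM})),
]

if __name__ == "__main__":
    print("meets A-medium:", A_MEDIUM in satisfied_policies({A_MEDIUM, A_HIGH}, CHAIN))
    print("meets A-high:  ", A_HIGH in satisfied_policies({A_HIGH}, CHAIN))
```

The relying party never needs to know B's OIDs: the path reports the result in its own domain's terms, and a high-assurance request fails because B was only cross-certified at medium.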

Page 5

Progress to Date

• Active and productive Policy Authority

• Most policy in place

• Many official docs approved

• Operating Authority nearly finished installing initial production infrastructure

• Audit agreements signed, audit starting

• Collaborating with USHER (policy, infrastructure, Registration Authority)

Page 6

HEBCA Production Hardware

Page 7

Progress to Date (continued)

Hurdles overcome

• Invented techniques and procedures to operate a high assurance CA on a shoestring budget

– Streamline everything

– Air gap for offline CA automation

• Resolution of FBCA requirement for US citizenship of “trusted roles” personnel prior to cross-certification

• Discovered and worked around vulnerability in protocol for indirect CRLs

Page 8

AirGap

• The Problem:

– Offline CA

– CRL generation and publishing every 6 hours

– Need two trusted personnel present to access CA

How do we staff this? Two people visit the machine room every 6 hours? No way!

Page 9

AirGap

• USB flash device carries signed data between CA and Directory

• Storage is never connected to both devices at the same time – hardware enforces an “air gap”

• Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA

• Automated sneakernet equivalent!

Page 10

AirGap

• Components (about $100 cost):

– Sewell Manual Share USB Switch

– 5V relay

– 5V AC adapter

– Power Timer

– Simple debounce circuit

– Crucial 1Gb Flash Disk

– Cron jobs running on CA and online Directory server

– Signed objects passed back and forth (CRL, revocation requests, certificate requests, etc.)
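A sizing check for the automated sneakernet on slides 8 to 10, as an added example (not HEBCA's code): the CA issues a CRL every 6 hours and the relay hands the flash drive to the Directory for 5 minutes every 6 hours, but the two clocks are not synchronised, so a CRL whose nextUpdate is only one period after thisUpdate can expire before the next window delivers its replacement. The simulation assumes the cron jobs copy instantly and all timings are in minutes.

```python
"""CRL validity versus air-gap transfer cadence (constructed simulation, minutes)."""

WINDOW_MIN = 5          # drive sits on the Directory side for 5 minutes
PERIOD_MIN = 6 * 60     # CA issue period and relay switching period

def newest_crl_at(t, validity, ca_offset):
    """(thisUpdate, nextUpdate) of the newest CRL the CA has signed at or before t;
    ca_offset is the CA's issue time relative to the relay timer."""
    if t < ca_offset:
        return None
    this_update = ca_offset + ((t - ca_offset) // PERIOD_MIN) * PERIOD_MIN
    return (this_update, this_update + validity)

def expired_minutes(validity, ca_offset, horizon=48 * 60):
    """Minutes within the horizon during which the Directory serves an expired CRL."""
    served, expired = None, 0
    for t in range(horizon):
        if t % PERIOD_MIN < WINDOW_MIN:
            # the drive was on the CA side until the window opened, so it carries the
            # newest CRL issued by then (CA-side cron latency ignored in this model)
            candidate = newest_crl_at(t - t % PERIOD_MIN, validity, ca_offset)
            if candidate and (served is None or candidate[0] > served[0]):
                served = candidate
        if served is not None and t > served[1]:
            expired += 1
    return expired

def worst_case_expired_minutes(validity):
    """Worst outcome over phase offsets between the CA clock and the relay timer."""
    return max(expired_minutes(validity, off) for off in range(0, PERIOD_MIN, 5))

def min_validity_minutes():
    """Smallest nextUpdate - thisUpdate that never leaves the Directory serving an
    expired CRL; binary search is valid because more validity never hurts."""
    lo, hi = 1, 3 * PERIOD_MIN
    while lo < hi:
        mid = (lo + hi) // 2
        if worst_case_expired_minutes(mid) == 0:
            hi = mid
        else:
            lo = mid + 1
    return lo

if __name__ == "__main__":
    print("6 h validity, CA 1 h out of phase:", expired_minutes(360, 60), "expired minutes")
    print("minimum safe validity:", min_validity_minutes(), "minutes")
```

The result is just under two transfer periods: a CRL issued moments after a window opens waits a full period on the drive and then must remain valid until the window after that, so nextUpdate should be set to at least twice the cadence plus a margin.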

Page 11

Next Steps

• Policies, procedures, and documentation finalized

• Dry run cross-certification with University of Virginia

• Audit

• Initialize production CA

• Production operations

• Market and cross-certify with customer CAs

• Cross-certify with FBCA, other bridges

Page 12

HEBCA and USHER Collaboration

• Sharing infrastructure and implementation

• Single OA (Dartmouth) and single RA (Internet2)

• One CA implementation and system

• Much shared policy and documentation

HEBCA and USHER are significantly cheaper to build and run collaboratively than separately.

Page 13

For More Information

• HEBCA Website: http://webteam.educause.edu/hebca/

OA Architect and Implementor

Scott Rea – [email protected]

Mark Franklin – [email protected]