HEBCA Overview, Internet2 Meeting, Fall 2002
Michael R Gettes
Georgetown University
2
Technical / Policy
PKI is 1/3 Technical and 2/3 Policy?
Transforming Education Through Information Technologies
http://www.educause.edu/
3
Common Solutions Group, January, 2002 (Sanibel Island)
A Snapshot of the U.S. Federal PKI
[Diagram: the Federal Bridge CA linked to NFC PKI, NASA PKI, DOD PKI, Illinois PKI, CANADA PKI, and to the Higher Education Bridge CA and University PKI.]
4
Multiple CAs in FBCA Membrane
• Survivable PKI
• Cross Certificates allow for “one/two-way policy”
• Directories are critical in BCA world.
5
[Diagram: four bridge CAs joined peer-to-peer: the USA Government Federal BCA (NIH, DoD, NASA), the USA Higher Education BCA (Georgetown University, University of Washington and other universities), the USA Health Care "Health Key" BCA (NCHICA, with special relationships to the Mayo Clinic), and the European Higher Education BCA (University of Edinburgh and other universities); special relationships also link individual universities to other bridges.]
February 5, 2001 JA-SIG Winter Meeting
“DAVE” (Discovery and Validation Engine)
[Diagram: a sender at UA and a receiver at NIH; the NIH CA is the receiver's trust anchor. Cross-certificates link the NIH CA, the FBCA, the HEBCA and the UA CA, which issued the sender's certificate. Each CA publishes to its own directory (NIH directory, FBCA dir, HEBCA dir, UA dir). DAVE/CAM (E-Lock software) at the receiver gets certificates and CRLs via directory chaining across them.]
7
The PKI Puzzle
By David Wasley, UCOP
PKI provides:
• Strong Authentication
• Flexible Authorization
• Secure Digital Signature
• Powerful Data Security
[Diagram: the Campus PKI and its Directory at the centre, linked to Campus Systems, Campus Resources, Server Certs, Vendor Resources and Shib; above them the Fed Bridge, the Educause HE Bridge and the CREN Root CA; alongside them the EDU PKI hierarchy, the COM PKI hierarchy and a Medical PKI hierarchy.]
8
HEBCA linkage
[Diagram: HEBCA at the centre with linkages to FBCA, NIH, E-Auth, Shib, CREN, Weems’ Wacky World, Medical/Healthkey, MitreTek, Inter-Directories, EuroPKI, GRID, SEVIS, Apache, Signed Email, FDRM, State Bridges and VidMid.]
9
“Registry of Directories” Structure
Legend (arrows in the original diagram): a subordinate referral; a superior referral
Referral Directories:
• (Top): dc=edu; c=us; c=japan; dc=intl
• dc=edu: dc=uab; dc=ucop; (else superior)
• c=us: o=US Govt; o=HHS; ou=A, o=NASA; (else superior)
• o=US Govt, c=us: ou=FBCA; ou=agency7; (else superior)
Content Directories:
• ou=FBCA, o=US Govt, c=us: ou=FBCA; ou=agency7; <no else>
• “Else superior referral” clause exists to allow any LDAP client (or content directory) to have the option of pointing to a referral directory and be able to construct a desired path
• There is no “else” clause in content directories, to prevent loops
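The referral walk this slide describes, as an added example that is not part of the original deck: a small Python model of the registry above, with subordinate and "else superior" referrals on the referral directories and no else clause on the content directory at ou=FBCA, o=US Govt, c=us. The REGISTRY table, the start-anywhere lookup and the loop guard are this example's own construction, not HEBCA code.

```python
# Constructed model of the registry-of-directories walk on this slide; not HEBCA
# code. DNs are written as on the slide (most-specific RDN first); "(Top)" is root.

REFERRAL = "referral"  # knows its subordinates; "else" falls back to its superior
CONTENT = "content"    # holds the actual entries; has no "else" clause

# node -> (kind, subordinate RDN prefixes, superior node used by the "else" clause)
REGISTRY = {
    "(Top)": (REFERRAL, ["dc=edu", "c=us", "c=japan", "dc=intl"], None),
    "dc=edu": (REFERRAL, ["dc=uab", "dc=ucop"], "(Top)"),
    "c=us": (REFERRAL, ["o=US Govt", "o=HHS", "ou=A, o=NASA"], "(Top)"),
    "o=US Govt, c=us": (REFERRAL, ["ou=FBCA", "ou=agency7"], "c=us"),
    "ou=FBCA, o=US Govt, c=us": (CONTENT, ["ou=agency7"], None),  # <no else>
}

def rdns(dn):
    """Split a DN into its RDNs, most-specific first; "(Top)" is the empty DN."""
    return [] if dn == "(Top)" else [p.strip() for p in dn.split(",")]

def in_context(dn, base):
    """True when `dn` lies under `base`, i.e. `base` is a suffix of `dn`."""
    d, b = rdns(dn), rdns(base)
    return d[len(d) - len(b):] == b

def resolve(target, start="(Top)", registry=REGISTRY):
    """Follow referrals from `start` until a directory holding `target` is found;
    returns (directory, hops). The visited check is this example's own guard: an
    "else superior" hop followed by a referral back down would otherwise loop."""
    hops, node = [], start
    while node not in hops:
        hops.append(node)
        kind, subs, superior = registry[node]
        if in_context(target, node):
            if kind == CONTENT:            # content directory answers directly
                return node, hops
            for sub in subs:               # subordinate referral
                child = sub if node == "(Top)" else f"{sub}, {node}"
                if in_context(target, child):
                    if child not in registry:  # not modelled here: it holds the entry
                        return child, hops
                    node = child
                    break
            else:
                node = superior            # "else superior" referral
        else:
            node = superior                # outside this naming context: go up
        if node is None:                   # content directories have no "else"
            raise LookupError(f"{target}: no referral from {hops[-1]}")
    raise LookupError(f"{target}: referral loop at {node} after {hops}")
```

A lookup started at a content directory for a DN outside its context fails immediately, which is the no-else behaviour the slide describes; a lookup for a DN nobody holds is stopped by the visited check rather than bouncing between dc=edu and (Top).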
10
HEBCA BID
Board of Instantiation and Development
• 10-12 of CIO, Techies, Lawyers (usual suspects)
• 1 Year to make HEBCA production
– Governance
– Stand up Policy/Operational Authorities
– Service (Business plan, structure, fees, management)
– Cross-certify with FBCA
– Funding and Technical development issues
• Application interfaces, discovery, blah blah blah
11
HEBCA Issues
• Certificates in Directories
– Gietz: Break out cert data in dir objects (searchable certs)
– Chadwick: Certificate Parsing Server
– Likely a major impact on Bridge CA model
• OpenSSL/OpenCA to be “bridge aware”
• Registry of Directories (Next-Gen)
12
HEBCA Issues
• Deployment
– Web Server plugin (apache)
– Email validator (server based on receipt)
– Bill Weems and crew; many apps
• Application Integration
– CAM/DAVE extensions (server validation)
– OCSP, XKMS, SCVP, Novomodo, blah blah
– Understanding Java 1.4 and WinXP
– Develop appropriate APIs
– Browser awareness!!!!