Higher Education Bridge CA (HEBCA) – What’s Relevant, What’s Next? (Scott Rea) Fed/Ed December 2006


Page 1: Higher Education Bridge CA (HEBCA) – What’s Relevant, What’s Next? (Scott Rea) Fed/Ed December 2006

Higher Education Bridge CA (HEBCA) – What’s Relevant, What’s Next?

(Scott Rea)

Fed/Ed December 2006

Page 2: Overview

• What are the drivers for PKI in Higher Education?
  – Stronger authentication to resources and services of an institution
  – Better protection of digital assets from disclosure, theft, tampering, and destruction
  – More efficient workflow in distributed environments
  – Greater ability to collaborate and reliably communicate with colleagues and peers
  – Greater access (and more efficient access) to external resources
  – Facilitation of funding opportunities
  – Compliance

Page 3: Overview

• Potential Killer Apps for PKI in Higher Education
  – S/MIME
  – Paperless Office workflow
  – EFS
  – Strong SSO
  – Shibboleth/Federations
  – GRID Computing Enabled for Federations
  – E-grants facilitation

Page 4: Creating Silos of Trust

[Diagram; labels recovered from the slide: each Institution's CA hierarchy (CA, SubCAs, Dept-1) stands alone as a separate silo; USHER]

Page 5: LOA: Levels of Assurance

• Not all CAs are created equal
  – Policies adhered to vary in detail and strength
  – Protection of private keys
  – Controls around private key operations
  – Separation of duties
  – Trustworthiness of Operators
  – Auditability
  – Authentication of end entities
  – Frequency of revocation updates

Page 6: HEBCA : Higher Education Bridge Certificate Authority

• Bridge Certificate Authority for US Higher Education
• Modeled on FBCA
• Provides cross-certification between the subscribing institution and the HEBCA root CA
• Flexible policy implementations through the mapping process
• The HEBCA root CA and infrastructure hosted at Dartmouth College
• Facilitates inter-institutional trust between participating schools
• Facilitates inter-federation trust between US Higher Education community and external entities
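Added example, not code from the slides or from the HEBCA project: a simplified version of the RFC 5280 policy-mapping walk a relying party performs along a bridge path, showing how the policyMappings in each cross-certificate let a party that trusts only the FBCA accept a Dartmouth-issued certificate at a known LOA. The CA names follow the deck; the policy identifiers, cross-certificate contents and end-entity certificate are constructed placeholders, and anyPolicy, policy constraints and signature checks are left out.

```python
# Added example, not code from the slides or from the HEBCA project.
# Simplified RFC 5280 policy processing along a bridge path: a relying
# party that trusts only the FBCA evaluates a Dartmouth-issued certificate
# by following the policyMappings in each cross-certificate.
# Policy identifiers are constructed placeholders, not real FPKI/HEBCA OIDs.
# anyPolicy, policy constraints and signature checking are omitted.
from dataclasses import dataclass, field


@dataclass
class Cert:
    issuer: str
    subject: str
    policies: set                                  # certificatePolicies asserted
    mappings: dict = field(default_factory=dict)   # issuerDomain -> subjectDomain
    is_ca: bool = True


# Constructed placeholder policy identifiers (one per domain and LOA).
FBCA_MEDIUM, FBCA_BASIC = "fbca-medium", "fbca-basic"
HEBCA_MEDIUM, HEBCA_BASIC = "hebca-medium", "hebca-basic"
DART_MEDIUM, DART_BASIC = "dartmouth-medium", "dartmouth-basic"
LOA_OF = {FBCA_MEDIUM: "Medium", FBCA_BASIC: "Basic"}   # relying party's view

# Constructed sample path: FBCA -> HEBCA cross-cert -> Dartmouth cross-cert -> end entity.
PATH = [
    Cert("FBCA", "HEBCA", {FBCA_MEDIUM, FBCA_BASIC},
         {FBCA_MEDIUM: HEBCA_MEDIUM, FBCA_BASIC: HEBCA_BASIC}),
    Cert("HEBCA", "Dartmouth CA", {HEBCA_MEDIUM, HEBCA_BASIC},
         {HEBCA_MEDIUM: DART_MEDIUM, HEBCA_BASIC: DART_BASIC}),
    Cert("Dartmouth CA", "alice@dartmouth", {DART_MEDIUM}, is_ca=False),
]


def validate_policy_path(path, trust_anchor, initial_policies):
    """Return the relying-party policies (in the trust anchor's domain)
    under which the end-entity certificate is acceptable; empty on failure."""
    # Track each surviving policy in the current issuer's domain, remembering
    # which relying-party policy it was mapped from.
    acceptable = {p: p for p in initial_policies}
    expected_issuer = trust_anchor
    for cert in path:
        if cert.issuer != expected_issuer:
            return set()                       # name chaining broken
        # A policy survives only if this certificate asserts it.
        acceptable = {p: origin for p, origin in acceptable.items()
                      if p in cert.policies}
        if not acceptable:
            return set()                       # no acceptable policy left
        if cert.is_ca:
            # Cross-certificate: translate into the subject CA's own policy
            # domain; a policy with no mapping keeps its identifier.
            acceptable = {cert.mappings.get(p, p): origin
                          for p, origin in acceptable.items()}
        expected_issuer = cert.subject
    return set(acceptable.values())


def highest_loa(path, trust_anchor, loa_of=LOA_OF):
    """Name the strongest LOA at which the relying party can accept the path."""
    accepted = validate_policy_path(path, trust_anchor, set(loa_of))
    order = ["Basic", "Medium"]                # weakest to strongest
    levels = [loa_of[p] for p in accepted]
    return max(levels, key=order.index) if levels else None
```

A Basic-only relying party rejects the sample path because the end-entity certificate asserts only the Dartmouth Medium policy, and a path that skips the bridge fails name chaining from the FBCA anchor.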

Page 7: HEBCA

• What is the value presented by this initiative?
  – HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
  – Extensions of the Higher Education trust infrastructure into external federations are also possible; proof-of-concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
  – Single credential accepted globally
  – Potential for stronger authentication and possibly authorization of participants in grid-based applications
  – Contributions provided to the Path Validation and Path Discovery development efforts

Page 8: Solving Silos of Trust

[Diagram; labels recovered from the slide: the same Institution CA hierarchies (CA, SubCAs, Dept-1), now joined through HEBCA; USHER; FBCA; CAUDIT PKI]

Page 9: HEBCA Project - Progress

• What's been done so far?
  – Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
  – MOA with commercial vendor for infrastructure hardware (Sun)
  – MOA with commercial vendor for CA software and licenses (RSA)
  – Policy Authority formed
  – Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
  – Prototype Registry of Directories (RoD) deployed at Dartmouth
  – Production HEBCA CP produced
  – Production HEBCA CPS produced
  – Preliminary Policy Mapping completed with FBCA
  – Test HEBCA CA deployed and cross-certified with the Prototype FBCA
  – Test HEBCA RoD deployed
  – Infrastructure has passed interoperability testing with FBCA

Page 10: HEBCA Project - Progress

• What's been done so far?
  – Production HEBCA development phase complete
  – Issues resolved:
    • Discovery of a vulnerability in the protocol for indirect CRLs
    • Inexpensive AirGap
    • Citizenship requirements for Bridge-2-Bridge Interoperability
  – Majority of supporting documentation finalized:
    • HEBCA Cross-Certification Criteria and Methodology
    • HEBCA Interoperability Guidelines
    • Draft Memorandum of Understanding
    • HEBCA Subscriber Agreement
    • HEBCA Certificate Profiles
    • HEBCA CRL Profiles
    • HEBCA Secure Personnel Selection Procedures
    • Business Continuity and Disaster Plans For HEBCA Operations
  – PKI Test Bed server instantiated
  – PKI Interoperability Pilot migrated
  – Reassessment of community needs
  – Audit process defined and Auditors engaged
  – Participation in industry working groups
  – Almost ready for audit and production operations

Page 11: HEBCA Project – Next Steps

• What are the next steps?
  – HEBCA to operate at multiple LOAs over its lifetime
  – Update of policy documents and procedures required to reflect the above
  – HEBCA to operate at Test LOA initially
  – Issue the limited production HEBCA Test Root
  – Purchase final items and bring the infrastructure online
  – Cross-certify limited community of interested early adopters and key federations
  – Validate the model and continue to develop tools for bridge aware applications

Page 12: Challenges and Opportunities

• Community applicability
  – If we build it they will come
  – Chicken & Egg profile for infrastructure and applications
  – An appropriate business plan
• Consolidation and synergy
  – Are USHER & HEBCA competing initiatives?
  – Benefits of a common infrastructure
• Alignment with policies of complementary communities
  – Shibboleth / InCommon
  – Grids (TAGPMA)

Page 13: Challenges and Opportunities

• Open Tasks
  – Audit
  – Updated Business Plan
  – Mapping Grid Profiles
    • Classic PKI
    • SLCS
  – Promotion of PKI Test bed
  – Validation Authority service
  – Cross-certification with FBCA
  – Cross-certification with other HE PKI communities
    • CAUDIT PKI (AusCERT)
    • HE JP
    • HE BR

Page 14: PKI - Public Key Infrastructure

• Security is a chain; it's only as strong as the weakest link. The security of any system is based on many links and in a PKI they're not all cryptographic. People are involved.
• PKI requires co-ordination across the following 3 areas:
  – Technology (T)
  – Policy & Procedures (P)
  – Relationships & Liability (L)

Page 15: LOA: Levels of Assurance

• Not all IdPs are created equal
  – Policies adhered to vary in detail and strength (P)
  – Strength of private keys (T)
  – Protection of private keys (PL)
  – Controls around private key operations (TPL)
  – Separation of duties (PL)
  – Trustworthiness of Operators (L)
  – Auditability (TP)
  – Authentication of end entities (TPL)
  – Frequency of revocation updates (TP)

Page 16: Assertions

• Assertion based technology
  – Shibboleth uses SAML assertions
    • A range of authentication processes supported
    • Information about exact procedures possible but not required?
    • Cryptographic binding of public identity to private identity possible but not required
    • Generally short lived assertions issued
    • Revocation not well supported
  – PKI uses digital certificates
    • A range of authentication processes supported
    • Information about exact procedures is required
    • Cryptographic binding of public identity to private identity is required
    • Generally longer term assertions issued
    • Revocation is a required key component

Page 17: A Simplified View of E-Auth Federation Architecture

[Diagram; labels recovered from the slide: Levels 1 & 2 CSPs; Levels 3 & 4 CSPs (Federal Agency PKIs, Other Gov PKIs, Commercial PKIs, Bridges, FBCA, X-Certification); Business Rules (Banks, Universities, Agency Apps, etc.); CAF; SAML Assertions; Digital Certificates; SDT; Levels 1 & 2 Online Apps & Services; Levels 3 & 4 Online Apps & Services]

Page 18: LOA Mapping

E-Auth Level 1   FPKI Rudimentary; C4
E-Auth Level 2   FPKI Basic
E-Auth Level 3   FPKI Medium & Medium-cbp
E-Auth Level 4   FPKI Medium/HW & Medium/HW-cbp
                 FPKI High (governments only)

Page 19: PKI vs Shibboleth

• Shibboleth and PKI are complementary technologies
• Shibboleth has the potential to be a PKI
  – Requires specific published policies & procedures (in the federation agreement? ARP?)
  – Must use cryptographic binding of identities
  – Potential to be a really good avenue for Delegated Path Discovery or Delegated Path Validation
• May want to use Shibboleth as a stepping stone from current IdM to a PK underlined system
  – Evolutionary strengthening of IdM processes
• Shibboleth growth shows better penetration into various communities than PKI

Page 20: PKI vs Shibboleth

• What are the drivers for PKI in Higher Education?
  – Stronger authentication to resources and services of an institution
  – Single Sign On within the enterprise environment
  – Better protection of digital assets from disclosure, theft, tampering, and destruction
  – More efficient workflow in distributed environments
  – Greater ability to collaborate and reliably communicate with colleagues and peers
  – Greater access (and more efficient access) to external resources
  – Facilitation of funding opportunities
  – Compliance

Page 21: PKI vs Shibboleth

• Potential Killer Apps for PKI in Higher Education
  – S/MIME
  – SSO
  – Paperless Office workflow
  – EFS
  – Shibboleth/Federations
  – GRID Computing Enabled for Federations
  – E-grants facilitation

Page 22: PKI vs Shibboleth

• When PKI is required
  – High value, high trust, high reliability transactions with end user accountability
  – Credentials can be leveraged for other activities besides authentication or SSO requiring end user accountability
  – Transactions requiring long term validity
  – Peer to peer transactions that want to avoid campus liabilities
  – Community demands it
    • Requirement for a particular VO
    • Widespread or global PKI in place

Page 23: Bridge-Aware Applications

Page 24: IGTF Mapping Exercises

• Federal Bridge CA (FBCA) General Profile against IGTF Classic Profile
• Federal Citizen & Commerce Certificate CA (C-4) against IGTF Classic Profile
• IGTF Classic Profile against C-4

Page 25: International Grid Trust Federation

• IGTF founded in Oct, 2005 at GGF 15
• IGTF Purpose:
  – Manage authentication services for global computational grids via policy and procedures
• IGTF goal:
  – Harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships
• IGTF members:
  – 3 regional Policy Management Authorities
    • EUgridPMA
    • APgridPMA
    • TAGPMA
• 50+ CAs, 50,000+ credentials

Page 26: IGTF

Page 27: IGTF general Architecture

• The member PMAs are responsible for accrediting authorities that issue identity assertions.
• The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
• The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA.
  – Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs.
• Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures.
• Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

Page 28: EUGridPMA members and applicants

[Map; legend: Green = EMEA countries with an Accredited Authority]
23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, NO, PK, RU, TR
Other Accredited Authorities: DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

Page 29: EUgridPMA Membership

• Under "Classic X.509 secured infrastructure" authorities
  – accredited: 38 (recent additions: CERN-IT/IS, SRCE)
  – active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)
• Under "SLCS"
  – accredited: 0
  – active applicants: 1 (SWITCH-aai)
• Under MICS draft
  – none yet of course, but actually CERN-IS would be a good match for MICS as well
• Major relying parties
  – EGEE, DEISA, SEE-GRID, LCG, TERENA

Page 30: Map of the APGrid PMA

Ex-officio Membership
• APAC (Australia)
• CNIC/SDG, IHEP (China)
• AIST, KEK, NAREGI (Japan)
• KISTI (Korea)
• NGO (Singapore)
• ASGCC, NCHC (Taiwan)
• NECTEC, ThaiGrid (Thailand)
• PRAGMA/UCSD (USA)

General Membership
• U. Hong Kong (China)
• U. Hyderabad (India)
• Osaka U. (Japan)
• USM (Malaysia)

Page 31: APgridPMA Membership

• 9 Accredited CAs
  – In operation
    • AIST (Japan)
    • APAC (Australia)
    • ASGCC (Taiwan)
    • CNIC (China)
    • IHEP (China)
    • KEK (Japan)
    • NAREGI (Japan)
  – Will be in operation
    • NCHC (Taiwan)
    • NECTEC (Thailand)
• 1 CA under review
  – NGO (Singapore)
• Will be re-accredited
  – KISTI (Korea)
• Planning
  – PRAGMA (USA)
  – ThaiGrid (Thailand)
• General membership
  – Osaka U. (Japan)
  – U. Hong Kong (China)
  – U. Hyderabad (India)
  – USM (Malaysia)

Page 32: TAGPMA

Page 33: TAGPMA Membership

• Accredited
  – Argentina UNLP
  – Brazilian Grid CA
  – CANARIE (Canada)*
  – DOEGrids*
  – EELA LA Catch all Grid CA
  – ESnet/DOE Office Science*
  – REUNA Chilean CA
  – TACC – Root
• In Review
  – FNAL
  – Mexico UNAM
  – NCSA – Classic/SLCS
  – Purdue University
  – TACC – Classic/SLCS
  – Venezuela
  – Virginia
  – USHER
• Relying Parties
  – Dartmouth/HEBCA
  – EELA
  – OSG
  – SDSC
  – SLAC
  – TeraGrid
  – TheGrid
  – LCG

*Accredited by EUgridPMA

Page 34: TAGPMA Bridge Working Group

• Recognition that there are different LOAs
  – in the way some credential service providers operate
  – required by different applications
• More efficient ways of distributing Trust Anchors
• Interoperation with other trust federations
• Scott Rea is Chair; representatives from each regional PMA included

Page 35: Mapping Designations

• Seven (7) designations used to characterize the equivalency
  – Exceeds - The ENTITY CP policy provides a higher level of assurance/security than the Federal CP requirement.
  – Equivalent - The ENTITY CP policy provides exactly the same assurance/security as the Federal CP requirement.
  – Comparable - The ENTITY CP contains dissimilar policy contents, but provides a comparable level of assurance to meet the security of the Federal CP requirement.
  – Partial - The ENTITY CP contains policy that is comparable, but it does not address the entire Federal CP requirement.
  – Not Comparable - The ENTITY CP contains dissimilar policy contents, which provide a lower level of assurance/security than the Federal CP requirement.
  – Missing - The ENTITY CP does not contain policy contents that can be compared to the Federal CP requirement in any way.
  – N/A – Not Applicable to ENTITY CP or required for FBCA cross certification.

Page 36: Mapping Results

• C-4 against IGTF Classic Profile
  – 30 policy points evaluated
  – 14 Comparable designations
  – 12 Partial designations
  – 3 Not Comparable designations
  – 1 Not Applicable designation

Page 37: Mapping Results

• FBCA General against IGTF Classic Profile
• Basic LOA used for Comparisons
  – 136 policy points evaluated
  – 22 Comparable designations
  – 33 Partial designations
  – 12 Not Comparable designations
  – 65 Missing designations
  – 3 Not Applicable designations

Page 38: Mapping Results

• IGTF Classic Profile against C-4
  – 30 policy points evaluated
  – 19 Comparable designations
  – 1 Partial designation
  – 10 Exceeds designations

Page 39: Next Steps

• 4 Paths to proceed upon
  – Modify Classic CA Profile to match C-4 and cross-certify with C-4
    • Modification is currently under way but we may have missed this window
    • Requires all CAs to match new provisions
  – Create a new Profile with a higher LOA requirement that existing users may elect to comply with, e.g. Classic High Profile that is compliant with C-4
  – Attempt to cross-certify at Rudimentary LOA for FBCA
  – Undergo mapping with another bridge, e.g. HEBCA at a lower LOA, e.g. Rudimentary

Page 40: Proposed Inter-federations

[Diagram; labels recovered from the slide: FBCA (with member CAs CA-1, CA-2, CA-n); HEBCA (Dartmouth, Wisconsin, Texas, UVA, Univ-N); USHER; DST ACES; SAFE; CertiPath; NIH; HE JP; AusCert CAUDIT PKI; HE BR (each with member CAs CA-1 … CA-4); Other Bridges; IGTF; C-4; links labelled Cross-cert / Cross-certs between the bridges]

Page 41: (untitled chart of Levels of Assurance across frameworks)

[Chart; the slide's visual alignment between columns is not recoverable. Labels per column:]
FPKI: High; Medium Hardware CBP; Medium Software CBP; Basic; Rudimentary; C-4
HEBCA/USHER: High; Medium; Basic; Rudimentary; Foundation
IGTF: Classic CA; SLCS; MICS
E-AUTH: E-Auth Level 4; E-Auth Level 3; E-Auth Level 2; E-Auth Level 1
Also labelled on the chart: Classic Strong

Page 42: PKI vs Shibboleth

• Potential Killer Apps for PKI in Higher Education
  – S/MIME
  – SSO
  – Paperless Office workflow
  – EFS
  – Shibboleth/Federations
  – GRID Computing Enabled for Federations
  – E-grants facilitation

Page 43: Summary

• Shibboleth and PKI are complementary technologies
• With appropriate application of policies to create the I in PKI and the requirement of cryptographic binding of identities to cover the PK in PKI, Shibboleth can become a campus PKI (in a sense)
• Shibboleth may be a good stepping stone to a global PKI community (if it ever arrives)
• Shib can be used for various functions within an existing PKI
  – Delivery of credentials
  – Validation of credentials
• Global acceptance of a Shibboleth federation requires PKI
• Levels Of Assurance are key
  – It is more in the policy & liability than in the technology

Page 44: For More Information

• HEBCA Website: http://webteam.educause.edu/hebca/

Scott Rea - [email protected]