PKI in US Higher Education

TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil


HEBCA: Higher Education Bridge Certificate Authority

• Bridge Certificate Authority for US Higher Education
• Modeled on FBCA
• Provides cross-certification between the subscribing institution and the HEBCA root CA
• Flexible policy implementations through the mapping process
• The HEBCA root CA and infrastructure hosted at Dartmouth College
• Facilitates inter-institutional trust between participating schools
• Facilitates inter-federation trust between US Higher Education community and external entities


HEBCA Project

• What will it provide?
  – The HEBCA Project will create and maintain three new Certificate Authority (CA) systems for EDUCAUSE and will also house the existing HEBCA Prototype CA
  – The three CA systems to be created are:
    • HEBCA Test CA
    • HEBCA Development CA
    • HEBCA Production CA
  – The HEBCAs will be used to cross-certify Higher Education PKI trust anchors to create a bridged trust network
  – The HEBCA Test CA will also be cross-certified with the Prototype FBCA (other emerging Bridge CAs are also targets) and the HEBCA production CAs will be cross-certified with the production FBCA.


HEBCA Project

• What does it look like?

(Artist's impression only)


HEBCA Policy Authority

The HEBCA PA establishes policy for and oversees operation of the HEBCA. HEBCA PA activities include…

• approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the HEBCA

• set policy for accepting applications for cross-certification and interoperation with the HEBCA

• certify the mapping of policy between the HEBCA CP and applicants' CPs

• establish any needed constraints in cross-certification documents

• represent the HEBCA in establishing its own cross-certification with other PKI bridges

• set policy governing operation of the HEBCA

• oversee the HEBCA Operational Authority

• keep the HEBCA Membership and the HEPKI Council informed of its decisions and activities.


HEBCA Operating Authority

• The HEBCA OA is the organization that is responsible for the issuance of HEBCA certificates when so directed by the HEBCA PA, the posting of those certificates and any Certificate Revocation Lists (CRLs) or Certificate Authority Revocation Lists (CARLs) into the HEBCA repository, and maintaining the continued availability of the repository to all parties relying on HEBCA certificates.

• Specific responsibilities of the HEBCA OA include:
  – Management and operation of the HEBCA infrastructure;
  – Management of the registration process;
  – Completion of the applicant identification and authentication process; and
  – Complying with all requirements and representations of the Certificate Policy.

• Key personnel from the Dartmouth PKI Laboratory were chosen as the HEBCA Operating Authority by the HEBCA PA under the direction of EDUCAUSE (the project sponsor).


HEBCA

• What is the value presented by this initiative?
  – HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
  – Extensions to the Higher Education trust infrastructure into external federations are also possible, and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
  – Single credential accepted globally
  – Potential for stronger authentication and possibly authorization of participants in grid based applications
  – Contributions provided to the Path Validation and Path Discovery development efforts
  – Facilitates compliance with legal requirements (GPEA, HIPAA)


USHER: US Higher Education Root

• Trusted Root for US Higher Education
• Only signs subordinate CA certificates
• Bootstraps institutional PKIs by providing policy infrastructure and a CA
• The USHER root CA and infrastructure hosted at Dartmouth College
• Facilitates inter-institutional trust between participating schools
• Different levels of assurance supported


USHER Project

• What will it provide?
  – The USHER Project will create and maintain four new Certificate Authority (CA) systems for Internet2 and will share the existing HEBCA infrastructure
  – The four CA systems to be created are:
    • USHER Foundation CA
    • USHER Basic CA*
    • USHER Medium CA*
    • USHER High CA*
    *Not officially named yet
  – The USHERs will be used to provide institutions of higher education PKI trust anchors with a common policy
  – The USHER CAs may also be potentially cross-certified with the HEBCA to allow interoperation outside the USHER community.


USHER Policy Authority

The USHER PA establishes policy for and oversees operation of the USHER initiatives. USHER PA activities include…

• approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the USHER
• set policy for accepting applications for CA issuance under USHER CAs
• represent the USHER in establishing cross-certification with other PKI bridges e.g. HEBCA
• set policy governing operation of the USHER CAs
• oversee the USHER Operational Authority
• keep the USHER Membership informed of its decisions and activities.


Solving Silos of Trust

[Diagram. Labels: Dept-1, Institution, SubCA, CA, USHER, HEBCA, FBCA]


Proposed Inter-federations

[Diagram. Labels: FBCA (CA-1, CA-2, CA-n); Cross-cert; HEBCA (Dartmouth, Wisconsin, Texas, Univ-N, UVA); USHER; DST ACES; Cross-certs; SAFE; Aero; NIH; CA-1, CA-2, CA-3, CA-4]


HEBCA Project - Overview

[Diagram. Panels: HEBCA PA and CP oversight; HEBCA Infrastructure (CA, Root Cert, HEBCA Directory, Cross Cert Pairs); University 1 PKI and University 2 PKI (each with Border Dir, Root Cert, Cross Cert Pair, CA, CRLs); FBCA PKI, Other Cross Certified PKIs; RoD (FBCA Referral, University 1 Referral, University 2 Referral); FBCA PA and CP oversight; FBCA Infrastructure (CA, Root Cert, FBCA Directory, Cross Cert Pairs); DST ACES PKI, Other Cross Certified PKI; HEBCA PKI, Other Cross Certified PKIs]

• X.500 DSP Protocol (Chaining Agreements) between FBCA and Cross Certified PKI provider
• X.500 Based Directory: Directories Interconnect via Chaining (X.500 DSP)
• LDAP Based Directory: Utilizing the Registry of Directories, Utilizing LDAP Referrals


HEBCA Project - Progress

• What's been done so far?
  – Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
  – MOA with commercial vendor for infrastructure hardware (Sun)
  – MOA with commercial vendor for CA software and licenses (RSA)
  – Policy Authority formed
  – Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
  – Prototype Registry of Directories (RoD) deployed at Dartmouth
  – Draft of Production HEBCA CP produced
  – Draft of Production HEBCA CPS produced
  – Preliminary Policy Mapping completed with FBCA
  – Test HEBCA CA deployed and cross-certified with the Prototype FBCA
  – Test HEBCA RoD deployed
  – Production HEBCA development phase underway
  – Infrastructure has passed interoperability testing with FBCA


USHER Project - Progress

• What's been done so far?

– Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)

– MOA with commercial vendor for infrastructure hardware (Sun)

– MOA with commercial vendor for CA software and licenses (RSA)

– Policy Authority formed

– Prototype USHER operational on the Prototype HEBCA infrastructure

– Draft of Production USHER CP produced

– Draft of Production USHER CPS produced

– Production USHER Foundation CA created (2/23/06) and distributed

– USHER Foundation being embedded in applications (e.g. Lionshare)

– USHER Foundation run from InCommon infrastructure


For More Information

• HEBCA Website: http://www.educause.edu/HEBCA/623
• USHER Website: http://usher.internet2.edu/

Scott Rea - [email protected]