HEBCA – Higher Education Bridge Certification Authority
Presented by Scott Rea and Mark Franklin, Fed/Ed Meeting, 12/14/2005
Topics
• HEBCA’s goals
• Progress to date
• Next steps
• Collaboration
HEBCA’s Goals
• Provide a mechanism for inter-institutional trust of PKI certificates
– Policies
– Technical infrastructure
• Cross-certify participants at appropriate levels of assurance
• Provide high availability online directory (x-cert lookup) and revocation services
• Dynamically add cross-certifications of existing CAs
• Cross-certify with other trust fabrics as appropriate (FBCA, USHER, SAFE, etc.)
HEBCA’s Goals (continued)
Enable inter-institutional applications:
• Digital signatures on web forms, applications, reports, etc.
• Authentication to network services
• GRID authentication
• S/MIME signed email
• Trust fabric for server identity certificates, Web Services
Any PKI certificate path validation can use the bridge mechanism to impute trust and determine level of assurance.
Progress to Date
• Active and productive Policy Authority
• Most policy in place
• Many official docs approved
• Operating Authority nearly finished installing initial production infrastructure
• Audit agreements signed, audit starting
• Collaborating with USHER (policy, infrastructure, Registration Authority)
HEBCA Production Hardware
Progress to Date (continued)
Hurdles overcome
• Invented techniques and procedures to operate a high assurance CA on a shoestring budget
– Streamline everything
– Air gap for offline CA automation
• Resolution of FBCA requirement for US citizenship of “trusted roles” personnel prior to cross-certification
• Discovered and worked around vulnerability in protocol for indirect CRLs
AirGap
• The Problem:
– Offline CA
– CRL generation and publication every 6 hours
– Need two trusted personnel present to access CA
How do we staff this? Two people visit the machine room every 6 hours? No way!
AirGap
• USB flash device carries signed data between CA and Directory
• Storage is never connected to both devices at the same time – hardware enforces an “air gap”
• Storage connected to online Directory for 5 mins every 6 hours, otherwise connected to offline CA
• Automated sneakernet equivalent!
AirGap
• Components (about $100 cost):
– Sewell Manual Share USB Switch
– 5V relay
– 5V AC adapter
– Power Timer
– Simple debounce circuit
– Crucial 1Gb Flash Disk
– Cron jobs running on CA and online Directory server
– Signed objects passed back and forth (CRL, revocation requests, certificate requests, etc.)
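The slides describe the mechanism but not the logic of the two cron jobs. The following is an added example (not code from the HEBCA deck or its Operating Authority) that models the sneakernet in stdlib-only Python: a switch object that enforces the one-host-at-a-time rule, a CA-side job that writes a signed CRL to the disk, and a directory-side job that refuses to publish anything unsigned, tampered, stale, or older than what is already published. The HMAC here is a stand-in for the X.509 signature a real directory would verify against the CA certificate; the class and function names, file names and key are all assumptions.

```python
import hashlib
import hmac
import json

SIX_HOURS = 6 * 3600


class AirGapViolation(Exception):
    """Raised when a host tries to use storage that is switched to the other host."""


class UsbSwitch:
    """Model of the relay-driven USB share switch: the flash disk is connected to
    the offline CA or to the online directory server, never to both."""

    def __init__(self):
        self.position = "CA"    # timer default: the disk lives on the CA side
        self.disk = {}          # filename -> bytes, contents of the flash disk

    def select(self, host):
        """The power timer / relay flips the switch to one host."""
        if host not in ("CA", "DIR"):
            raise ValueError(host)
        self.position = host

    def mount(self, host):
        """A host can only see the disk while the switch points at it."""
        if self.position != host:
            raise AirGapViolation(f"disk is switched to {self.position}, not {host}")
        return self.disk


def sign(key, payload):
    # Assumption: HMAC-SHA256 stands in for the CA's X.509 signature over the CRL.
    return hmac.new(key, payload, hashlib.sha256).hexdigest().encode()


def ca_export_crl(switch, key, crl_number, revoked, now):
    """CA-side cron job: write a fresh CRL and its signature to the disk."""
    disk = switch.mount("CA")
    crl = {"crl_number": crl_number, "this_update": now,
           "next_update": now + SIX_HOURS, "revoked": sorted(revoked)}
    payload = json.dumps(crl, sort_keys=True).encode()
    disk["crl.json"] = payload
    disk["crl.sig"] = sign(key, payload)
    return crl


def directory_import_crl(switch, key, state, now):
    """Directory-side cron job: verify, then publish. Returns (accepted, reason)."""
    disk = switch.mount("DIR")
    payload, sig = disk.get("crl.json"), disk.get("crl.sig")
    if payload is None or sig is None:
        return False, "no CRL on disk"
    if not hmac.compare_digest(sig, sign(key, payload)):
        return False, "signature mismatch"           # tampered in transit
    crl = json.loads(payload)
    if not crl["this_update"] <= now < crl["next_update"]:
        return False, "CRL outside its validity window"   # stale or future-dated
    if crl["crl_number"] <= state.get("crl_number", -1):
        return False, "CRL number not newer than published"  # replay of an old CRL
    state["crl_number"] = crl["crl_number"]
    state["revoked"] = set(crl["revoked"])
    return True, "published"


def run_cycle(switch, key, state, crl_number, revoked, now):
    """One 6-hour cycle: CA writes, timer flips the switch for a few minutes,
    directory imports, timer flips the switch back to the CA."""
    ca_export_crl(switch, key, crl_number, revoked, now)
    switch.select("DIR")
    try:
        result = directory_import_crl(switch, key, state, now + 60)
    finally:
        switch.select("CA")
    return result


if __name__ == "__main__":
    sw, published, key = UsbSwitch(), {}, b"constructed-demo-key"
    print(run_cycle(sw, key, published, 1, {"0x10"}, 0))
    print(published)
```

The directory job deliberately checks the signature before parsing the payload, and checks the CRL number against what it last published, so a disk that is swapped or replayed cannot roll revocation state backwards; the `finally` mirrors the timer returning the disk to the CA side whether or not the import succeeded.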
Next Steps
• Policies, procedures, and documentation finalized
• Dry run cross-certification with University of Virginia
• Audit
• Initialize production CA
• Production operations
• Market and cross-certify with customer CAs
• Cross-certify with FBCA, other bridges
HEBCA and USHER Collaboration
• Sharing infrastructure and implementation
• Single OA (Dartmouth) and single RA (Internet2)
• One CA implementation and system
• Much shared policy and documentation
HEBCA and USHER are significantly cheaper to build and run collaboratively than separately.
For More Information
• HEBCA Website: http://webteam.educause.edu/hebca/
OA Architect and Implementor
Scott Rea - [email protected]
Mark Franklin – [email protected]