What are Digital Certificates: How do they Work?

Getting Started with Digital Certificates:
Is PKI-Lite Real PKI?
Internet2 Spring Meeting 2002
Wash, DC
May 06, 2002
Panel
Intro to PKI-Lite
– Judith Boettcher, CREN
Minnesota story
– Frank Grewe
Columbia
– Vace Kundakci
– Alan Crosswell
What is PKI-Lite?
PKI-Lite — “Full-featured PKI technology
deployed with existing campus standards for
identification and authentication (I&A) and
security”
Is PKI-Lite Real?
Developed by the HEPKI-TAG and HEPKI-PAG groups; now under review and being implemented
Why did PKI-Lite evolve?
– Policy swamp for 18 months
– PKI-Lite environment at last!
PKI-Lite Trust Environment - What is it?
“Trust Documents”
– Certificate policy
– Certification practice statement
– Certificate profiles for institutional and end-entity certificates (X.509 v3, IETF)
– Relying party statement
• for content providers, publishers, etc.
Existing Campus Registration Authority
– Registrar, HR
Certification Authority
– IT dept with systems and software
PKI-Lite Technology Environment - What is it?
“Good enough” to move forward
Provides Level of Assurance (LOA)
– Rudimentary for client certificates
– Basic/Medium for Campus Certificates
PKI-Lite Environment
Available now
– Combined PKI-Lite Certificate Policy and Certification Practices Statement (CP/CPS) Template
• middleware.internet2.edu/hepki-tag/pki-lite/pki-litepolicy-practices.htm
– Certificate Profiles
• For Campus CA and for End-Entity/client certificates
PKI-Lite CP/CPS is being sent to various higher education groups for review
– Reviewed by two content providers in late 2001
• Request to keep certificate validity periods to a maximum of 12.5 months
The CREN CA at MIT
SafeKeyper HSM box holding the CREN CA signing key
This box issues certificates by signing the contents of Certificate Signing Requests (CSRs) with the CA key, which never leaves the HSM
Five Types of Certificates - It’s easy to get confused!
Root Certificates
– “Self-signed certs”: issuer and subject are the same, and the signature is made with the cert’s own key, so the signature proves nothing by itself; trust in a root comes from how it is distributed and installed on the relying party
Institutional Certificates
– Also called campus certs
Organizational Certificates
– Also called department certs, association certs
Web server certificates
– Also called server-side certs
End-Entity Certificates
– Also called end-user certs, client certs, individual certs, personal certs, or entity certs
– Client certs: different ones for signing email and encrypting email; the signing cert also serves web authentication
What Do Individuals Use Certificates for?
Authenticating oneself to server
Signing email
– The same certificate can be used for these two purposes, signing email and authenticating oneself to a server, because both only need the digitalSignature key usage
Encrypting email
– Individuals will designate one specific certificate (with keyEncipherment usage) for encrypting email, kept separate from the signing key
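An added example, not from the slides and not CREN or HEPKI-TAG code, that puts the five certificate types and the three individual uses above into working code with Python’s `cryptography` library: a self-signed campus root issues one end-entity certificate for web authentication plus S/MIME signing and a second one reserved for S/MIME encryption, and small relying-party helpers check the issuer signature, the KeyUsage/EKU fit for each use, and the 12.5-month validity cap the content providers asked for. The CA name, the person’s name and e-mail address, and the 380-day encoding of “12.5 months” are assumptions.

```python
"""PKI-Lite-shaped two-tier hierarchy: self-signed campus root, separate
signing and encryption end-entity certs, and relying-party checks.
Example code; names, e-mail and the 380-day cap encoding are assumptions."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# "12.5 months" from the content-provider review, encoded as 380 days (assumption).
MAX_VALIDITY = dt.timedelta(days=380)
UTC = dt.timezone.utc


def _key_usage(**flags):
    """KeyUsage with every bit cleared except those passed as True."""
    names = ("digital_signature", "content_commitment", "key_encipherment",
             "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
             "encipher_only", "decipher_only")
    return x509.KeyUsage(**{n: flags.get(n, False) for n in names})


def make_root(cn="Example Campus Root CA"):
    """Self-signed root: issuer == subject, signed by its own key. The signature
    therefore proves nothing about trust; relying parties must install it out of band."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(_key_usage(key_cert_sign=True, crl_sign=True), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, cn, email, purpose, days):
    """Issue an end-entity cert. purpose 'signing' = client auth + S/MIME signing;
    'encryption' = S/MIME key transport only. The 12.5-month cap is enforced here."""
    if dt.timedelta(days=days) > MAX_VALIDITY:
        raise ValueError(f"{days} days exceeds the 12.5-month PKI-Lite cap")
    if purpose == "signing":
        ku = _key_usage(digital_signature=True, content_commitment=True)
        eku = [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION]
    elif purpose == "encryption":
        ku = _key_usage(key_encipherment=True)
        eku = [ExtendedKeyUsageOID.EMAIL_PROTECTION]
    else:
        raise ValueError(purpose)
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = dt.datetime.now(UTC)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                         x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .add_extension(ku, critical=True)
            .add_extension(x509.ExtendedKeyUsage(eku), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def issued_by(cert, issuer_cert):
    """Relying-party check: names chain and the issuer's key verifies the signature."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def validity_within_policy(cert):
    """Relying-party check of the 12.5-month cap (handles old and new library versions)."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    return na - nb <= MAX_VALIDITY


def fit_for(cert, use):
    """Map the three individual uses from the slides onto KeyUsage / EKU bits."""
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if use == "web_auth":
        return ku.digital_signature and ExtendedKeyUsageOID.CLIENT_AUTH in eku
    if use == "sign_email":
        return ku.digital_signature and ExtendedKeyUsageOID.EMAIL_PROTECTION in eku
    if use == "encrypt_email":
        return ku.key_encipherment and ExtendedKeyUsageOID.EMAIL_PROTECTION in eku
    raise ValueError(use)
```

The point a relying party should take from `fit_for` is that the same signing certificate legitimately serves both web authentication and S/MIME signing (both need only digitalSignature), while the encryption certificate carries keyEncipherment and no clientAuth, so it is refused for login; the cap on validity is enforced twice, at issuance and again by the relying party, because a CA that ignores its own CP/CPS is exactly what the relying party statement is meant to protect against.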
CREN Certificate Services for Higher Education
Hierarchy of Institutional Certificates
– CREN CA Certificates
– Operational since 11/99
Web server certificates
CREN.net CA for client certificates
– CREN.Net CA for staff, members and pilot projects
– Potentially for individuals at campuses without CAs who must meet federal mandates
What are Higher Ed Organizations Doing?
HEPKI-TAG (Internet2, CREN, Educause)
– Higher Education PKI - Technical Advisory Group
– Developing the PKI-Lite environment
– Now doing some pilot testing with S/MIME
HEPKI-PAG (Internet2, CREN, Educause)
– Higher Education PKI - Policy Advisory Group
– Developing the PKI-Lite environment
Internet2
– Leading the Middleware initiative, including the Shibboleth Project
– Check out www.internet2.edu/middleware
EDUCAUSE
– Leading the Higher Ed Bridge CA
Who is Doing or Planning PKI Use on Campus?
Two major classes of applications
– Web-based applications
– Electronic Mail (S/MIME)
– Plus authentication for network access, such as VPN and wireless
Campuses that are working with PKI
• MIT
• Princeton
• Cornell
• U of MN
• U of Mass
• Penn State
• Georgia Tech
• U of Virginia
• U of Wisconsin
• U of Alabama
• Columbia
• U of Tennessee
Source: J.Jokl/HEPKI-TAG
Examples of Web-Based Apps and Electronic Mail
Authentication
• Business services
• Access to class materials
• Access to remote databases
• HR self service
• Telecom requests
Electronic mail (S/MIME)
• General individual use
• Submission of service orders
• Submission of timesheets, travel reports
More detail is at...
• www.cren.net/crenca/icertpages/why.html
• middleware.internet2.edu/hepki-tag/TAG-PKI-Apps3.xls
Source: J.Jokl/HEPKI-TAG
On to Campus Stories…
Frank and Vace and Alan
PKI-Lite Environment
Standard PKI-Lite Cert Profiles
– Certificate Profile for Root Certificates
• middleware.internet2.edu/hepki-tag/pki-lite/hepkitag-pkilite-root-profile-2.html
– Certificate Profile for End-entity Certificates
• middleware.internet2.edu/hepki-tag/pki-lite/hepkitag-pkilite-profile-6.html
– These profiles come with implementor notes discussing the X.509 extensions and fields that each campus-level CA fills in for itself