Getting Started with Digital Certificates: Is PKI-Lite Real PKI?
Internet2 Spring Meeting 2002, Washington, DC
May 06, 2002

Panel
– Intro to PKI-Lite – Judith Boettcher, CREN
– Minnesota story – Frank Grewe
– Columbia – Vace Kundacki, Alan Crosswell

What is PKI-Lite?
PKI-Lite — “Full-featured PKI technology deployed with existing campus standards for identification and authentication (I&A) and security”

Is PKI-Lite Real?
– Developed by the HEPKI-TAG and HEPKI-PAG groups; it is under review and implementation

Why did PKI-Lite evolve?
– Policy Swamp – for 18 months
– PKI-Lite Environment – At last!

PKI-Lite Trust Environment – What is it?
“Trust Documents”
– Certificate policy
– Certificate practice statement
– Certificate profiles for institutional and end-entity certificates (X.509 v3, IETF)
– Relying party statement
  • for content providers, publishers, etc.
Existing Campus Registration Authority – Registrar, HR
Certification Authority – IT dept with systems and software

PKI-Lite Technology Environment – What is it?
– “Good enough” to move forward
– Provides Level of Assurance (LOA)
  • Rudimentary for client certificates
  • Basic/Medium for Campus Certificates

PKI-Lite Environment
Available now
– Combined PKI-Lite Certificate Policy and Certification Practices Statement Template
  • middleware.internet2.edu/hepki-tag/pki-lite/pki-litepolicy-practices.htm
– Certificate Profiles
  • For Campus CA and for End-Entity/client certificates
PKI-Lite CP/CPS is being sent to various higher education groups for review
– Reviewed by two content providers in late 2001
  • Request to keep the certificate validity period to a maximum of 12.5 months

The CREN CA at MIT
SafeKeyper HSM box with the CREN CA
This box signs Certificate Signing Requests (CSRs)

Five Types of Certificates – It’s easy to get confused!
Root Certificates
– “Self-signed certs” (authenticate themselves)
Institutional Certificates
– Also called campus certs
Organizational Certificates
– Also called department certs, association certs
Web server certificates
– Also called server-side certs
End-Entity Certificates
– Also called end-user certs, client certs, individual certs, personal certs, or entity certs
– Client certs: different ones for signing email, encrypting email, and web authentication

What Do Individuals Use Certificates for?
Authenticating oneself to a server
Signing email
– The same certificate can be used for these two purposes: signing email and authenticating oneself to a server
Encrypting email
– Individuals will designate one specific certificate for encrypting email

CREN Certificate Services for Higher Education
Hierarchy of Institutional Certificates
– CREN CA Certificates – Operational since 11/99
Web server certificates
CREN.net CA for client certificates
– CREN.Net CA for staff, members and pilot projects
– Potentially for individuals at campuses without CAs who must meet federal mandates

What are Higher Ed Organizations Doing?
HEPKI-TAG (Internet2, CREN, Educause)
– Higher Education PKI – Technical Advisory Group
– Developing the PKI-Lite environment
– Now doing some pilot testing with S/MIME
HEPKI-PAG (Internet2, CREN, Educause)
– Higher Education PKI – Policy Advisory Group
– Developing the PKI-Lite environment
Internet2
– Leading the Middleware initiative, including the Shibboleth Project
– Check out www.internet2.edu/middleware
EDUCAUSE
– Leading the Higher Ed Bridge CA

Who is Doing or Planning PKI Use on Campus?
Two major classes of applications
– Web-based applications
– Electronic Mail (S/MIME)
– Plus authentication for network access, such as VPN and wireless
Campuses that are working with PKI
• MIT
• Princeton
• Cornell
• U of MN
• U of Mass
• Penn State
• Georgia Tech
• U of Virginia
• U of Wisconsin
• U of Alabama
• Columbia
• U of Tennessee
Source: J.Jokl/HEPKI-TAG

Examples of Web-Based Apps and Electronic Mail
Authentication
• Business services
• Access to class materials
• Access to remote databases
• HR self service
• Telecom requests
Electronic mail (S/MIME)
• general individual use
• submission of service orders
• submission of timesheets, travel reports
More detail is at...
• www.cren.net/crenca/icertpages/why.html
• middleware.internet2.edu/hepki-tag/TAG-PKI-Apps3.xls
Source: J.Jokl/HEPKI-TAG

On to Campus Stories…
Frank and Vace and Alan

PKI-Lite Environment
Standard PKI-Lite Cert Profiles
– Certificate Profile for Root Certificates
  – middleware.internet2.edu/hepki-tag/pki-lite/hepkitag-pkilite-root-profile-2.html
– Certificate Profile for End-entity Certificates
  – middleware.internet2.edu/hepki-tag/pki-lite/hepkitag-pkilite-profile-6.html
– These profiles come with implementor notes discussing extensions and fields to be filled out at the campus-level CA
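An added example, not from the talk or the HEPKI profiles, that checks a constructed root / campus CA / end-entity chain against the rules the slides state: roots are self-signed, signing/authentication and encryption are distinct usages, and end-entity validity stays within 12.5 months. The 380-day reading of "12.5 months", the X.509 keyUsage names used and the sample subject names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed reading of "maximum of 12.5 months": 12.5/12 of an average year.
MAX_END_ENTITY_DAYS = int(365.25 * 12.5 / 12)  # 380 days

@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    is_ca: bool
    key_usage: frozenset = field(default_factory=frozenset)

def check_end_entity(cert: Cert, purpose: str) -> list:
    """Profile checks for one client cert; purpose is 'sign_auth' or 'encrypt'."""
    findings = []
    if cert.is_ca:
        findings.append(f"{cert.subject}: end-entity cert must not be a CA")
    if (cert.not_after - cert.not_before).days > MAX_END_ENTITY_DAYS:
        findings.append(f"{cert.subject}: validity exceeds 12.5 months")
    # One cert may serve both signing and server authentication (digitalSignature);
    # encryption is a separately designated cert (keyEncipherment).
    need = "digitalSignature" if purpose == "sign_auth" else "keyEncipherment"
    if need not in cert.key_usage:
        findings.append(f"{cert.subject}: keyUsage lacks {need} for {purpose}")
    return findings

def check_chain(chain: list, purpose: str) -> list:
    """chain is ordered root -> intermediate CA(s) -> end-entity; returns findings."""
    findings = []
    root = chain[0]
    if root.subject != root.issuer:
        findings.append(f"{root.subject}: root must be self-signed")
    for issuer, cert in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            findings.append(f"{cert.subject}: issuer {cert.issuer!r} does not match {issuer.subject!r}")
        if not issuer.is_ca or "keyCertSign" not in issuer.key_usage:
            findings.append(f"{issuer.subject}: signer must be a CA with keyCertSign")
        if not (issuer.not_before <= cert.not_before and cert.not_after <= issuer.not_after):
            findings.append(f"{cert.subject}: validity not within issuer's validity")
    findings += check_end_entity(chain[-1], purpose)
    return findings

# Constructed sample chain: root CA -> campus (institutional) CA -> individual's signing cert.
ROOT = Cert("CREN CA", "CREN CA", date(1999, 11, 1), date(2019, 11, 1), True, frozenset({"keyCertSign"}))
CAMPUS = Cert("Example U CA", "CREN CA", date(2002, 1, 1), date(2012, 1, 1), True, frozenset({"keyCertSign"}))
SIGN = Cert("alice@example.edu", "Example U CA", date(2002, 5, 1), date(2003, 5, 1), False, frozenset({"digitalSignature"}))
```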