PKI Federations in Higher Education NIST PKI R

1
PKI Federations in Higher EducationNIST PKI RD
Workshop 5, April 4-6 2006, Gaithersburg MD
2
Contents

• Overview of PKI in Higher Education
• HEBCA
• Challenges and Opportunities

3
Overview

• 5 Potential Killer Apps for PKI in Higher
  Education
• S/MIME
• Paperless Office workflow
• Shibboleth
• GRID Computing Enabled for Federations
• E-grants facilitation

4
Overview

• PKI Initiatives in US Higher Education Community
• HEBCA (Higher Education Bridge Certificate
  Authority)
• USHER (US Higher Education Root)
• InCommon
• Grid based PKIs
• Campus based PKIs

5
OverviewHigher Education Bridge Certificate
Authority - HEBCA

• HEBCA facilitates a trust fabric across all of US
  Higher Education so that credentials issued by
  participating institutions can be used (and
  trusted) globally e.g. signed and/or encrypted
  email, digitally signed documents (paperless
  office), etc can all be trusted
  inter-institutionally and not just
  intra-institutionally
• Extensions to the Higher Education trust
  infrastructure into external federations is also
  possible and proof of concept work with the FBCA
  (via BCA cross-certification) has demonstrated
  this inter-federation trust extension
• Single credential accepted globally
• Uses Levels of Assurance to indicate strength of
  Identification and Authentication procedures,
  audit/separation of duty requirements, and key
  protection measures
• Potential for stronger authentication and
  possibly authorization of participants in grid
  based applications

6
OverviewUnited States Higher Education Root
USHER

• USHER is a public key infrastructure (PKI)
  supported by the higher education community to
  facilitate emerging deployments in research,
  education, and transactions in higher education
  that require PKI and allows subscribers to base
  PKI applications and services in a common root
  with peers and collaborative partners
• USHER is the Trusted Root of a hierarchical PKI
  for US Higher Education the root only signs
  subordinate CA certificates, and the service is
  designed to bootstrap institutional PKIs by
  providing policy infrastructure and a CA
• USHER Foundation is the first service offered and
  is designed to be a broadly adoptable PKI with
  easy implementation by leveraging most existing
  campus identity practices
• USHER Foundation does not audit or in any other
  way validate the policy or practice that a
  subscriber uses to issue certificate credentials
  to its users, instead, USHER has developed a set
  of Expected Practices for campus CA operators to
  consider
• Other USHER services are anticipated with
  stronger levels of assurance and auditable
  policies

7
OverviewInCommon

• The mission of the InCommon Federation is to
  create and support a common framework for
  trustworthy shared management of access to
  on-line resources in support of education and
  research in the United States.
• InCommon will facilitate development of a
  community-based common trust fabric sufficient to
  enable participants to make appropriate decisions
  about access control information provided to them
  by other participants
• InCommon is intended to enable production-level
  end-user access to a wide variety of protected
  resources and uses Shibboleth as its federating
  software
• InCommon eliminates the need for researchers,
  students, and educators to maintain multiple,
  password-protected accounts
• Although this system is assertion based, there is
  still a need for PKI credentials to protect the
  server infrastructure, and PKI can also be used
  as the authentication mechanism.

8
OverviewGrid based PKIs

• Some higher education institutions operate
  production level Grid CAs approved by TAGPMA
• TeraGrid (Illinois, Purdue)
• Open Science Grid (California)
• Texas High Energy Grid (Texas)
• San Diego Supercomputing Center
• Many institutions run experimental grid CAs to
  investigate the potential of this activity
• Dartmouth College
• University of Virginia

9
OverviewCampus PKIs

• Managed PKIs from Commercial vendors
• CA operations outsourced to vendor
• CyberTrust
• DST/Identrus
• GeoTrust
• VeriSign
• Vendor based Policy
• Local RAs
• Internal Campus PKI operations
• CA RA operations run on campus
• Campus based Policy
• EDUCAUSE has programs for reducing cost through
  Identity Management Services Program
• http//www.educause.edu/IMSP
• Open Source options e.g. OpenCA, CA-in-a-box,
  etc. etc.

10
HEBCA Higher Education Bridge Certificate
Authority

• Bridge Certificate Authority for US Higher
  Education
• Modeled on FBCA
• Provides cross-certification between the
  subscribing institution and the HEBCA root CA
• Flexible policy implementations through the
  mapping process
• The HEBCA root CA and infrastructure hosted at
  Dartmouth College
• Facilitates inter-institutional trust between
  participating schools
• Facilitates inter-federation trust between US
  Higher Education community and external entities

11
HEBCA Project

• What will it provide?
• The HEBCA Project will create and maintain three
  new Certificate Authority (CA) systems for
  EDUCAUSE and will also house the existing HEBCA
  Prototype CA
• The three CA systems to be created are
• HEBCA Test CA
• HEBCA Development CA
• HEBCA Production CA
• The HEBCAs will be used to cross-certify Higher
  Education PKI trust anchors to create a bridged
  trust network
• The HEBCA Test CA will also be cross-certified
  with the Prototype FBCA (other emerging Bridge
  CAs are also targets) and the HEBCA production
  CAs will be cross-certified with the production
  FBCA.

12
HEBCA Project - Overview
LDAP Based Directory Utilizing the Registry of
Directories Utilizing LDAP Referrals
X.500 Based Directory Directories Interconnect
via Chaining (X.500 DSP)
13
HEBCA Policy Authority

• The HEBCA PA establishes policy for and oversees
  operation of the HEBCA. HEBCA PA activities
  include
• approve and certify the Certificate Policy (CP)
  and Certification Practices Statement (CPS) for
  the HEBCA
• set policy for accepting applications for
  cross-certification and interoperation with the
  HEBCA
• certify the mapping of policy between the HEBCA
  CP and applicants CPs
• establish any needed constraints in
  cross-certification documents
• represent the HEBCA in establishing its own
  cross-certification with other PKI bridges
• set policy governing operation of the HEBCA
• oversee the HEBCA Operational Authority
• keep the HEBCA Membership and the HEPKI Council
  informed of its decisions and activities.

14
HEBCA Operating Authority

• The HEBCA OA is the organization that is
  responsible for the issuance of HEBCA
  certificates when so directed by the HEBCA PA,
  the posting of those certificates and any
  Certificate Revocation Lists (CRLs) or
  Certificate Authority Revocation Lists (CARLs)
  into the HEBCA repository, and maintaining the
  continued availability of the repository to all
  parties relying on HEBCA certificates.
• Specific responsibilities of the HEBCA OA
  include
• Management and operation of the HEBCA
  infrastructure
• Management of the registration process
• Completion of the applicant identification and
  authentication process and
• Complying with all requirements and
  representations of the Certificate Policy.
• Key personnel from the Dartmouth PKI Laboratory
  were chosen as the HEBCA Operating Authority by
  the HEBCA PA under the direction of EDUCAUSE (the
  project sponsor).

15
HEBCA Project - Progress

• Whats been done so far?
• Operational Authority (OA) contractor engaged
  (Dartmouth PKI Lab)
• MOA with commercial vendor for infrastructure
  hardware (Sun)
• MOA with commercial vendor for CA software and
  licenses (RSA)
• Policy Authority formed
• Prototype HEBCA operational and cross-certified
  with the Prototype FBCA (new Prototype
  instantiated by HEBCA OA)
• Prototype Registry of Directories (RoD) deployed
  at Dartmouth
• Draft of Production HEBCA CP produced
• Draft of Production HEBCA CPS produced
• Preliminary Policy Mapping completed with FBCA
• Test HEBCA CA deployed and cross-certified with
  the Prototype FBCA
• Test HEBCA RoD deployed
• Production HEBCA development phase complete
• Infrastructure has passed interoperability
  testing with FBCA
• Some minor documentation to finalize
• Ready for audit and production operations

16
Solving Silos of Trust
Institution
FBCA
Dept-1
Dept-1
Dept-1
HEBCA
CAUDIT PKI
USHER
CA
CA
CA
SubCA
SubCA
SubCA
SubCA
SubCA
SubCA
SubCA
SubCA
SubCA
17
Proposed Inter-federations
CA-1
CA-2
CA-2
CA-3
HE BR
CA-1
AusCert CAUDIT PKI
CA-n
HE JP
FBCA
Cross-cert
Cross-certs
DST ACES
NIH
Texas
HEBCA
Dartmouth
Cross-certs
Wisconsin
UVA
Univ-N
USHER
SAFE
CertiPath
CA-4
CFPKIB
CA-1
CA-2
CA-3
18
Challenges and Opportunities

• Operational restraints Offline CA with 6 hourly
  CRLs requiring dually authenticated sneaker-net
  with limited staffing
• Pre-generate CRLs
• AirGap USB based switch
• Audit
• What standard?
• Cost barriers
• Support for Bridge PKIs in current applications
• Cross-certificates, path discovery, path
  validation support is limited in COTS products

19
AirGap MkII
20
Challenges and Opportunities

• Community applicability
• If we build it they will come
• Chicken Egg profile for infrastructure and
  applications
• An appropriate business plan
• Consolidation and synergy
• Are USHER HEBCA competing initiatives?
• Benefits of a common infrastructure
• Alignment with policies of complimentary
  communities
• Shibboleth / InCommon
• Grids (TAGPMA)

21
Bridge-Aware Applications
22
Challenges and Opportunities

• Open Tasks
• Re-evaluate operating LOA
• Audit
• Updated Business Plan
• Mapping Grid Profiles
• Classic PKI
• SLCS
• Promotion of PKI Test bed
• Validation Authority service
• Cross-certification with FBCA
• Cross-certification with other HE PKI communities
• CAUDIT PKI (AusCERT)
• HE JP
• HE BR

23
Proposed Inter-federations
CA-1
CA-2
CA-2
CA-3
HE BR
CA-1
AusCert CAUDIT PKI
CA-n
HE JP
FBCA
Cross-cert
Cross-certs
DST ACES
NIH
Texas
HEBCA
Dartmouth
Cross-certs
Wisconsin
UVA
Univ-N
USHER
SAFE
CertiPath
CA-4
CFPKIB
CA-1
CA-2
CA-3
24
For More Information

• HEBCA Website
• http//www.educause.edu/HEBCA/623
• EDUCAUSE IMSP
• http//www.educause.edu/IMSP
• Scott Rea - Scott.Rea_at_dartmouth.edu