A community-based CA: The (slow) rise of the house of Usher (The CA formerly known as CREN)

Slides: 10
Provided by: stonesoup
Transcript and Presenter's Notes


1
A community-based CA: The (slow) rise of the
house of Usher (The CA formerly known as CREN)
2
The CA formerly known as CREN
  • Lots of discussion for a looong time: HEPKI-TAG,
    HEBCA-BID, PKI Labs
  • Plan is finally emerging
  • A few related certificate services
  • USHER - Level 1 - soon
  • USHER Level 2 - start detailed planning for
    implementation
  • USHER CP
  • Others if warranted, eventually
  • All operate on high levels of assurance in I/A of
    the institution, and in their internal operation
    at both Internet2 and subcontractors
  • Place varying degrees of pain, and power, to the
    institutions
  • Helping on a packaging of open-source low-cost CA
    servers
  • Work with EDUCAUSE on their related initiatives

3
Usher-Level 1
  • Modeled after Federal Citizen and Commerce CP/CPS
    (www.cio.gov/fpkipa/documents/citizen_commerce_cpv1.pdf)
  • Issues only institutional certs
  • Those certs can be used for any purposes
  • CP will place few constraints on campus
    operations
      • User identification and key management
      • Campus CA/RA activities
  • Will be operated itself at high levels of
    confidence
  • Will recommend a profile for campus use
  • Good for building local expertise, ensuring some
    consistency in approaches among campuses, and may
    be suitable for many campus needs and some
    inter-campus uses
  • Will not work for signing federal grants, etc.
  • Operational soon

4
Usher - Level 2
  • Modeled after FBCA Basic level CP
  • Issues only institutional certs
  • Those certs can be used for most purposes
  • CP will place more constraints on campus
    operations
      • User identification and key management
      • Campus CA/RA activities
  • Will be operated itself at high levels of
    confidence
  • Will recommend a profile for campus use
  • Good for many campus needs, many inter-campus
    uses, and many workings with the federal
    government
  • Will peer at the HEBCA
  • Detailed planning now starting; stand up sometime
    mid-next year

5
Interesting and Open Issues
  • Policy Authority for USHER?
  • Conservation of policy groups
  • HEBCA PA? InCommon-Exec?
  • Final pricing and packaging
  • Working numbers: <2K first year, <1K renewal
  • Includes strong institutional I/A, strong USHER
    operations
  • Leverages InCommon operations
  • Applications and use

6
Interesting and Open Issues 2
  • Cost for Usher to peer at bridges
  • Ability to put Usher into various browsers
  • Relation to InCommon
  • Distinguishing one from the other
  • To applications
  • To users
  • Leveraging one with the other

7
+/- of Usher
  • Pluses
      • Pricing and lack of usage constraints on campus
        roots
      • Strong institutional I/A external and for
        subdomains
      • Community-consistent
      • ???
  • Negatives
      • Not easily in browsers
      • Uncharted peering with feds, commercials, etc.
      • Places more emphasis on running your own campus
        CA.
      • ??

8
Early version
[Diagram; labels: HEBCA, FBCA, USHER Level 2, USHER Level 1]
9
Caveats
  • Progress has been very slow
  • On the other hand, good progress is being made
    with InCommon and much of that can be highly
    leveraged, at least operationally
  • HIPAA interpretations and priorities vary
    dramatically across campuses.
  • Terena has begun to set up a registry of national
    R&E CA roots. It is not clear what leverage that
    offers.