Middleware activities in French Higher Education

1. Middleware activities inFrench Higher Education F. Guilleux, O. Salaün - CRU

2. Institutional view Ministry in charge of Research and HE CNRS INRIA Universities (83) Engineer schools (80) Research institutions CEA … F. Guilleux, O. Salaün - CRU

3. What is the CRU • CRU stands for « Comité Réseau des Universités » (network committee for French universities) • We do NOT operate a national academic network (=> Renater) • The CRU is responsible for coordinating actions among universities and between universities and the ministry F. Guilleux, O. Salaün - CRU

4. Middleware activities • Authentication & Authorization Infrastructure • Directories • Sympa • PKI F. Guilleux, O. Salaün - CRU

5. AAI • French ministry urges universities to set up digital working environments (Virtual campuses): • National working group dealing with A&A has published “recommendations” in 2003 • Most universities chose Uportal and CAS mainly for its proxy capabilities • The CRU will shortly start an AAI based on Shibboleth F. Guilleux, O. Salaün - CRU

6. Directories • Higher Education working group defining a common LDAP schema and naming • Inheritance from EduPerson • No course data definition yet • Connectors to allow the provisioning are being developed F. Guilleux, O. Salaün - CRU

7. Sympa middleware connections LDAP SQL Lists LDAP SQL Lists XML List owners List members List definition Sympa services AuthN LDAP X509 CAS Shibb AuthZ SOAP RSS LDAP Shibboleth F. Guilleux, O. Salaün - CRU

8. PKI / general overview • Started in 2000 • Technically and administratively operated by the CRU • Delivers X.509 certificates for: • People (web authentication and electronic signature in a few cases) • Servers (HTTPS, IMAPS, LDAPS…) F. Guilleux, O. Salaün - CRU

9. Hierarchy Root CA user CA enhanced user CA server CA Private key stored on PKCS#11 device F. Guilleux, O. Salaün - CRU

10. PKI / Logical structure server certificate CA National RA CRU • user certificate for : • security officers • local software providers • RA operators Local RA Local RA Local RA volunteer universities user certificate for any employee user certificate for any employee user certificate for any employee F. Guilleux, O. Salaün - CRU

11. PKI / Figures • 500 valid user certificates for: • Security officers • Local software providers • RA operators • Currently only 30 valid user certificates delivered by 10 local RAs (since this summer) • 500 valid server certificates for 90 different universities F. Guilleux, O. Salaün - CRU

12. PKI / what we have learnt… • User and server certificates use the same technology but constraints are actually different • Server certificates: • More and more used by French universities • Main problem: the “popup problem” • Easy to deliver: • Requested by official security officers • Server identity checked against a HiEd list of hostname administred by universities F. Guilleux, O. Salaün - CRU

13. PKI / what we have learnt… • User certificates: • Costly registration and revocation processes • Lot of support because of: • Poor and various certificate implementations in web browsers • Average users don’t understand PKI concepts (CAs, CRL, cert vs private key, …) • Need of PKCS#11 devices for mobility secure storage of private keys • Too much legal constraints to allow a safe use of electronic signature F. Guilleux, O. Salaün - CRU