190 likes | 203 Vues
This report provides an update on the progress of PKI implementation, including emerging distinctions, technical basics, and research issues. It covers topics such as XKMS, KX.509 and Grid, revocation methods, and the HE Bridge CA and CREN CA. The report also explores the challenges and complexities of PKI, as well as its applications in VPNs, enterprise authentication, encrypted and signed emails, and SEVIS.
E N D
When do we get to go home? Report from the BoFs CAMP assessment, next steps PKI technical update Break Research Issues in Middleware Wrap up
PKI Technical Update • Some emerging distinctions • The apps - authn, web authn, s/mime, signed docs, vpn’s, SEVIS • The technical basics • XKMS and other leavenings • KX.509 and Grid • Policies and levels of assurance • Revisiting revocation – OCSP, CRL, none • HE Bridge CA, NIH pilot • CREN CA
Some emerging themes • end-entity vs enterprise PKI • X.509 versus non X.509 end-entity • new problems: what you see is not what you signed…
Single infrastructure to provide all security services Established technology standards, though little operational experience Elegant technical underpinnings Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption Low cost in mass numbers Why PKI?
High legal barriers Lack of mobility support Challenging user interfaces, especially with regard to privacy and scaling Persistent technical incompatibilities Overall complexity Why Not PKI?
The apps • VPN’s • Enterprise authentication • App authentication (the web, some Grids, etc.) • Encrypted email • Signed email and docs • SEVIS (http://www.ins.usdoj.gov/graphics/services/tempbenefits/sevp.htm)
on the road to general purpose interrealm PKI the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI simplifications in policies, technologies, applications, scope each plane provides experience and value The Four Planes of PKI
Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities PKI-ultralight (Ultralights) - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane... The Four Planes are
Spectrum of Assurance Levels Signature Algorithms Permitted Range of Applications Enabled Revocation Requirements and Approaches Subject Naming Requirements Treatment of Mobility ... Examples of Areas of Simplification
CP: Wasley, etal. Draft HE CP stubbed to basic/rudimentary CRL: ? Applications: (Signed email) Mobility: Password enabled Signing: md5RSA Thumbprint: sha1 Naming: dc Directory Services needed: Inetorgperson PKI-Light example
CP: none CRL: limit lifetime Applications: VPN, Internal web authentication Mobility: not specified Signing: not specified Thumbprint: sha1 Naming: not specified Directory Services needed: none PKI-Ultralight
fBCA NIH Pilot ACES fPKI TWG Others – federal S/MIME work Internet2/NIH/NIST research conference ... Federal Activities
HIPAA - Privacy specs issued HIPAA - Security specs not yet done Two year compliance phase-ins Little progress in community trust agreements Non-PKI HIPPA Compliance Options Healthcare
Success stories within many individual corporations for VPN, authentication No current community ABA guidelines Others... Corporate deployments
Generally a bit more successful; can leverage culture, national licensing structures, passports, etc. Higher ed efforts somewhat tied to national efforts; no trans-Euro work of note. http://www.terena.nl/projects/pki/pki-coord011126minutes-draft.html Have major Grid needs coming in 2005 As always, the directories are hard and ad hoc European Efforts
KX.509 • Software that uses a Kerberos ticket to create a temporary certificate (less than 8 hrs; no revocation; etc.) • Used for authentication to certificate-based local web services (preload campus roots) in Kerberos realms • Out of Michigan; to be polished and released via NMI grant • Two parts: server (KCA) that issues certs; client code to manage incoming cert into stores,OS and applications… • New service (KCT) to issue Kerberos tickets from certs.
Higher Education • HEBCA • HEPKI-TAG • HEPKI-PAG • PKI-labs • Campus successes – Texas Med, Dartmouth, MIT…