1 / 19

PKI Update: Emerging Distinctions, Technical Basics, and Research Issues

This report provides an update on the progress of PKI implementation, including emerging distinctions, technical basics, and research issues. It covers topics such as XKMS, KX.509 and Grid, revocation methods, and the HE Bridge CA and CREN CA. The report also explores the challenges and complexities of PKI, as well as its applications in VPNs, enterprise authentication, encrypted and signed emails, and SEVIS.

gregoriop
Télécharger la présentation

PKI Update: Emerging Distinctions, Technical Basics, and Research Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Day 3 Roadmap and PKI Update

  2. When do we get to go home? Report from the BoFs CAMP assessment, next steps PKI technical update Break Research Issues in Middleware Wrap up

  3. PKI Technical Update • Some emerging distinctions • The apps - authn, web authn, s/mime, signed docs, vpn’s, SEVIS • The technical basics • XKMS and other leavenings • KX.509 and Grid • Policies and levels of assurance • Revisiting revocation – OCSP, CRL, none • HE Bridge CA, NIH pilot • CREN CA

  4. Some emerging themes • end-entity vs enterprise PKI • X.509 versus non X.509 end-entity • new problems: what you see is not what you signed…

  5. Single infrastructure to provide all security services Established technology standards, though little operational experience Elegant technical underpinnings Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption Low cost in mass numbers Why PKI?

  6. High legal barriers Lack of mobility support Challenging user interfaces, especially with regard to privacy and scaling Persistent technical incompatibilities Overall complexity Why Not PKI?

  7. The apps • VPN’s • Enterprise authentication • App authentication (the web, some Grids, etc.) • Encrypted email • Signed email and docs • SEVIS (http://www.ins.usdoj.gov/graphics/services/tempbenefits/sevp.htm)

  8. D. Wasley’s PKI Puzzle

  9. on the road to general purpose interrealm PKI the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI simplifications in policies, technologies, applications, scope each plane provides experience and value The Four Planes of PKI

  10. Full interrealm PKI - (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues Simple interrealm PKI - (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services PKI-light - (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities PKI-ultralight (Ultralights) - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane... The Four Planes are

  11. Spectrum of Assurance Levels Signature Algorithms Permitted Range of Applications Enabled Revocation Requirements and Approaches Subject Naming Requirements Treatment of Mobility ... Examples of Areas of Simplification

  12. CP: Wasley, etal. Draft HE CP stubbed to basic/rudimentary CRL: ? Applications: (Signed email) Mobility: Password enabled Signing: md5RSA Thumbprint: sha1 Naming: dc Directory Services needed: Inetorgperson PKI-Light example

  13. CP: none CRL: limit lifetime Applications: VPN, Internal web authentication Mobility: not specified Signing: not specified Thumbprint: sha1 Naming: not specified Directory Services needed: none PKI-Ultralight

  14. fBCA NIH Pilot ACES fPKI TWG Others – federal S/MIME work Internet2/NIH/NIST research conference ... Federal Activities

  15. HIPAA - Privacy specs issued HIPAA - Security specs not yet done Two year compliance phase-ins Little progress in community trust agreements Non-PKI HIPPA Compliance Options Healthcare

  16. Success stories within many individual corporations for VPN, authentication No current community ABA guidelines Others... Corporate deployments

  17. Generally a bit more successful; can leverage culture, national licensing structures, passports, etc. Higher ed efforts somewhat tied to national efforts; no trans-Euro work of note. http://www.terena.nl/projects/pki/pki-coord011126minutes-draft.html Have major Grid needs coming in 2005 As always, the directories are hard and ad hoc European Efforts

  18. KX.509 • Software that uses a Kerberos ticket to create a temporary certificate (less than 8 hrs; no revocation; etc.) • Used for authentication to certificate-based local web services (preload campus roots) in Kerberos realms • Out of Michigan; to be polished and released via NMI grant • Two parts: server (KCA) that issues certs; client code to manage incoming cert into stores,OS and applications… • New service (KCT) to issue Kerberos tickets from certs.

  19. Higher Education • HEBCA • HEPKI-TAG • HEPKI-PAG • PKI-labs • Campus successes – Texas Med, Dartmouth, MIT…

More Related