
Higher Ed Certificate Authority by CREN



Presentation Transcript


  1. Higher Ed Certificate Authority by CREN
     October 12, 2000
     TERENA Meeting/Paris

  2. What is CREN in Year 2000?
     • A non-profit higher education member organization - 230 members
     • Mission - Support higher education and research organizations with strategic IT knowledge services and communication tools for infrastructure
     • Evolving from BITNET launched in 1984 (Visit us at www.cren.net)
     • “Corporation for Research and Educational Networking”
     www.cren.net

  3. Certificate Authority - Topics (3)
     • Operations and Status
       • As many questions as we have answers..:-)
     • Evolving Trust Models
       • Hierarchical model - Trust Anchor
       • Bridge model - Trust Conduit
       • Cross-certification Plans
     • Evolving Documents
       • Certificate Policies - with cert profile info
       • Certificate Practice Statements
       • IETF RFC 2527 as guide to doc development

  4. Certificate Authority by CREN
     • Goal is to simplify connection to a trust community
     • Serve as a trusted third party and to facilitate trust relationships
       • Among institutions
       • Between higher education and other communities
     • Provide a link to other validated, trusted institutions without a separate pair-wise trust relationship between each pair of institutions

  5. Certificate Authority by CREN
     • Primary initial use is a focus on supporting inter-institutional resource sharing
       • Among institutions
       • Between institutions and content providers
       • Primarily for academic content and research resources
     • Goal - map to basic or medium assurance with Federal Bridge Certificate Authority
     • Operate under a Certificate Practices Statement of 1/27/2000 Version 3.0

  6. Higher Education CA by CREN - Hierarchical CA Trust Community
     [Diagram: HeHRCA (CREN) at the top of the hierarchy, with Minn, MIT, Princeton, GaTech, UTenn, Penn State and UT-Austin beneath it]
     • HeHRCA Group shares “close enough” CP, CPS
     • Hierarchy as “Trust Anchor.”

  7. Operations - Higher Ed CA (1)
     • CA Subscriber process
       • Two page Application Form completed by Institution’s CREN member rep
       • Signed by an executive officer of institution
     • Once registration is complete, the technical contact
       • Issues request for certificate
       • Accepts the certificate on behalf of institution

  8. Operations - Higher Ed CA (2)
     • CREN Office
       • Serves as the Registration Authority (RA)
       • Receives, approves, and manages the applications and issuance of institutional certificates
       • Validates institutional contacts for the institutional CA certificate
       • Sends message to MIT approving and initiating secure contact with institution

  9. Operations - Higher Ed CA (3)
     • MIT
       • Operates the CREN CA under contract for CREN
       • Receives the certificate request message directly from technical contact at institution
       • Generates the institutional certificate
       • Sends the institutional certificate back to technical contact and to CREN RA Contact
       • Updates the repository of certificates

  10. CREN Root Key Cutting Ceremony at MIT 11/17/99

  11. Certificate Authority Status
     • Institutional certificates issued and accepted
       • MIT, Georgia Tech, Princeton
       • U of Minnesota, UT-Austin, Penn State
     • Testing with JSTOR is underway
       • Success with remote access using U of MN CREN-issued certificate - 9/19/00
       • One next step: test with U Minn directory query based on https embedded in certificate

  12. Applications
     • Registration process complete - U Tenn & U Mass - Amherst
     • Applications received - in various stages of process
       • Johns Hopkins University
       • Florida State University
     • Other applications received, but folks wanted something else

  13. Relationship of CREN within Higher Education (1)
     • Working closely with HEPKI-TAG and PAG
       • TAG - Technical Issues Group
       • PAG - Policy Issues Group
     • HEPKI is a loose federation of Internet2, EDUCAUSE and CREN and community folks
     • Led by Ken Klingenstein - Internet2 and many others...

  14. Relationship of CREN within Higher Education (2)
     • Issues with the certificate profile.
       • More detail on next two slides...
     • Other technical issues on table
       • Repositories, trust paths and revocation
     • Policy and practices work - again with HEPKI-PAG and TAG groups

  15. Certificate Profile Issues
     • Validity Period
       • CREN root renewed on 6/14/2000 is valid to 11/17/07 - Eight years
       • Institutional certificates are issued with five year validity period
     • DC naming in certificates
       • Can include DC in “Subject Field” of Institutional Certificate following X.500 name
       • CREN cert “Subject field” will be X.500 only
       • HEPKI Recommendation - Jim Jokl paper in review

  16. Certificate Profile Issues - More
     • Upgraded to Version 3 cert with extensions in 6/00
     • Continuing discussion on other attributes in the Basic Constraints and Key Usage fields -- gathering input to January 2001.
     • Issue of hash - change to SHA1 from MD5 for the signature algorithm
     • Have an OID - 7091 - from IANA

  17. Certificate Profile Issues - More
     • Principle - Profiles of CREN root certificate, institutional certificates, and client certificates can and probably will be different
     • HEPKI-TAG is working towards more consistency rather than less with certificate profiles - again led by Ken Klingenstein

  18. Policy Work: HEPKI and CREN
     • Certificate policy work
       • Mapping policies from FBCA, and Euro-PKI with RFC 2527
       • HEPKI Goal - create generic higher ed certificate policy and CPS
     • Revise the existing CREN CPS and develop a Certificate Policy - need one for CREN CA Hierarchy and one for CREN CA Bridge
     • Evolving to a recommendation that Campus CAs need both CP and CPS

  19. Possible PKI Infrastructure - Higher ED
     [Diagram: HEPKI-PA above HeBCA/CREN and HeHRCA/CREN; bridge members include Mn, UCOP, MIT, GeorgeT, Princeton, UAB, GaTech, UTenn, UWI, HeI, Penn State and UT-Austin]
     • HeBCA Group shares “close enough” CP, CPS - but might map to higher level of assurance or have different granularities of relationships
     • Bridge acts as trust conduit or transport

  20. Evolving PKI Infrastructure - Higher ED and Links to Others
     [Diagram: HEPKI-PA over HeBCA/CREN and HeHRCA/CREN with HeI members; FPKI-PA over FBCA; a Relying Parties Community of DOE, DOJ, etc. linked through the bridges]
     Note: Not clear how vendors should be represented.

  21. June 2000 CREN CA Pilot Meeting
     • Jeff demonstrated first version of CREN repository
     • Certificate profile work reviewed
     • Working Groups:
       • Validity period working group: Chair Michael Gettes
       • Protecting private keys: Co-Chairs are Jeff Schiller & Ariel Glenn
       • Vendor Solutions Group - Chair Kevin Unrue

  22. CREN CA Continuing work Fall, 2000 (1)
     • Continue working the issues and issuing institutional certificates
     • Work on building community awareness and expertise via scenarios, FAQs, and workshops plus support of HEPKI activities
     • Examine feasibility of issuing server certificates to institutions with institutional certificates

  23. CREN CA Continuing work Fall, 2000 (2)
     • FAQ on Directories is in review
       • Complement for FAQ on PKI
       • Complements the “LDAP Recipe”
     • CA Pilot Schools meeting in October with Internet2 in Atlanta
     • Planning for Seminars on Directories and Certificate Authorities in late January 2001
     • Plan for CREN CA Production Levels
     • Work on the browser challenge...

  24. Continuing Open Questions
     • Certificate Profiles - Can we achieve a common profile? Also common CPs and CPSs?
     • How will the CA relationships within higher education in the US evolve?
     • How to get the CREN Root in the Netscape and IE browsers?
     • What might the links to Euro-PKI look like?
     • What community of interest does the Euro-PKI Certificate Policy address?

  25. For More Information…and to Get Involved...
     • HEPKI is the place to start
       • website: www.educause.edu/HEPKI
     • CA List at CREN
       • Send request to cren@cren.net
     • CREN Web site - www.cren.net
       • CA Section
       • Archived TechTalks
       • FAQ on PKI Infrastructure at web site
       • Campus scenarios
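The trust models on slides 6, 19 and 20 (hierarchy under the CREN root as trust anchor, bridge as trust conduit) and the profile checks on slides 15 and 16 can be seen together in a small path-building model. This is an added example, not CREN or MIT code: the CA names follow the slides, the root validity dates are those on slide 15, and every other certificate, date and user name is constructed for the illustration.

```python
# Added example, not CREN or MIT code: a toy model of the slide 6/19/20 trust topology
# (hierarchy under the CREN root HeHRCA; bridge HeBCA cross-certified with that hierarchy
# and with the FBCA). It builds a certification path from a relying party's trust anchor
# and applies the slide 15/16 checks (validity, cA flag, MD5 vs SHA1) to each cert on it.
from collections import deque, namedtuple
from datetime import date

# is_ca models the Basic Constraints cA flag; sig_alg is the issuer's signature algorithm
Cert = namedtuple("Cert", "subject issuer not_before not_after is_ca sig_alg")
WEAK_SIG_ALGS = {"md5WithRSA"}          # slide 16: move from MD5 to SHA1
MEETING = date(2000, 10, 12)            # evaluation date used below (the TERENA meeting)

def check_cert(cert, on):
    """Problems with one certificate when evaluated on date `on`."""
    problems = []
    if not cert.not_before <= on <= cert.not_after:
        problems.append(f"{cert.subject}: outside validity period on {on}")
    if cert.sig_alg in WEAK_SIG_ALGS:
        problems.append(f"{cert.subject}: signed with weak hash {cert.sig_alg}")
    return problems

def build_path(certs, trust_anchor, target, on):
    """BFS over issuer->subject edges; returns (subject names on shortest path or None, problems)."""
    by_issuer = {}
    for c in certs:
        by_issuer.setdefault(c.issuer, []).append(c)
    queue, seen = deque([[]]), {trust_anchor}
    while queue:
        path = queue.popleft()
        tail = path[-1].subject if path else trust_anchor
        for c in by_issuer.get(tail, []):
            if c.subject in seen:       # cross-certs run both ways: never loop
                continue
            if c.subject == target:
                full = path + [c]
                return [x.subject for x in full], [p for x in full for p in check_cert(x, on)]
            if c.is_ca:                 # only cA=TRUE certificates may issue
                seen.add(c.subject)
                queue.append(path + [c])
    return None, [f"no certification path from {trust_anchor} to {target}"]

CERTS = [  # constructed sample certificates; only the root dates come from slide 15
    Cert("HeHRCA", "HeHRCA", date(2000, 6, 14), date(2007, 11, 17), True, "sha1WithRSA"),
    Cert("MIT", "HeHRCA", date(2000, 1, 10), date(2005, 1, 10), True, "sha1WithRSA"),
    Cert("Princeton", "HeHRCA", date(1999, 12, 1), date(2004, 12, 1), True, "md5WithRSA"),
    Cert("HeBCA", "HeHRCA", date(2000, 9, 1), date(2003, 9, 1), True, "sha1WithRSA"),  # cross-cert
    Cert("HeHRCA", "HeBCA", date(2000, 9, 1), date(2003, 9, 1), True, "sha1WithRSA"),  # cross-cert
    Cert("HeBCA", "FBCA", date(2000, 9, 1), date(2003, 9, 1), True, "sha1WithRSA"),    # FBCA -> bridge
    Cert("alice@mit.edu", "MIT", date(2000, 3, 1), date(2001, 3, 1), False, "sha1WithRSA"),
    Cert("bob@princeton.edu", "Princeton", date(1999, 1, 1), date(2000, 1, 1), False, "sha1WithRSA"),
]
```

From the FBCA anchor the path to the MIT user runs through the bridge and the CREN root (four certificates); from the HeHRCA anchor the same user is reached in two, which is the difference between trust conduit and trust anchor on the slides.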
