US Higher Education Root CA (USHER) Update

Presentation Transcript

  1. US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia

  2. USHER - US Higher Education Root CA • Philosophy • Lots of discussions about the needs of our community • Eventual decision to implement what we call USHER-Basic first • A different version of USHER may appear in the future to support applications that require higher levels of assurance

  3. USHER Basic Summary • Purpose: facilitate inter-institutional use of campus-issued PKI credentials • USHER-Basic target • Campuses that operate their PKI infrastructure at the same LOA as their common password-based systems • Email, scheduling, and commodity computing, etc. • The USHER CA itself will operate at a relatively high level of assurance

  4. PKI Applications • USHER was designed with some of these example applications in mind • LionShare • Grids (Globus toolkit) • Electronic mail (S/MIME) • VPN (IPSec), Wireless (EAP-TLS), & SSH authentication • Web authentication

  5. Expected Practices • When campuses join USHER, they are expected to adhere to a set of “Expected Practices” • Will operate their PKI using processes that are at least as strong as how they manage accounts for email and calendaring • Campuses may issue certificates to anyone affiliated with their institution – the campus definition of affiliation applies

  6. Expected Practices • The campus will actively maintain all services that are implied in their certificates, e.g., • CRLs • Policy and practices if Policy OID is present • Campuses will not join USHER if they cannot or will not meet the expected practices • Expected practices are still being finalized

  7. CA/RA Process • Signed Participation Agreement • Signed by a campus official authorized to commit the university • Designates the operational campus entity • A strong process similar to the one that was used by CREN is used to validate the campus operator and establish a secure communications channel • The campus generates a request which is then signed by the USHER CA

  8. USHER: Some Q&A • Can a campus have multiple USHER CAs? • Yes, and some may do this for organizational reasons • Also, one campus USHER CA can issue an Authority Certificate to another as long as this is consistent with existing campus ID management practices • Eligibility • US Higher Education Institutions • Other entities sponsored by a US Higher Education member

  9. USHER: Some Q&A • What is the minimum LOA that a relying party can assume? • A campus official designated a campus organization to operate the USHER CA • USHER used a strong process to validate the organization and establish a secure communications channel • The USHER CA signs campus authority certificates using a strong technical process

  10. PKI and USHER/HEBCA • (How) do all of these PKI pieces fit together? • USHER – US Higher Education Root CA • HEBCA – Higher Education Bridge CA • Campus Certification Authorities • EDUCAUSE contract for outsourced certificates • What should a campus be doing? • Where’s the glue?

  11. A Higher-level View of Inter-organizational Trust • [Diagram; labels: FBCA, HEBCA, SAFE, Commercial, Others, Educause Verisign CA, USHER CA, Campus CA, Campus Users]

  12. Thank you • Questions/Discussion