PKI: News from the Front
Ken Klingenstein
Project Director, I2 Middleware Initiative
Chief Technologist, University of Colorado at Boulder

PKI Components
• X.509 certificates, profiles, PKCS
• CAs and CRLs, RAs, ARLs
• policies and practices
• trust models
• viable products that generate, invalidate, manage, and store keys and certs

Why Is PKI Important
• It's now time to put people versus machines on the net in a secure way
• First possible scalable security/authentication tool
• Confounded by real-world issues, such as mobility, formalizing trust, inadequate infrastructure, etc.

General Developments
• Businesses deploying internal, “hard-coded” installations
• Federal government developing external, limited use installation and agency interoperability
• Foreign governments developing centralized national services

What’s Happening in HE/R
• A very few campuses have deployed a limited infrastructure for specific, generally web-based, applications - MIT, Stanford
• Use of junk certs in some instances
• DLF pilot project - UCOP, Columbia
• CREN is working on a top-level CA
• Educause is working in policy space

Higher Ed/Research and PKI
• loosely coupled management structures
• people are usually an intersection of a number of communities of interest
• regulations - FERPA, Open Records, state govs, federal agencies
• pre-market needs; small market appeal

Why Are We Important
• Higher Ed a proven scaling testbed and market precursor
• Educated user base
• Need to push edge to support research mission
• Can assess societal impacts
• In this area, our multi-role characteristics presage the future

Functional Uses of Certs
• Access token (e.g. Libraries)
• Session authentication (real time)
• Authorization (native, or carrying of attributes)
• Encryption of email or files (S/MIME)
• Session integrity and confidentiality (e.g. SSL, TLS, IPSEC)
• Digitally signed objects

Technical support needs - 1
• Archiving
• Escrow
• CRL
• Automatic cert renewal
• Mobility
• Exportability
• Overseas
• On-line or off-line operation

Technical support needs - 2
• Non-repudiation
• NTP
• Directories
• Identifiers
• CPS
• Load (number of pages)

An Undeveloped Matrix
• Rows are functional uses
• Columns are technical requirements
• Entries represent the ways in which desired uses require specific infrastructural components
• Important aspects for entries include:
  • what is needed to do it right
  • how can it be done wrong
  • does it need to interoperate

Three Critical Contexts
• Does it work for the end-user
• Does it work for the enterprise
• Does it work for the community of interest

X.509 and PKCS
• X.509 defines certificates, trust models, and uses
• PKCS defines critical implementation details - e.g. specific encryption algorithm choices, key formats for portability, etc.
• PKCS is RSA-oriented; patent burning party next year.

Isolation layers
• To separate application programmers from the turmoil at the security layer
• Allows service providers to change service implementations
• Implemented as APIs and associated libraries
• GSSAPI, GAAAPI, MS CryptoAPI (version 2), Novell NICI, Java

Higher Ed PKI Open Issues - I
• profiles - common certificate templates for standard academic uses
• policies - stating eligibilities, roles and responsibilities
• practices - standard specific operating conventions
• trust models - hierarchy, bridge, none; on and off-campus
• risk abatement - minimize consequence

Higher Ed PKI Open Issues - II
• CRLs - where to store, what frequency to publish
• viable products - cost, flexible, mobility, integration with embedded bases, public domain/open source alternatives
• research opportunities - apps that use policies