
A community-based CA: The (slow) rise of the house of Usher (The CA formerly known as CREN)


viho

Presentation Transcript


  1. A community-based CA: The (slow) rise of the house of Usher (The CA formerly known as CREN)

  2. The CA formerly known as CREN
     • Lots of discussion for a looong time – HEPKI-TAG, HEBCA-BID, PKI Labs
     • Plan is finally emerging
     • A few related certificate services
     • USHER - Level 1 - soon
     • USHER - Level 2 - start detailed planning for implementation
     • USHER CP
     • Others if warranted, eventually
     • All operate on high levels of assurance in I/A of the institution, and in their internal operation at both Internet2 and subcontractors
     • Place varying degrees of pain, and power, to the institutions
     • Helping on a packaging of open-source low-cost CA servers
     • Work with EDUCAUSE on their related initiatives

  3. Usher - Level 1
     • Modeled after Federal Citizen and Commerce CP/CPS (www.cio.gov/fpkipa/documents/citizen_commerce_cpv1.pdf)
     • Issues only institutional certs
     • Those certs can be used for any purposes
     • CP will place few constraints on campus operations
     • User identification and key management
     • Campus CA/RA activities
     • Will be operated itself at high levels of confidence
     • Will recommend a profile for campus use
     • Good for building local expertise, ensuring some consistency in approaches among campuses, and may be suitable for many campus needs and some inter-campus uses
     • Will not work for signing federal grants, etc…
     • Operational soon

  4. Usher - Level 2
     • Modeled after FBCA Basic level CP
     • Issues only institutional certs
     • Those certs can be used for most purposes
     • CP will place more constraints on campus operations
     • User identification and key management
     • Campus CA/RA activities
     • Will be operated itself at high levels of confidence
     • Will recommend a profile for campus use
     • Good for many campus needs, many inter-campus uses, and many workings with the federal government
     • Will peer at the HEBCA
     • Detailed planning now starting; stand up sometime mid-next year

  5. Interesting and Open Issues…
     • Policy Authority for USHER?
     • Conservation of policy groups
     • HEBCA PA? InCommon-Exec?
     • Final pricing and packaging
     • Working numbers <$2K first year, <$1K renewal
     • Includes strong institutional I/A, strong USHER operations
     • Leverages InCommon operations
     • Applications and use

  6. Interesting and Open Issues 2
     • Cost for Usher to peer at bridges
     • Ability to put Usher into various browsers
     • Relation to InCommon
     • Distinguishing one from the other
     • To applications
     • To users
     • Leveraging one with the other

  7. +/- of Usher
     • Pluses
       • Pricing and lack of usage constraints on campus roots
       • Strong institutional I/A – external and for subdomains
       • Community-consistent
       • ???
     • Negatives
       • Not easily in browsers
       • Uncharted peering with feds, commercials, etc.
       • Places more emphasis on running your own campus CA
       • ??

  8. Early version (diagram; labels: HEBCA, FBCA, USHER-Level 2, USHER-Level 1)

  9. Caveats
     • Progress has been very slow
     • On the other hand, good progress is being made with InCommon and much of that can be highly leveraged, at least operationally
     • HIPAA interpretations and priorities vary dramatically across campuses
     • Terena has begun to set up a registry of national R&E CA roots. It is not clear what leverage that offers.
