PKI Activities at Virginia
September 2000
Jim Jokl
[email protected]
Campus PKI Deployment

Targeted functions
» UVa E-forms
– Authentication / Signing?
» Web applications
– authentication
– student mock election
» S/MIME
» Oracle ERP

Focus on Authentication and not Authorization
CA Plans

Standard Assurance CA
» Easy to obtain cert
» No serious business applications
» Simple policy, practices, and subscriber agreement

High Assurance CA
» Hard to obtain certificate
» Good for business apps, grades, etc
» Authentication, signing only
» More complicated policy, practices, and subscriber agreement

Now: an Anonymous CA too
Standard Assurance CA

Authentication:
» Last Name, DoB, ID Number, Password on one of our major systems

Lifespan:
» Faculty/Staff – one year
» Students – mid-September of next year
» Non-degree Continuing Education – end of semester

Uses: S/MIME, Web Auth, Library, some business apps, etc
High Assurance CA
(Less Defined at Present)

Authentication:
» Same as above, plus
» RA function – some form(s) of ID checked

Lifespan: longer – a few years

Likely to require hardware token

Applications:
» All of above plus ERP, real business transactions, grades, etc
Anonymous CA

Authentication:
» Use any UVa certificate to authenticate
Truly anonymous – we keep no records
No way to revoke certificate (no record ties a certificate to a person)
Lifespan: short (weeks), which bounds the exposure since revocation is impossible

Technical Infrastructure

» Open source solution: OpenSSL on Solaris
» Web site walks user through downloading root certificate
» Apache Web authentication module
» Publish into LDAP directory
» MySQL database for cert store
» Demo Apps: authentication, Home Directory browser, form signing
Technical Infrastructure
Profile & Hierarchy

Profile
» Use DC= naming for Issuer and Subject
» Left E= (emailAddress) in Subject and Issuer fields

CA Hierarchy
» UVa Main
» UVa Annual
» EE Certificates
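The hierarchy and naming profile on this slide, worked through with the openssl command line as an added example (these are not the University's own scripts). UVa Main is built as a self-signed root, UVa Annual as an intermediate under it, and end-entity certificates are issued from the intermediate with DC= naming. The O= value, the 365-day and 14-day lifetimes, the "Jane Student" subject, and the placement of a "UVa Anonymous" CA directly under UVa Main are assumptions chosen to match the deck; the short-lived anonymous certificate illustrates the earlier slide's point that a certificate which cannot be revoked must instead expire quickly.

```shell
#!/bin/sh
# Added example, not UVa's tooling: build the deck's CA hierarchy with the
# openssl CLI and check that end-entity certs chain only through the
# intermediate that issued them.  Names and lifetimes are assumptions.
set -eu

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf.  [dn] is empty because every subject is passed with -subj.
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_ee ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed UVa Main root.  In the deck this key lives on an offline box;
# here it is only a file under $1.
make_root() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/pki.cnf" -extensions v3_ca -days 3650 \
        -subj "/DC=edu/DC=virginia/O=University of Virginia/CN=UVa Main" \
        -keyout "$1/main.key" -out "$1/main.crt" 2>/dev/null
}

# Intermediate CA signed by UVa Main.  $2 = file stem, $3 = CN, $4 = days.
make_sub_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/pki.cnf" \
        -subj "/DC=edu/DC=virginia/O=University of Virginia/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$4" -in "$1/$2.csr" \
        -CA "$1/main.crt" -CAkey "$1/main.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions v3_ca -out "$1/$2.crt" 2>/dev/null
}

# End-entity cert.  $2 = issuing CA stem, $3 = file stem, $4 = CN, $5 = days.
make_ee() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/pki.cnf" \
        -subj "/DC=edu/DC=virginia/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$5" -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions v3_ee -out "$1/$3.crt" 2>/dev/null
}

# Chain check as a relying party does it: trust only UVa Main, hand over the
# intermediate as untrusted, ignore the system store.  $2 = CA stem, $3 = EE stem.
verify_chain() {
    openssl verify -no-CApath -CAfile "$1/main.crt" -untrusted "$1/$2.crt" \
        "$1/$3.crt" >/dev/null 2>&1
}

# Same check with no intermediate supplied; the chain cannot be built.
verify_without_intermediate() {
    openssl verify -no-CApath -CAfile "$1/main.crt" "$1/$2.crt" >/dev/null 2>&1
}

# RFC 2253 subject string, e.g. CN=Jane Student,DC=virginia,DC=edu
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeeds when the cert expires within $2 days (-checkend exits 1 in that case).
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1
    fi
    return 0
}

build_demo_pki() {
    write_config "$1"
    make_root "$1"
    make_sub_ca "$1" annual "UVa Annual" 365
    make_sub_ca "$1" anon "UVa Anonymous" 365       # placement under UVa Main assumed
    make_ee "$1" annual student "Jane Student" 365  # student cert: about a year
    make_ee "$1" anon guest "Anonymous" 14          # anonymous cert: weeks, unrevocable
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"
echo "student subject: $(subject_of "$WORK/student.crt")"
verify_chain "$WORK" annual student && echo "student chains to UVa Main via UVa Annual"
verify_without_intermediate "$WORK" student || echo "student does not verify without UVa Annual"
```

A relying party that trusts only UVa Main therefore needs the UVa Annual certificate alongside the end-entity certificate, which is what the Web site's root-download step and the Apache module's CA file have to provide; with today's mod_ssl that is `SSLVerifyClient require` plus `SSLCACertificateFile` holding both CA certificates, after which the DC/CN fields of the client certificate reach the application in `SSL_CLIENT_S_DN`.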
Technical Infrastructure
Protection of Private Keys

UVa Main private key
» Linux box – no network interface, removable hard disk, CD burner
» Access only by two or more “systems” staff
» Stored in vault - under non-IT control, logged, etc

UVa Annual private key
» Locked rack in secure, manned machine room
» All possible network services disabled
» Two “systems” staff required for access
» All access logged by operators
Technical Infrastructure
Hardware Tokens and Issues

Hardware token work (mobility)
» Smart cards, iButtons
» Card services RFP
» Biometrics

Issues
» Browser timeout of password for key store for authentication and signing
» Oracle ERP versions
» Library concern about users
» Dual keys, encryption, and the Standard Assurance CA
Project Team - Cost

» Technical
» Support staff & Publications
» Non-central computing
– library & sponsored programs
– Audit Department

Overall methodology helps
» User documentation
» Subscriber agreements
» Policy and Practices statements

Probably 1½ person years to date