PKI Activities at Virginia
September 2000
Jim Jokl
[email protected]
Campus PKI Deployment
Targeted functions
» UVa E-forms
– Authentication / Signing?
» Web applications
– authentication
– student mock election
» S/MIME
» Oracle ERP
Focus on Authentication and not Authorization (the certificate establishes who the user is; what the user may do is decided by each application)
CA Plans
Standard Assurance CA
» Easy to obtain cert
» No serious business applications
» Simple policy, practices, and subscriber agreement
High Assurance CA
» Hard to obtain certificate
» Good for business apps, grades, etc.
» Authentication, signing only
» More complicated policy, practices, and subscriber agreement
Now: an Anonymous CA too
Standard Assurance CA
Authentication:
» Last Name, DoB, ID Number, Password on one of our major systems
Lifespan:
» Faculty/Staff – one year
» Students – mid-September of next year
» Non-degree Continuing Education – end of semester
Uses: S/MIME, Web Auth, Library, some business apps, etc.
High Assurance CA
(Less Defined at Present)
Authentication:
» Same as above, plus
» RA function – some form(s) of ID checked
Lifespan: longer – a few years
Likely to require hardware token
Applications:
» All of above plus ERP, real business transactions, grades, etc.
Anonymous CA
Authentication:
» Use any UVa certificate to authenticate
Truly anonymous – we keep no records
No way to revoke a certificate (with no records there is nothing to revoke against), so exposure is bounded only by the lifespan
Lifespan: short (weeks)
Technical Infrastructure
Open source solution: OpenSSL on Solaris
Web site walks user through downloading root certificate
Apache Web authentication module
Publish into LDAP directory
mySQL database for cert store
Demo Apps: authentication, Home Directory browser, form signing
Technical Infrastructure
Profile & Hierarchy
Profile
» Use DC= naming for Issuer and Subject
» Left E= (emailAddress) in Subject and Issuer fields
CA Hierarchy
» UVa Main
» UVa Annual
» EE Certificates
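The hierarchy on this slide (UVa Main signing UVa Annual, which signs end-entity certificates), the DC= naming with E= left in the Subject, the one-year lifespan from the Standard Assurance CA slide, and the short-lived Anonymous CA, as one added shell example. This is not code from the slides or from UVa's deployment: the key sizes, lifetimes, extension sets, the sample user, and the placement of the Anonymous CA under UVa Main are assumptions, and it only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the UVa slides: a two-tier hierarchy modelled on
# UVa Main -> UVa Annual -> EE, with DC= naming and E= (emailAddress) kept
# in the Subject. Key sizes, lifetimes, extension sets and the sample user
# are assumptions; only the structure and the one-year lifespan are from the
# slides. Needs the openssl command-line tool.
set -eu

# Generate a key and CSR named $2 with subject $3 under directory $1.
new_csr() {
  ( cd "$1" && openssl genrsa -out "$2.key" 2048 >/dev/null 2>&1 \
      && openssl req -new -key "$2.key" -subj "$3" -out "$2.csr" >/dev/null 2>&1 )
}

# Sign CSR $3 with the CA named $2 (main, annual, ...), extension file $4,
# lifetime $5 days, writing $6. All paths are relative to directory $1.
sign_with() {
  ( cd "$1" && openssl x509 -req -in "$3" -CA "$2.pem" -CAkey "$2.key" \
      -CAcreateserial -days "$5" -extfile "$4" -out "$6" >/dev/null 2>&1 )
}

build_hierarchy() {
  dir=$1
  mkdir -p "$dir"
  # Extension profiles (constructed here). pathlen:0 on an issuing CA means
  # it can sign end-entity certificates but never another CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/issuing.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth,emailProtection\n' > "$dir/ee.ext"

  # UVa Main: self-signed, long-lived root. In production its key stays on
  # the offline, network-less machine the slides describe.
  new_csr "$dir" main "/DC=edu/DC=virginia/CN=UVa Main"
  ( cd "$dir" && openssl x509 -req -in main.csr -signkey main.key -days 3650 \
      -extfile root.ext -out main.pem >/dev/null 2>&1 )

  # UVa Annual: the online issuing CA, re-issued periodically by Main.
  new_csr "$dir" annual "/DC=edu/DC=virginia/CN=UVa Annual"
  sign_with "$dir" main annual.csr issuing.ext 730 annual.pem

  # Anonymous CA (assumed to sit under Main as a sibling of Annual).
  new_csr "$dir" anonca "/DC=edu/DC=virginia/CN=UVa Anonymous"
  sign_with "$dir" main anonca.csr issuing.ext 730 anonca.pem
  cat "$dir/annual.pem" "$dir/anonca.pem" > "$dir/intermediates.pem"

  # End-entity cert for a hypothetical faculty member: one-year lifespan,
  # DC= naming, E= (emailAddress) left in the Subject as on the slides.
  new_csr "$dir" ee "/DC=edu/DC=virginia/CN=Jane Faculty/emailAddress=jf9z@virginia.edu"
  sign_with "$dir" annual ee.csr ee.ext 365 ee.pem

  # Rogue CA that copies UVa Annual's name: anything it signs must fail,
  # because trust is anchored in main.pem, not in the issuer DN.
  new_csr "$dir" rogue "/DC=edu/DC=virginia/CN=UVa Annual"
  ( cd "$dir" && openssl x509 -req -in rogue.csr -signkey rogue.key -days 730 \
      -extfile issuing.ext -out rogue.pem >/dev/null 2>&1 )
  sign_with "$dir" rogue ee.csr ee.ext 365 ee-rogue.pem
}

# Anonymous issuance: the Subject carries a random token, not a person,
# validity is weeks, and the CA keeps neither CSR nor index, so expiry is
# the only control left (there is nothing to revoke against). Prints token.
issue_anonymous() {
  token=$(openssl rand -hex 8)
  new_csr "$1" anon "/DC=edu/DC=virginia/CN=anon-$token"
  sign_with "$1" anonca anon.csr ee.ext 21 anon.pem
  rm -f "$1/anon.csr"
  echo "$token"
}

# Relying-party check: does $2 chain to UVa Main through one of the issuing
# CAs, and is it usable for client (browser) authentication? 0 on success.
verify_chain() {
  openssl verify -purpose sslclient -CAfile "$1/main.pem" \
      -untrusted "$1/intermediates.pem" "$2" >/dev/null 2>&1
}

# The identity a web application receives: authentication only; what the
# user may do is decided elsewhere.
ee_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

DEMO=$(mktemp -d)
build_hierarchy "$DEMO"
verify_chain "$DEMO" "$DEMO/ee.pem" && echo "accepted: $(ee_subject "$DEMO/ee.pem")"
verify_chain "$DEMO" "$DEMO/ee-rogue.pem" || echo "rejected: same issuer DN, wrong issuing key"
issue_anonymous "$DEMO" >/dev/null
verify_chain "$DEMO" "$DEMO/anon.pem" && echo "accepted: $(ee_subject "$DEMO/anon.pem")"
```

The rogue case is the point of anchoring trust in the root certificate the web site hands out rather than in names: a certificate whose issuer DN reads "UVa Annual" but was not signed with UVa Annual's key is rejected. Because the anonymous certificate chains to the same root, an Apache module that only checks the chain would accept it like any other UVa certificate; an application that needs a real identity must also look at which issuing CA signed the certificate.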
Technical Infrastructure
Protection of Private Keys
UVa Main private key
» Linux box – no network interface, removable hard disk, CD burner
» Access only by two or more “systems” staff
» Stored in vault - under non-IT control, logged, etc
UVa Annual private key
» Locked rack in secure, manned machine room
» All possible network services disabled
» Two “systems” staff required for access
» All access logged by operators
Technical Infrastructure
Hardware Tokens and Issues
Hardware token work (mobility)
» Smart cards, iButtons
» Card services RFP
» Biometrics
Browser timeout of password for key store for authentication and signing
Oracle ERP versions
Library concern about users
Dual keys, encryption, and the Standard Assurance CA
Project Team - Cost
Technical
Support staff & Publications
Non-central computing
» library & sponsored programs
» Audit Department
Overall methodology helps
» User documentation
» Subscriber agreements
» Policy and Practices statements
Probably 1½ person years to date