University of Texas PKI Status
CREN-Mellon conference, December 1, 2001
PKI TEAM
Gene Titus, Systems Architect
(U.T. System Office of Telecommunication Services)
Jim Lyons, Developer and DBA
(U.T. Austin ITS/Telecommunications and Networking)
Frank Sayre, Coordination, Policy
(U.T. Austin ITS/Telecommunications and Networking)
U.T. System Associate Vice-Chancellor, Chief Information Officer
U.T. System System Audit Office
U.T. System Office of Information Resources
U.T. Austin Vice-President for Information Technology (ITS)
ITS Administrative Computing
ITS Security Office
U.T. Austin Office of Internal Audits
Management of Community Data
Directory organized as X.500 hierarchy
Campus-wide, 100% coverage of entire community
Populated through daily ‘feeds’ from HR and Registrar
Managed via OpenLDAP v. 1.2x
Accessible via Richter/TU Chemnitz web500gw-2.1b3 at http://directory.utexas.edu/
Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
Current Network Authentication Scheme
Electronic ID (EID) -- pre-PKI
Campus-wide: 100% of community using network-based electronic services (grades, transcript requests, class rosters, time sheets, bio updates, etc.)
Username/password credential providing single sign-on for network-based services
Established at face-to-face presentation of identity credentials at University ID Center
User logon through HTTPS connection to HPUX systems tied in with central authorization records residing in MVS. Authorization data is passed inside an RSA MD5-"encrypted" cookie (MD5 is a message digest, not a cipher, so the cookie carries a digest over the authorization data rather than being encrypted)
Viable authentication mechanism for end-user certificate requests through HTTPS-based PKI Registration Authority
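The cookie check described above, as an added shell example using the openssl command line. It is not U.T.'s EID code, and the slides do not say how the MD5 value in the cookie is computed or whether a server-side secret is mixed in; the cookie layout ("data:hexdigest"), the field names, the secret and the forged values are all constructed here. The example contrasts an unkeyed digest, which any client can recompute after editing its own authorization fields, with a keyed digest (HMAC-SHA256) that only a holder of the server secret can produce.

```shell
#!/bin/sh
# Integrity check for an authorization cookie, using the openssl CLI.
# Added example, not U.T.'s EID code; the cookie layout "data:hexdigest",
# the field names, the secret and the forged values are all constructed here.
# The slides say the cookie is "RSA MD5-encrypted"; MD5 is a digest, so the
# question for such a cookie is whether the digest is keyed. Both variants
# are shown, with HMAC-SHA256 as the keyed one.
set -eu

md5_tag()  { printf '%s' "$1" | openssl dgst -md5 | awk '{print $NF}'; }              # unkeyed
hmac_tag() { printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" | awk '{print $NF}'; } # keyed

make_cookie_unkeyed() { printf '%s:%s' "$1" "$(md5_tag "$1")"; }        # DATA
make_cookie_keyed()   { printf '%s:%s' "$1" "$(hmac_tag "$1" "$2")"; }  # DATA SECRET

# Return 0 when the tag matches the data. A real server would compare the
# tags in constant time; shell string comparison is not.
check_cookie_unkeyed() { [ "${1##*:}" = "$(md5_tag "${1%:*}")" ]; }        # COOKIE
check_cookie_keyed()   { [ "${1##*:}" = "$(hmac_tag "${1%:*}" "$2")" ]; }  # COOKIE SECRET

outcome() {  # outcome LABEL CMD ARGS... -> "LABEL:pass" or "LABEL:fail"
    label=$1; shift
    if "$@"; then echo "$label:pass"; else echo "$label:fail"; fi
}

cookie_demo() {  # cookie_demo SECRET
    secret=$1
    genuine="eid=jdoe&role=student"
    forged="eid=jdoe&role=staff"   # a client that edits its own role field
    # The unkeyed forgery passes because the client can recompute MD5 itself;
    # the keyed forgery fails because it was tagged with a guessed secret.
    printf '%s %s %s %s\n' \
        "$(outcome unkeyed-genuine check_cookie_unkeyed "$(make_cookie_unkeyed "$genuine")")" \
        "$(outcome unkeyed-forged  check_cookie_unkeyed "$(make_cookie_unkeyed "$forged")")" \
        "$(outcome keyed-genuine   check_cookie_keyed "$(make_cookie_keyed "$genuine" "$secret")" "$secret")" \
        "$(outcome keyed-forged    check_cookie_keyed "$(make_cookie_keyed "$forged" "guessed-secret")" "$secret")"
}
cookie_demo "server-secret-assumed"
```

The unkeyed variant detects accidental corruption only; anyone who can read the cookie format can re-tag edited data. The keyed variant ties the tag to a secret the client never sees, which is the property an authorization cookie needs regardless of which digest algorithm is used.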
Planned Initial Uses, 2002/03
SSL server certificates
Authentication for network-based services (to some degree replacing EID)
Digitally signed documents (S/MIME protocol) for special groups
Digitally signed and encrypted e-mail (S/MIME protocol) for special groups
Current Deployment Status: U.T. System
Certification Authority implemented with PERL/OpenSSL -- tested
Private key storage in Chrysalis Luna CA3 (FIPS 140-1, level 3) HSM -- tested
CA certificate to be signed by CREN -- January, 2002
System operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
Issuance of Institutional CA certificates for U.T. component campuses -- Spring, 2002
Policy governing CA certificate issuance -- due early Spring, 2002
Current Deployment Status: U.T. Austin
Certification Authority implemented with PERL/OpenSSL -- tested
HTTPS-accessible Registration Authority implemented in PERL -- tested
Registration Authority integrated with current EID network authentication -- tested
Issuance of end-entity certificates to Schlumberger CyberFlex smartcards -- tested
Back-end storage and management of certificates in Unix dbm -- tested
Initial, informal testing of CRL publication to OCSP server -- completed
Initial, informal testing of PKI-enabled client applications -- significant problems revealed
Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
CA certificate signed by U.T. System CA -- Spring, 2002
Policy governing issuance of SSL server certificates -- early Spring, 2002
Issuance of SSL server certificates -- commence Spring, 2002
Policy for end-entity certificates for special groups -- drafted Spring, 2002
Publication of end-entity certificates to Directory -- needs additional testing in Spring, 2002
Publication of CRLs to OCSP server -- needs additional testing in Spring, 2002
Formal testing of PKI-enabled client applications -- commence Summer, 2002
Formal testing of OCSP client-server functions -- commence Summer, 2002
Preparation of user documentation and support procedures -- commence Summer, 2002
End-entity certificate issuance for special groups -- Fall, 2002, or Spring, 2003
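The two-tier hierarchy and CRL workflow in the two status lists above (a U.T. System CA certifying the U.T. Austin CA, which issues SSL server certificates and publishes CRLs), as an added shell example built on the openssl command line. It is not the PERL/OpenSSL code from the slides, which the deck does not show. Assumptions made here: the U.T. System root is self-signed rather than signed by CREN, the CA keys are plain files rather than a Luna CA3 HSM, the "openssl ca" index.txt database stands in for the Unix dbm certificate store, and directory.utexas.edu (borrowed from the directory slide) is used only as a sample server name. The script issues a server certificate, validates it against the chain and CRL, revokes it, republishes the CRL, and validates again.

```shell
#!/bin/sh
# Two-tier CA (U.T. System root -> U.T. Austin institutional CA -> SSL server
# certificate) with CRL-based revocation, driven by the openssl CLI.
# Added example; not the PERL/OpenSSL code from the slides. Assumed here:
# the root is self-signed (the deck has CREN sign it), keys are plain files
# (the deck keeps the System CA key in a Luna CA3 HSM), and index.txt is the
# certificate database (the deck uses Unix dbm).
set -eu

build_hierarchy() {  # build_hierarchy WORKDIR
    root=$1; ca=$root/austin
    mkdir -p "$ca/newcerts"; : > "$ca/index.txt"
    echo 1000 > "$ca/serial"; echo 1000 > "$ca/crlnumber"
    # One config: a no-prompt [req], the "openssl ca" database, extension profiles.
    cat > "$root/pki.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ ca ]
default_ca = austin_ca
[ austin_ca ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
serial = $ca/serial
crlnumber = $ca/crlnumber
certificate = $ca/ca.crt
private_key = $ca/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:directory.utexas.edu
EOF
    # Root: U.T. System CA, self-signed for this offline run.
    openssl genrsa -out "$root/system.key" 2048 2>/dev/null
    openssl req -new -config "$root/pki.cnf" -key "$root/system.key" \
        -subj "/O=University of Texas System/CN=U.T. System CA" -out "$root/system.csr"
    openssl x509 -req -in "$root/system.csr" -signkey "$root/system.key" -days 3650 \
        -extfile "$root/pki.cnf" -extensions ca_ext -out "$root/system.crt"
    # Institutional CA: U.T. Austin, certified by the System CA.
    openssl genrsa -out "$ca/ca.key" 2048 2>/dev/null
    openssl req -new -config "$root/pki.cnf" -key "$ca/ca.key" \
        -subj "/O=University of Texas at Austin/CN=U.T. Austin CA" -out "$ca/ca.csr"
    openssl x509 -req -in "$ca/ca.csr" -CA "$root/system.crt" -CAkey "$root/system.key" \
        -CAcreateserial -days 1825 -extfile "$root/pki.cnf" -extensions ca_ext -out "$ca/ca.crt"
    # End entity: SSL server certificate issued via "openssl ca" so that it is
    # recorded in index.txt, the database CRLs (and an index-backed OCSP responder) are built from.
    openssl genrsa -out "$root/server.key" 2048 2>/dev/null
    openssl req -new -config "$root/pki.cnf" -key "$root/server.key" \
        -subj "/CN=directory.utexas.edu" -out "$root/server.csr"
    openssl ca -config "$root/pki.cnf" -batch -notext -extensions server_ext \
        -in "$root/server.csr" -out "$root/server.crt"
    publish_crl "$root"
}

publish_crl() {   # regenerate the U.T. Austin CRL from the CA database
    openssl ca -config "$1/pki.cnf" -gencrl -out "$1/austin.crl"
}

revoke_server() { # mark the server certificate revoked and republish the CRL
    openssl ca -config "$1/pki.cnf" -revoke "$1/server.crt"
    publish_crl "$1"
}

verify_server() { # chain + CRL check; prints valid/revoked/error, returns 0/1/2
    out=$(openssl verify -crl_check -CAfile "$1/system.crt" -CRLfile "$1/austin.crl" \
              -untrusted "$1/austin/ca.crt" "$1/server.crt" 2>&1 || true)
    case $out in
        *"certificate revoked"*) echo revoked; return 1 ;;
        *": OK"*)                echo valid;   return 0 ;;
        *)                       echo "error: $out"; return 2 ;;
    esac
}

demo_pki() {      # valid -> revoke -> revoked; prints "valid,revoked"
    d=$(mktemp -d)
    build_hierarchy "$d" >/dev/null 2>&1
    before=$(verify_server "$d") || true
    revoke_server "$d" >/dev/null 2>&1
    after=$(verify_server "$d") || true
    rm -rf "$d"
    echo "$before,$after"
}
demo_pki
```

Two points worth carrying over to the deck's own setup: the intermediate CA certificate carries cRLSign in its key usage, without which a CRL-checking verifier rejects the CRL rather than the revoked certificate, and revocation is only as fresh as the last published CRL, which is what the CRL-to-OCSP publication step on the slides addresses (an index-backed responder such as `openssl ocsp -index` reads the same index.txt this script maintains).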
Content Providers
Most widely used content providers include: Elsevier, OCLC, JSTOR, Bowker, Gale
Access allowed for campus IP address range and by scripted logon
Library staff would like ‘electronic library card’ to be implemented as part of U.T. Austin campus PKI.
Readiness to Issue Certs to Select Groups
Fall, 2002, or Spring, 2003, at earliest
Significant administrative effort in area of PKI policy
Identification of funds
Significant user support for essential PKI concepts and for configuration and use of PKI-enabled client apps