US PKI and Bridge PKI - Scott Rea - eForms - Digital Signatures

Uploader: 一***  Document ID: 124333645  Upload date: 2022-07-24  Format: PPT  Pages: 16  Size: 578KB
PKI in US Higher Education
TAGPMA Meeting, March 2006, Rio De Janeiro, Brazil

Slide 2 - HEBCA: Higher Education Bridge Certificate Authority
- Bridge Certificate Authority for US Higher Education
- Modeled on FBCA
- Provides cross-certification between the subscribing institution and the HEBCA root CA
- Flexible policy implementations through the mapping process
- The HEBCA root CA and infrastructure hosted at Dartmouth College
- Facilitates inter-institutional trust between participating schools
- Facilitates inter-federation trust between US Higher Education community and external entities

Slide 3 - HEBCA Project: What will it provide?
- The HEBCA Project will create and maintain three new Certificate Authority (CA) systems for EDUCAUSE and will also house the existing HEBCA Prototype CA
- The three CA systems to be created are:
  - HEBCA Test CA
  - HEBCA Development CA
  - HEBCA Production CA
- The HEBCAs will be used to cross-certify Higher Education PKI trust anchors to create a bridged trust network
- The HEBCA Test CA will also be cross-certified with the Prototype FBCA (other emerging Bridge CAs are also targets) and the HEBCA production CAs will be cross-certified with the production FBCA.

Slide 4 - HEBCA Project: What does it look like? (Artist's impression only)

Slide 5 - HEBCA Policy Authority
The HEBCA PA establishes policy for and oversees operation of the HEBCA. HEBCA PA activities include:
- approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the HEBCA
- set policy for accepting applications for cross-certification and interoperation with the HEBCA
- certify the mapping of policy between the HEBCA CP and applicants' CPs
- establish any needed constraints in cross-certification documents
- represent the HEBCA in establishing its own cross-certification with other PKI bridges
- set policy governing operation of the HEBCA
- oversee the HEBCA Operational Authority
- keep the HEBCA Membership and the HEPKI Council informed of its decisions and activities.

Slide 6 - HEBCA Operating Authority
The HEBCA OA is the organization that is responsible for the issuance of HEBCA certificates when so directed by the HEBCA PA, the posting of those certificates and any Certificate Revocation Lists (CRLs) or Certificate Authority Revocation Lists (CARLs) into the HEBCA repository, and maintaining the continued availability of the repository to all parties relying on HEBCA certificates.
Specific responsibilities of the HEBCA OA include:
- Management and operation of the HEBCA infrastructure;
- Management of the registration process;
- Completion of the applicant identification and authentication process; and
- Complying with all requirements and representations of the Certificate Policy.
Key personnel from the Dartmouth PKI Laboratory were chosen as the HEBCA Operating Authority by the HEBCA PA under the direction of EDUCAUSE (the project sponsor).

Slide 7 - HEBCA: What is the value presented by this initiative?
- HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally, e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
- Extensions to the Higher Education trust infrastructure into external federations are also possible, and proof of concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
- Single credential accepted globally
- Potential for stronger authentication and possibly authorization of participants in grid based applications
- Contributions provided to the Path Validation and Path Discovery development efforts
- Facilitates compliance with legal requirements (GPEA, HIPAA)

Slide 8 - USHER: US Higher Education Root
- Trusted Root for US Higher Education
- Only signs subordinate CA certificates
- Bootstraps institutional PKIs by providing policy infrastructure and a CA
- The USHER root CA and infrastructure hosted at Dartmouth College
- Facilitates inter-institutional trust between participating schools
- Different levels of assurance supported

Slide 9 - USHER Project: What will it provide?
- The USHER Project will create and maintain four new Certificate Authority (CA) systems for Internet2 and will share the existing HEBCA infrastructure
- The four CA systems to be created are:
  - USHER Foundation CA
  - USHER Basic CA*
  - USHER Medium CA*
  - USHER High CA*
  * Not officially named yet
- The USHERs will be used to provide institutions of higher education PKI trust anchors with a common policy
- The USHER CAs may also be potentially cross-certified with the HEBCA to allow interoperation outside the USHER community.

Slide 10 - USHER Policy Authority
The USHER PA establishes policy for and oversees operation of the USHER initiatives. USHER PA activities include:
- approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the USHER
- set policy for accepting applications for CA issuance under USHER CAs
- represent the USHER in establishing cross-certification with other PKI bridges, e.g. HEBCA
- set policy governing operation of the USHER CAs
- oversee the USHER Operational Authority
- keep the USHER Membership informed of its decisions and activities.

Slide 11 - Solving Silos of Trust
[Diagram; labels: Dept-1, Institution, SubCA, CA, USHER, HEBCA, FBCA]

Slide 12 - Proposed Inter-federations
[Diagram; labels: FBCA, CA-1, CA-2, CA-n, Cross-cert, HEBCA, Dartmouth, Wisconsin, Texas, Univ-N, UVA, USHER, DST ACES, Cross-certs, SAFE, Aero, NIH, CA-1, CA-2, CA-3, CA-4]

Slide 13 - HEBCA Project - Overview
[Diagram; labels: HEBCA PA and CP oversight, HEBCA Infrastructure, FBCA PA and CP oversight, FBCA Infrastructure, CA, Root Cert, Cross Cert Pair, CRLs, Border Dir, HEBCA Directory, FBCA Directory, University 1 PKI, University 2 PKI, FBCA PKI, HEBCA PKI, DST ACES PKI, Other Cross Certified PKIs, RoD, Referral (FBCA, University 1, University 2)]
- X.500 DSP Protocol (Chaining Agreements) between FBCA and Cross Certified PKI provider
- X.500 Based Directory
- Directories Interconnect via Chaining (X.500 DSP)
- LDAP Based Directory
- Utilizing the Registry of Directories
- Utilizing LDAP Referrals

Slide 14 - HEBCA Project - Progress: What's been done so far?
- Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
- MOA with commercial vendor for infrastructure hardware (Sun)
- MOA with commercial vendor for CA software and licenses (RSA)
- Policy Authority formed
- Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
- Prototype Registry of Directories (RoD) deployed at Dartmouth
- Draft of Production HEBCA CP produced
- Draft of Production HEBCA CPS produced
- Preliminary Policy Mapping completed with FBCA
- Test HEBCA CA deployed and cross-certified with the Prototype FBCA
- Test HEBCA RoD deployed
- Production HEBCA development phase underway
- Infrastructure has passed interoperability testing with FBCA

Slide 15 - USHER Project - Progress: What's been done so far?
- Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
- MOA with commercial vendor for infrastructure hardware (Sun)
- MOA with commercial vendor for CA software and licenses (RSA)
- Policy Authority formed
- Prototype USHER operational on the Prototype HEBCA infrastructure
- Draft of Production USHER CP produced
- Draft of Production USHER CPS produced
- Production USHER Foundation CA created (2/23/06) and distributed
- USHER Foundation being embedded in applications (e.g. Lionshare)
- USHER Foundation run from InCommon infrastructure

Slide 16 - For More Information
HEBCA Website: http://www.educause.edu/HEBCA/623
USHER Website: http://usher.internet2.edu/
Scott Rea - Scott.Rea@dartmouth.edu
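
Added example (not part of the original slides): a simplified model of path discovery with policy mapping across the bridge described on slides 2, 3 and 7. The CA names follow the slides' diagrams; the cross-certificate set and all policy names are constructed, and signature, revocation and constraint checks are omitted.

```python
from collections import deque

# Constructed cross-certificates: (issuer CA, subject CA, policy mappings).
# Each mapping reads "issuer-domain policy -> equivalent subject-domain policy".
# CA names follow the slides' diagrams; the policy names are invented.
CROSS_CERTS = [
    ("University 1 CA", "HEBCA", {"univ1-medium": "hebca-medium"}),
    ("HEBCA", "University 1 CA", {"hebca-medium": "univ1-medium"}),
    ("HEBCA", "University 2 CA", {"hebca-medium": "univ2-standard",
                                  "hebca-basic": "univ2-basic"}),
    ("University 2 CA", "HEBCA", {"univ2-standard": "hebca-medium"}),
    ("HEBCA", "FBCA", {"hebca-medium": "fbca-medium"}),
]


def discover_path(trust_anchor, target_ca, required_policy):
    """Breadth-first path discovery from the relying party's trust anchor.

    Returns (path, policy): the CA chain to target_ca and the policy in the
    target's domain that is equivalent to required_policy, or None when no
    chain of cross-certificates carries the policy that far.
    """
    queue = deque([([trust_anchor], required_policy)])
    while queue:
        path, policy = queue.popleft()
        if path[-1] == target_ca:
            return path, policy
        for issuer, subject, mappings in CROSS_CERTS:
            # Follow only certificates issued by the current CA, never revisit
            # a CA, and drop the branch when the policy has no mapping.
            if issuer == path[-1] and subject not in path and policy in mappings:
                queue.append((path + [subject], mappings[policy]))
    return None


def accepts(trust_anchor, issuing_ca, cert_policy, required_policy):
    """True if a certificate issued by issuing_ca under cert_policy satisfies
    the relying party's required_policy over some cross-certified path."""
    found = discover_path(trust_anchor, issuing_ca, required_policy)
    return found is not None and found[1] == cert_policy


if __name__ == "__main__":
    print(discover_path("University 1 CA", "University 2 CA", "univ1-medium"))
    print(accepts("University 1 CA", "University 2 CA", "univ2-basic", "univ1-medium"))
```

A relying party anchored at University 1 reaches University 2 only through the bridge, and a certificate is accepted only when its policy is the mapped equivalent of the policy the relying party requires.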