
Page 1

11th Fed/Ed PKI Meeting

Some quick updates from recent HEPKI-TAG and SURA work

Jim Jokl, jaj@Virginia.EDU

Page 2

US Higher Education Root (USHER) and Policy

Background
  A hierarchical CA for Higher Education
  Issues authority certificates to campus CAs
  Replaces, and offers more than, the old CREN hierarchy

Initial discussions on LOA for USHER
  Strong procedures for USHER operations
  Strong process to identify campuses

Discussions on requirements for schools
  Something heavy, PKI-Lite, etc.?
  Implications for when USHER cross-certifies with HEBCA

Early focus decisions
  Strong procedures for USHER itself; use the InCommon I&A process for schools
  Architect for an USHER-heavy and an USHER-Lite
  Focus deployment on USHER-Lite

Page 3

USHER & Policy: Enter LionShare

LionShare needs a trust fabric that works logically like PKI-Lite
  Verify the PKI-Lite OID in the certificate

Question: can/should USHER require at least PKI-Lite from campuses?
  Schools are doing this anyway
  Strong pushback on the TAG call
    How does USHER certify campuses?
    Campus liability concerns
    Why is a requirement needed?

[Diagram: USHER above two Campus CAs, with a LionShare SASL CA issuing short-life user certificates]
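To make the "verify the PKI-Lite OID in the certificate" step concrete, here is an added example (not LionShare, HEPKI-TAG or USHER code) that decodes a DER-encoded certificatePolicies extension value and reports whether it asserts a given policy OID. The PKI-Lite OID used is a placeholder assumption, since the slide does not state the real value; the sample extension bytes are constructed by the block's own encoder rather than taken from a real certificate.

```python
"""Check whether a DER certificatePolicies value asserts a given policy OID.

Added example, not LionShare or HEPKI-TAG code. The PKI-Lite OID below is a
placeholder assumption (the slide does not give the real value). The sample
extension bytes are constructed here with the block's own encoder.
"""

PKI_LITE_OID = "1.3.6.1.4.1.99999.1"   # placeholder, NOT the real HEPKI-TAG PKI-Lite OID
ANY_POLICY = "2.5.29.32.0"             # RFC 5280 anyPolicy, used in the constructed sample

SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06


def _tlv(tag, content):
    """DER tag-length-value with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(data, pos):
    """Return (tag, value, position after value) for the TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (X.690 8.19)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]] + arcs[2:]   # first two arcs share one subidentifier
    out = bytearray()
    for arc in body:
        chunk = [arc & 0x7F]                      # base-128, most significant group first,
        arc >>= 7                                 # continuation bit on all but the last octet
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OBJECT_IDENTIFIER, bytes(out))


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    if content and content[-1] & 0x80:
        raise ValueError("truncated OID subidentifier")
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + subids[1:])


def encode_certificate_policies(oids):
    """Build a certificatePolicies extension value: SEQUENCE OF PolicyInformation."""
    return _tlv(SEQUENCE, b"".join(_tlv(SEQUENCE, encode_oid(o)) for o in oids))


def policy_oids(ext_value):
    """Extract the policyIdentifier of each PolicyInformation; qualifiers are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)         # policyIdentifier is the first element
        if tag != OBJECT_IDENTIFIER:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid))
    return oids


def asserts_policy(ext_value, wanted=PKI_LITE_OID):
    """True only if the exact OID is present; anyPolicy alone does not count."""
    return wanted in policy_oids(ext_value)


if __name__ == "__main__":
    sample = encode_certificate_policies([ANY_POLICY, PKI_LITE_OID])   # constructed sample
    print(policy_oids(sample), asserts_policy(sample))
```

In a real deployment the extension value comes out of the end-entity certificate after chain validation; the check is deliberately strict, so a certificate carrying only anyPolicy (2.5.29.32.0) is not accepted as PKI-Lite, which is the behaviour the slide's "verify the OID" wording implies.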

Page 4

Grid Computing & PKI Bridges

Started in the NMI Testbed Grid project
  The tradition in the grid community appeared to be to run a CA for each Grid or to install root certificates for each site
  We wanted an approach that scaled more easily, leveraged central campus authentication, and enabled researchers to get out of the identity management business

Logical solution
  Attempt to leverage HEBCA with Globus

Project
  Do the technical work needed to pilot this idea, in parallel with the development of HEBCA

Page 5

Schematic of Original SURA NMI Testbed Grid PKI Integration Goal

[Diagram: Campus A through Campus F Grids, each campus with its own PKI (A's PKI, B's PKI, C's PKI, ...) issuing user certs; the campus PKIs are joined to the Testbed CA through the Testbed Bridge CA by cross-cert pairs]

Page 6

Inter-campus NMI Testbed Globus Project Activity

Built a simple Testbed Bridge CA
  Off-line system
  Used Linux and OpenSSL to build the bridge
  Stored securely when not in use

Cross-certifications
  UVA, UAB, TACC, USC, LSU
  Univ of Arkansas in progress

www.pki.virginia.edu/nmi-bridge

Page 7

Globus & PKI Bridges: Some issues

Globus uses OpenSSL, which is not bridge-aware
  Preload cross-certificates
  Signing policy files

Certificate profiles used by some campus CAs caused problems

Continuing forward with the SURA Grid
  Cross-certification of sites
  Developing directory-based infrastructure to automate management of the gridmap-file
  Web-based tool for sites to easily add/remove their users
  Tools to automatically deploy the cross-certificates and signing policy files
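The two files the slide's tooling has to regenerate are the grid-mapfile (subject DN to local account) and the per-CA Globus signing_policy file that stands in for bridge awareness by pinning each preloaded campus CA to its own subject namespace. The following is an added example, not the SURA or UVA tooling itself: a parser and writer for grid-mapfile entries with add/remove operations, plus a renderer for the signing_policy format. The DNs, account names and CA name are constructed for the example.

```python
"""Grid-mapfile and Globus signing-policy helpers.

Added example, not the SURA/UVA tooling described on the slide. It shows the two
text files that tooling has to regenerate: the grid-mapfile mapping certificate
subject DNs to local accounts, and the per-CA signing_policy file that tells
Globus's OpenSSL-based code which subject namespace a preloaded (cross-certified)
campus CA may sign for. DNs, account names and the CA name are constructed.
"""
import shlex

# Constructed sample grid-mapfile; these are not real users.
SAMPLE_GRIDMAP = """\
# sample grid-mapfile (constructed)
"/C=US/O=University of Virginia/OU=ITC/CN=Alice Example" alice
"/C=US/O=University of Virginia/OU=ITC/CN=Bob Example" bob,bexample
"""


def parse_gridmap(text):
    """Parse grid-mapfile text into {subject DN: [local accounts]}.

    Format: one entry per line, the double-quoted subject DN followed by one or
    more comma-separated local usernames; '#' starts a comment. DNs contain
    spaces, so shlex is used to honour the quoting and strip comments.
    """
    mapping = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue                                   # blank or comment-only line
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        accts = mapping.setdefault(dn, [])
        for acct in accounts.split(","):
            if acct and acct not in accts:
                accts.append(acct)
    return mapping


def render_gridmap(mapping):
    """Serialise the mapping back into grid-mapfile lines (sorted for stable diffs)."""
    return "".join(f'"{dn}" {",".join(accts)}\n'
                   for dn, accts in sorted(mapping.items()) if accts)


def add_user(mapping, dn, account):
    """Map a subject DN to a local account; repeated adds are no-ops."""
    accts = mapping.setdefault(dn, [])
    if account not in accts:
        accts.append(account)
    return mapping


def remove_user(mapping, dn, account=None):
    """Drop one local account for a DN, or the whole DN entry when account is None."""
    if account is None:
        mapping.pop(dn, None)
    elif dn in mapping and account in mapping[dn]:
        mapping[dn].remove(account)
        if not mapping[dn]:                            # no accounts left: drop the DN
            del mapping[dn]
    return mapping


def signing_policy(ca_dn, subject_namespace):
    """Render a Globus signing_policy file for one trusted CA.

    access_id_CA names the CA by subject DN, pos_rights grants it CA:sign, and
    cond_subjects lists the subject-name patterns (double-quoted, space
    separated) it is allowed to sign. Because Globus is not bridge-aware, each
    cross-certified campus CA is preloaded and fenced in this way.
    """
    return (
        f"access_id_CA      X509         '{ca_dn}'\n"
        f"pos_rights        globus       CA:sign\n"
        f"cond_subjects     globus       '\"{subject_namespace}\"'\n"
    )


if __name__ == "__main__":
    m = parse_gridmap(SAMPLE_GRIDMAP)
    add_user(m, "/C=US/O=University of Virginia/OU=ITC/CN=Carol Example", "carol")
    print(render_gridmap(m))
    print(signing_policy("/C=US/O=University of Virginia/CN=Example Campus CA",
                         "/C=US/O=University of Virginia/*"))
```

Globus looks the policy up under /etc/grid-security/certificates as <hash>.signing_policy next to the CA certificate <hash>.0, where <hash> is OpenSSL's subject-name hash of the CA certificate (`openssl x509 -noout -hash -in ca.pem`); OpenSSL 1.0.0 changed that hash algorithm, so check whether the Globus version in use expects the new or the old (`-subject_hash_old`) form before deploying.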

Page 8

HEPKI-TAG Update

New revision of PKI-Lite
  Clarifications to the Policy/Practices document
  Profiles updated
    Support for EAP-TLS wireless authentication, recommending use of the Microsoft OID
    Specified Authority Key Identifier to be compatible with bridges
    More specified, with more notes for implementers

Supporting some other USHER topics

Signing tools project

Internet2 and Educause HEPKI-TAG site links