TRANSCRIPT
CREN-Mellon conference, December 1, 2001
University of Texas PKI Status
PKI TEAM
Gene Titus, Systems Architect (U.T. System Office of Telecommunication Services)
Jim Lyons, Developer and DBA (U.T. Austin ITS/Telecommunications and Networking)
Frank Sayre, Coordination, Policy (U.T. Austin ITS/Telecommunications and Networking)
U.T. System Associate Vice-Chancellor, Chief Information Officer
U.T. System System Audit Office
U.T. System Office of Information Resources
U.T. Austin Vice-President for Information Technology (ITS)
ITS Administrative Computing
ITS Security Office
U.T. Austin Office of Internal Audits
Management of Community Data
Directory organized as X.500 hierarchy
Campus-wide, 100% coverage of entire community
Populated through daily ‘feeds’ from HR and Registrar
Managed via OpenLDAP v. 1.2x
Accessible via Richter/TU Chemnitz web500gw-2.1b3 at http://directory.utexas.edu/
Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
Current Network Authentication Scheme
Electronic ID (EID) -- pre-PKI
Campus-wide: 100% of the community uses network-based electronic services (grades, transcript requests, class rosters, time sheets, bio updates, etc.)
Username/password credential providing single-sign-on for network-based services
Established at face-to-face presentation of identity credentials at University ID Center
User logon is through an HTTPS connection to HPUX systems tied in with central authorization records residing in MVS; authorization data is passed inside an RSA MD5-encrypted cookie
Viable authentication mechanism for end-user certificate requests through HTTPS-based PKI Registration Authority
Planned Initial Uses, 2002/03
SSL server certificates
Authentication for network-based services (to some degree replacing EID)
Digitally signed documents (S/MIME protocol) for special groups
Digitally signed and encrypted e-mail (S/MIME protocol) for special groups
Current Deployment Status: U.T. System
Certification Authority implemented with PERL/OpenSSL: tested
Private key storage in Chrysalis Luna CA3 (FIPS 140-1, level 3) HSM: tested
CA certificate to be signed by CREN: January, 2002
System operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
Issuance of Institutional CA certificates for U.T. component campuses: Spring, 2002
Policy governing CA certificate issuance: due early Spring, 2002
Current Deployment Status: U.T. Austin
Certification Authority implemented with PERL/OpenSSL: tested
HTTPS-accessible Registration Authority implemented in PERL: tested
Registration Authority integrated with current EID network authentication: tested
Issuance of end-entity certificates to Schlumberger CyberFlex smartcards: tested
Back-end storage and management of certificates in Unix dbm: tested
Initial, informal testing of CRL publication to OCSP server: completed
Initial, informal testing of PKI-enabled client applications: significant problems revealed
Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system
CA certificate signed by U.T. System CA: Spring, 2002
Policy governing issuance of SSL server certificates: early Spring, 2002
Issuance of SSL server certificates: commence Spring, 2002
Policy for end-entity certificates for special groups: drafted Spring, 2002
Publication of end-entity certificates to Directory: needs additional testing in Spring, 2002
Publication of CRLs to OCSP server: needs additional testing in Spring, 2002
Formal testing of PKI-enabled client applications: commence Summer, 2002
Formal testing of OCSP client-server functions: commence Summer, 2002
Preparation of user documentation and support procedures: commence Summer, 2002
End-entity certificate issuance for special groups: Fall, 2002, or Spring, 2003
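The CA, end-entity issuance and CRL steps in the U.T. Austin status list above, shown as an added shell example that drives the openssl command line rather than the PERL/OpenSSL implementation described on the slides. The CA name "UT Root CA (example)", the user "alice" and the configuration file are constructed for this example; the OCSP side of the slides is represented only by the CRL file such a responder would consume.

```shell
#!/bin/sh
# Added example, not the U.T. Perl/OpenSSL code from the slides: root CA,
# end-entity certificate, CRL and CRL-aware verification via the openssl CLI.
# "UT Root CA (example)" and the user "alice" are constructed names.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir; each function enters it in a subshell

# Create the CA database, a minimal openssl.cnf, the root key/cert and an empty CRL.
pki_setup() (
  cd "$WORK"
  mkdir -p ca/newcerts
  : > ca/index.txt                                  # 'openssl ca' certificate database
  echo 1000 > ca/serial; echo 1000 > ca/crlnumber   # next serial / CRL number (hex)
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = ut_root
[ ut_root ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/root.crt
private_key      = $dir/root.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = root_ca
prompt             = no
[ req_dn ]
CN = UT Root CA (example)
O  = University of Texas (example)
[ root_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ end_entity ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = emailProtection, clientAuth
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out ca/root.key 2048 2>/dev/null
  openssl req -config ca/openssl.cnf -new -x509 -key ca/root.key -days 3650 \
    -out ca/root.crt 2>/dev/null
  pki_gencrl
)
# (Re)issue the CRL from the CA database: the artefact a directory or OCSP responder would take.
pki_gencrl() (
  cd "$WORK"
  openssl ca -config ca/openssl.cnf -gencrl -out ca/root.crl 2>/dev/null
)
# Issue an end-entity certificate for user $1 (key, CSR, CA signature).
# 'openssl ca' refuses a second live certificate for the same subject by default.
pki_issue() (
  cd "$WORK"
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -config ca/openssl.cnf -new -key "$1.key" \
    -subj "/CN=$1/O=University of Texas (example)" -out "$1.csr" 2>/dev/null
  openssl ca -config ca/openssl.cnf -batch -notext -extensions end_entity \
    -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
)
# Mark user $1's certificate revoked in the database and republish the CRL.
pki_revoke() (
  cd "$WORK"
  openssl ca -config ca/openssl.cnf -revoke "$1.crt" 2>/dev/null
  pki_gencrl
)
# Print "good", "revoked" or "invalid" for user $1, checking chain and current CRL.
pki_status() (
  cd "$WORK"
  out=$(openssl verify -crl_check -CAfile ca/root.crt -CRLfile ca/root.crl \
        "$1.crt" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *)                       echo invalid ;;
  esac
)
# Walk the lifecycle end to end: run as  PKI_DEMO=1 sh this_script.sh
pki_demo() {
  pki_setup; pki_issue alice
  echo "alice before revocation: $(pki_status alice)"
  pki_revoke alice
  echo "alice after revocation:  $(pki_status alice)"
}
if [ "${PKI_DEMO:-0}" = 1 ]; then pki_demo; fi
```

The point worth noticing is in pki_revoke: revoking in the CA database changes nothing for relying parties until the CRL is regenerated and republished, so a relying party checking the old CRL still reports "good". That gap between revocation and publication is exactly what the slides' CRL-to-OCSP publication testing has to exercise.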
Content Providers
Most widely used content providers include: Elsevier, OCLC, JSTOR, Bowker, Gale
Access allowed for campus IP address range and by scripted logon
Library staff would like ‘electronic library card’ to be implemented as part of U.T. Austin campus PKI.
Readiness to Issue Certs to Select Groups
Fall, 2002, or Spring, 2003, at earliest
Significant administrative effort in the area of PKI policy
Identification of funds
Significant user support for essential PKI concepts and for configuration and use of PKI-enabled client apps