Page 1: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

CREN-Mellon conference, December 1, 2001

University of Texas PKI Status

Page 2: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

PKI TEAM

Gene Titus, Systems Architect (U.T. System Office of Telecommunication Services)

Jim Lyons, Developer and DBA (U.T. Austin ITS/Telecommunications and Networking)

Frank Sayre, Coordination, Policy (U.T. Austin ITS/Telecommunications and Networking)

U.T. System: Associate Vice-Chancellor, Chief Information Officer; System Audit Office; Office of Information Resources

U.T. Austin: Vice-President for Information Technology (ITS); ITS Administrative Computing; ITS Security Office; Office of Internal Audits

Page 3: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Management of Community Data

Directory organized as X.500 hierarchy

Campus-wide, 100% coverage of entire community

Populated through daily ‘feeds’ from HR and Registrar

Managed via OpenLDAP v. 1.2x

Accessible via Richter/TU Chemnitz web500gw-2.1b3 at http://directory.utexas.edu/

Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system

Page 4: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Current Network Authentication Scheme

Electronic ID (EID) -- pre-PKI

Campus-wide: 100% of community using network-based electronic services (grades, transcript requests, class rosters, time sheets, bio updates, etc.)

Username/password credential providing single-sign-on for network-based services

Established at face-to-face presentation of identity credentials at University ID Center

User logon through HTTPS connection to HPUX systems tied in with central authorization records residing in MVS. Authorization data is passed inside an RSA MD5-encrypted cookie

Viable authentication mechanism for end-user certificate requests through HTTPS-based PKI Registration Authority

Page 5: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Planned Initial Uses, 2002/03

SSL server certificates

Authentication for network-based services (to some degree replacing EID)

Digitally signed documents (S/MIME protocol) for special groups

Digitally signed and encrypted e-mail (S/MIME protocol) for special groups

Page 6: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Current Deployment Status: U.T. System

Certification Authority implemented with PERL/OpenSSL: tested

Private key storage in Chrysalis Luna CA3 (FIPS 140-1, level 3) HSM: tested

CA certificate to be signed by CREN: January, 2002

System operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system

Issuance of Institutional CA certificates for U.T. component campuses: Spring, 2002

Policy governing CA certificate issuance: due early Spring, 2002

Page 7: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Current Deployment Status: U.T. Austin

Certification Authority implemented with PERL/OpenSSL: tested

HTTPS-accessible Registration Authority implemented in PERL: tested

Registration Authority integrated with current EID network authentication: tested

Issuance of end-entity certificates to Schlumberger CyberFlex smartcards: tested

Back-end storage and management of certificates in Unix dbm: tested

Initial, informal testing of CRL publication to OCSP server: completed

Initial, informal testing of PKI-enabled client applications: significant problems revealed

Operated on RedHat Linux 6.x on generic Pentium II 450 MHz rackmount system

CA certificate signed by U.T. System CA: Spring, 2002

Policy governing issuance of SSL server certificates: early Spring, 2002

Issuance of SSL server certificates: commence Spring, 2002

Policy for end-entity certificates for special groups: drafted Spring, 2002

Publication of end-entity certificates to Directory: needs additional testing in Spring, 2002

Publication of CRLs to OCSP server: needs additional testing in Spring, 2002

Formal testing of PKI-enabled client applications: commence Summer, 2002

Formal testing of OCSP client-server functions: commence Summer, 2002

Preparation of user documentation and support procedures: commence Summer, 2002

End-entity certificate issuance for special groups: Fall, 2002, or Spring, 2003
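The CA, end-entity issuance and CRL publication steps listed above, as an added shell example (not the U.T. Austin Perl/OpenSSL code): it stands up a throwaway CA with the openssl command-line tool, issues one end-entity certificate, revokes it, publishes a CRL, and confirms the revoked certificate no longer verifies. The CA name, the user DN and the config file are constructed for this example.

```shell
# Added example, not the project's CA: minimal OpenSSL CA that issues, revokes
# and publishes a CRL, so the revocation path is exercised alongside issuance.
set -eu

pki_lifecycle() {
  work=$(mktemp -d); cd "$work"
  # Database files that `openssl ca` expects (constructed, empty CA state)
  mkdir certs; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Self-signed campus CA (in the talk this CA is signed by the U.T. System CA)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Campus CA" -days 365 -config ca.cnf >/dev/null 2>&1
  # 2. End-entity request, as an RA would forward it after EID authentication
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=demo user" -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in user.csr -out user.crt >/dev/null 2>&1
  openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1 || return 1
  # 3. Revoke, publish a CRL, and confirm the certificate no longer verifies
  openssl ca -config ca.cnf -revoke user.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl user.crt \
      >/dev/null 2>&1; then return 1; fi
  echo revoked
}
```

Run `pki_lifecycle` after sourcing the block; it prints `revoked` only if the certificate verified before revocation and was rejected after the CRL was published.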

Page 8: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Content Providers

Most widely used content providers include: Elsevier, OCLC, JSTOR, Bowker, Gale

Access allowed for campus IP address range and by scripted logon

Library staff would like ‘electronic library card’ to be implemented as part of U.T. Austin campus PKI.

Page 9: CREN-Mellon conference, December 1, 2001 University of Texas PKI Status

Readiness to Issue Certs to Select Groups

Fall, 2002, or Spring, 2003, at earliest

Significant administrative effort in area of PKI policy

Identification of funds

Significant user support for essential PKI concepts and for configuration and use of PKI-enabled client apps