Digital Certificate Operation in a Complex Environment

03 December 2003 Digital Certificate Operation in a Complex Environment Consultation/Stakeholders Meeting 3 December 2003

Upload: temple

Post on 14-Jan-2016



Page 1: Digital Certificate Operation in a Complex Environment

03 December 2003

Digital Certificate Operation in a Complex Environment

Consultation/Stakeholders Meeting

3 December 2003

Page 2: Digital Certificate Operation in a Complex Environment

DCOCE

dΛ’kŊtfi:

Der-kot-chee

Page 3: Digital Certificate Operation in a Complex Environment

The DCOCE project

• DCOCE is about authentication with digital certificates

• Digital certificates use Public Key Infrastructure (PKI)

– PKI is very secure

– but can be difficult to administer

Page 4: Digital Certificate Operation in a Complex Environment

The DCOCE project

• Digital certificates and PKI rely upon trust

• Trust relies upon co-operation (or understanding) between organisations

• Oxford University is a Complex Environment

– DCOCE

– If it can work here...

Page 5: Digital Certificate Operation in a Complex Environment

What DCOCE is not about

• Authorisation

– but…

• Single sign on

– but…

• e-Science and the grid

– but…

Page 6: Digital Certificate Operation in a Complex Environment

Project team

• Based within the RTS at OUCS in collaboration with SERS

Project Manager: Mark Norman

Systems Developer: Christian Fernau

Evaluators: Alun Edwards (OUCS), Johanneke Sytsema (SERS)

Page 7: Digital Certificate Operation in a Complex Environment

Project partners

• Research Technologies Service at Oxford University Computing Services in collaboration with:

– the Systems and Electronic Resources Service at Oxford University Library Services (SERS)

– Manchester Information and Associated Services (ZETOC)

– the Athens Devolved Authentication Service (at EduServ)

– the Oxford e-Science Centre (OeSC)

Page 8: Digital Certificate Operation in a Complex Environment

What is DCOCE?

• 2-year project funded by the JISC (Joint Information Systems Committee)

– feasibility of using digital certificates for authentication and simplified access to remote services

– researching and running a pilot of a PKI (public key infrastructure)

– evaluating and documenting all of the major stages and of the user experience

Page 9: Digital Certificate Operation in a Complex Environment

Why at Oxford?

• The complex environment is here…

– the Departments and Colleges of the University of Oxford

• everyone may have a different requirement

• desires secure access to central IT support applications

• desires to optimise access to licensed content

• Oxford hosts regional e-Science Centre

– OUCS

• secure access to web-based email; LDAP services; VPN service

• developing account management packages for RDN Subject Portals Project

• Information flow is very important to a PKI

Page 10: Digital Certificate Operation in a Complex Environment

[Diagram: Project Team; Stakeholder group; Admin & Legal Services; Research Technologies Service; IT Support Staff services; User registration; Oxford University Computing Services; E-Science Centre; Library Services]

Page 11: Digital Certificate Operation in a Complex Environment

Stakeholder group

• We need to know what you think:

– are the ideas difficult?

– what do you think you need?

• Early 2004 we need people to trial the use of our digital certificates

– to discover the advantages and difficulties as they appear to you

Page 12: Digital Certificate Operation in a Complex Environment

Modelling

• Admin. architecture

– select and review 4 PKI implementations

– build an administration architecture model for Oxford

– Athens, MIMAS and OeSC to advise and review initial proposals for models

• System architecture

– review the 4 PKI implementations

– build a system architecture model for Oxford

– Athens, MIMAS and OeSC to advise and review initial proposals for models

Page 13: Digital Certificate Operation in a Complex Environment

Development and implementation

• Implement, and develop, the systems and administrative processes to support a certificate life-cycle within a PKI

– architectures

• very small-scale rollout

– a certification authority

• initial testing

– OeSC to advise

Page 14: Digital Certificate Operation in a Complex Environment

Athens Devolved Authentication

• Enable access to remote resources subscribed to by Oxford compliant with Athens single sign-on (SSO) via digital certificate authentication

– examine Athens requirements and standards

– ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted

Page 15: Digital Certificate Operation in a Complex Environment

MIMAS

• Enable access to remote Zetoc/British Library resources via digital certificate authentication mechanism

– examine MIMAS/Zetoc requirements and standards

– ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted

Page 16: Digital Certificate Operation in a Complex Environment

Real-world rollout

• Distribute the certificates much more widely

– test

– examine revocation and recovery issues

– document the issues arising

• Extensive set of users will receive certificates

– IT support staff in devolved roles throughout the University

– selected end users of many types and roles

• Trial revocation and recovery/re-issuing mechanisms

• OeSC, Athens and MIMAS to advise

Page 17: Digital Certificate Operation in a Complex Environment

Certificate Policy Statement

• Develop and publish a detailed Certificate Policy Statement (CP)

– in accordance with the Internet Engineering Task Force PKI X.509 Certificate Policy and Certification Practice Statement (CPS) Framework

– produce an early draft of the CP

• consult about trust issues

– final version of the CP will be produced after rollout

Page 18: Digital Certificate Operation in a Complex Environment

Legal and administrative issues

• Input from Oxford University Legal Services

– issuing and revoking certificates

– running the PKI

– the final Certificate Policy Statement (CP)

– the administration issues of managing:

• a registration authority

• and certificate authority

• and revocation list

– research legal and administration issues

• OeSC to advise

Page 19: Digital Certificate Operation in a Complex Environment

Evaluation and dissemination

• Technical and user-oriented evaluations

– the implementation of PKI at UK HE establishments

– final report

• Project progress report

– successes and failures and points of difficulty

• Via web pages, email lists and at real 'events'

– http://www.dcoce.ox.ac.uk/ Web site

– [email protected] mailing list

– Useful to others considering PKI within UK FE and HE

• formative evaluation of decisions made

• summative evaluations

– decision-making processes and the experiences of end users etc.

Page 20: Digital Certificate Operation in a Complex Environment

Summary of deliverables

• Evaluation reports

– for different stages of the process

• Policies

– overall Certification Practice Statement (CPS)

• Systems architecture details

– any open source adaptations

• Project Web site

– http://www.dcoce.ox.ac.uk/

• Summative report

– practical manual

Page 21: Digital Certificate Operation in a Complex Environment

Ideas for discussion at the moment

• Sending server certificates on a CD-ROM

• Ideas for a Local Institution Certificate Store

• Ideas for issuing certificates (enrolling)