Got Directory?
January 28, 2004
TIP2004
23年 4月 18日 2
A Campus Directory Architecture (diagram): metadirectory, enterprise directory, directory database, departmental directories, OS directories (MS, Novell, etc.), border directory, registries, source systems, enterprise applications directory
eduPerson
Schema for US Higher Education
Low hanging fruit, interoperable data
• Easy stuff that we can all agree is true
LocalEduPerson -- local stuff, local prob
International efforts under way
US Person? Will the Feds listen to us?
eduOrg continues to be developed
http://middleware.internet2.edu
LDAP-Recipe
A hitchhiker's guide to LDAP in H.E.
• A user's perspective (a discussion, not a manual) of how to deploy directories. Covering:
• Directory Tree, Access Control, Attribute Firewalls, Group Management, How all the name attributes work, Authentication, Schema Management and Design, RDN issues that most don’t know about, Considerations for directory enabled E-mail routing, Software reference, Replication
• eduPerson discussion (read recipe as well as eduPerson specification)
Video Middleware (VID-MID)
Post 9/11/2001
• Video on the Internet is how people will communicate due to US Airline Industry impact
Video and middleware folks get together
• Video is largely a human managed process
• How to integrate video into enterprise?
• Directory enabling versus directory slurping
CommObject is born and H.350 results
domainComponent (DC=) Naming
Traditional X.500 naming:
dn: cn=Michael R Gettes, ou=Server Group, ou=OIT, o=Duke University, c=US
domainComponent (DC) naming:
dn: uid=gettes,ou=People,dc=duke,dc=edu
Problems with Cisco and others in the past, fixed (mostly)
HEPKI has issued guidance and advice on DC= naming
Group Toolset Architecture
RADIUS + LDAP (diagram): dialup users, NAS (terminal server), RADIUS server, directory server
User calls 202-555-1110
CalledId from NAS is mapped to guRadProf
Directory entry: Netid = gettes; guRadProf = 2025550001; guRadProf = 2025551110; guRadProf = OracleFin
LDAP Filter is: guRadProf = 2025551110 + NetID = gettes
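As an added example that is not part of the original slides: the RADIUS-to-LDAP lookup described above, in Python, with the search base derived by DC naming and the filter built through RFC 4515 escaping so that values arriving from the NAS (the Called-Id) or from the RADIUS request (the NetID) cannot change the shape of the filter. The attribute names guRadProf and uid, the ou=People container and dc=duke,dc=edu are taken from the slides; the directory entries, the function names and the local authorized_dns check are constructed for this example.

```python
"""RADIUS + LDAP authorization lookup (example code, not from the slides).

The slide's rule: a dialup user is authorized when the directory entry for
the NetID carries a guRadProf value equal to the called number. Both values
come from outside the directory, so they are escaped before being placed in
the filter.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_dc_base(domain: str) -> str:
    """domainComponent naming from the DC slide: duke.edu -> dc=duke,dc=edu."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels or not all(re.fullmatch(r"[a-z0-9-]+", label) for label in labels):
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def called_id_digits(called_id: str) -> str:
    """Normalize a NAS Called-Id such as 202-555-1110 to the stored form 2025551110."""
    digits = re.sub(r"\D", "", called_id)
    if not digits:
        raise ValueError(f"Called-Id carries no digits: {called_id!r}")
    return digits


def radius_profile_filter(called_id: str, netid: str) -> str:
    """The slide's filter: guRadProf = <called number> AND NetID (uid) = <netid>."""
    profile = escape_filter_value(called_id_digits(called_id))
    uid = escape_filter_value(netid)
    return f"(&(guRadProf={profile})(uid={uid}))"


# Search base for People entries, built with DC naming (assumed layout).
PEOPLE_BASE = f"ou=People,{domain_to_dc_base('duke.edu')}"

# Constructed sample entries standing in for the directory server.
SAMPLE_DIRECTORY = {
    f"uid=gettes,{PEOPLE_BASE}": {
        "uid": ["gettes"],
        "guRadProf": ["2025550001", "2025551110", "OracleFin"],
    },
    f"uid=jdoe,{PEOPLE_BASE}": {
        "uid": ["jdoe"],
        "guRadProf": ["2025550001"],
    },
}


def authorized_dns(called_id: str, netid: str, directory=SAMPLE_DIRECTORY) -> list:
    """Local evaluation of the same rule the filter expresses.

    Returns the DNs whose entry has uid == netid and whose multi-valued
    guRadProf contains the called number. guRadProf is multi-valued, so a
    user may be authorized for several numbers (and for non-dialup profiles
    such as OracleFin) in one entry.
    """
    digits = called_id_digits(called_id)
    return [
        dn
        for dn, entry in directory.items()
        if netid in entry.get("uid", []) and digits in entry.get("guRadProf", [])
    ]


if __name__ == "__main__":
    print(PEOPLE_BASE)
    print(radius_profile_filter("202-555-1110", "gettes"))
    # A NetID containing filter metacharacters is escaped, not interpreted.
    print(radius_profile_filter("202-555-1110", "gettes)(uid=*"))
    print(authorized_dns("202-555-1110", "gettes"))
    print(authorized_dns("202-555-1110", "jdoe"))
```

The escaping matters because both values are attacker-influenced inputs to the directory query; with it in place, a NetID such as `gettes)(uid=*` stays a literal string and the filter keeps exactly two equality terms, which is the behavior the slide relies on.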
LDAP Analyzer
Todd Piket, Michigan Tech
Web based tool to empirically analyze a directory
eduPerson compliance
Indexing and naming
LDAP-Recipe guidance (good practice)
H.350 compliance
eduOrg compliance
http://middleware.internet2.edu/dir/
What’s up in Directory Land?
Directory Architecture +
eduPerson +
eduOrg
Local Schema (localEduPerson)
Non-eduPerson Persons (international efforts)
usPerson? Working the Feds
LDAP-Recipe +
Group Management +
Video Middleware +
• H.350 for Video Infrastructure
Directory Land (continued)
DC naming +
RADIUS Integration +
LDAP Analyzer +
Medical Middleware
MACE-CourseID
Authorization work (the holy grail)
LDAP: Buyer Beware!!!
LDAP is LDAP is LDAP – yeah, right! "Sure! We support LDAP!" What does that mean?
Contract for functionality and performance
Include your Directory/Security Champion!!!
Verify with other schools – so easy, rarely done.
Beware of products that specify Dir Servers
Get vendor to document product requirements and behavior. You paid for it!
Higher Education Bridge Certification Authority
and USHER
Status Update
Michael R Gettes
Duke University
January 2004, TIP2004
PKI is 1/3 Technical and 2/3 Policy? (diagram: Technical, Policy)
A community-based CA: The (slow) rise of the house of Usher (The CA formerly known as CREN)
Usher-Level 1
Modeled after Federal Citizen and Commerce CP/CPS (www.cio.gov/fpkipa/documents/citizen_commerce_cpv1.pdf)
Issues only institutional certs
Those certs can be used for any purposes
CP will place few constraints on campus operations
• User identification and key management
• Campus CA/RA activities
Will be operated itself at high levels of confidence
Will recommend a profile for campus use
Good for building local expertise, ensuring some consistency in approaches among campuses, and may be suitable for many campus needs and some inter-campus uses
Will not work for signing federal grants, etc…
Operational soon
Usher - Level 2
Modeled after FBCA Basic level CP
Issues only institutional certs
Those certs can be used for most purposes
CP will place more constraints on campus operations
• User identification and key management
• Campus CA/RA activities
Will be operated itself at high levels of confidence
Will recommend a profile for campus use
Good for many campus needs, many inter-campus uses, and many workings with the federal government
Will peer at the HEBCA
Detailed planning now starting; stand up sometime mid-next year
+/- of Usher
Pluses
• Pricing and lack of usage constraints on campus roots
• Strong institutional I/A – external and for subdomains
• Community-consistent
• ???
Negatives
• Not easily in browsers
• Uncharted peering with feds, commercials, etc
• Places more emphasis on running your own campus CA.
• ??
What’s a Bridge anyway?
(diagram: Traditional PKI with Root CA; Pre-Existing?)
Board of Instantiation and Development (BID)
Clair Goldsmith, Chair, UT System
– Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia)
– EDUCAUSE: Luker, Worona
Staff: Faut
Purpose is to instantiate a HE Bridge, organization and policy structures by November, 2003 (or sometime around that point -- okay, so we are running a tad behind schedule, sosu-us)
Foster Deployment and Development of Bridged PKI
Supported by EDUCAUSE
HEPKI Council
Jack McCredie, Chair
– Michael Baer, Sr VP ACE
– Rich Guida, Johnson & Johnson
– Mark Luker, EDUCAUSE
– Mark Olson, EVP of NACUBO
– Dave Smallen, CIO @ Hamilton College
– Nancy Tribbensee, Counsel @ ASU
Not operational, policy and oversight
Will approve the creation of the HEBCA Policy Authority
Charged with Higher Education direction and strategy for PKI initiatives, not just Bridge
Supported by EDUCAUSE
HEPKI National PKI
Current Status: January, 2004
Charter HEBCA Certificate Policy (brother Wasley)
– Will develop CPS from this policy
Dartmouth College
– Contracted to implement HEBCA in 12/03
– EDUCAUSE funded
– Received AEG from Sun Microsystems ($50K)
• Equipment ordered and received
• Signing Hardware -- not yet.
• Working software agreement with RSA as first CA in bridge
– Maybe even further deal with Higher Ed for CA services & s/w
Begin process of cross-certification with US Gov
Recommending to PKI Council to create the HEBCA Policy Authority
EDUCAUSE/NIH Interoperability Project
December 2003, NIH demonstrated the latest ability to submit doubly digitally signed documents to a web site that is validated using Bridge PKI.
UCOP, Wisconsin, Dartmouth, UT Health Science Center (Barry Ribbeck)
Directory Infrastructure at Duke :-)
General doc submission facility -- freely available -- cool stuff.
National PKI
Levels of Assurance / HE CP
– Get mapped all the way down, the key to interop
Business/Marketing: Separate Prob
Policy Authorities likely to merge
HEPKI umbrella should be org structure for all PKI activities in HE
Global? Trust Diagram (TWD)
Sample InterFederation
Shib/PKI Inter-Federations
This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion.