HEBCA Overview
Internet2 Meeting, Fall 2002
Michael R Gettes, Georgetown University, Gettes@Georgetown.EDU


Slide 2

PKI is 1/3 Technical and 2/3 Policy?

Transforming Education Through Information Technologies

http://www.educause.edu/

Slide 3

Common Solutions Group, January, 2002 (Sanibel Island)

A Snapshot of the U.S. Federal PKI

Diagram of the bridge CAs and the PKIs connected to them:

• Federal Bridge CA
• Higher Education Bridge CA
• NFC PKI
• NASA PKI
• DOD PKI
• Illinois PKI
• University PKI
• CANADA PKI


Slide 4


Multiple CAs in FBCA Membrane

• Survivable PKI
• Cross certificates allow for "one/two-way policy": each CA decides on its own whether to issue a certificate to the other, so trust across a link can run in one direction or in both.
• Directories are critical in the BCA world: the cross certificates and CRLs a relying party needs to build a path are found there, not in the message.

Slide 5

Bridge CA landscape (diagram; slide from the JA-SIG Winter Meeting, February 5, 2001)

• USA Government Federal BCA: NIH, DoD, NASA
• USA Higher Education BCA: Georgetown University, University of Washington, further universities (...)
• USA Health Care "Health Key" BCA: NCHICA, with Mayo Clinic appearing alongside it
• European Higher Education BCA: University of Edinburgh, further universities

The bridges are linked to each other peer-to-peer. The diagram also marks "Special Relationships" as separate links outside the bridge-to-bridge connections.

Slide 6

"DAVE" (Discovery and Validation Engine)

Diagram: a sender at UA signs a message to a receiver at NIH.

• UAca issued the sender's certificate; UAca's certificates and CRL are published in UAdir.
• UAca holds a cross certificate with HEBCA (published in HEBCAdir), HEBCA with FBCA (FBCAdir), and FBCA with NIHca (NIHdirectory).
• The receiver's trust anchor is NIHca. DAVE/CAM (E-Lock software) at the receiver discovers the path NIHca -> FBCA -> HEBCA -> UAca -> sender, getting each certificate and CRL via directory chaining from NIHdirectory through FBCAdir and HEBCAdir to UAdir.
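The path DAVE has to discover in this diagram, as an added example that is not part of the slides and not DAVE/CAM or E-Lock code: Go's crypto/x509 verifier stands in for the discovery engine, the four CAs (UAca, HEBCA, FBCA, NIHca), their cross certificates and the users alice@ua and bob@nih are all constructed here, and the cross certificates are handed to the verifier in a pool instead of being chased through directories (no CRL fetching either). It also shows the "one/two-way policy" point from slide 4: with FBCA's certificate for HEBCA withheld, an NIH relying party can no longer validate a UA certificate, while a UA relying party can still validate an NIH one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is one organisation's CA: its key and its self-signed certificate, the trust anchor of its own relying parties.
type ca struct {
	name string
	key  *ecdsa.PrivateKey
	self *x509.Certificate
}

var nextSerial int64

// Go derives SubjectKeyId/AuthorityKeyId here, which is how the verifier matches a cross certificate to a CA key.
func tmpl(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

func newCA(name string) *ca {
	key, t := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), tmpl(name, true)
	return &ca{name, key, sign(t, t, &key.PublicKey, key)}
}

// crossCertify: issuer signs a CA certificate over subject's existing key (one per direction = two-way).
func crossCertify(issuer, subject *ca) *x509.Certificate {
	return sign(tmpl(subject.name, true), issuer.self, &subject.key.PublicKey, issuer.key)
}

func issueEndEntity(issuer *ca, cn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return sign(tmpl(cn, false), issuer.self, &key.PublicKey, issuer.key)
}

// validatePath is the relying party: it trusts only anchor and must discover a path to leaf through the
// cross certificates it was given (DAVE's job). Go does the discovery and signature checks; no CRL/OCSP here.
func validatePath(leaf *x509.Certificate, anchor *ca, crossCerts []*x509.Certificate) ([]string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.self)
	for _, c := range crossCerts {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	var path []string
	for _, c := range chains[0] {
		path = append(path, c.Subject.CommonName)
	}
	return path, nil
}

// bridgeWorld is the constructed topology of the DAVE slide: UAca <-> HEBCA <-> FBCA <-> NIHca.
type bridgeWorld struct {
	ua, hebca, fbca, nih *ca
	alice, bob           *x509.Certificate // issued by UAca and NIHca respectively
	twoWay, oneWay       []*x509.Certificate
}

func buildBridgeWorld() *bridgeWorld {
	w := &bridgeWorld{ua: newCA("UA CA"), hebca: newCA("HEBCA"), fbca: newCA("FBCA"), nih: newCA("NIH CA")}
	w.alice, w.bob = issueEndEntity(w.ua, "alice@ua"), issueEndEntity(w.nih, "bob@nih")
	w.twoWay = []*x509.Certificate{ // both directions on every link
		crossCertify(w.hebca, w.ua), crossCertify(w.ua, w.hebca),
		crossCertify(w.fbca, w.hebca), crossCertify(w.hebca, w.fbca),
		crossCertify(w.nih, w.fbca), crossCertify(w.fbca, w.nih),
	}
	// One-way at the bridge link: FBCA never certified HEBCA (twoWay[2]), so trust flows HE -> Fed only.
	w.oneWay = append(append([]*x509.Certificate{}, w.twoWay[:2]...), w.twoWay[3:]...)
	return w
}

func main() {
	w := buildBridgeWorld()
	fmt.Println(validatePath(w.alice, w.nih, w.twoWay)) // NIH validates a UA cert across both bridges
	fmt.Println(validatePath(w.alice, w.nih, w.oneWay)) // fails: no FBCA-issued certificate for HEBCA
	fmt.Println(validatePath(w.bob, w.ua, w.oneWay))    // UA can still validate an NIH cert
}
```

Each cross certificate carries the same subject name and public key as that CA's self-signed certificate, so the verifier can step from alice's issuer name to UAca's cross certificate, from there to HEBCA's, and so on until it reaches the relying party's own anchor; cycles in the two-way mesh are cut because a subject/key pair already on the chain is not revisited. In a real deployment those certificates (and the CRLs this example skips) would come from the directories the slide shows.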

Slide 7

The PKI Puzzle (by David Wasley, UCOP)

Diagram pieces: Fed Bridge; Educause HE Bridge; CREN Root CA; EDUPKI hierarchy; COMPKI hierarchy; Medical PKI hierarchy; Campus PKI with its Directory, Campus Systems, Server Certs, Campus Resources, Vendor Resources and Shib.

PKI provides:
• Strong Authentication
• Flexible Authorization
• Secure Digital Signature
• Powerful Data Security

Slide 8

HEBCA linkage

Diagram of HEBCA's links: HEBCA <-> FBCA, with NIH, E-Auth, Shib, CREN, Weems' Wacky World, Medical/Healthkey, MitreTek, Inter-Directories, EuroPKI, GRID, SEVIS, Apache, Signed Email, FDRM, State Bridges and VidMid around them.

Slide 9

"Registry of Directories" Structure

Legend: a subordinate referral points down the tree, a superior referral points up.

Referral directories:

(Top): subordinate referrals to dc=edu, c=us, c=japan, dc=intl
dc=edu: subordinate referrals to dc=uab, dc=ucop; else superior referral
c=us: subordinate referrals to o=US Govt, o=HHS, "ou=A, o=NASA"; else superior referral
o=US Govt, c=us: subordinate referrals to ou=FBCA, ou=agency7; else superior referral

Content directories:

ou=FBCA, o=US Govt, c=us: ou=FBCA, ou=agency7; no else clause

• The "else superior referral" clause exists to allow any LDAP client (or content directory) to have the option of pointing to a referral directory and be able to construct a desired path.
• There is no "else" clause in content directories, to prevent loops.
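A small model of the referral chasing this slide describes, added here and taken neither from the presentation nor from any real LDAP server: the directories are plain Go structs, the DNs and the two sample entries are constructed, and resolve walks subordinate and "else superior" referrals with a hop limit, so the loop that an "else" clause on a content directory would cause is made visible instead of hanging the client.

```go
package main

import (
	"fmt"
	"strings"
)

// dir models one server in the registry: a referral directory that only knows where to
// send a client, or a content directory that holds entries. Hypothetical model, not real LDAP.
type dir struct {
	context  string          // naming context the server is responsible for ("" is Top)
	content  bool            // true: content directory; false: referral directory
	subs     map[string]*dir // subordinate referrals keyed by the next RDN below context
	superior *dir            // the "else superior" referral; nil means no else clause
	entries  map[string]bool // entries held (content directories only)
}

// rdns splits a DN into RDNs from the root down: "ou=FBCA, o=US Govt, c=us" -> [c=us, o=US Govt, ou=FBCA].
func rdns(dn string) []string {
	if strings.TrimSpace(dn) == "" {
		return nil
	}
	parts := strings.Split(dn, ",")
	out := make([]string, len(parts))
	for i, p := range parts {
		out[len(parts)-1-i] = strings.TrimSpace(p)
	}
	return out
}

func hasPrefix(dn, ctx []string) bool {
	if len(ctx) > len(dn) {
		return false
	}
	for i := range ctx {
		if dn[i] != ctx[i] {
			return false
		}
	}
	return true
}

func (d *dir) label() string {
	if d.context == "" {
		return "(Top)"
	}
	return d.context
}

// resolve chases referrals from start until a content directory answers for dn. It returns the
// servers visited and an error on "no such object", a dead end, or a referral loop (caught by maxHops).
func resolve(start *dir, dn string, maxHops int) ([]string, error) {
	target := rdns(dn)
	var hops []string
	for d := start; d != nil; {
		hops = append(hops, d.label())
		if len(hops) > maxHops {
			return hops, fmt.Errorf("referral loop after %d hops", len(hops))
		}
		ctx := rdns(d.context)
		switch {
		case !hasPrefix(target, ctx): // dn is outside this subtree: the only way is up
			d = d.superior
		case d.content:
			if d.entries[dn] {
				return hops, nil
			}
			d = d.superior // nil in a correct registry: stop here with "no such object"
		case len(target) > len(ctx) && d.subs[target[len(ctx)]] != nil:
			d = d.subs[target[len(ctx)]]
		default:
			d = d.superior
		}
	}
	return hops, fmt.Errorf("no such object or no referral for %q", dn)
}

// buildRegistry sets up the slide's tree (the parts needed here) with constructed sample entries.
func buildRegistry() (top, fbca *dir) {
	top = &dir{subs: map[string]*dir{}}
	edu := &dir{context: "dc=edu", superior: top, subs: map[string]*dir{}}
	us := &dir{context: "c=us", superior: top, subs: map[string]*dir{}}
	govt := &dir{context: "o=US Govt, c=us", superior: us, subs: map[string]*dir{}}
	top.subs["dc=edu"], top.subs["c=us"], us.subs["o=US Govt"] = edu, us, govt
	// Content directories: superior left nil, i.e. no "else" clause.
	edu.subs["dc=ucop"] = &dir{context: "dc=ucop, dc=edu", content: true,
		entries: map[string]bool{"cn=CA, dc=ucop, dc=edu": true}}
	fbca = &dir{context: "ou=FBCA, o=US Govt, c=us", content: true,
		entries: map[string]bool{"cn=FBCA, ou=FBCA, o=US Govt, c=us": true}}
	govt.subs["ou=FBCA"] = fbca
	return top, fbca
}

func main() {
	top, fbca := buildRegistry()
	fmt.Println(resolve(top.subs["dc=edu"], "cn=FBCA, ou=FBCA, o=US Govt, c=us", 10)) // up via else-superior, then down
	fmt.Println(resolve(top, "cn=nobody, ou=FBCA, o=US Govt, c=us", 10))              // no such object, no loop
	fbca.superior = top.subs["c=us"].subs["o=US Govt"]                                 // the forbidden else clause
	fmt.Println(resolve(top, "cn=nobody, ou=FBCA, o=US Govt, c=us", 10))              // now loops
}
```

Starting at dc=edu and asking for the FBCA entry shows why referral directories get the "else superior" clause: the client climbs to Top and descends c=us, o=US Govt, ou=FBCA. Giving the FBCA content directory that same clause turns a missing entry into an endless bounce between it and its superior, which is exactly the loop the slide rules out; a real client would want the same kind of hop limit as defence in depth.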

Slide 10

HEBCA BID

Board of Instantiation and Development: 10-12 CIOs, techies, lawyers (the usual suspects); 1 year to make HEBCA production.

– Governance
– Stand up Policy/Operational Authorities
– Service (business plan, structure, fees, management)
– Cross-certify with FBCA
– Funding and technical development issues
  • Application interfaces, discovery, blah blah blah

Slide 11

HEBCA Issues

• Certificates in Directories
  – Gietz: break out cert data into directory objects (searchable certs)
  – Chadwick: Certificate Parsing Server
  – Likely a major impact on the Bridge CA model
• OpenSSL/OpenCA to be "bridge aware"
• Registry of Directories (Next-Gen)

Slide 12

HEBCA Issues

• Deploy
  – Web server plugin (Apache)
  – Email validator (server based, on receipt); Bill Weems and crew; many apps
• Application Integration
  – CAM/DAVE extensions (server validation)
  – OCSP, XKMS, SCVP, Novomodo, blah blah
  – Understanding Java 1.4 and WinXP
  – Develop appropriate APIs
  – Browser awareness!!!!
