




PKI in US Higher Education
TAGPMA Meeting, March 2006, Rio De Janeiro, Brazil

2. HEBCA: Higher Education Bridge Certificate Authority
- Bridge Certificate Authority for US Higher Education
- Modeled on FBCA
- Provides cross-certification between the subscribing institution and the HEBCA root CA
- Flexible policy implementations through the mapping process
- The HEBCA root CA and infrastructure hosted at Dartmouth College
- Facilitates inter-institutional trust between participating schools
- Facilitates inter-federation trust between US Higher Education community and external entities

3. HEBCA Project - What will it provide?
- The HEBCA Project will create and maintain three new Certificate Authority (CA) systems for EDUCAUSE and will also house the existing HEBCA Prototype CA
- The three CA systems to be created are:
  - HEBCA Test CA
  - HEBCA Development CA
  - HEBCA Production CA
- The HEBCAs will be used to cross-certify Higher Education PKI trust anchors to create a bridged trust network
- The HEBCA Test CA will also be cross-certified with the Prototype FBCA (other emerging Bridge CAs are also targets) and the HEBCA production CAs will be cross-certified with the production FBCA.

4. HEBCA Project - What does it look like?
(Artist's impression only)

5. HEBCA Policy Authority
- The HEBCA PA establishes policy for and oversees operation of the HEBCA.
- HEBCA PA activities include:
  - approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the HEBCA
  - set policy for accepting applications for cross-certification and interoperation with the HEBCA
  - certify the mapping of policy between the HEBCA CP and applicants' CPs
  - establish any needed constraints in cross-certification documents
  - represent the HEBCA in establishing its own cross-certification with other PKI bridges
  - set policy governing operation of the HEBCA
  - oversee the HEBCA Operational Authority
  - keep the HEBCA Membership and the HEPKI Council informed of its decisions and activities.

6. HEBCA Operating Authority
The HEBCA OA is the organization that is responsible for the issuance of HEBCA certificates when so directed by the HEBCA PA, the posting of those certificates and any Certificate Revocation Lists (CRLs) or Certificate Authority Revocation Lists (CARLs) into the HEBCA repository, and maintaining the continued availability of the repository to all parties relying on HEBCA certificates.
Specific responsibilities of the HEBCA OA include:
- Management and operation of the HEBCA infrastructure;
- Management of the registration process;
- Completion of the applicant identification and authentication process; and
- Complying with all requirements and representations of the Certificate Policy.
Key personnel from the Dartmouth PKI Laboratory were chosen as the HEBCA Operating Authority by the HEBCA PA under the direction of EDUCAUSE (the project sponsor).

7. HEBCA - What is the value presented by this initiative?
- HEBCA facilitates a trust fabric across all of US Higher Education so that credentials issued by participating institutions can be used (and trusted) globally
  - e.g. signed and/or encrypted email, digitally signed documents (paperless office), etc. can all be trusted inter-institutionally and not just intra-institutionally
- Extension of the Higher Education trust infrastructure into external federations is also possible, and proof-of-concept work with the FBCA (via BCA cross-certification) has demonstrated this inter-federation trust extension
- Single credential accepted globally
- Potential for stronger authentication and possibly authorization of participants in grid-based applications
- Contributions provided to the Path Validation and Path Discovery development efforts
- Facilitates compliance with legal requirements (GPEA, HIPAA)

8. USHER: US Higher Education Root
- Trusted Root for US Higher Education
- Only signs subordinate CA certificates
- Bootstraps institutional PKIs by providing policy infrastructure and a CA
- The USHER root CA and infrastructure hosted at Dartmouth College
- Facilitates inter-institutional trust between participating schools
- Different levels of assurance supported

9. USHER Project - What will it provide?
- The USHER Project will create and maintain four new Certificate Authority (CA) systems for Internet2 and will share the existing HEBCA infrastructure
- The four CA systems to be created are:
  - USHER Foundation CA
  - USHER Basic CA*
  - USHER Medium CA*
  - USHER High CA*
  (* Not officially named yet)
- The USHERs will be used to provide institutions of higher education PKI trust anchors with a common policy
- The USHER CAs may also be potentially cross-certified with the HEBCA to allow interoperation outside the USHER community.

10. USHER Policy Authority
- The USHER PA establishes policy for and oversees operation of the USHER initiatives.
- USHER PA activities include:
  - approve and certify the Certificate Policy (CP) and Certification Practices Statement (CPS) for the USHER
  - set policy for accepting applications for CA issuance under USHER CAs
  - represent the USHER in establishing cross-certification with other PKI bridges, e.g. HEBCA
  - set policy governing operation of the USHER CAs
  - oversee the USHER Operational Authority
  - keep the USHER Membership informed of its decisions and activities.

11. Solving Silos of Trust
[Diagram; labels: Dept-1, Institution, SubCA, CA, USHER, HEBCA, FBCA]

12. Proposed Inter-federations
[Diagram; labels: FBCA, CA-1, CA-2, CA-n, Cross-cert, HEBCA, Dartmouth, Wisconsin, Texas, Univ-N, UVA, USHER, DST ACES, Cross-certs, SAFE, Aero, NIH, CA-1, CA-2, CA-3, CA-4]

13. HEBCA Project - Overview
[Two diagrams of the directory architecture; labels: HEBCA PA and CP oversight, HEBCA Infrastructure, FBCA PA and CP oversight, FBCA Infrastructure, CA, Root Cert, Cross Cert Pair, CRLs, HEBCA Directory, FBCA Directory, Border Dir, University 1 PKI, University 2 PKI, FBCA PKI, HEBCA PKI, DST ACES PKI, Other Cross-Certified PKIs, RoD, Referral]
- X.500 DSP Protocol (Chaining Agreements) between FBCA and Cross-Certified PKI provider
- X.500 Based Directory: Directories Interconnect via Chaining (X.500 DSP)
- LDAP Based Directory: Utilizing the Registry of Directories, Utilizing LDAP Referrals

14. HEBCA Project - Progress
What's been done so far?
- Operational Authority (OA) contractor engaged (Dartmouth PKI Lab)
- MOA with commercial vendor for infrastructure hardware (Sun)
- MOA with commercial vendor for CA software and licenses (RSA)
- Policy Authority formed
- Prototype HEBCA operational and cross-certified with the Prototype FBCA (new Prototype instantiated by HEBCA OA)
- Prototype Registry of Directories (RoD) deployed at Dartmouth
- Draft of Production HEBCA CP produced
- Draft of Production HEBCA CPS produced
- Preliminary Policy Mapping completed with FBCA
- Test HEBCA CA deployed and cross-certified with the Prototype FBCA
- Test HEBCA RoD deployed
- Production HEBCA development phase underway
- Infras