dec 0103

Upload: navneet-bali

Post on 06-Apr-2018


8/3/2019 Dec 0103

For E2001 Evolving Technology Committee site:

Mark Luker

What is a Public Key Infrastructure, or PKI?

A PKI is a collection of technical services, policies, and business practices that can be used together to provide for networked communications many of the legal and business capabilities that have long been assumed in the paper world. These are often summarized in five concepts. Authentication assures that the persons or resources involved in a networked communication have been identified correctly. Authorization assures that persons and systems have the proper permissions to perform the requested activities. Data integrity assures that the content has not been altered, either on purpose or by accident. Confidentiality assures that the content is available only to the intended audience. Non-repudiation assures that the signer of a message cannot later deny signing it. Together, these capabilities establish for networked communications the social and legal fabric provided by signatures, witnesses, the notary public, sealing wax, and other technologies in traditional communications. Such assurances are absolutely required in order to use the network for the full range of business and academic communications.

Applications in higher education

There are many potential applications of PKI in higher education. These include most situations that now require "wet" or ink signatures, including promissory notes, financial authorizations, grades, personnel evaluations, license agreements, and contracts. A PKI can also be used to replace passwords in present networked applications that control access to networked resources. The complete suite of services will be required for full implementation of distributed learning applications, in which students, institutions, content, questions and responses, tests and evaluations all must be correctly matched and identified without recourse to face-to-face recognition. More mundane, but equally important, applications arise as institutions shift much of their normal business administration to the network. Of particular importance will be a large set of communications that involve education institutions and the federal government, such as student financial aid and research administration, since the federal government is moving rapidly to adopt PKI as one way to reduce paper transactions. PKI will also play an important role in protecting the security of the network itself from attack or accident through a much more rigorous regimen of identification and authorization between system components and network administrators.

The present state of PKI in higher education

PKI technology is now available on the market in the form of products that can be purchased and operated on campus as well as services that are operated by offsite providers. Prices are falling rapidly even while capabilities expand in a growing competitive marketplace. Several campuses and even entire systems have embarked on their first implementation of a PKI. These initial efforts might best be characterized as prototypes or pilot projects, however, since they often do not yet include the business process re-engineering required for full-scale implementation.

One significant barrier to implementation is the complexity of the technology and policy foundation required for PKI. Campuses face a steep learning curve and a complex array of alternative implementations. Staff members with expertise in the technical and policy issues of PKI are few and far between, even at our largest institutions. Standards for PKI exist at a technical level, but have not yet been established for content and policies. Most institutions will use LDAP directories, for example, to store an authoritative view of the members of their community and X.509v3 certificates to communicate technical information required for authentication and digital signatures. There is no technical standard, however, for exactly how such information is to be represented in the directories or certificates. This presents a significant barrier to PKI-enabled communications between institutions.

Implementing PKI across the community of higher education

Several organizations are currently working in collaboration on the development of standardized, simplified approaches to PKI that will make it easier for an institution to adopt these technologies and will result in systems that can communicate between campuses themselves and partners in the federal government and industry. One key group is an informal collaboration called the Higher Education PKI group (http://www.educause.edu/hepki/) involving the EDUCAUSE Net@EDU PKI Working Group, the Internet2 Middleware Project, and CREN, as well as representatives of the Federal PKI Steering Committee and several corporate partners. Campus members of HEPKI organizations are working on common approaches to both technology and policy for PKI. They are also developing an initial standard called eduPerson (http://www.educause.edu/eduperson/) for the content of campus directories. Initial contacts have been made with related stakeholder organizations such as the National Association of College and University Attorneys, the National Council of University Research Administrators, the National Association of College and University Business Officers, the American Association of Collegiate Registrars and Admissions Officers, and the American Council on Education. The goal is to cooperate in a common definition of policies and technology standards for PKI to facilitate communications across the entire community later.

Another community project of considerable interest is the definition of a Higher Education Bridge Certification Authority, modeled on a similar Federal Bridge Certification Authority. This project, under the policy umbrella of EDUCAUSE, should greatly reduce the complexity of PKI for individual institutions by providing a framework for translating authentication information from one implementation of PKI to another. Although these projects are in the early stages of definition and testing, they point to a common understanding and approach to the issues involved.
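Added example (mine, not code from Mark Luker's paper or from any EDUCAUSE, HEPKI or bridge CA project): a self-contained Go program that builds two independent campus PKIs and a bridge CA in memory, cross-certifies them, and shows that a student certificate issued by one campus validates at the other campus only when the cross-certificates through the bridge are available. That is the trust translation the bridge paragraph above describes, with the same X.509v3 certificates the earlier section mentions. The program also signs and verifies a record with the student's certificate, which is the data-integrity and non-repudiation service listed in the opening section. Every CA name, user name and record text is constructed for the example; the certificate profile is deliberately minimal and carries none of the policy content the text says has yet to be standardized.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate skeleton; CA templates get the usages that path validation requires.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, // non-repudiation bit
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl over pub with signer (the parent's key); parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

type HEPKI struct { // what a relying party at Campus A holds, plus the student's own signing key
	RootA, CrossAtoBridge, CrossBridgeToB, Student *x509.Certificate
	StudentKey                                     *ecdsa.PrivateKey
}

// BuildPKI creates two campus PKIs and a bridge CA in memory (all names constructed) and cross-certifies them.
func BuildPKI() *HEPKI {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	keyA, keyB, keyBr, keyS := gen(), gen(), gen(), gen()
	tA, tB, tBr := template("Campus A Root CA", true), template("Campus B Root CA", true), template("HE Bridge CA", true)
	rootA, rootB := issue(tA, tA, &keyA.PublicKey, keyA), issue(tB, tB, &keyB.PublicKey, keyB)
	bridge := issue(tBr, tBr, &keyBr.PublicKey, keyBr)
	// A cross-certificate carries another CA's name and key but is signed by the issuing CA, so a
	// relying party can walk from its own root to a foreign CA one hop at a time.
	return &HEPKI{
		RootA:          rootA,
		CrossAtoBridge: issue(template("HE Bridge CA", true), rootA, &keyBr.PublicKey, keyA),
		CrossBridgeToB: issue(template("Campus B Root CA", true), bridge, &keyB.PublicKey, keyBr),
		Student:        issue(template("student@campus-b.example", false), rootB, &keyS.PublicKey, keyB),
		StudentKey:     keyS,
	}
}

// VerifyAcrossBridge validates the student certificate while trusting only Campus A's root and
// returns the validated path, leaf first; without the cross-certificates no path exists.
func VerifyAcrossBridge(p *HEPKI, useBridge bool) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.RootA)
	if useBridge {
		inters.AddCert(p.CrossAtoBridge)
		inters.AddCert(p.CrossBridgeToB)
	}
	chains, err := p.Student.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// SignRecord is the student's replacement for an ink signature on a record.
func SignRecord(p *HEPKI, record []byte) []byte {
	h := sha256.Sum256(record)
	return must(ecdsa.SignASN1(rand.Reader, p.StudentKey, h[:]))
}

// CheckRecord verifies with the key bound in the certificate: an altered record or another signer fails.
func CheckRecord(p *HEPKI, record, sig []byte) bool {
	return p.Student.CheckSignature(x509.ECDSAWithSHA256, record, sig) == nil
}

func main() {
	p := BuildPKI()
	chain, err := VerifyAcrossBridge(p, true)
	_, noBridge := VerifyAcrossBridge(p, false)
	fmt.Println(len(chain), "certificates in path, anchor:", chain[len(chain)-1].Subject.CommonName, "| errors:", err, noBridge)
	note := []byte("constructed promissory note: the student accepts the stated terms")
	sig := SignRecord(p, note)
	fmt.Println("signature valid:", CheckRecord(p, note, sig), "| after tampering:", CheckRecord(p, note[1:], sig))
}
```

Run it with `go run` (Go 1.18 or later, for the generic `must` helper). With the cross-certificates present the validated path is student, Campus B Root CA, HE Bridge CA, Campus A Root CA; with them absent the library reports an unknown authority, which is exactly the inter-campus gap the text describes. A production bridge adds what this omits: certificate policies and policy mappings in the cross-certificates, name constraints, and revocation checking, all of which depend on the content standards the paper says are still being worked out.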

The timing of PKI

The technical components of a campus PKI now can be purchased or outsourced in a matter of months. A working implementation usually takes much longer, however, because it depends on the creation of an authoritative institutional directory of persons and services, a new set of policies and business practices to govern its use, and a set of PKI-enabled applications that can take advantage of such capabilities. These parts of the problem are typically much more difficult than the technical platform because they require significant institutional change. The implementation of a new ERP has many similar features. Boundaries of authority for standardization make it relatively easier to introduce PKI applications within a campus and more difficult between campuses.

It will be more than a few years before higher education has established PKI as a common foundation for all of its critical communications and transactions. There is pressure today to get started, however, in the form of emerging federal systems that may require PKI, state laws that require digital signatures, privacy regulations that increase campus liability for security lapses, and the simple savings to be enjoyed by the transition to e-commerce. It can be expected, then, that many institutions will adopt PKI for parts of their operations in the next few years and gradually expand their capabilities as PKI-enabled applications become more commonly available in the market. Fortunately for higher education, the same technologies and services are under rapid development in the commercial marketplace to serve the general needs of e-commerce.