![Page 1: PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado](https://reader035.vdocuments.net/reader035/viewer/2022062511/551b84cc550346167e8b4c2c/html5/thumbnails/1.jpg)
PKI: A High Level View from the Trenches
Ken Klingenstein,
Project Director, Internet2 Middleware Initiative
Chief Technologist, University of Colorado at Boulder
Agenda
• Fundamentals - Components and Contexts
• The missing pieces - in the technology and in the community
• Current Activities - feds, chime, anx, overseas, pkiforum, etc.
• Higher Ed Activities (CREN, HEPKI-TAG, HEPKI-PAG, Net@edu, PKIlabs)
PKI : A few observations
• Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack… But it is that ubiquitous and important
• Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITP’s...
• Options breed complexity; managing complexity is essential
A few more...
• IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder.
• No one seems to be working on the solutions for the agora.
Uses for PKI and Certificates
• authentication and pseudo-authentication
• signing docs
• encrypting docs and mail
• non-repudiation
• secure channels across a network
• authorization and attributes
• and more...
A framework
• PKI Components - hardware, software, processes, policies
• Contexts for usage - community of interests
• Implementation options (in-source, out-source, roll-your-own, etc.)
• Note changes over time...
PKI Components
• X.509 v3 certs - profiles and uses
• Validation - Certificate Revocation Lists, OCSP, path construction
• Cert management - generating certs, using keys, archiving and escrow, mobility, etc.
• Directories - to store certs, and public keys and maybe private keys
• Trust models and I/A
• Cert-enabled apps
PKI Contexts for Usage
• Intracampus
• Within the Higher Ed community of interest
• In the Broader World
PKI Implementation Options
• In-source - with public domain or campus unique
• In-source - with commercial product
• Bring-in-source - with commercial services
• Out-source - a spectrum of services and issues
• what you do depends on when you do it...
Cert-enabled applications
• Browsers
• Authentication
• S/MIME email
• IPsec and VPN
• Globus
• Secure multicast
X.509 certs
• purpose - bind a public key to a subject
• standard fields
• extended fields
• profiles
• client and server cert distinctions
Standard fields in certs
• cert serial number
• the subject, as x.500 DN or …
• the subject’s public key
• the validity field
• the issuer, as id and common name
• signing algorithm
• the signature over the cert, made with the issuer’s private key
Extension fields
• Examples - auth/subject subcodes, key usage, LDAP URL, CRL distribution points, etc.
• Key usage is very important - for digsig, non-rep, key or data encipherment, etc.
• Certain extensions can be marked critical - if an app can’t understand it, then don’t use the cert
• Requires profiles to document, and great care...
Cert Management
• Certificate Management Protocol - for the creation and management of certs
• Revocation Options - CRL, OCSP
• Storage - where (device, directory, private cache, etc.) and how - format
• escrow and archive - when, how, and what else needs to be kept
• Cert Authority Software or outsource options
• Authority and policies
Certificate Management Systems
• Homebrews
• OpenSSL and OpenCA
• Baltimore, Entrust, etc.
• W2K, Netscape, etc.
Directories
• to store certs
• to store CRL
• to store private keys, for the time being
• to store attributes
• implement with border directories, or acls within the enterprise directory, or proprietary directories
Inter-organizational trust model components
• Certificate Policy - uses of particular certs, assurance levels for I/A, audit and archival requirements
• Certificate Practices Statement - the nitty gritty operational issues
• Hierarchies vs Bridges
  • a philosophy and an implementation issue
  • the concerns are transitivity and delegation
  • hierarchies assert a common trust model
  • bridges pairwise agree on trust models and policy mappings
Certificate Policies (CP) Address
• Legal responsibilities and liabilities (indemnification issues)
• Operations of Certificate Management systems
• Best practices for core middleware
• Assurance levels - vary according to I/A processes and other operational factors
Certificate Practice Statements (CPS)
• Site specific details of operational compliance with a Cert Policy
• A single practice statement can support several policies (Chime)
• A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.
Trust chains
• Path construction
  • to determine a path from the issuing CA to a trusted CA
  • heuristics to handle branching that occurs at bridges
• Path validation
  • uses the path to determine if trust is appropriate
  • should address revocation, key usage, basic constraints, policy mappings
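As an added illustration (not code from the talk) of the critical-extension rule on the Extension fields slide and of path construction and validation as described above, the Go program below uses only the standard library's crypto/x509 to issue a constructed two-cert chain (campus CA, user cert) and validate it against the CA as trust anchor; the names, serials and the 2.999 example OID arc are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// sign issues tpl under parent (pass tpl as its own parent for a self-signed root) and parses the result.
func sign(tpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced a moment ago; parsing cannot fail
	return c
}

// ValidatePath builds a constructed two-level chain (campus CA -> user cert) and validates it with the
// CA as the only trust anchor. With unknownCritical set, the user cert carries a critical extension the
// validator does not understand, so validation must fail instead of silently ignoring it.
func ValidatePath(unknownCritical bool) ([][]*x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		// basic constraints mark it as a CA; key usage limits the key to cert and CRL signing
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := sign(caTpl, caTpl, caPub, caKey)
	userTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "jdoe (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		// end-entity profile: digital signature only, for client authentication
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if unknownCritical { // 2.999 is the OID arc reserved for examples; the value is a DER NULL
		userTpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 999, 1}, Critical: true, Value: []byte{5, 0}}}
	}
	leaf := sign(userTpl, ca, userPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
}
```

Verify performs both steps from the slide: it constructs the path from the user cert to the trusted CA, then checks signatures, validity, basic constraints and key usage, and refuses the cert outright when it meets a critical extension it cannot process.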
Trust chains
• When and where to validate
  • off-line, on a server, at the discretion of the application
  • depth of chain
• some revocations better than others - major (disaffiliation, key compromise, etc.) and minor (name change, attribute change)
• sometimes the CRL can’t be found or hasn’t been updated
Mobility Options
• smart cards
• usb dongles
• passwords to download from a store or directory
• proprietary roaming schemes abound - Netscape, Verisign, etc.
• SACRED within IETF recently formed for standards
• integration of certificates from multiple stores
More current activities
• HEPKI
• the Grid
Current Activities
• PKIX (http://www.ietf.org/html.charters/pkix-charter.html)
• Federal PKI work (http://csrc.nist.gov/pki/twg/)
• State Govs (http://www.ec3.org/)
• Medical community (Tunitas, CHIME, HIPAA)
• Automobile community (ANX)
• Overseas
  • Euro government - qualifying certs
  • EuroPKI for Higher Ed (http://www.europki.org/ca/root/cps/en_index.html)
All the stuff we don’t know…
• Revocation approaches
• Policy languages
• Standard profiles
• Mobility
• Path math
• User interface
PKI and Higher Ed
• ah, the public sector life…
• Key issues
• Current activities
ah, the public sector…
• almost universal community of interests
• cross-agency relationships
• complex privacy and security issues
• limited budgets and implementation options
• sometimes ahead of the crowd and the obligation to build a marketplace
Key issues
• trust relationships among autonomous organizations
• interoperability of profiles and policies
• interactions with J.Q. Public
• international governance issues