Overview of PKI progress in Higher Education

Library Hi Tech News

ISSN: 0741-9058

Article publication date: 1 January 2001


Citation

Hermann, J. (2001), "Overview of PKI progress in Higher Education", Library Hi Tech News, Vol. 18 No. 1. https://doi.org/10.1108/lhtn.2001.23918aac.013

Publisher: Emerald Group Publishing Limited

Copyright © 2001, MCB UP Limited



Jeanne Hermann


The Net@EDU PKI for Networked Higher Education working group is focused on developing and documenting best practices for implementation of PKI in higher education. This session gave a summary of the progress the working group, along with Internet2 and CREN, has made in the last year.

Public key infrastructure, or PKI, is a system of digital certificates, certificate authorities, and other registration authorities that together provide verification and authentication of the parties involved in Internet transactions. PKIs are still evolving; there is not yet a common standard for setting up a PKI. The main thrust of the Net@EDU PKI working group has been to help establish a system of certificate authorities, policies and practices, and trust models, and to publicize best practices for the generation, revocation, management and storage of private keys and certificates. When PKI is used within a single institution, one authority can decide these issues internally; when PKI is used between institutions, an agreed system must be in place for the interacting institutions to operate as one. Implementing a system that reconciles the requirements of the participating institutions will require some standardization at each level of the PKI: certificate structure, certificate policies, certificate issuing and acceptance practices, and trust models. The working group has begun to address each of these issues.

Certificate Structure

The committee suggested using a standardized LDAP object class named eduPerson when building certificates. The eduPerson object has attributes characteristic of most people on a higher education campus today and can be found at http://www.educause.edu/eduperson. Additionally, a document called the LDAP recipe describes some of the group's efforts to provide a common directory schema and deployment; it can be found at http://www.georgetown.edu/giia/internet2/ldap-recipe/. Certificates issued by certificate authorities (CAs) would contain as much or as little of this information as the CA desired; the important point is that all information would follow the same structure and nomenclature. It is also recommended that domain component naming be used to include the issuing institution's domain name in the certificate. Including the issuing institution's domain name would allow enabled applications to query the issuing institution's LDAP directory after receiving the certificate. The LDAP query would be scoped by the issuing institution, and this approach allows a minimum of personal data to be stored in the certificate itself.
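The domain component naming described above is what lets a relying application find the issuing institution's directory from the certificate alone. The following is an added example, not code from the working group or the Net@EDU project: it parses a subject DN in RFC 4514 string form, reassembles the dc= components into the issuer's domain, flags attributes that should have stayed in the directory rather than the certificate, and builds an RFC 4516 LDAP URL that requests only named eduPerson attributes. The DN values, the allow-list of subject attribute types, and the eduPerson attribute names are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote

# Split on commas that are not escaped with a backslash (RFC 4514 string form).
_RDN_SPLIT = re.compile(r"(?<!\\),")

# Attribute types a minimal subject would carry; anything else (mail, phone, ...)
# belongs in the institution's directory, not in the certificate.
# This allow-list is an assumption for the example, not a published Net@EDU rule.
SUBJECT_ALLOWED = {"cn", "uid", "ou", "o", "dc"}


def parse_dn(dn):
    """'cn=Jane Doe,ou=People,dc=example,dc=edu' -> [('cn', 'Jane Doe'), ...]."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Lower-case the type for comparison; unescape '\,' inside the value.
        pairs.append((attr_type.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def issuer_domain(dn):
    """Reassemble the dc= components into the issuing institution's domain name."""
    dcs = [v for t, v in parse_dn(dn) if t == "dc"]
    if not dcs:
        raise ValueError("no domain component in subject; issuer directory unknown")
    return ".".join(dcs)


def excess_attributes(dn):
    """Attribute types present in the subject that should have stayed in LDAP."""
    return sorted({t for t, _ in parse_dn(dn)} - SUBJECT_ALLOWED)


def directory_lookup_url(dn, attrs=("eduPersonAffiliation", "eduPersonPrincipalName")):
    """RFC 4516 LDAP URL: look the subject up by its own DN in the issuer's
    directory, base scope, asking only for the attributes the application needs.
    Hostname is derived from the dc= components (constructed assumption: the
    institution serves LDAP at its bare domain name)."""
    host = issuer_domain(dn)
    return f"ldap://{host}/{quote(dn, safe='=,')}?{','.join(attrs)}?base"
```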

Certificate Policies

Certificate authorities must have written policies describing their technical systems: a Concept of Operations statement and a Certificate Policy. The Concept of Operations statement is an internal document describing the CA system design and architecture. The Certificate Policy (CP) describes all of the operating rules used in issuing certificates and contains the technical information needed to build and use the system. The CP is a public document that others may use when determining how far to trust the CA. Information on the latest progress can be found at http://www.educause.edu/hepki/.

Certificate Issuing and Accepting Practices

Certificate authorities must also have a statement of their procedures for issuing and accepting certificates. The Certification Practice Statement (CPS) describes certificate issuing and validation practices and is also a public document. The CPS lets other institutions judge the standard of operation at the issuing institution and, from that, the level of trust to place in the certificates it issues.

Trust Models

Interoperability between institutions using PKI can be facilitated through the use of a bridge CA. The bridge CA determines policy mapping between the bridge's participants. Two bridge CAs are being developed, the Federal Bridge Certificate Authority and the Higher Education Bridge Certificate Authority. These groups are working together to create the structure needed for them to assign trust levels to each other. A joint letter from CREN, CNI, UCAID, and EDUCAUSE has been sent to the Federal CIO Council as part of this interoperability initiative and can be found at http://www.educause.edu/netatedu/groups/pki/fedCIOcouncil.doc. The Federal group includes representatives from the Departments of Treasury, ONR, NIH, HHS, NSF, DE, and DoE.

Work towards implementing PKI in higher education continues, with EDUCAUSE working in the policy areas and CREN working in the certificate authority area. Functional uses of certificates include access tokens (libraries), session authentication, and email and file encryption; session integrity (SSL, TLS) and digitally signed objects are being explored. EDUCAUSE maintains information on the progress of its working groups PAG and TAG at http://www.educause.edu/hepki/. CREN has posted information about certificates and its new certificate authority service at http://www.cren.net/ca/index.html.

PKI is being used on many higher education campuses today. As we move towards inter-institutional interoperability, we will all need to be familiar with the technology and how it will enable us to bring better service to our clients. This seminar gave an extensive overview of progress in PKI policy development over the past year. The diversity of people in attendance attests to the broad effects PKI will have.

Information about the Net@EDU PKI working group can be found at http://www.educause.edu/netatedu/groups/pki.

Jeanne Hermann is Director, Computing Systems, University of Tennessee Health Science Center, Memphis, Tennessee. jhermann@utmem.edu
