
Higher Education PKI
Technical Activities Group
(HEPKI-TAG)

A Joint Project of Internet2, EDUCAUSE, and Net@EDU

 


PKI Early Adopters' Initiative: Call for Proposals (PDF)

Charter

HEPKI-TAG was created to investigate technical issues related to the deployment of Public Key Infrastructure in Higher Education. Some of the suggested topics include:
  • Open Source CA software
  • Interactions with directories
  • Client customization issues
  • Validity periods
  • Technical issues in cross-certification
  • Inter-institutional testbeds
  • Recommendations for higher education PKI deployments

NOTE WELL: All Internet2 Activities are governed by the Internet2 Intellectual Property Framework.


Working Group Chair
Jim Jokl, University of Virginia
Working Group Flywheel
Steve Olshansky, Internet2

Mailing List

To subscribe to the HEPKI-TAG mailing list, send email to pubsympa at internet2 dot edu, with the *subject line*:

subscribe <list name> <your name>

For example:

subscribe hepki-tag Jane Doe

To unsubscribe, send email to pubsympa at internet2 dot edu, with the *subject line*:

unsubscribe hepki-tag

Completed Projects

For more information on the status of these documents, see the Internet2 Document Guidelines. For reference see also the Internet2 Document Library.

  • Certificate Profile Maker (CPM) 1.1 (Part of NSF Middleware Initiative - NMI)
    A CGI program package for creating a certificate profile in XML format. It simultaneously produces a sample X.509 certificate in XML format according to the certificate profile. CPM supports almost all of the standard extensions defined in RFC 2459. Additional information about the Certificate Profile Maker is available in the README file. [Description || Service || Download]

  • Two mechanisms for installing a root certificate into Internet Explorer
    Schools planning to issue SSL server certificates as part of their PKI project may want to read this section on alternatives for the installation of campus root certificates into Internet Explorer. The less frequently used mechanism is likely to be the process that is easiest for your users to complete successfully. We use the CREN root certificate for the download demo and provide the code that implements the less frequently used mechanism.
  • PKI-Lite Campus Public Key Infrastructure Framework (Part of NSF Middleware Initiative - NMI)
    PKI-Lite focuses on employing PKI technology for standard assurance applications that already have established and implemented requirements for initial user authentication and overall system security. The idea behind the PKI-Lite effort is that one of the barriers to more rapid deployment of PKI on many campuses is likely to be the relatively intense policy, user identity verification, and practices frameworks that are typically associated with PKI deployments. PKI-Lite recognizes that many useful applications can be supported by a Public Key Infrastructure based on a relatively brief policy and practices framework that emulates the mechanisms presently used on campus to operate most existing central authentication services. The PKI-Lite framework facilitates the use of strong cryptography within a school's traditional authentication practices environment and assurance levels.

    The certificate profiles listed below were developed as part of the PKI-Lite effort. They have been designed to support a wide range of likely PKI-enabled campus applications and have been reviewed by several schools that have implemented campus PKI systems. By using these profiles and following the recommendations for PKI implementors at the bottom of the documents, you will minimize the chance of running into interoperability problems with your deployment. These certificate profiles, updated with any local campus changes, should be incorporated into Section III of your PKI-Lite Policy and Practices document.

    See the PKI-Lite section below under Work In Progress for the draft PKI-Lite Implementation Recipe for additional helpful information.

    Also look in the References section below for pointers to open source Certificate Authority software.

Work in Progress

  • InCommon and Usher Certification Authority Draft Profiles
  • CA Private Key Protection
    A starting draft on CA Private Key Protection by Jeff Schiller at MIT.

  • Demonstration CA
    A demonstration CA issuing HEPKI certificates for testing and demonstration purposes by Eric Norman at Wisconsin. Eric has recently made the source code available for this CA. This CA is designed for demonstration purposes and isn't necessarily something that you should plan to download and install for a campus CA.

  • PKI-Lite Work in Progress
  • S/MIME Activities
  • PKI Bridge Trust Models and Windows XP
    • PKI Bridge Test Environment
      A test environment consisting of three hierarchical CAs, a bridge CA, a cross-certificate repository (HTTP and LDAP), and test certificates from the various CAs with differing Authority Information Access profiles, used to test the various possible configurations. All certificates and cross-certificates are available for download and further testing.

References: HEPKI-TAG Recommendations and Documents
TAG Recommendations

  • DC Naming

  • Certificate Profile Recommendations
    Work is presently in progress to develop a set of recommended profiles for identity certificates used in higher education. A collection of certificate profiles from various institutions is available here.

  • Browser Issues
    A document describing various credential management issues in current browsers with recommendations for browser implementors. A great reference for campus PKI developers.

Information and Suggestions for Institutional PKI Implementors

Some Recommended PKI and Related Reference Documents

Minutes of HEPKI-TAG Conference Calls

2006 2006 2007

 

2003 2004 2005
2000 2001 2002

© 1996 - 2010 Internet2 - All rights reserved