Technical Activities Group Meeting Minutes
HEPKI-TAG Internet2 Fall Member Meeting BoF

September 27, 2004
Discussion

Presentations will be posted at: http://events.internet2.edu/2004/fall-mm/sessionDetails.cfm?session=1705&event=219 when received.
Where is PKI being used?

Barry Ribbeck – UT – Health Science Center at Houston (UTHSC-H)

The University of Texas has entered into an agreement with VeriSign for a certificate to be issued as an institutional signing cert. Part of the intent is that they do not want to rely on individually signed certs when forcing password changes. They will issue an SSL-like cert with S/MIME capabilities for such purposes.

EDUCAUSE is working on an agreement with VeriSign that will allow any institution in the United States to leverage the same structure as UT has in standing up PKI.

A number of institutions using end user certs and running a CA on their campus were surveyed. The goals of the survey were to identify higher education institutions that have deployed production PKI and are issuing End Entity Certificates, to gather information from those institutions on the methods of deployment, support and management of their PKI, and to make that information available to higher education. The results of the survey are available online at: http://www.dartmouth.edu/%7Edeploypki/net_at_edu/PKISurvey/PKI_deployment_matrix.html. General information on PKI is available at: www.dartmouth.edu/~deploypki.

Shelly Henderson – University of Southern California (USC)

USC has a PKI-lite certificate authority, a posted certificate policy and practices statement at www.usc.edu/authx, and a web site for their Grid Computing project at www.usc.edu/uscgrid. They also have PubCookie through the NMI testbed, for online authentication.

They are working with Blackboard to Shibbify their Blackboard installation and have a Shibboleth origin that uses PKI for trust relationships, which they are using with Napster.

Jim Jokl – University of Virginia (UVa)

The first application of PKI at UVa was for authentication to VPN services. There is a chicken and egg problem with deploying PKI. Once users have certificates, their use can be mandated for a variety of things. But until users have the certificates, you don't want to make too many things mandatory. UVa considered a large cert rollout, but the price of commercial certs was too high at the time. They are doing a slow rollout of S/MIME, with a focus on signing e-mail rather than encryption.

Authentication for the wireless campus network was rolled out this summer. Currently there are up to 11,000 users. Wireless has become a significant driver for user adoption.

UVa is working on a high assurance CA, requiring in-person authentication. The user is issued a device on which the key pair is generated. The first use of the high assurance CA was for system administrators' access to certain systems. The second use is for certain School of Medicine servers.

Q: Are there any proximity devices that actually work in the hospital environment?

A: Not yet. There are tokens that have a timeout requiring a re-authentication. There are also experiments with biometric systems.

Q: Are there email clients that work with smart cards?

A: In general, email clients that use the operating system resident key store correctly will work. For example, in Windows, Outlook and Outlook Express work perfectly with smart cards since they use the Windows key store. The difficulty is that most other clients don't leverage the operating system key store.

HEPKI-TAG is looking for schools to send letters to Qualcomm, urging them to include an S/MIME certificate store in Eudora. Please contact Jim Jokl (jaj@virginia.edu) if you are interested.

Q: Are there other efforts that would be helpful to know about?

A: Secure Internet Live Conferencing (SILC) http://silcnet.org/. SILC is a conferencing and instant messaging protocol. It encrypts and authenticates both the client-to-server and server-to-server connections. Sending plain text or unprotected messages is not possible and security features of the protocol cannot be turned off. SILC also supports multimedia, videoconferencing, and MIME messages.

Q: Is there software to enforce encrypting student reports, HIPAA requirements etc.?

A: That is an issue that is policy, not technology driven. The goal is to get users to think of encryption as part of the transport cycle.

Cost has been perceived as a barrier to deploying PKI, though there has been more traction with PKI recently. PKI does have deployment costs, and they can be large, so the need for it must be carefully assessed. PKI does not by itself offer multi-level assurance authentication, but it does offer asymmetric cryptography as a mechanism for key exchange for secure authentication.

The HEPKI-TAG group's work in progress is located at: http://middleware.internet2.edu/hepki-tag/

There are links to documents on PKI-lite (a less policy-intensive version of PKI), S/MIME, and Certificate Policies.