Digital Certificate Operation in a Complex Environment
description
Transcript of Digital Certificate Operation in a Complex Environment
![Page 1: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/1.jpg)
03 December 2003
Digital Certificate Operation in a Complex Environment
Consultation/Stakeholders Meeting
3 December 2003
![Page 2: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/2.jpg)
03 December 2003
DCOCE
dΛ’kŊtfi:
Der-kot-chee
![Page 3: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/3.jpg)
03 December 2003
The DCOCE project
• DCOCE is about authentication with digital certificates
• Digital certificates use Public Key Infrastructure (PKI)– PKI is very secure
– but can be difficult to administer
![Page 4: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/4.jpg)
03 December 2003
The DCOCE project
• Digital certificates and PKI rely upon trust
• Trust relies upon co-operation (or understanding) between organisations
• Oxford University is a Complex Environment– DCOCE
– If it can work here...
![Page 5: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/5.jpg)
03 December 2003
What DCOCE is not about
• Authorisation– but…
• Single sign on– but…
• e-Science and the grid– but…
![Page 6: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/6.jpg)
03 December 2003
Project team
EvaluatorsAlun Edwards (OUCS)
Johanneke Sytsema (SERS)
• Based within the RTS at OUCS in collaboration with SERS
Project Manager
Mark Norman
Systems DeveloperChristian Fernau
![Page 7: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/7.jpg)
03 December 2003
Project partners
• Research Technologies Service at Oxford University Computing Services in collaboration with:
– the Systems and Electronic Resources Service at Oxford University Library Services (SERS)
– Manchester Information and Associated Services (ZETOC)
– the Athens Devolved Authentication Service (at EduServ)
– the Oxford e-Science Centre (OeSC)
![Page 8: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/8.jpg)
03 December 2003
What is DCOCE?
• 2-year project funded by the (Joint Information Systems Committee) – feasibility of using digital certificates for authentication
and simplified access to remote services
– researching and running a pilot of a PKI (public key infrastructure)
– evaluating and documenting all of the major stages and of the user experience
![Page 9: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/9.jpg)
03 December 2003
Why at Oxford?
• The complex environment is here…– the Departments and Colleges of the University of Oxford
• everyone may have a different requirement
• desires secure access to central IT support applications
• desires to optimise access to licensed content
• Oxford hosts regional e-Science Centre
– OUCS • secure access to web-based email; LDAP services; VPN service
• developing account management packages for RDN Subject Portals Project
• Information flow is very important to a PKI
![Page 10: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/10.jpg)
03 December 2003
Admin & LegalServices
Research Technologies Service
IT Support Staff servicesUser registration
Project Team
Stakeholder group
Oxford UniversityComputing Services
E-Science Centre
Library Services
![Page 11: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/11.jpg)
03 December 2003
Stakeholder group
• We need to know what you think:– are the ideas difficult?
– what do you think you need?
• Early 2004 we need people to trial the use of our digital certificates– to discover the advantages and difficulties as they
appear to you
![Page 12: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/12.jpg)
03 December 2003
Modelling
• Admin. architecture– select and review 4 PKI
implementations
– build an administration architecture model for Oxford
– Athens, MIMAS and OeSC to advise and review initial proposals for models
• System architecture– review the 4 PKI
implementations
– build a system architecture model for Oxford
– Athens, MIMAS and OeSC to advise and and review initial proposals for models
![Page 13: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/13.jpg)
03 December 2003
Development and implementation
• Implement, and develop, the systems and administrative processes to support a certificate life-cycle within a PKI– architectures
• very small-scale rollout
– a certification authority • initial testing
– OeSC to advise
![Page 14: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/14.jpg)
03 December 2003
Athens Devolved Authentication
• Enable access to remote resources subscribed to by Oxford compliant with Athens single sign-on (SSO) via digital certificate authentication– examine Athens requirements and standards
– ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted
![Page 15: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/15.jpg)
03 December 2003
MIMAS
• Enable access to remote Zetoc/British Library resources via digital certificate authentication mechanism– examine MIMAS/Zetoc requirements and standards
– ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted
![Page 16: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/16.jpg)
03 December 2003
Real-world rollout
• Distribute the certificates much more widely– test – examine revocation and recovery issues – document the issues arising
• Extensive set of users will receive certificates– IT support staff in devolved roles throughout the
University – selected end users of many types and roles
• Trial revocation and recovery/re-issuing mechanisms
• OeSC, Athens and MIMAS to advise
![Page 17: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/17.jpg)
03 December 2003
Certificate Policy Statement
• Develop and publish a detailed Certificate Policy Statement (CP) – in accordance with the Internet Engineering Task Force
PKI X.509 Certificate Policy and Certification Practice Statement (CPS) Framework
– produce an early draft of the CP• consult about trust issues
– final version of the CP will be produced after rollout
![Page 18: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/18.jpg)
03 December 2003
Legal and administrative issues
• Input from Oxford University Legal Services– issuing and revoking certificates – running the PKI– the final Certificate Policy Statement (CP)– the administration issues of managing:
• a registration authority • and certificate authority • and revocation list
– research legal and administration issues
• OeSC to advise
![Page 19: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/19.jpg)
03 December 2003
Evaluation and dissemination
• Technical and user-oriented evaluations– the implementation of PKI at UK HE establishments – final report
• Project progress report– successes and failures and points of difficulty
• Via web pages, email lists and at real 'events' – http://www.dcoce.ox.ac.uk/ Web site – [email protected] mailing list – Useful to others considering PKI within UK FE and HE
• formative evaluation of decisions made • summative evaluations
– decision-making processes and the experiences of end users etc.
![Page 20: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/20.jpg)
03 December 2003
Summary of deliverables
• Evaluation reports – for different stages of the process
• Policies – overall Certification Practice Statement (CPS)
• Systems architecture details – any open source adaptations
• Project Web site– http://www.dcoce.ox.ac.uk/
• Summative report – practical manual
![Page 21: Digital Certificate Operation in a Complex Environment](https://reader033.fdocuments.us/reader033/viewer/2022052414/56814816550346895db54200/html5/thumbnails/21.jpg)
03 December 2003
Ideas for discussion at the moment
• Sending server certificates on a CD-ROM • Ideas for a Local Institution Certificate Store • Ideas for issuing certificates (enrolling)