University of Virginia

PKI Matrix Questionnaire

We are surveying Higher Education Institutions that have deployed PKI for end users in order to develop a matrix of information to share among schools deploying PKI and those considering deploying PKI. We will publish the results of our survey in the PKI section of the Net@EDU web site. If you have a production PKI that is issuing end user certificates for production use in S/MIME and/or authentication, then please answer these questions and return your answers to [email protected] so we can share your experience and knowledge with others.

Your Institution

1. Name of your institution: University of Virginia

2. Name and contact information for person filling out the survey (we won’t publish this on the web): James Jokl – [email protected]

3. What is the size of your institution (total head count)? 30,000

The Decision to Deploy PKI

4. What specific use case(s) drove your institution’s decision to deploy PKI?

A desire for a secure modern infrastructure for authentication coupled with an early belief that digital signatures would be important for various business processes.

5. What was the business case to deploy PKI on your campus?

See #4 above

6. What other factors influenced your institution’s decision to deploy PKI?

The energy level on PKI in the federal government, the work being done within higher education, and interest at the state level at the time.

7. Who were your institution’s PKI champions, and why were they the champions?

A couple of directors were primarily interested in state-level interagency applications. Other directors were more focused on the campus-level deployment.

8. Was the decision to get started with PKI top-down or bottom-up?

It depends on the definition of “the top” and “the bottom”. The project idea began at the director level within central computing and was approved as part of the normal new project initiation process involving the VP/CIO.

9. How is your institution's management involved and to what degree?

They have been briefed about the project. One of the issues with some campus PKI efforts is that they are sometimes focused on PKI itself instead of the applications being enabled. Users and senior administration should not need to think in terms of PKI but instead in terms of the applications that are enabled or made more secure.

Implementation Information

10. Is your Certificate Authority internal or outsourced?

Both Certification Authorities are internal.

11. How is PKI being used within the institution, how is it planned to be used? Please list the applications.

Production: VPN authentication, some Web authentication, and limited SSH authentication
Being deployed now: EAP-TLS, S/MIME
In testing: Globus
Next possibly: Globus, Smart Card Windows login, Pubcookie and Shibboleth authentication

12. How long has your PKI been operational and what is its growth rate?

Since October 30, 2002. Rate unknown - ~5,000 certificates issued.

13. What policies did you put in place to support the use of PKI by end users?

No new policies were needed.

14. What policies have you been able to put in place because of your PKI capabilities?

No new policies were developed.

Cost Information

15. What was the cost of initial deployment? Please list FTE/PTE.

One FTE with part-time assistance from a project team.

16. What are ongoing operational costs? Please separately list equipment, FTE the ongoing costs to license or outsource each certificate per year?

Don’t know – it’s part of our basic support infrastructure. Certificate creation is in-sourced with our own code so there are no per-certificate costs and no software maintenance charges.

Certificate Management

17. What is your vetting process for end user certificates?

Standard Assurance CA (PKI-Lite): An on-line CA where users prove their knowledge of their netid and password along with a few other database attributes about themselves. Once they correctly provide the information on the web form, their certificate is immediately downloaded into their operating system.

High Assurance CA: Users must show picture ID before receiving the hardware token containing their private key and certificate. High assurance certs/keys are only available via tokens. The key pair is generated on the token.

18. What are the Levels of Assurance (LOAs) that your PKI supports?

PKI-Lite for the standard assurance CA and relatively high for the High Assurance CA. We have not done a formal evaluation on where these might fit into the Federal model.

19. What is your process for issuing end user certificates?

Standard Assurance CA: The user goes to a web site and enters authenticating information about themselves including Netid/Password and other attributes. After authentication: (a) Windows IE and Netscape browsers generate the key pair and certificate request, send the request to the CA where it is signed, and the certificate and the UVa certificate chain are automatically downloaded and installed; (b) Macintosh and Linux users are directed to a different interface to the CA where the certificate request and keypair are generated for them and a PKCS-12 containing their certificate, their keys, and the whole certificate chain is downloaded to their desktop via their browser. In all cases the user agrees via a click-through form to protect and not share their private key. A copy of the text from the form is emailed to the user.

High Assurance CA: The user makes a request. The Certification Authority prepares a Rainbow iKey hardware token, has the token generate the key pair, issues the certificate, and stores it on the iKey. The user then shows a photo ID, picks up the token, and signs a form where they acknowledge receiving the iKey, promise to protect it, to never share it or its password, etc., etc.

20. What is your process for revoking end user certificates?

User requests revocation and we revoke the certificate. Revocation is available for key compromise situations. When it matters, applications have authorization steps that enable them to not provide services to users with valid certificates who are no longer affiliated with the university.

21. What is your process for renewing end user certificates and how often?

Certificates from the Standard Assurance CA have a one-year lifetime. Users simply obtain a new certificate using the procedures described above. We email reminders a few weeks before their certificate is about to expire.

Certificates from the High Assurance CA are all based on hardware tokens, have a long life span, and thus do not require renewal. All High Assurance CA-authenticated applications include an authorization step that is validated/revalidated per the application’s policy.

22. Do you use two factor PKI (tokens, smartcards, biometrics)? If so, why did you implement two factor authentication, and why did you pick the type you did?

Standard Assurance CA: hardware tokens are supported by the CA but their use is rare and only for mobility purposes.

High Assurance CA: certificates are only issued on Rainbow iKey hardware tokens where the private key never leaves the device. We use the Rainbow iKey model 2032-FIPS device which does all crypto on the device, stores multiple certificates and keys, and is able to support Windows smart card login. Macintosh support is promised for the future. Two-factor authentication is a requirement for some applications – HIPAA and for certain types of access to our ERP.

Support

23. How do you provide support for end user PKI use?

Standard assurance certificates are supported via the help desk when needed. The use of high assurance certificates is supported by the user department’s technical support staff with our central group providing backup support only.

24. How do you support multiple end user computers (e.g. work, home, parents, friends, public)?

High Assurance CA: via the hardware tokens

Standard Assurance CA: when the operating system supports multiple user logins, it also generally protects keys for each user. We do not support certificates in our public computing labs.

Applications

25. Have you deployed S/MIME email?

We are starting a deployment now and have just released our first client build with support enabled. However, we have not started publicity yet. The questions below are answered based on our future plans.

If so, what users can use S/MIME? Any user can use S/MIME

Do you require S/MIME use for any users? No

If so, which users and under what conditions?

What S/MIME clients do you support?

The CA is designed and tested against most S/MIME capable clients
Full support: Mulberry and Communigate Pro WebMail
Documentation-only support: Outlook/OE and Netscape

How do you manage private keys for S/MIME encryption? Do you support dual keys (one for signing, another for encryption?)

We recommend that users not use the encryption features of S/MIME although our certificate profiles do enable it. We document that we won’t be able to help them recover messages if they lose their private key. We do not support dual keys or key escrow although since users can obtain multiple certificates they could use dual-keys themselves.

26. Do you use PKI authentication for any web applications?

Yes, but we do not have a large number of web applications that are PKI-enabled.

If so, which ones?

26.1. Certificates are optionally used for some campus licensed software downloads

26.2. Departmental support staff access web-based network management tools requiring High Assurance certificates. Some internal management tools are web-based and use PKI for authentication.

27. Do you use PKI authentication for any network appliances? No

28. Do you have any applications or appliances for which you require PKI authentication? Yes, indirectly. 2-factor authentication for VPN access to some protected network areas requires PKI. PKI is also required for SSH authentication for system administrators on our ERP systems.

29. Do you have any PKI deployment projects underway? If so, what are they?

Yes, as discussed above we are currently rolling out EAP-TLS for wireless authentication.

Comments

30. Do you have any words of wisdom for others deploying PKI for end users?

31. Do you have any other comments to share?