Emerging PKI

July 28, 2005

This week four of us attended the 2005 EDUCAUSE/Dartmouth PKI Deployment Summit. Our intention was to get a feel for the status of client-side PKI.

Before I get into that, here is a definition of PKI from the UK Department of Health (it just happened to be the clearest, most concise one I could find):

“A public-key infrastructure (PKI) is the set of policies, people, processes, technology and services that make it possible to deploy and manage the use of public-key cryptography and digital certificates on a wide-scale.”

What about the client-side part? I can’t find a clean definition of this alone, but here’s my summary. Client-side PKI is the assignment of digital certificates to end users for the purpose of authentication without the need for usernames and passwords. An end user could then present their personal certificate, either as a soft copy or on a hardware token, to gain access to the systems and services they are authorized for. In general, deployment of client-side PKI gives a much greater level of assurance (LOA) that the user is in fact who they claim to be.

With the vast number and variety of integrated and disparate systems in most higher education institutions, coupled with a need to be sure only appropriate users are gaining access to them, client-side PKI becomes an attractive technology.

One of the more interesting presentations was from Peter Alterman on behalf of the Federal Public Key Infrastructure Authority. He spoke at great length about LOA and what levels would allow you to map to other levels of access to federal services through the Federal Bridge. I assume there will eventually be a great number of services provided through the bridge which will be of interest to higher ed, so institutions need to be aware of the hoops they may need to jump through to get certified. Keep in mind that usernames and passwords will only qualify you for minimal connectivity and services.

So why not roll out client-side PKI at your institution as quickly as possible? Well… it is complex, the road is mostly unpaved, and it is hugely expensive. Each user needs to have a certificate assigned to them and renewed annually. The outright cost of these is usually $8-$15. Under the newly formed EDUCAUSE Identity Management Services Program (IMSP), a reduced price has been negotiated with VeriSign, dropping the price to about $4 (or less depending on volume). Looking at a basic higher education institution with, say, 7000 users, that gives an annual price tag of $28,000. Put alumni in the same mix and that price gets worse. Then there is a cost associated with hardware tokens if you decide to use those. My understanding is that these run about $30 ($210,000 for 7000). The only way this could actually be funded would be to pass this cost along to the students in their technology fee and have department budgets handle it for faculty and staff.

Many institutions are avoiding all of this by signing their own certificates. Of course, this then prompts users about an unknown signing authority, which might cause calls to the help desk from confused users. This is the solution MIT, USC, and others have adopted.

There is another solution nearing availability, USHER, the US Higher Education Root. According to Neal McBurnett of Internet2, USHER will:

provide a basis for campuses to deploy signed documents, secure email, and other applications. Serving as both an infrastructure and an initiative, it will include a root (AKA trust anchor or certification authority) to identify campus roots [CA's], and recommended applications, tools and metadata. It will coordinate with the InCommon federation.

Assuming the USHER CA finds its way into the major browsers as an accepted signing authority, it will provide higher education with an affordable solution for digital certificates. USHER is a key player in multiple Internet2 initiatives including the InCommon Federation and Shibboleth. USHER does not yet seem to have its own web site, but is being coordinated by HEPKI-TAG. I believe USHER is the linchpin for general deployment of PKI in higher education.


Tags: authentication, certificates, digital certificates, educause, federal bridge, federated identity management, federations, HEPKI-TAG, higher education, identity management, incommon, internet2, loa, middleware, pki, public key infrastructure, SSL, USHER, verisign


Comments

2 Responses to “Emerging PKI”

  1. Jeremy Smith's blog on August 4th, 2005 5:46 pm

    Emerging PKI

    We have a lot of projects on our plates. One of them that sits in the background as a…

  2. Guillermo Villalon on January 24th, 2007 11:55 pm

    I need a token map of the ultimate spiderman complete!!!.

    I have one with 97/100 secret tokens, 15/15 landmark Tokens and 71/75 comic Book tokens
