Certs, Federated Wireless, and other new InCommon Services
Internet2 Member Meeting, Atlanta, Georgia
November 2, 2010
Jim Jokl, University of Virginia

InCommon Certificate Services
- A (relatively) new service to provide Digital Certificate services to its members
- Contract with Comodo
  - Widely trusted by browsers and on mobile platforms
- Services for:
  - Standard SSL Certificates
  - Personal Certificates
  - Code Signing Certificates
  - SSL EV Certificates
  - Related services (Campus CAs)
- Excellent early participation in the program

InCommon Certificate Services Participants
- 60+ schools have already subscribed to the service
- Another dozen or so are in various stages in the application process
- Most signed up primarily for SSL and could justify the cost based on SSL savings
- Service will soon provide much more than just SSL certificates

Subscribers:
- California Institute of Technology
- California Maritime Academy
- California Polytechnic State University-San Luis Obispo
- California State Polytechnic University, Pomona
- California State University, Bakersfield
- California State University, Channel Islands
- California State University, Chico
- California State University, Dominguez Hills
- California State University, East Bay
- California State University, Fresno
- California State University, Fullerton
- California State University, Long Beach
- California State University, Los Angeles
- California State University, Monterey Bay
- California State University, Northridge
- California State University, Office of the Chancellor
- California State University, Sacramento
- California State University, San Marcos
- California State University, Stanislaus
- California State University-San Bernardino
- Carleton College
- Clemson University
- Fort Lewis College
- Georgetown University
- Humboldt State University
- Indiana University at Bloomington
- Iowa State University
- Lafayette College
- Medical University of South Carolina
- Ohio Northern University
- Penn State (The Pennsylvania State University)
- Princeton University
- San Diego State University
- San Francisco State University
- San Jose State University
- Skidmore College
- Sonoma State University
- University of Alaska Statewide System
- University of California-Berkeley
- University of California-Davis
- University of California-San Diego
- University of Iowa
- University of Minnesota-Twin Cities
- University of Nebraska - Lincoln
- University of North Carolina At Greensboro
- University of Richmond
- University of Texas at Arlington
- University of Texas at Austin
- University of Texas At Brownsville
- University of Texas at Dallas
- University of Texas at El Paso
- University of Texas at San Antonio
- University of Texas At Tyler
- University of Texas Health Science Center At Houston
- University of Texas Health Science Center At San Antonio
- University of Texas M. D. Anderson Cancer Center
- University of Texas Medical Branch At Galveston
- University of Texas of the Permian Basin
- University of Texas Southwestern Medical Center at Dallas
- University of Texas System
- University of Texas-Pan American
- University of Vermont
- University of Virginia
- University of Wisconsin-Madison

InCommon SSL PKI Hierarchy
[Diagram; labels in slide order:]
- Comodo AddTrust Root Certificate
- Comodo EV Root Certificate
- InCommon Intermediate SSL Certificate
- ....
- Subscriber Campus SSL Certificate
- Subscriber Campus EV SSL Certificate

Phase II: Personal Certificates
Common Applications
- Authentication with anti-phishing
- Signed email
- Personal email
- Broadcast messages
- Encrypted email
- Grid authentication
- Ease of use and added security
- VPN authentication
- Wireless authentication
- Windows smart-card login
[Figure: Authentication section of UVa's Web SSO system login page (PubCookie)]

Personal Certificates: what about LoA?
- What is the Level of Assurance?
  - Our popular question for personal certificates
- Answer: there are many opportunities
- Certificates for Authentication and Digital Signature
  - With the right supporting infrastructure, certificates can support a gold LoA
  - Widespread use cases exist for the current InCommon standard LoA

PKI Applications and Expected LoA
Signature Applications
InCommon LoA columns: Basic, Bronze, Silver, Gold
- S/MIME: end users; anti-spam; 7 1 1 1
- S/MIME: official announcements 3 2 2
- Document Signatures (IRB, transcripts)
- Signed documents for email workflow 7

PKI Applications and Expected LoA
Authentication Application
InCommon LoA columns: Basic, Bronze, Silver, Gold
- Grid/Globus
- SSH
- Web Authentication to SSO
- Windows smart card login 2
- Web authentication directly to application

PKI Applications and Expected LoA
Encryption Application
InCommon LoA columns: Basic, Bronze, Silver, Gold
- S/MIME
- Hard Disk encryption
- Remote (cloud?) data storage

Expected Personal Certificate Hierarchies
[Diagram; labels in slide order:]
- Comodo AAA Root Certificate
- InCommon EE Intermediate Certificate
- A Comodo Root Certificate
- InCommon EE-II Intermediate Certificate
- Standard Assurance
- Silver Assurance
- Hosted Campus CA
- Campus Hosted CA
- Bronze Assurance
- Gold Assurance
- End User Certificates

Campus Service Access
- SSL Certificates
  - Simple web site for uploading requests and receiving certificates
  - An API is also available
- User Certificates
  - Web site
  - API much more important
    - Widespread deployment vs. occasional use
    - Timing and real-time issuance are critical for large-scale deployments

Our Current Priorities
- SSL certificates have been available for some time now
- Based on many discussions, we are focusing on delivering personal certificate services in the following order:
  1. InCommon Standard Assurance
  2. New Gold Assurance Level
  3. InCommon Silver for PKI
  4. If demand: InCommon Bronze for PKI
- Parallel work
  - Hosted Campus CA
  - Campus Hosted CA (signed by Comodo)
  - APIs

Next Steps
- Thoughts, questions, etc.?
  - Is there something that doesn't work for your campus?
  - Are we working in the wrong order to meet your needs?
  - Want to help with the deployment?
- Personal certificate profile questions
  - e.g., is having separate signing and encryption certificates important to your campus?
- PKI BoF
  - Wednesday 12:00 to 1:00, Waverly Room
- Or email:
- We do need to hear more about what you might need