BoF Meeting to Discuss PKI Coordination - 16 May, 2001, Antalya, Turkey
Wednesday 16 May 2001
Talya Hotel, Antalya, Turkey
Notes by John Dyer
21 June 2001
A Birds of a Feather (BoF) meeting to discuss the issues of Public Key
Infrastructure (PKI) was held during the TERENA Networking Conference in
Turkey on May 16th 2001. This was the second in a series of meetings of
persons from the research networking community involved in PKI/CA initiatives;
the first meeting having taken place in the TERENA offices in Amsterdam
on 6 December 2000 (see http://www.terena.nl/tech/projects/pki/pki-coord001206notes.html).
The main areas of discussion in the BoF were:
Comparison of the merits of the Hierarchical and Bridge CA models
Survey of PKI activities
Recent Developments in PKI
Potential PKI Activities for TERENA
Action items
List of Attendees
Hierarchical CA vs Bridge CA models
There was an inconclusive discussion on the use of hierarchical trees
and CA bridges; the issue is that no-one yet has practical experience
of which approach will work best. A project known as the Federal Bridge
will start in June 2001 and in one year's time someone from US will be
able to come back and report on the results. The Corporation for Research
and Education Networking (CREN) has a hierarchical certificate authority
for the US (see http://www.cren.net/ca/index.html),
which is a parallel to the EuroPKI (see http://www.europki.org/).
Since there are now examples of each approach being used in production
services, in the fullness of time, TERENA should undertake a comparative
study of the merits of each solution. The major area in which differences
of opinion need to be resolved is that of scalability. Diego Lopez and
Antonio Lioy expressed their view that there is no inherent incompatibility
between the Bridge and Hierarchical models of running a CA infrastructure.
It was agreed that we should begin to aggregate PKI policies and prepare
a list of the differences between the documents. There are currently documents
available from SURFnet, EuroPKI, DFN, GRIDs and from US. It was reported
that Randy Butler is leading a comparative activity for the grids community.
The most recent CA policy document in the US is being written by Ken Klingenstein
and this document is significantly different from earlier versions. Ken
reported that they had been trying to follow the Federal model, but found
it too hard. Ken went on to say that he would be participating in a conference
call scheduled to take place in the next couple of weeks that may result
in some revisions and agreed to send the revised document to the pki-coord
email distribution list.
There was agreement that the main pressure for inter-boundary PKI infrastructure
in the academic and research community is coming from the GRID community.
In this context, there was a view that the GRID community are going to
use distributed local security domains using KX509 which allows Kerberos-authenticated
users to acquire a short-term X.509 certificate suitable for use with PKI-aware
applications. The reason for taking this approach is that some people
are of the opinion that a single central authority is not scalable. In
further discussions it was not clear that there is a single view within
the GRID community and it is possible that some divergence may occur between
the model chosen by individual institutions and/or applications.
Round-up of Activities in Europe
Ton Verschuren of SURFnet, NL said that they have been updating their
PKI cookbook and this could be made available to the pki-coord list when
complete.
Diego Lopez of RedIRIS, Spain has been putting certificates in their
LDAP directory. To retrieve a certificate the search process looks for
the email element of the certificate and retrieves the certificate on that
key. Experience so far shows that this works well. Apart from this practical
activity, RedIRIS have submitted their CP to EuroPKI with the objective
of becoming accredited under the EuroPKI hierarchy. The authoritative version
of the CP is in Spanish, but is being translated into English.
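The RedIRIS lookup described above (find the directory entry whose mail attribute matches the address, then take the certificate stored on that entry) can be shown on a small directory export. The following is an added example, not RedIRIS's or the page's own code: it assumes the directory stores certificates in the standard userCertificate;binary attribute and that an LDIF export is available; the LDIF text, the example.org addresses and the certificate bytes are constructed placeholders, not real certificates. It also handles the two cases a live lookup must cope with: an entry with no certificate and an entry with several.

```python
"""Look up a user's X.509 certificate in an LDIF directory export by e-mail address.

Added example; not RedIRIS's or the page's own code. Assumes entries carry a
'mail' attribute and certificates in 'userCertificate;binary'. The sample LDIF
below is constructed and its certificate values are placeholder bytes.
"""
import base64
import hashlib

# Constructed sample export: alice has one certificate, bob none, carol two.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
mail: Alice@example.org
userCertificate;binary:: AAECAwQFBgcICQ==

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
mail: bob@example.org

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
mail: carol@example.org
userCertificate;binary:: AQIDBAUGBwgJCgsM
userCertificate;binary:: DAsKCQgHBgUEAwIB
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: [values]} dicts.

    Handles base64-encoded values ('::') and folded continuation lines (a line
    beginning with a space continues the previous one). Attribute options such
    as ';binary' stay part of the attribute name. Binary values come back as
    bytes, textual values as str.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines + [""]:            # sentinel blank line closes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def find_certificates(entries, email):
    """Return every DER certificate stored on the entry whose mail matches.

    The comparison is case-insensitive, as the directory's own matching rule for
    'mail' is, so the lookup key need not reproduce the stored capitalisation.
    An address with no certificate yields an empty list rather than an error.
    """
    wanted = email.strip().lower()
    certs = []
    for entry in entries:
        mails = [m.lower() for m in entry.get("mail", []) if isinstance(m, str)]
        if wanted in mails:
            certs.extend(entry.get("userCertificate;binary", []))
    return certs


def fingerprints(der_blobs):
    """SHA-256 fingerprints of the retrieved certificates, for logging or pinning."""
    return [hashlib.sha256(blob).hexdigest() for blob in der_blobs]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for address in ("alice@example.org", "bob@example.org", "carol@example.org"):
        found = find_certificates(directory, address)
        print(address, len(found), "certificate(s)", fingerprints(found))
```

When several certificates come back for one address, the caller still has to choose among them (by validity period, key usage or issuer), which is why the function returns all of them rather than silently picking the first.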
DFN, Germany has a new directory project where the support of a PKI
is one of the major issues. DFN are considering the possibility of storing
PGP and X.509 certificates in a common model, although as yet there is
no certainty that this can be achieved. Ton expressed his view that there
is no need to store PGP certificates in this way. SURFnet has a default
key server for the PGP (see http://pki.surfnet.nl/).
Sheffield Hallam University in the UK is exploring the issue of storing
certificates.
Recent PKI Developments
In the context of security of the certification systems, there was interest
expressed at looking into the use of OpenCA and OpenSSL for building CA
infrastructures. The OpenCA system makes the assumption that the CA is
always online. EuroPKI assumes an offline model where the certificates
are loaded onto the front end using removable physical storage media.
The essential element of the system is that the directory containing
the live certificates is either connected to the network OR to the certificate
generating system, but never to both simultaneously. Ken Klingenstein reported
on the US attempt to develop an offline model using an RS232 link between
front and back end to effectively decouple the backend from the IP network
making access for potential infiltrators very difficult.
Antonio explained the requirements to become a member of the EuroPKI.
An applicant must agree to have their CPS written down and validated by
EuroPKI but are not obliged to use the EuroPKI tools (which are freely
available). As an alternative, member CAs can use commercial tools.
Antonio said that the NASTEC tools are being developed as part of the
project TESI (Trusted European Security Infrastructure) and are to be widely
deployed within the NASTEC project. More details will be made available
at the TESI homepage: http://www.tesiconsortium.org/.
TESI is a project aiming to develop and foster the adoption of a software
security environment under European control.
It was agreed that there should be some work undertaken on mobility
related PKI issues. The Internet2 community have sent a list of a number
of areas that we want to be handled by the Securely Available Credentials
(Sacred) Working Group of the IETF. The document has been issued as an
RFC, but not much progress has been made. Ken Klingenstein said the Sacred
Working Group could use some help and people interested in this area should
volunteer. Yuri Demchenko agreed to send information on the Sacred WG to
the pki-coord email distribution list. See http://www.ietf.org/html.charters/sacred-charter.html
for more information regarding Sacred.
Potential PKI Activities for TERENA
David Williams & Brian Gilmore asked the meeting if anyone could
identify activities that TERENA should undertake or if TERENA should work
more closely with EuroPKI.
Ton Verschuren from SURFnet explained he thinks that there is an inherent
issue of trust involved in PKI work. The PKI should reflect the real trust
relationships that exist in the real world. There is a trust relationship
between the NRENs and TERENA; that does exist in the real world, and maybe
EuroPKI should be associated with TERENA more closely to capitalise on
this relationship that has been built over many years. Karel Vietsch explained
that TERENA was already involved in brokering a web of trust through its
work with IRTs and the Trusted Introducer.
A further suggestion that received some support from the attendees was
the building of a European Education CA Bridge.
Ingrid Melve of UNINETT, Norway said that it is important to include
commercial servers in academic certification authorities. It is clear that
academic users need access to both academic and commercial information
sources and facilities. TERENA should take the initiative to publicise
this sort of issue.
Action Items
Action 0-2-1. Begin to aggregate PKI CP's and prepare a list
of the differences between these documents. TERENA to form group of volunteers
for this work.
Action 0-2-2. Ken Klingenstein agreed to mail the new Internet2
CP to the pki-coord email distribution list.
Action 0-2-3. Yuri Demchenko agreed to send information on the
IETF SACRED WG to the pki-coord email distribution list.
Action 0-2-4. Antonio Lioy & Diego Lopez will send information
regarding the NASTEC project and software to the pki-coord email distribution
list.
Action 0-2-5. Antonio Lioy & Diego Lopez also agreed to investigate
the use of CA bridges and report back to the group on their findings.
Action 0-2-6. The Americans agreed to report back on the progress
made with using the Federal bridge PKI model.
Action 0-2-7. TERENA to organise another PKI-COORD meeting in
the October/November time frame.
List of Attendees
Ton Verschuren, SURFnet, NL
Antonio Lioy, Politecnico di Torino/EuroPKI, IT
Michael Walsh, Kerma Communications, IE
David Williams, CERN, CH
Peter Alterman, Federal PKI Steering Committee, US
Michael Gettes, Georgetown University, US
Mika Kivilompolo, CSC/Funet, FI
Diego Lopez, RedIRIS, ES
Urs Eppenberger, SWITCH, CH
Christoph Graf, SWITCH, CH
Konstantin Chuguev, DANTE, UK
Milan Sova, CESNET, CZ
Alf Hansen, UNINETT FAS, NO
Ingrid Melve, UNINETT, NO
Almerindo Graziano, Sheffield Hallam University, UK
Peter Gietz, DFN Directory Services, DE
Maja Gorecka-Wolniewicz, NCU, PO
Ken Klingenstein, Univ. Colorado/Internet2, US
Keith Hazelton, Univ. Wisconsin, US
Roland Hedberg, Catalogix, SE
Michalis Konstatopoulos, GRNET, GR
Brian Gilmore, TERENA, NL
Karel Vietsch, TERENA, NL
John Dyer, TERENA, NL
Valentino Cavalli, TERENA, NL
Yuri Demchenko, TERENA, NL