Gary W. Chapman, Senior IT Architect
gary.chapman@nyu.edu
Information Technology Services (ITS)
New York University
[Please send comments and suggestions to gary.chapman@nyu.edu]
1. Introduction
2. Technology Investigation and Assessment
3. Experimental Implementation
4. Outputs and Recommendations
5. Specific Activities
1. Introduction
In order to assess the current state of PKI (Public-Key Infrastructure) technologies and possible roles for PKI at New York University, it is proposed that we undertake a PKI Pilot Project in the spring of 2002. This project aims
o to deepen our technical understanding of PKI
o to understand how a PKI implementation could relate to existing and planned IT services
o to identify candidate applications for PKI at NYU
o to explore implementation requirements and strategies
Participants in the pilot include representatives from many groups within Information Technology Services (including eServices, Network Services, Policy & Planning) and from the NYU Libraries.
In order to achieve the project goals, two types of activities will take place:
o technology investigation and assessment
o experimental implementation of PKI elements
2. Technology Investigation and Assessment
The following main areas of investigation and assessment will be pursued, with a view to relating PKI technologies and developments to NYU services and business objectives.
A. PKI background, elements, references
Create an ITS reference web site with basic documents and links to PKI-related documents and standards (X.509, IETF, FIPS, etc).
B. State of PKI
Identify the primary approaches currently being adopted by other institutions - in the research and education community and in the corporate world.
C. Trends and related technologies
What are the major technological trends in PKI and related areas?
What is the current state of external PKI (and closely related) efforts, such as
o IETF working groups
o NIST PKI Program
o XML developments (XKMS, the XML key management specification)
o Liberty Alliance project (internet-wide single sign-on)
o Internet2 middleware initiatives, such as PKI-Lite and EduPerson
How might these trends and activities influence our PKI choices?
How can we participate in or track PKI evolution in a meaningful way?
D. Applications for PKI
Identify potential PKI applications at the university:
o near-, mid-, and long-term applications
o internal uses such as in work-flow applications
o external uses such as in authenticated access to external data sources
How would a production PKI relate to existing and evolving IT services, such as
o single sign-on
o NYUHome portal access to administrative and academic services
o database management of person identifiers
o ID card'ing
o emerging work-flow applications
o self-service capabilities
o potential HIPAA-related implementations
o present use of commercial (Verisign) server certificates for SSL
Does PKI offer a set of viable point solutions, and/or does it represent a central technology would should influence the evolution and operation of (many) other IT services?
E. Policy framework
PKI implementations are strongly grounded in policy and in the operational procedures that ensure policy conformance. In particular, a PKI needs
o a CP (Certificate Policy)
o a CPS (Certificate Practices Statement)
drafted, presumably, in accordance with RFC 2427, Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
In addition to drafting such statements on a preliminary basis, we shall attempt to identify steps necessary for the university to authorize ITS to create and operate an official PKI.
F. Implementation Issues
A PKI implementation calls for many, many choices to be identified and made in areas such as:
o Types of certificates our PKI would offer
o Approved purposes
o Periods of validity
o Certificate contents (especially in certificate extensions)
o PKI architecture options such as:
o hierarchical versus mesh
o single versus multiple CAs
o independent CA and RA?
o anonymous or authenticated repository access?
o repository access methodology (e.g. LDAPv3)
o Certificate management protocol options, e.g. PKCS #7 & #10, CMC, CMP, SCEP
o Options which will ease external interoperability, such as Bridge CA use?
o Client (e.g. browser) capabilities
o Choices which would facilitate use of external tokens such as smart-cards
o Roaming capabilities
o Hardware, network, and security provisions
o Buy versus build?
o Commercial versus open-source?
o End-user capabilities? In-person registration required?
o Key recovery provisions
o Tools to PKI-enable existing or new applications
o Scaling issues
o Fault-tolerance and disaster-recovery provisions
o Assessment and auditing steps
o Cost factors
G. Operational requirements and issues
o How might a PKI be implemented and managed at NYU?
o Staffing requirements?
3. Experimental Implementation
PKI implementations use a set of hardware and software components which enable creation, distribution, and maintenance of digital certificates. At this time, in addition to outsourcing options, both commercial and non-commercial sources may provide viable elements. To gain hands-on experience, we shall install two types of systems and experiment with their use:
A. Commercial certificate management system
Claiming to contain all the necessary elements for a PKI implementation, the iPlanet Certificate Management System. This software is available at no cost for evaluation purposes, will run on our Sun Solaris hardware, and will interoperate with our iPlanet LDAP directory services implementation.
B. Non-commercial software
Any promising non-commercial/open-source tools which we are able to obtain; a Linux-based server has been set up to run this software.
In order to test the use and interoperability of digital certificates generated in these test-beds, we shall also implement one or more test applications, for example a web-server application which requires authentication via an end-user's digital certificate, or certificate-enabled TLS access to an e-mail server.
4. Outputs and Recommendations
These parallel efforts of investigation and implementation are intended to provide us with an up-to-date and broad understanding of the "state of PKI" within the information technology and educational communities, with a grasp of the technical and policy dimensions of a professional PKI implementation, and with the insight that comes from hands-on use of technical components.
A project report will be completed by May 1, 2002 which summarizes the results of the pilot and offers a set of recommendations for future steps.
5. Specific Activities
Develop Reference Web Site with Docs & Links
Current State of PKI Efforts and Evolution
o Gartner presentation
o In middleware world, e.g. I2 MW Initiative
o In networking world, e.g. IETF
Identify potential PKI applications at NYU
o Network level: e.g. ipsec uses, pkinit
o Application level: e.g. s/mime, tls
Policy Development
o Articulation of what policies needed
o Articulation of what procedures needed
o Articulation what approvals needed
o Review of available samples
o Drafting of NYU policies
Third-party Pieces
o How could ID cards and other portable components play?
o Hardware CA private key repository
o Development tools
Experimental Implementations
o Open Source CA on Linux
o Commercial on Solaris (iPlanet CMS)
Experimental Trials
o Higher Ed S/MIME pilot project
o PKI-Lite project
o Cisco vpn stuff?
Implementation Planning
o Possible designs for hardware, software, network components
o Hypthetical implementation plan/schedule