CREN CAt

This is an overview of the transition from the CREN CA to a new Higher-Ed trust infrastructure suitable for use by InCommon, CAs for Higher Ed institutions, etc., also known as "CREN CAt".

TODO: separate out the descriptive information and links from the tasks and timeline.

The Rise of the House of Usher - the latest blurb on USHER
USHER CPS - early draft

PKI Update - Fall 2003 Internet2 Member Meeting on USHER-Low and USHER-Basic

Name-that-CAt
 Current name: USHER
 Propose possible names: HE Trust Root, HE Trust Anchor,
  USHER - US Higher Ed Root
 Greg Woods from I2 will brainstorm and search for available domain names
 Make decision

Refine vision
 CA hierarchy: this is a tree turned on its side, where the entities on
 indented lines are certified by the next-higher CA.
 The institutional CAs will probably have some internal hierarchy,
 e.g. to put client certs and server certs under their own sub-CAs.
 Examples of how institutions are doing that now would be welcome.

   HECA root cert (in secure hardware and on CDs in safe deposit box)
     InCommon CA
       Institution B Shibboleth handle server cert
       Institution C Shibboleth handle server cert
       InCommon XML metadata signing key (Java)
         signed InCommon metadata for use by Shibboleth

     Institution A CA
       Institution A Shibboleth handle server cert? *
     Institution B CA

 * It is not yet clear how, when or if InCommon will accept server certs that
 are not directly signed by the InCommon CA.

Write CP
 Review related efforts:
  Original CREN CPS (which includes the CREN CP)
  CREN CA Application Process - essentially CREN's "Operations and Procedures for Institutions";
    needs to be modified as discussed at HEPKI meeting 2003-04-23
  Related CREN documents

  HEPKI PKI-lite - templates for lightweight institutional CP and CPS, etc.
  USC PKI Lite CA Certificate Policy - based on the HEPKI PKI Lite template
  InCommon CP and CPS (in progress)
  Citizen and Commerce CP V1.0 Federal e-Authentication work
  Federal Bridge Certification Authority and their Certificate Policy and related documents
  Higher Education Certificate Policy (HECP) designed as replacement for CREN and
    institutions, and part of NMI Release 2.  Derived from the FBCA CP.
  Higher Education Bridge Certification Authority (HEBCA) Certificate Policy: (DOC) (Draft 2003-03-10 or so)
  Internet2 list of Certificate Policies
  Global Grid Forum Certificate Policy Model Version 6 and Version 7 (draft)
  Europe's TERENA Academic CA Repository
  EU DataGrid WP6 Certificate Authorities group
  SURFnet PCA CPS
  IETF guidance: RFC2527 - PKI CP and CPS Framework and RFC2527-update (approved by IESG 2003-07-25)

  Microsoft Root Certificate Program - based on audit by WebTrust for Certification Authorities or equivalent

 Decide how its level of assurance fits into federal definitions
  Levels_of_Assurance by David Wasley,
  FIPS 140-1 and now FIPS 140-2: Cryptographic Module Validation Program

 Draft CP and review it
 Draft CPS and review it

Define Certificate Profiles
 http://middleware.internet2.edu/hepki-tag/
 Eric Norman's Key Life Cycle analysis
 Decide on AIA, CRL, Policy OID, etc

Generate new Root cert and get it operational
 Research available technology
  nCipher
  Aladdin eToken
  Axalto Cryptoflex
  Chrysalis Luna CA3
  IBM 4758
  Maxim Crypto iButton
  Rainbow/Safenet iKey 2000

  Protecting a Private Key in a CA Context - draft by Jeff Schiller

 Software: OpenSSL and OpenSC (for support of some smart cards)

 Acquire hardware
 Implement certificate revocation process
 Specify key generation, storage and transfer procedures
 Conduct initial key generation ceremony
 Audit requirements?
 Put relevant information in the Repository

 Using PGPv8 with an eToken: either generating the private key
   on-token, or generating it on the desktop and using PGP to import
   it into the token.

Get storefront in place
 Refine Institutional I&A process based on CREN's
 Generate and adapt procedures, web pages, forms and documentation
  Related CREN documents
  new revocation procedure
  Define staffing and support functions
 Do press announcement

InCommon CA, certified directly by HECA (at the same level as the institutional CAs)

 This CA is used to directly issue server certs to InCommon servers
 At some point also allow institutions to sign their own certs,
   if supported by Shibboleth and federation policy

 An associated Java signing key is also used to sign XML metadata for
   Shibboleth.
 Decide on operational security needs, etc.
 Decide who will run it

 We'll probably set up the InCommon CA as a self-signed CA before the
 HECA is ready, depending on the progress of each.

 InQueue Federation Policy and Configuration Guidelines - including
  examples of signed Shibboleth metadata

Start the process up, accepting applications for institutional certs
 and InCommon server certs.
 Dartmouth PKI Lab Outreach Web Home
 PKI-Lite Recipe
 Guide for Getting Started with Digital Certificates from CREN

Links:
 A Bridge for Trusted Electronic Communications in Higher Education and the Federal Government - by Mark Luker of EDUCAUSE, 2002
 Federating Organizations Organization (FOO)
 Shibboleth


Neal McBurnett
Last modified: Wed Sep 22 11:32:37 MDT 2004