CREN DIGITAL CERTIFICATE PRODUCTS AND SERVICES
Why are digital certificates important? Digital certificates support more secure authentication and authorization and more efficient web services for:
- Campus-wide applications and services
- Communications within the campus
- Communications between campuses and service providers
- Communications between campus community members and agencies and providers
CREN Digital Certificate Products
CREN offers a set of digital certificate services designed to meet the needs of various campus environments:
- CREN-signed campus certificates for institutions: These CREN-signed certificates are for institutions issuing certificates for their campus community, in the range of 20 or more web server certificates and hundreds and thousands of client certificates.
- CREN web server certificates: These certificates are for campuses to secure web servers supporting a whole range of campus web applications.
- Client certificates: CREN issues client certificates from an internal CRENNet CA that is equivalent to a campus certificate issuing application. A registration contact at a campus validates/approves individuals and CREN issues the certificates. These certificates can be used to communicate with vendors, agencies, etc.
Now, institutions at all stages of certificate need and interest can use CREN's digital certificates to support secure data exchanges and web services.
CREN Digital Certificate Support Services for 2002-2003
CREN offers education, training and support services for members of the campus community, and in particular, for the campus IT personnel responsible for providing authentication and authorization services for campus web services. One of these training and support services is offering client certificates for testing purposes from the CREN Test CA (http://ca.cren.net). The CREN Test CA is designed for members and non-members to test and experience the process of requesting and using a digital certificate, and so to develop a comfort level with using digital certificates. These client certificates can be used for education purposes and pilot project implementations.
The digital certificate services from CREN support the accessibility and usability of digital certificates; the educational and demonstration services help to move this powerful set of enabling technologies from the research and development arena to active operational use. Campuses are starting to deploy digital certificates spurred by the security needs of research communities, federal agencies, and other vendor communities doing business with higher education.
CREN Digital Certificate Trust Environment
CREN supports the dissemination and use of digital certificates on campuses using the trust environment of PKI-LITE as well as higher levels of assurance. The PKI-Lite environment implements full-featured PKI (Public-Key Infrastructure) effectively and efficiently by leveraging existing local authentication practices on campuses. The PKI-LITE environment was designed and developed by the HEPKI (Higher Education Public-Key Infrastructure) working groups composed of representatives of Internet2, EDUCAUSE and CREN.
The PKI-LITE Trust Environment documents are as follows:
- PKI-LITE Policy & Practices Statement
- HEPKI-TAG Certificate Profiles - institutional certificate profile and client certificates
- Relying Party Statement - for content providers and other relying parties who will trust the certificates
The CREN-signed institutional certificates and the CREN-signed web server certificates operate within a higher level of assurance. While PKI-LITE ensures a rudimentary level of assurance, the CREN CA services operate on a basic to medium level of assurance.
MORE ABOUT CERTIFICATES
CREN-signed campus certificates for institutions are part of the CREN CA hierarchy of Certificate Authorities. These certificates are created when the CREN CA signs an institution's public key that is generated with the public/private key pair from the campus CA application. Campuses then use this campus certificate to issue client certificates for faculty, staff, and students. Having CREN sign an institution's public key creates assurance that certificates with an institution's name in the issuer field are actually from that institution's digital certificate service application. This campus certificate can also be used to issue web server certificates. The CREN CA repository on the CREN website holds the institutional certificates that have been issued to date. The number of institutions requesting certificates has increased significantly over the last six months. PKI-Lite is having a very positive effect!
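The assurance described above comes from verifying signatures up to the root, not from the name in the issuer field. As an added example (not CREN's code; all names and addresses are constructed, and the root here only stands in for a signing root such as the CREN CA), this builds a root, a root-signed campus CA and a look-alike CA with the same name, then checks a client certificate from each against the root:

```bash
#!/usr/bin/env bash
# Added example: every name below is constructed for illustration.
set -e

# Create a key and a certificate request: new_req <subject> <basename>
new_req() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Self-sign a CA certificate: self_sign <basename>
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile ca.ext \
    -days 30 -out "$1.pem" 2>/dev/null
}

# Issue a certificate from a CA: issue <ca> <basename> [extra x509 options]
issue() {
  ca=$1; name=$2; shift 2
  openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}

make_pki() (   # body runs in a subshell so the cd does not leak
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  campus="/O=Example Campus/CN=Example Campus CA"
  new_req "/O=Example Root CA" root;         self_sign root
  new_req "$campus" campus;                  issue root campus -extfile ca.ext
  new_req "/CN=student@example.edu" client;  issue campus client
  # Look-alike CA: same subject name as the campus CA, never signed by the root.
  new_req "$campus" rogue;                   self_sign rogue
  new_req "/CN=impostor@example.edu" fake;   issue rogue fake
)

# Succeeds only if <dir>/<name>.pem chains through the campus CA to the root.
chain_ok() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/campus.pem" \
    "$1/$2.pem" >/dev/null 2>&1
}

issuer_of() { openssl x509 -in "$1" -noout -issuer; }

PKI=$(mktemp -d)
make_pki "$PKI"
for c in client fake; do
  if chain_ok "$PKI" "$c"; then r=trusted; else r=REJECTED; fi
  echo "$c: $(issuer_of "$PKI/$c.pem") -> $r"
done
```

Both certificates print the same issuer line; only the one whose chain is signed by the root verifies.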
Web Server Certificates
CREN members can obtain web server certificates using the CREN root in two ways.
- CREN members can generate campus web server certificates from their own institutional certificate described above, or:
- CREN members can request web server certificates from the CREN Web Server CA service.
Client Certificates from the CRENNet CA
Client certificates - also called individual, personal or end-entity certificates - provide authentication and authorization, if designed, for email and web services applications. Client certificates can be used to support signed and encrypted email. CREN is issuing client certificates to members for use with the rudimentary level of assurance for authentication. Client certificates from the CRENNet CA are for members only.
Client Certificates from the CREN Test CA
The CREN Test CA issues certificates for training and testing purposes.
COMMUNITY AND EDUCATIONAL INITIATIVES FOR 2002-2003
CREN works to provide campuses with the knowledge and community linkages useful in making campus decisions about digital certificates for authentication, and if desired, authorization for web services. Here are the top priorities for 2002-03.
Seminars and Workshops and TechTalks on Digital Certificates
CREN is planning seminars, workshops and TechTalks on digital certificates for 2002-03. The workshops and seminars provide opportunities for a focused, structured experience for campus and IT professionals to get jump-started on technologies for security and digital certificates. Watch for the updated schedules of Seminars, Workshops and TechTalks at the CREN web site.
CREN Digital Certificate Website - Newly Launched Work in Progress
In March 2002 CREN launched its new digital certificate website: www.cren.ca/crenca. This site brings together information on the basics of digital certificates, exemplary applications, and how to get started. Also included are the PKI-Lite Trust documents and scenarios. This site includes links to other digital certificate and PKI-related resources. It is an excellent starting point for digital certificate information. We welcome additional suggestions and enhancements to be sent via email or by taking our on-line survey.
Working Groups for Digital Certificate Pilot Projects
CREN is supporting two working groups on digital certificate pilot projects that are open to members.
- One group is the Wave One group working with publishers to recognize digital certificates for access to content resources. This group meets monthly and is chaired by Bob Brentrup, Dartmouth.
- The second group focuses on the use of open source CA software called Papyrus from John Douglass, Georgia Tech. This group is looking for interested campuses to use this open source software and contribute to its development.
The "Getting Started with Digital Certificates" Guide
This guide resulted from joint Mellon and NSF supported projects. This guide collects into one document critical PKI implementation information for higher education in an easily readable and understandable format. Members can access the guide by visiting www.cren.net/crenca.