Sheri Castro, CREN
Judith Boettcher, CREN
George F. Covert, Associate Director Computer Center, Iowa State University;
Michael Gettes, Lead Application Systems Integrator, Georgetown University;
Clair W. Goldsmith, Vice President of Information Technology/Chief Information Officer, University of Alabama-Birmingham;
Francis Grewe, Assistant Director, Central Computing Operations, Office of Academic and Distributed Computing Services, University of Minnesota Twin Cities;
Ken Klingenstein, Director of Information Technology Services, University of Colorado at Boulder and Director, Middleware Initiative, UCAID;
R.L. Bob Morgan, Senior Technology Architect, Networks and Distributed Computing, University of Washington;
Jeff Schiller, Network Manager, Massachusetts Institute of Technology;
David Wasley, Assistant to the Associate Vice President for Information Resources and Communications, University of California Office of the President
The role of directories and repositories and certificate authorities in supporting the development of efficient campus IT infrastructure has been evolving rapidly.
To support technology development, technology transfer and outreach, the Advanced Networking Infrastructure and Research Program of the National Science Foundation supported two workshops on these topics to be held in the period between January and September of 2001. The first of these two workshops on Directories/Repositories and Certificate Authorities was held on January 30-31st, 2001 in Washington, DC.
Prior to participating in the workshop, 23 seminar participants completed a pre-workshop survey on the state of testing and deployment of directories/repositories and certificate authorities on their campuses. The survey was designed to assess the degree to which campuses have begun to plan, discuss, and implement these new technologies.
This is a report of the survey findings. One of the most important outcomes was the revision of the survey to be completed by the participants in the June 2001 workshop. Additionally, this summary provides a snapshot of the “state of campuses” with regard to these new technologies, and helps to project the needs of the IT community as these technologies and services continue to evolve.
Executive Director, CREN
Workshop Survey Respondents
Raul Archer, Senior Systems Programmer, Arizona State University
Christopher Larrivey, System Analyst, Bridgewater State College
Ric Miller, System Administrator, Colorado State University
Ron DiNapoli, Programmer/Analyst, Specialist, Cornell University
Charlie Reitsma, Systems Engineer, Denison University
Suzanne Maupin, Director, IT, Duke University
Peter Dragovitsch, Coordinator, Computer Applications, Florida State University
Stephen A. Felicetti, Senior Network Engineer, Fox Chase Cancer Center
John Douglass, Systems Support Specialist, Georgia Tech (Pilot)
Jeff Brailsford, Network Security and Louise Miller, Manager, Enterprise Services Group, The Johns Hopkins University
Bill Mayhew, Systems Administrator, NEOUCOM
Steven Kellogg, Pennsylvania State University (Pilot)
Dan Oberst, Director, Enterprise Services, Princeton University (Pilot)
Ben Poliakoff, System Administrator, Reed College
Mark Dumic, Manager, Networking, Systems and Telecom, Swarthmore College
Bob Goldstein, Asst Director, Computer Center, University of Illinois Chicago
Wesley Hubert, Associate Director, Academic Comp Services, University of Kansas
Christopher Misra, Network Analyst, University of Mass Amherst (Pilot)
Cory Snavely, Core Service Programmer, University of Michigan, Digital Library Initiatives
Randy Wiemer, Associate Director, Information Technology, University of Missouri
Bryan Scovill, Network Security Specialist, University of New Hampshire
Jay Leafey, Senior Systems Analyst, University of Tennessee Health Sciences
David Hicks, Computer Systems Control Specialist and Mary Ann Kingry, Coordinator, Application Development, The University of West Florida
EXECUTIVE SUMMARY
The majority of the workshop survey participants maintain one or more directories on their campus, with the majority of the directories being managed by the central Information Technology office. The most common type of directory protocol being implemented is the LDAP directory protocol. Several of those who do not currently use the LDAP protocol indicated that they are planning to shift to the use of LDAP or are already in the process of doing so. Over 90% of respondents stated that there are several working applications linked to these directories. The most commonly cited applications are those for providing remote access authentication and authorization and email services.
Nearly all profiled institutions also maintain an existing university-wide system for granting computer or email accounts to their users. Most of these institutions use subscriber agreements of some sort that members of the campus community must agree to prior to being able to access and initiate their accounts. The process for initially registering campus community members for these services varies.
Several campuses maintain systems in which users create and set up their own accounts through an on-line process, and require users to "click through" the subscriber agreement before permitting account access. Other campuses maintain systems that create and remove email and computer accounts for faculty, staff, and students in "batch" at the beginning of the academic year. Users must "sign" an on-line or paper form that they accept the terms of the agreement before account access is permitted. Data for this account management is most commonly received from the information databases in Human Resources and the Registrar’s offices on campus.
Princeton provided a URL for its Rights, Rules, and Responsibilities document (http://www.princeton.edu/pr/pub/rrr/00/index.html), which includes a reference to computer acceptable use policies. Some policies are spelled out in that document, and others are detailed in a companion document, Princeton University IT Resources and Internet Access—Guidelines for Use (http://www.princeton.edu/guidelines.html).
The majority of workshop survey participants indicated that their campus has several planned uses for digital certificates. These uses include email encryption and remote access authentication and authorization. Only a few participants provided specific details of their technical certificate authority implementation — such as the planned process for registering users, the departments to be involved, planned changes to their existing subscriber agreements, and the hardware and software to be used. Most of the respondents did not provide this information, indicating that it was "to be determined" once they learned more about the new technologies and the standards for implementation.
Overall, it was clear that many of the workshop participants were in early stages of planning and were looking for information about how to proceed. According to several participants, the workshop was to be the first, important step in securing this information, as it gave time and resources to begin a detailed discussion on the pros, cons, and standards of practice in these technical areas of implementation. The participants from the pilot institutions were generally further along and more specific in their planning and their implementation plans.
The biggest short-term and long-term issues institutions face over the coming months reflected this difference in implementation between the pilot and non-pilot institutions. The majority of non-pilot institutions profiled cited short-term goals of migrating away from their old directory systems and structuring their directory information to prepare for PKI. Many institutions also cited developing a plan for PKI implementation as a high-priority short-term goal. In contrast, pilot institutions cited very specific short-term goals, such as "finishing phase II and user education" (Georgia Tech) and "customized scripting to implement a general purpose, multi-copy certificate for peripatetic users" (Princeton University).
Finally, several institutions had definite "outstanding issues" that they identified for the future of certificate authority implementation on their campus. Many of the issues centered around (1) securing campus/system-wide buy-in of digital certificates and (2) estimating/discussing the cost of maintaining, distributing, and administering certificates. Educating management about the benefits of PKI and directories over alternative solutions was also an oft-noted issue.
SECTION ONE: DIRECTORIES/REPOSITORIES
Question 1.1 Do you have directories of any sort (ph, ldap, active directory, other) operational on your campus? If yes, please list. Who manages them?
All the institutions profiled (23) maintain one or more directories or repositories on their campus. Most of the institutions, about two-thirds, reported that they maintained one directory, while the remaining third reported that they maintained two or more directories.
The most common type of directory protocol maintained is the LDAP directory protocol. About two-thirds of the institutions report having an LDAP directory, while an additional three institutions are planning or have recently shifted to or integrated the use of LDAP. Six of the LDAP institutions maintain LDAP alone; the remaining institutions maintain an additional ph, Active Directory, or Novell Directory Service directory as well.
Four institutions reported having an Active Directory in operation. Other directories mentioned include one DND and two NDS directories. System administrators within the central Office of Information Technology most commonly manage these directories.
Question 1.3. Do you have any applications linked into your directory/repository?
Over 90% of respondents indicated that they have several applications linked to their campus directories. The most common applications are those that support remote access authentication and authorization for users, and email services such as email account creation, routing, and aliases. Other linked applications included phone directories and account/billing applications.
Selected Individual Responses:
SECTION TWO: CAMPUS ENVIRONMENTS FOR COMPUTER AND EMAIL ACCOUNTS
Question 2.1 Do you have an existing university-wide system for granting computer or email accounts? If yes, what process are you using for initially registering students, faculty and staff for computers and email accounts?
All the institutions that responded to the survey have a university-wide system for granting computer or email accounts, though the process for initially registering campus community members for these services varies. At four or more institutions, users are responsible for creating their own email accounts via a web application. Other institutions have fully automated systems that "require no human intervention" and rely on systems such as Directory Synchronization Service (DDS) that automatically create, maintain, and remove email accounts for all students and employees at the University upon "official" entry into or exit from the payroll/registration system. The majority of institutions generate accounts automatically for new faculty, staff and students from bulk Human Resources (HR) or Registrar data run through a series of scripts or spreadsheets at the beginning of each academic year. Two institutions profiled still create email accounts manually from paper-and-pencil request forms.
Selected Individual Responses:
Question 2.2 Do your users sign, read or accept a policy statement on the use of their computer account or email access (i.e. a subscriber agreement)?
Almost all institutions maintain subscriber agreements that users sign, read or accept describing the use of their computer account or email access.
Institutions vary in the methods used to make sure users have read the subscriber agreement. Several institutions require users to "click through" the subscriber agreement to acknowledge their acceptance of the agreement; a few institutions merely direct users to a URL containing the subscriber agreement. One institution has users read "a very short statement of use that refers to a much more detailed policy", while another institution has an on-line statement that will soon be supplemented with an on-line "quiz" on the policy to ensure users have read and understand the agreement.
Selected Individual Responses:
SECTION THREE: CAMPUS ENVIRONMENTS AND USES OF DIGITAL CERTIFICATES
Question 3.1 What are some of your planned first uses for digital certificates on campus?
Several institutions had distinct ideas for their planned uses of digital certificates. The most frequent planned uses include the following:
Plans for student uses for digital certificates included access to course materials, schedules, and grades. Plans for faculty and staff uses included trusted access to university records, various electronic forms, and/or the university's budget management system.
A few institutions clearly prioritized their uses for digital certificates: One institution’s first priority application for digital certificates is for student grades, while their next highest priority is using digital certificates for e-commerce purchasing. Similarly, another institution states that health records are their first priority, but encrypted email is a close second as it is a big request from their students.
Some of the schools that have been piloting the CREN certificate have very detailed plans for digital certificate use. One institution cites plans to create client certificates for a select group of users and link these certificates to an LDAP directory implementation. It is anticipated that these client certificates will support external (off-campus IP address) access to various third-party resources via a local web proxy, as well as controlled access to local campus resources.
Another pilot institution cites digital signature and encryption for official university business as a planned use of certificates. Another institution that is part of the Digital Library Initiative hopes to establish certificate-based trust relationships with other institutions that license its online content, "thereby enabling us to provide off-campus access to affiliates of those institutions in addition to our own patrons."
Selected Individual Responses:
Question 3.2 What process are you using, or do you plan on using, for initially registering students, faculty, and staff for certificates? Which office(s) within the university will have responsibility for approving the issuing of certificates?
Most campuses were unsure of the process they plan on using for initially registering students, faculty, and staff for digital certificates. Most respondents indicated that this was to be determined at a later date, when they were closer to providing the infrastructure for PKI. One of the two respondents whose campuses had a planned process for registering digital certificates stated that they plan to reuse their existing Registration Authority for issuing Kerberos user principals, with the Kerberos principal in turn being used to apply for a certificate. Another institution stated that their certificate registration will be based on LDAP authentication.
A few respondents listed the departments they thought would be involved in the certificate registration process. These included the following: Directory Services, Registrar's office, IT/Technical Services, Admissions, Student Services, and/or Human Resources. Staff at one institution noted that they are thinking of involving their "badge issuing offices", since this office sees faculty, staff, and students upon arrival and is already issuing campus badges based on photo and ID number authorizations.
Selected Individual Responses:
Question 3.3 If you have an existing subscriber agreement, how will you be modifying it (if at all) for the use of Digital Certificates?
Question 3.4 If you do not have a subscriber agreement, will you create one for the use of Digital Certificates?
The pilot schools were best prepared to share their plans for modifying their subscriber agreements for the use of digital certificates. One institution plans on designing a separate document as an addendum to their current acceptable use policy. A second institution notes that their subscriber agreements are updated annually, and that changes will be considered at that time. Possible planned additions include educating users about how PKI should be used, and spelling out Key Recovery policies and procedures.
The majority of respondents did not respond as to whether they would modify their existing subscriber agreements for the use of Digital Certificates. A few respondents indicated that verbiage describing added responsibilities and security issues for certificates, such as non-disclosure and non-sharing policies, would most likely be added; however, most indicated that they have not yet reached this level of planning.
Selected Individual Responses:
Question 3.5. What are the policies and procedures that you are using to protect the private key of your institution?
Nearly all of the respondents indicated that they are not yet at the stage of planning the policies and procedures they will use to protect the private key of their institution. Many added that they hoped to learn the "standards of practice" at the upcoming workshop. One institution stated that they are currently in the process of developing this plan now, and are considering issues such as the physical security of the private key as well as a dual control method for private key usage of the institution.
Two pilot schools noted that the private keys will be kept on secured machines. For example, one institution noted that they have the CREN Institutional Root CA certificate on a standalone, secure RS/6000 machine located in a restricted-access machine room.
Selected Individual Responses:
SECTION FOUR: TECHNICAL IMPLEMENTATION
With the exception of the pilot schools, nearly all of the institutions declined to answer the questions regarding the technical implementation of certificate authority services. Most respondents indicated that they are still searching for and gathering data on the "best practices" and best-recommended configurations for technical implementation. They are expecting to learn from the workshop content and the higher education IT community on the recommended technical infrastructure for digital certificates, registration authorities and certificate authorities.
Question 4.1 What is the infrastructure that you are setting up for your certificate authority?
Most of the respondents did not have any clear plans at this time regarding the infrastructure for their certificate authorities. Again, the pilot schools provided more detail in this area. One of the pilot institutions is currently setting up separate hardware for their Certificate Authority, their Registration Authority, and their Key Recovery Authority. Another pilot mapped out a plan for archiving the master private key and using the CREN institutional certificate as the higher-level CA service.
Of the non-pilot schools, one of the institutions was planning on setting up a root CA and subordinate CAs, "where the root private key will be stored in hardware and only activated when required". Another institution stated that they will most likely use Windows 2000/Active Directory on a stand-alone system in a physically secure area, behind a switch limiting network traffic, for their CA service.
Selected Individual Responses:
Question 4.1.1 Software being used, including version number
The most commonly cited software currently being used for the CA was the iPlanet Certificate Management System 4.2. Other software mentioned includes Windows 2000; Microsoft SQL Server 7.0; OpenSSL 0.9.6; the latest versions of Apache and mod_ssl, and Perl 5+; and Windows and Exchange 2000.
Question 4.1.2. Hardware being used, including current and planned, if appropriate.
Similarly, only a few respondents replied to the question of the current and planned hardware for their CA implementation. Two of the pilot schools are using Netra and three SUN E-250 servers. Another institution is piloting PKI on a Sun ES250 (SPARC) server running Solaris 7. Another respondent replied that their CA service will most likely be hosted on a Sun E250 with Solaris 8, and that they are considering using distributed firewall appliances from Watchguard. Another institution is using Dell PowerEdge 4400 and 6300 servers with both internal RAID and Fibre Channel attachment to a Storage Area Network.
Question 4.2 How do you secure your CA server? How many levels of access do you have? Which office(s) within the university has responsibility for the secure CA environment?
Again, only a few of the respondents (6) replied to the question of how the CA server was, or would be, secured. The majority of these respondents maintained two or more levels of access. Two institutions keep the Root CA inside a locked cabinet inside a card- and key-access restricted room, managed by the IT department and Network Services, respectively. One institution noted that their CA server is "hardened" Solaris 2.8, and that there are two levels of access required. Another institution plans on using restricted SSH access along with a secure ID card, while another institution plans on using a physically secured computer facility managed by IT. Another institution stated that there will most likely be three tiers of access, managed by the Infrastructure group that maintains responsibility for servers and networks.
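The root CA plus subordinate CA layout that one respondent described (root key kept offline and activated only to sign the issuing CA) can be exercised end to end with Go's standard library. This is an added example, not code from the survey or from any respondent's deployment; the university and CA names, serial numbers, and the "departmental" CA are constructed, and the root key is generated in software here where a production root would live in hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Hierarchy models the two-tier design some respondents planned: an offline root whose key
// signs only the subordinate CA, which in turn issues user certificates online (names constructed).
type Hierarchy struct {
	Root, Sub *x509.Certificate
	SubKey    *ecdsa.PrivateKey // online issuing key; the root key is not retained here
}

// template builds a CA or end-entity template; for a CA, pathLen 0 means "end-entity certs only".
func template(cn string, serial int64, ca bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// sign makes a fresh P-256 key for tmpl and issues it under parent (self-signed when parentKey is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return c, key
}

// BuildHierarchy creates the root (pathLen 1) and the subordinate issuing CA (pathLen 0).
func BuildHierarchy() *Hierarchy {
	root, rootKey := sign(template("Example University Root CA", 1, true, 1), nil, nil)
	sub, subKey := sign(template("Example University Issuing CA", 2, true, 0), root, rootKey)
	return &Hierarchy{Root: root, Sub: sub, SubKey: subKey}
}

// Verify checks that cert chains to the root through the given intermediates for client auth.
func (h *Hierarchy) Verify(cert *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// RogueTierRejected shows the pathLen constraint: a CA minted beneath the pathLen-0
// subordinate cannot issue certificates that validate against the root, even when presented.
func (h *Hierarchy) RogueTierRejected() bool {
	rogue, rogueKey := sign(template("Unplanned Departmental CA", 4, true, 0), h.Sub, h.SubKey)
	leaf, _ := sign(template("mallory", 5, false, 0), rogue, rogueKey)
	return h.Verify(leaf, h.Sub, rogue) != nil
}
```

A user certificate is issued by calling sign with the subordinate CA and its key, and verified by passing the subordinate certificate as the intermediate.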
SECTION FIVE: GENERAL PLANNING AND ISSUES
The most important short-term and long-term issues mentioned by the survey respondents over the coming months varied considerably. Some institutions were already in the midst of technical implementation issues; others were still in the early planning stages of securing support and identifying pilot initiatives for the use of digital certificates and PKI. Many had decided that getting their directories “in order” was the first order of business. It is also possible that the directory work was more “do-able” and a known activity, and thus a more comfortable place to start the process.
Question 5.1 What are your biggest issues in the short term, in the next 4 months?
As might be expected, there was more consistency in the short-term goals. Many respondents cited short-term goals of migrating away from their existing directory configurations and restructuring their directory information to prepare for PKI by moving to the LDAP protocol. Many respondents also listed "Developing a plan for PKI implementation" as a high-priority short-term goal. Additional common short-term issues that the respondents mentioned included the need to secure buy-in for the Certificate Authority service from administrators and staff. Educating users in the manner and purposes of CA services was also frequently mentioned.
Selected Individual Responses:
Question 5.2 What are your outstanding issues that you see in the future?
Several institutions had definite "outstanding issues" that they foresaw in the future of CA implementation on their campus. These issues included:
The results of this survey are being used to continue refining the design of the workshop to be held in Minneapolis on June 6-8, 2001 and to revise the survey to be completed by the participants in the next workshop. Some of the new questions to be asked attempt to capture more detail on the specific barriers or “help” that campuses would find useful in their next steps towards building a campus with a secure and authenticated set of applications and services.
This survey and other interactions with the workshop participants suggest that campuses might find some set of the following useful: