Non-profit, member-based IT support for research & educational institutions

Scenario for Certificate Authority Infrastructure & Policy

June 14, 2000
Institution: University of Minnesota Twin Cities
Representative: Frank Grewe (
Manager, Enterprise Internet Services
University of Minnesota
192 Shepherd Labs, 100 Union Street SE
Phone: 612-626-8343
Fax: 612-626-7593

    Document History:

  • Initial Draft/Interview: June 2000
  • Update

    What are some planned First Uses of Digital Certificates on Campus?

  • Digital Library Foundation Pilot during summer (until he gets production capability on October 1. Patent expires RSA technology for Open SSL).
  • Access to JSTOR : Issue certs to limited number of people (under 30) to technical people & “politically correct” (faculty eagles) people who want to access JSTOR from home. Short-lived certs (3 months) only for authentication (not for digitally signing or encrypting purposes).
  • Central authentication hub (one to one relationship; X.500 directory) on website. Cert will create cookie to authenticate on that page. PKI enable every web application. Central authentication hub talks to X.500 directory (application in directory) . Alternative …. Everyone has 2 passwords – one is internet password (moderate level of security); second is enterprise password (Higher level -- never been clear-texted anywhere & never been in any application, only central authentication hub.) Cookie will have higher level of security than password itself. Will need to use at least enterprise password for authentication. May need to authenticate and allow access only through certificate. (interdependency btwn cookies and certificate) Cookie authenticated by central authentication hub. Send redirect to client to go get cookie.
PKI third

    Getting Started: Processes for Initially Registering Students

  • In order to get internet password, initally same as opening your account. Goes to webpage, types in student or employer id., soc sec & birthdate. Told what X.500 account is, given their internet password (email; can be clear text).
  • Can initialize their enterprise id at the same time. Same info needed (employer, soc sec, birthdate) but enterprise id is never clear texted. Less likely to be snooped, but same level of security as to that person is who he/she is.
  • PKI: place where you can change internet or enterprise id., same certainty that the person is who he/she says he/she is.

Further Registration – after issuing, a secondary step. But not right now. Don’t want legal digital certificate right now.

Policies and Procedures

Subscriber agreement? Any in place currently? When person initilizes X.500 user id, student or staffer reads through (terms of service), to agree. People who put this into place is policy person/group – digital certs aren’t that much different. Different groups put together (tech staff so it can be enforceable -- ). URL coming.

Enforcing – networking & telecommunication for any networking abuse.

Top level generated at key party three months ago – group of individuals witness.

Machine completely different from 3 CD Roms, 4 copies of private key on each CD rom; each private key encrypted by different staffer of Frank’s. Each CD rom taken over to General Counsel’s office and are kept in his/her office. Private key is in posession of GC’s office – they have no way of reading. 4 people do know how to decrypt it. GC’s office can’t give Frank/staff the CD ROM.

Next level: witness group can go to GC office. They can’t read it. They will bring it to Frank. Key generation party. Next level created wen they get CREN-signed . that private key is on internet, but this is a short-lived key. Only threat is to pilot. Lower level keys .

Machine wiped after pilot private key is created.

After pilot – creating CAs for specific purpose. First round of keys – short-lived due to risk of compromising.

Physical location – same location as two copies of directories. Three machines are in secured – one is main switch; one is main computer facility; one is telecommunications. Need passcode. Need to be employee of University; need to have key to cabinet.

Lower level certs -- software that they’re writing. On internet for pilot. New machine for beyond pilot, not routable.


SUN systems. X.500 run Ultra 2100/70s (three of them).

Initially pilot CA will be on one of them.

Beyond pilot – CA will be on own Spark 20. Security reasons.

Software – Syntegra (owned by British Telecom). CA signing software is Open/SSL. Operating – SUN, Solaris (Version 7).

Where users’ keys are stored -- smart card, floppy, work station, on-line retrieval? Both Verisign and Entrust have on-line retrieval.

How go into lab and use PKI? (haven’t spent a lot of time on). We issue you a key, assume that you’re going to put it on your workstation. (big critical issue in the future) [can’t do smart cards due to cost] – assume that you will put it on home where you don’t have umn address. In the lab, don’t need cert because you have umn address.

Problems/Outstanding Issues/Experimentation:

Getting certs with a greater degree of certainty as to who Cert increases applications you can use/do. Increased value parameter – financial, grant application.

Cert profile

Directory situation – software in place X.500 (metadirectory capabilities, but aren’t using) Daily updates of directories. 3 sources can create people objects – staff & faculty database, affiliate database, and alumni database. Sources of information – depts supply info.

PeopleSoft -- $6 million.

Issues to be addressed soon…

People involved in the various projects…