Non-profit, member-based IT support for research & educational institutions


PKI Project @ Princeton University At A Glance

Date: June 6, 2001
William J. Sproule, sproule@Princeton.EDU
Collaboration Services Group, Princeton University


Software and Hardware
Princeton University is deploying the iPlanet Certificate Management System, http://docs.iplanet.com/docs/manuals/cms.html, currently version 4.2 sp2. CMS is being deployed on three Sun Ultra 250s; one each for the Registration Manager, Certificate Manager, and Data Recovery Manager. Clients will use Netscape Communicator 4.77 with Personal Security Manager 1.4.

Status
We are currently testing Netscape Communicator with PSM 1.4 with dual-key certificates. This provides separate signing and encryption keys as well as requires the user to create a backup of the certificates when they are generated. We currently do not plan to generate keys directly for IE but have verified users can export and import their pair of keys from Netscape to IE for use within Outlook. Testing has included:

LDAP authentication to obtain certificate
Dual key generation using Netscape Comm 4.77 with PSM 1.4.
Export and Import of keys to IE and Outlook.
Key recovery requiring 3 of 5 administrators authorization.
Automatic LDAP publishing of Certificates.
Certificate Revocation and CRL LDAP publishing.
CPS being reviewed by Princeton legal.

Pilots
Internal testing of Signed/Encrypted Email
Internal testing of Authentication
Health Services Secure email between students and Health Services
Office of the Dean of the Faculty Secure and signed email between DoF and Visa office.
Library-Treasurer Secure and signed email.
JSTOR - Authentication.
Boise Cascade Authentication.
Certificate issued to Desktop Systems Council program participants.

TO DO
Sign new CA by CREN Status: Waiting for new VP of computing to start.
OCSP testing with CMS 4.2sp2
Add CPS pointer in cert
Create subordinate CA to issue short-lived user, anonymous, and pseudo-anonymous certificates for authentication and for vendor required payloads.