Non-profit, member-based IT support for research & educational institutions


Scenario for Certificate Authority Infrastructure & Policy

June 16, 2000
Representative:
Jay Leafey
Senior Systems Analyst
University of Tennessee Memphis
877 Madison
Memphis, TN 38163
Email: jleafey@utmem1.utmem.edu
Phone: 901-448-6534
Fax: 901-448-8199

    Document History:

  • Initial Draft/Interview: June 2000
  • Draft reworked: August 2000

    What are some planned First Uses of Digital Certificates on Campus?

  • Securing web-based applications and communication channels.
  • Directory updates
  • Researchers who are working on collaborative efforts, and whose efforts are confidential.
  • Trials of demographic data on individuals. (Haven’t been using JSTOR).
  • Within the College of Dentistry, data entry workers would receive certs for administrative applications, such as scheduling appointments and to transcribe schedules.

    Getting Started: Processes for Initially Registering Students

  • May use face to face registration, or manual authentication, over the phone by asking a series of questions such as DOB, SSN, etc.
  • Or, they may set up PGP channel similar to the procedures CREN has in place to register faculty in preparation for institutional certs. This method would be Jay’s preference.
  • The system set up in order to complete directory updates includes a manually assigned password for LDAP. A digital cert is issued in a walk-up to a help desk process and having the person present a picture id., and answering some questions such as DOB, SSN, etc. (set up computer accounts – HR let computer know about new hire, give tech. Info they need. SAP (doesn’t subscribe to LDAP) – student info network/create live links from SAP to LDAP directory.
  • Most applications can authenticate against LDAP.
  • In the future, there will be certain applications that a student or faculty member will not be able to use without a digital cert. (General store’s, Pharmacy inventory-related.)
  • Researchers – GCC (Univ of Wisc) database (genetic modeling) – web-based interface. Need to secure (not strong authentication from individual; securing website with more secure means). Want to find easy way to encrypt data.

Policies and Procedures

Subscriber agreements – plans for protecting private key? Strong part of plans. Don’t want to soft-pedal it, but it will be manual signing paper. (Jay, is it possible for you to get a copy of the draft and send it to us? Right now, IT staff is reviewing the draft subscriber agreements. They will then send it to the legal folks later on.

Infrastructure:

Directory service Innosoft IDDS v. for LDAP. Netscape/SUN/IPLANET – what’s going to happen?

Open VMS System 7.1 (Hardware: Dual Alpha server cluster service). Going to transition to Compaq Tru64 Unix system (Hardware: DS20 cluster).

Software for implementing digital cert structure: Innosoft TLS w/ IDDS and then their mail product. Open SSL 2.09.04. Will upgrade.

Box –

Setting up box from which will sign certs will not be connected to network. Not connect to Compaq notebook Linux Redhat 6.22. Generating request on another system, putting it on portable medium, signing it with institution’s key, then removing CD or whatever

Institution’s private key: currently it resides on a Compaq laptop, which Jay Leafey has access to. The laptop goes home with Jay every night. He is trying to get space inside controlled space so he doesn’t need to physically carry it home with him.

The validity period of individual certs (for students?) will be one year. Certs issued to faculty and staff will have a longer validity period, probably two years.

Problems/Outstanding Issues/Experimentation:

Pieces of infrastructure not quiet in place. Transition of IDDS over to Unix-based system.

Jay wants various parts of the infrastructure stabilize a bit before implementing a full pilot. .

One of UT-Health Sciences Center’s main concerns is the scalability issue, whether the system will work for the entire Univ of Tennessee system.

Jay is trying not to paint himself into a corner. Therefore, he is taking thing slowly. The sharing of information with other campuses and organizations, through CREN, has proven useful.

Lots of little niggling technical matters are still a problem.

Storing in the LDAP – Jay is playing to put his public key into LDAP.

Web-based

As far as the state government’s activities, Jay says that the state of Tennessee is somewhat behind, still working on a task force. Jay hopes that the state will ask the Univ of Tennessee for input.

Issues to be addressed soon…

Key escrow…