Got Directory?

January 28, 2004

TIP2004

23年 4月 18日 2

metadirectory

enterprisedirectory

directorydatabase

departmentaldirectories

OS directories(MS, Novell, etc)

borderdirectory

registries sourcesystems

Enterpriseapplications dir

A Campus Directory Architecture

23年 4月 18日 3

eduPerson

Schema for US Higher EducationLow hanging fruit, interoperable data

• Easy stuff that we can all agree is true

LocalEduPerson -- local stuff local probInternational efforts under wayUS Person? Will the Feds listen to us?eduOrg continues to be developedhttp://middleware.internet2.edu

23年 4月 18日 4

LDAP-Recipe

A hitchhiker’s guide to LDAP in H.E.• A user’s perspective (a discussion, not a manual) of how to deploy directories. Covering:

• Directory Tree, Access Control, Attribute Firewalls, Group Management, How all the name attributes work, Authentication, Schema Management and Design, RDN issues that most don’t know about, Considerations for directory enabled E-mail routing, Software reference, Replication

• eduPerson discussion (read recipe as well as eduPerson specification)

23年 4月 18日 5

Video Middleware (VID-MID)

Post 9/11/2001• Video on the Internet is how people will communicate due to US Airline Industry impact

Video and middleware folks get together• Video is largely a human managed process• How to integrate video into enterprise?• Directory enabling versus directory slurping

CommObject is born and H.350 results

23年 4月 18日 6

Traditional X.500 naming:

dn: cn=Michael R Gettes, ou=Server Group, ou=OIT, o=Duke University, c=US

domainComponent (DC) naming:

dn: uid=gettes,ou=People,dc=duke,dc=edu

Problems with Cisco and others in the past, fixed (mostly)

HEPKI has issued guidance and advice on DC= naming

domainComponent (DC=) Naming

23年 4月 18日 7

Group Toolset Architecture

23年 4月 18日 8

RADIUS serverNAS(terminal server)

DialupUsers

User calls202-555-1110

CalledId from NAS is mapped to guRadProf

DirectoryServer

Netid = gettesguRadProf = 2025550001guRadProf = 2025551110guRadProf = OracleFin

LDAP Filter is:guRadProf = 2025551110+ NetID = gettes

RADIUS + LDAP

23年 4月 18日 9

LDAP Analyzer

Todd Piket, Michigan TechWeb based tool to empirically analyze a directory

eduPerson compliance Indexing and namingLDAP-Recipe guidance (good practice)H.350 complianceeduOrg compliance

http://middleware.internet2.edu/dir/

23年 4月 18日 10

What’s up in Directory Land?

Directory Architecture +eduPerson +eduOrgLocal Schema (localEduPerson)Non-eduPerson Persons (international efforts)usPerson? Working the FedsLDAP-Recipe +Group Management +Video Middleware +

• H.350 for Video Infrastructure

23年 4月 18日 11

Directory Land (continued)

DC naming +

RADIUS Integration +

LDAP Analyzer +

Medical Middleware

MACE-CourseID

Authorization work (the holy grail)

23年 4月 18日 12

LDAP: Buyer Beware!!!

LDAP is LDAP is LDAP – yeah, right! “Sure! We support LDAP!” What does that mean?

Contract for functionality and performance Include your Directory/Security Champion!!! Verify with other schools – so easy, rarely done.

Beware of products that specify Dir Servers Get vendor to document product requirements and behavior. You paid for it!

23年 4月 18日 13

Higher Education Bridge Certification Authority

and USHERStatus Update

Michael R Gettes

Duke University

January 2004, TIP2004

23年 4月 18日 14

Technical Policy

PKI is1/3 Technical

and 2/3 Policy?

A community-based CA:The (slow) rise of the house of Usher(The CA former known as CREN)

1723年 4月 18日

Usher-Level 1

Modeled after Federal Citizen and Commerce CP/CPS (www.cio.gov/fpkipa/documents/citizen_commerce_cpv1.pdf)

Issues only institutional certs Those certs can be used for any purposes CP will place few constraints on campus operations

• User identification and key management• Campus CA/RA activities

Will be operated itself at high levels of confidence Will recommend a profile for campus use Good for building local expertise, insuring some consistency in approaches

among campuses, and may be suitable for many campus needs and some inter-campus uses

Will not work for signing federal grants, etc… Operational soon

23年 4月 18日 18

Usher - Level 2

Modeled after FBCA Basic level CP

Issues only institutional certs

Those certs can be used for most purposes

CP will place more constraints on campus operations

• User identification and key management

• Campus CA/RA activities Will be operated itself at high levels of confidence

Will recommend a profile for campus use

Good for many campus needs, many inter-campus uses, and many workings with the federal government

Will peer at the HEBCA

Detailed planning now starting; stand up sometime mid-next year

23年 4月 18日 21

+/- of Usher

Pluses• Pricing and lack of usage constraints on campus roots• Strong institutional I/A – external and for subdomains• Community-consistent• ???

Negatives• Not easily in browsers• Uncharted peering with feds, commercials, etc• Places more emphasis on running your own campus CA.• ??

23年 4月 18日 22

What’s a Bridge anyway?

Traditional PKIWith Root CAPre-Existing?

23年 4月 18日 23

Board of Instantiation and Development (BID) Clair Goldsmith, Chair, UT System

– Augustson (PSU), Klingenstein (Internet2), Levine (Dartmouth), Wasley (UCOP), Hazelton (Wisconsin-Madison), Brentrup (Dartmouth), Gettes (Duke), Jokl (Virginia)

– EDUCAUSE: Luker, Worona Staff: Faut Purpose is to instantiate a HE Bridge, organization and

policy structures by November, 2003 (or sometime around that point -- okay, so we are running a tad behind schedule, sosu-us)

Foster Deployment and Development of Bridged PKI Supported by EDUCAUSE

23年 4月 18日 24

HEPKI Council Jack McCredie, Chair

– Michael Baer, Sr VP ACE– Rich Guida, Johnson & Johnson– Mark Luker, EDUCAUSE– Mark Olson, EVP of NACUBO– Dave Smallen, CIO @ Hamilton College– Nancy Tribbensee, Counsel @ ASU

Not operational, policy and oversight Will approve the creation of the HEBCA Policy Authority Charged with Higher Education direction and strategy for

PKI initiatives, not just Bridge Supported by EDUCAUSE

23年 4月 18日 25

HEPKI National PKI

23年 4月 18日 26

Current Status: January, 2004 Charter HEBCA Certificate Policy (brother Wasley)

– Will develop CPS from this policy Dartmouth College

– Contracted to implement HEBCA in 12/03– EDUCAUSE funded– Received AEG from Sun Microsystems ($50K)

• Equipment ordered and received• Signing Hardware -- not yet.• Working software agreement with RSA as first CA in bridge

– Maybe even further deal with Higher Ed for CA services & s/w

Begin process of cross-certification with US Gov Recommending to PKI Council to create the HEBCA Policy

Authority

23年 4月 18日 27

EDUCAUSE/NIH Interoperability Project December 2003, NIH demonstrated the

latest ability to submit doubly digitally signed documents to a web site that is validated using Bridge PKI. UCOP, Wisconsin, Dartmouth, UT Health Science Center (Barry Ribbeck)

Directory Infrastructure at Duke :-) General doc submission facility -- freely

available -- cool stuff.

23年 4月 18日 28

National PKI

Levels of Assurance / HE CP– Get mapped all the way down, the key to

interop

Business/Marketing: Separate Prob Policy Authorities likely to merge HEPKI umbrella should be org

structure for all PKI activities in HE

23年 4月 18日 29

Global? Trust Diagram (TWD)

23年 4月 18日 30

Sample InterFederation

23年 4月 18日 31

Shib/PKI Inter-Federations

This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion.

23年 4月 18日 32