Embed Size (px)
Citation preview
03 December 2003
Digital Certificate Operation in a Complex Environment
Consultation/Stakeholders Meeting
3 December 2003
03 December 2003
DCOCE
dΛ’kŊtfi:
Der-kot-chee
03 December 2003
The DCOCE project
• DCOCE is about authentication with digital certificates
• Digital certificates use Public Key Infrastructure (PKI)– PKI is very secure
– but can be difficult to administer
03 December 2003
The DCOCE project
• Digital certificates and PKI rely upon trust
• Trust relies upon co-operation (or understanding) between organisations
• Oxford University is a Complex Environment– DCOCE
– If it can work here...
03 December 2003
What DCOCE is not about
• Authorisation– but…
• Single sign on– but…
• e-Science and the grid– but…
03 December 2003
Project team
EvaluatorsAlun Edwards (OUCS)
Johanneke Sytsema (SERS)
• Based within the RTS at OUCS in collaboration with SERS
Project Manager
Mark Norman
Systems DeveloperChristian Fernau
03 December 2003
Project partners
• Research Technologies Service at Oxford University Computing Services in collaboration with:
– the Systems and Electronic Resources Service at Oxford University Library Services (SERS)
– Manchester Information and Associated Services (ZETOC)
– the Athens Devolved Authentication Service (at EduServ)
– the Oxford e-Science Centre (OeSC)
03 December 2003
What is DCOCE?
• 2-year project funded by the (Joint Information Systems Committee) – feasibility of using digital certificates for authentication
and simplified access to remote services
– researching and running a pilot of a PKI (public key infrastructure)
– evaluating and documenting all of the major stages and of the user experience
03 December 2003
Why at Oxford?
• The complex environment is here…– the Departments and Colleges of the University of Oxford
• everyone may have a different requirement
• desires secure access to central IT support applications
• desires to optimise access to licensed content
• Oxford hosts regional e-Science Centre
– OUCS • secure access to web-based email; LDAP services; VPN service
• developing account management packages for RDN Subject Portals Project
• Information flow is very important to a PKI
03 December 2003
Admin & LegalServices
Research Technologies Service
IT Support Staff servicesUser registration
Project Team
Stakeholder group
Oxford UniversityComputing Services
E-Science Centre
Library Services
03 December 2003
Stakeholder group
• We need to know what you think:– are the ideas difficult?
– what do you think you need?
• Early 2004 we need people to trial the use of our digital certificates– to discover the advantages and difficulties as they
appear to you
03 December 2003
Modelling
• Admin. architecture– select and review 4 PKI
implementations
– build an administration architecture model for Oxford
– Athens, MIMAS and OeSC to advise and review initial proposals for models
• System architecture– review the 4 PKI
implementations
– build a system architecture model for Oxford
– Athens, MIMAS and OeSC to advise and and review initial proposals for models
03 December 2003
Development and implementation
• Implement, and develop, the systems and administrative processes to support a certificate life-cycle within a PKI– architectures
• very small-scale rollout
– a certification authority • initial testing
– OeSC to advise
03 December 2003
Athens Devolved Authentication
• Enable access to remote resources subscribed to by Oxford compliant with Athens single sign-on (SSO) via digital certificate authentication– examine Athens requirements and standards
– ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted
03 December 2003
MIMAS
• Enable access to remote Zetoc/British Library resources via digital certificate authentication mechanism– examine MIMAS/Zetoc requirements and standards
– ensure certificates and ‘presentment’ mechanisms comply and PKI can be trusted
03 December 2003
Real-world rollout
• Distribute the certificates much more widely– test – examine revocation and recovery issues – document the issues arising
• Extensive set of users will receive certificates– IT support staff in devolved roles throughout the
University – selected end users of many types and roles
• Trial revocation and recovery/re-issuing mechanisms
• OeSC, Athens and MIMAS to advise
03 December 2003
Certificate Policy Statement
• Develop and publish a detailed Certificate Policy Statement (CP) – in accordance with the Internet Engineering Task Force
PKI X.509 Certificate Policy and Certification Practice Statement (CPS) Framework
– produce an early draft of the CP• consult about trust issues
– final version of the CP will be produced after rollout
03 December 2003
Legal and administrative issues
• Input from Oxford University Legal Services– issuing and revoking certificates – running the PKI– the final Certificate Policy Statement (CP)– the administration issues of managing:
• a registration authority • and certificate authority • and revocation list
– research legal and administration issues
• OeSC to advise
03 December 2003
Evaluation and dissemination
• Technical and user-oriented evaluations– the implementation of PKI at UK HE establishments – final report
• Project progress report– successes and failures and points of difficulty
• Via web pages, email lists and at real 'events' – http://www.dcoce.ox.ac.uk/ Web site – [email protected] mailing list – Useful to others considering PKI within UK FE and HE
• formative evaluation of decisions made • summative evaluations
– decision-making processes and the experiences of end users etc.
03 December 2003
Summary of deliverables
• Evaluation reports – for different stages of the process
• Policies – overall Certification Practice Statement (CPS)
• Systems architecture details – any open source adaptations
• Project Web site– http://www.dcoce.ox.ac.uk/
• Summative report – practical manual
03 December 2003
Ideas for discussion at the moment
• Sending server certificates on a CD-ROM • Ideas for a Local Institution Certificate Store • Ideas for issuing certificates (enrolling)
