[unisog] University Certificate CA

Gary Flynn flynngn at jmu.edu
Wed May 21 14:25:18 GMT 2003


John Stauffacher wrote:
> 
> Get a group of universities together to form a sort of University
> CA.

John,

I share your thoughts and was disappointed when I saw that
CREN seemed to be dropping this project.

A lot of the usability problems could be eliminated if
participating universities included the CA being discussed
in their distributions of browsers. I know we roll our
own configurations for our population and I suspect many
others do too.

> The push from this campus comes from people wanting to
> do secure document exchange and secure signing of documents

The biggest need I see for these would be for S/MIME
encryption of messages for privacy. Training would be
important to prevent loss of key(s) and subsequent
unreadability of email messages.

Another possible use would be for code signing of utilities
and scripts written by universities and subsequently
made public.

I am very leery of electronic signatures for the general
public. As laws increasingly make them legally binding,
the ramifications of mistakes or misuse increase greatly.
Too many desktops are compromised today which enables
outside parties to access the private key(s). Just
yesterday I saw a news report that said 200,000 compromised
computers were used as spam proxies. Even if the real
number is 10% of that, that could mean 20,000 people signing
legally binding documents. What recourse do these people
have?

The Verisign Relying Party agreement has this to
say:
http://www.verisign.com/repository/rpa.html

"8. Effect of a Certificate. You acknowledge and
  agree, to the extent permitted by applicable law,
  that where a transaction is required to be in
  writing, a message or other record bearing a
  digital signature verifiable with reference to
  a Certificate is valid, effective, and enforceable
  to an extent no less than had the same message or
  record been written and signed on paper. Subject
  to applicable law, a digital signature or transaction
  entered into with reference to a Certificate shall be
  effective regardless of the geographic location where
  the Certificate is issued or the digital signature
  created or used, and regardless of the geographic
  location of the place of business of the CA or
  Subscriber."

Also, under Digital ID Subscriber Agreement
http://www.verisign.com/repository/subscriber/index.html

6.2 "Your Warranty" includes:
  "(d) you have been (since the time of its creation)
   and will remain the only person possessing your private
   key and no unauthorized person has had or will have
   access to your private key; (e) you have been (since the
   time of its creation) and will remain the only person
   possessing any challenge phrase), PIN, software, or
   hardware mechanism protecting your private key and no
   unauthorized person has had or will have access to the
   same;"

I don't believe that the administrative costs would
be trivial. You would have to authenticate that the
individual requesting a certificate for an educational
institution is who they say they are and are authorized
to do so. Perhaps multiple call backs to multiple people
high in the organization and/or two or more security
officers at other universities vouching for the
identity of a security person at a requesting organization...
sort of PGP-like. Verisign's authentication procedures are
described in their Certificate Practice Statement section
3.1.8.
http://www.verisign.com/repository/CPS2.1/cps2-1.pdf

Then there is that little matter of the issuing organization
being responsible for the integrity of every university
electronic identity, every university affiliate's identity,
every university server's identity (if we expand this to
SSL certs), every university e-mail message, every university's
encryption, and every university's code. :)

Speaking of responsibilities, a quick read of the Verisign
terms and conditions is interesting. The main page is
at:

http://www.verisign.com/repository/

Excerpts of particular interest:

From Relying Party Agreement:
http://www.verisign.com/repository/rpa.html

Read section 5 "Your obligations" in the
context of a typical end user.

Under Digital ID Subscriber Agreement
http://www.verisign.com/repository/subscriber/index.html

5. Modifications to Agreement
    30 days notice after posting revised agreement on web site.
    Customer agrees to periodically check web site.
6. Warranties.
7. Disclaimers of Warranties.
8. Indemnity
9. Limitations of Liability

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University



