[unisog] PKI survey
davidr at portnoy.uchicago.edu
Mon Nov 1 18:32:00 GMT 2004
We're preparing for an (eventual) overhaul of our PKI setup, and I'd
like to hear from people about what they're doing. You can respond to
me personally, and I'll summarize the responses and send them back to
the list. I'll answer the questions for the University of Chicago so
you can have a little background if you wanted to offer some (much
appreciated) advice. If you have any favorite informational resources,
I'd appreciate it if you would share those as well.
1. Are you using PKI campus-wide in any capacity now?
We sign certificates generated by local web servers. We've had some
(very limited) success getting people to import our root certificate
into their web browsers.
We also use another CA that's been signed by our "main" CA to
generate and distribute certificates (via SCEP) to use with our VPN
concentrator for IKE SA negotiation so we can avoid things like
pre-shared key Xauth and the like.
2. Are you planning a new campus-wide PKI project, or expanding your
existing PKI in a new capacity? Are you planning on integrating your
campus-wide PKI with a Windows CA for use in Active Directory?
We're not sure what we're going to do! A few years ago we tried to
introduce Kerberos to the campus, but it was never widely adopted,
and it finally died a slow, lingering death last year. We're very
hesitant to promote the use of PKI for something that won't take off.
3. What PKI (CA/RA/etc.) software are you using? What software aren't
you using and why not?
Right now, we're just using openssl as a CA and OpenSCEP (orphaned
by its developer) to do our SCEP generation and distribution.
Needless to say, that leaves a lot to be desired, and that's what's
driving our desire to overhaul our setup. I don't know too much
about the alternatives. I was going to take a look at OpenCA and
RSA Keon, because SCEP support is a requirement. I'd be delighted
to hear about any of your experiences with any software.
4. How do you authenticate the certificate chain to the clients?
This is the biggie for us. Our CA's certificate has been signed by
the CREN CA. Even though I2 is going to continue the CA service,
there's just no hope of having their CA key imported into all of the
client software our users need to use. As a result people are
abandoning our CA service and just buying their certificates from
someone like Verisign or GeoTrust. We tend to proxy those
purchases, so it's a big time drain for us with no benefit.
Ideally, we want to have someone like RSA or GeoTrust sign our CA
outright, or use some kind of online validation service. It's not
exactly clear to me which types of online verification mechanisms are
ready for prime-time, and which are not. I realize that this could
potentially be very expensive, but we think it'll be worth it in the
David Ressman, Network Security Officer
The University of Chicago Network Security Center
(773) 702-4789
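The two-tier arrangement described in question 1 (a "main" CA that signs a subordinate CA, which in turn issues the working certificates), and the client-side trust problem raised in question 4, as an added example built with the openssl command line; this is not the poster's configuration, and the organisation, CA names and host name (Example University, Example Root CA, Example Issuing CA, www.example.edu) are hypothetical placeholders. It builds a root, a path-length-constrained issuing CA and a server certificate, then runs the same chain through openssl verify twice: once as a client that has imported the root, and once as a client that has only its default trust store. SCEP distribution is not covered.

```shell
#!/bin/sh
# Added example (not the original poster's setup): a two-tier CA with the
# openssl CLI, then chain validation as seen by a client that trusts the
# root and by one that never imported it. Names are hypothetical placeholders.
set -eu

# Minimal config so the run does not depend on the system openssl.cnf.
# One extension section per certificate profile: root, issuing CA, TLS server.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = placeholder overridden by -subj

[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_sub_ca ]
# pathlen:0 -> may issue end-entity certificates only, never another CA
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.edu
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_pki() {
    dir=$1
    cnf=$dir/openssl.cnf
    write_cnf "$dir"

    # 1. Root CA: self-signed. In production this key stays offline.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cnf" -extensions v3_root \
        -subj "/O=Example University/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

    # 2. Issuing CA: a CSR signed by the root. This key does the day-to-day
    #    signing; the root only ever signs CA certificates.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/O=Example University/CN=Example Issuing CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$dir/sub.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_sub_ca -out "$dir/sub.pem" 2>/dev/null

    # 3. Server certificate: CSR generated on the web server, signed by the
    #    issuing CA, SAN taken from the v3_server profile.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/O=Example University/CN=www.example.edu" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/sub.pem" -CAkey "$dir/sub.key" -CAcreateserial \
        -extfile "$cnf" -extensions v3_server -out "$dir/server.pem" 2>/dev/null

    # What the server sends in the handshake: leaf first, then the
    # intermediate. The root is never sent; the client must already hold it.
    cat "$dir/server.pem" "$dir/sub.pem" > "$dir/chain.pem"
}

# Client that imported the root: the chain validates. Prints ok/fail.
verify_with_root() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
        "$1/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Client that never imported the root and relies on its default store:
# the chain ends at an issuer it does not trust, so it fails. Prints ok/fail.
verify_without_root() {
    if openssl verify -untrusted "$1/chain.pem" "$1/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
build_pki "$workdir"
echo "client trusts our root:        $(verify_with_root "$workdir")"
echo "client has only default store: $(verify_without_root "$workdir")"
```

The second verify call is the situation the post describes: a correctly built chain is rejected by every client that has not imported the root, which is why a campus root that is not in the browser and OS default stores pushes people toward a commercially rooted CA. Having a public CA sign the issuing CA, as the post contemplates, changes only which certificate sits at the top of this chain; the pathlen:0 constraint on the issuing CA is what a public CA would insist on before doing so.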