The MIT CA Experience Jeffrey I. Schiller Massachusetts Institute - - PowerPoint PPT Presentation

the mit ca experience
SMART_READER_LITE
LIVE PREVIEW

The MIT CA Experience Jeffrey I. Schiller Massachusetts Institute - - PowerPoint PPT Presentation

Mar 03, 2023 425 likes •579 views

The MIT CA Experience Jeffrey I. Schiller Massachusetts Institute of Technology Jeffrey I. Schiller Page 1 EasyCert BOF 11/11/04 Introduction MIT Built its PKI in 1996 In the belief PKI would take over the world I'm still

slide-1
SLIDE 1

Jeffrey I. Schiller Page 1 EasyCert BOF 11/11/04

The MIT CA Experience

Jeffrey I. Schiller Massachusetts Institute of Technology

slide-2
SLIDE 2

Jeffrey I. Schiller Page 2 EasyCert BOF 11/11/04

Introduction

  • MIT Built its PKI in 1996

– In the belief PKI would “take over the world”

  • I'm still waiting...

– We have about 40,000 “live” certificates – Over 1.6 Million issued since 1996 – Originally were v1 certs, now v3 certs

  • Major Application: Web Authentication
slide-3
SLIDE 3

Jeffrey I. Schiller Page 3 EasyCert BOF 11/11/04

Buy vs. Build

  • Vendor solutions were (are) complex and expensive
  • Notion of charge per certificate

– Non trivial charge per certificate

  • Build: Fixed cost of software development

– Not a function of number of certificates – Flexibility to have many certificates per user

slide-4
SLIDE 4

Jeffrey I. Schiller Page 4 EasyCert BOF 11/11/04

Technology Requirements

  • Easy to Use
  • Cost Effective
  • Incrementally Deployable
slide-5
SLIDE 5

Jeffrey I. Schiller Page 5 EasyCert BOF 11/11/04

Easy to Use

  • We are slaves to the Browser Vendors

– We support Netscape, Mozilla, IE and Safari – We work around the largest problems

  • Biggest Problem: Exporting Certificate and associated

keys to import into another system – Work Around: Obtain multiple certificates – Works because we only do Web authentication

slide-6
SLIDE 6

Jeffrey I. Schiller Page 6 EasyCert BOF 11/11/04

Cost Effective

  • Home grown software doesn't have a cost per

certificate

  • “Standard” Support costs that you expect from any

software product – Actually, not that bad, we issue ~ 1,000 new certificates (freshman) each summer with ~ 10-20 problems

slide-7
SLIDE 7

Jeffrey I. Schiller Page 7 EasyCert BOF 11/11/04

Incremental Deployment

  • Not all applications at MIT use Certificates yet

– But we encourage their use

  • 99.9% of Students have certificates
  • 66% of Faculty and Staff have certificates

– This number will go up as applications they must use are converted (from paper!)

slide-8
SLIDE 8

Jeffrey I. Schiller Page 8 EasyCert BOF 11/11/04

MIT CA Implementation

  • Up to version 3
  • First two versions based on Java and Cryptix toolkit

– Version 1: servlet – Version 2: jsp

  • Version 3 about to be deployed

– Based on Python front end to openssl

  • Does not “fork” scalable implementation
slide-9
SLIDE 9

Jeffrey I. Schiller Page 9 EasyCert BOF 11/11/04

Registration Procedure

  • Certificates obtained by authenticating to CA website

with Kerberos name, password and MIT ID Number

  • Kerberos name is issued via a “Coupon” with six word

secret – Only valid for initial account creation and can only be used once – Coupon mailed to students during the Summer – Website permits authorized staff to create duplicate PDF file for students who lose it

slide-10
SLIDE 10

Jeffrey I. Schiller Page 10 EasyCert BOF 11/11/04

Tips

  • Revocation is rarely if ever asked for

– We do not encode authorization into certificates

  • Most people don't know when they are compromised,

so they don't request revocation

  • May have to deal with this soon
slide-11
SLIDE 11

Jeffrey I. Schiller Page 11 EasyCert BOF 11/11/04

Certificate Lifetimes

  • All certificates issued prior to June expire July 31st
  • In mid June we advance the “dead date” further 1

year

  • Certificates issued to freshman from off-campus

computers expire on September 1st – So they don't leave them on their parent's computer

slide-12
SLIDE 12

Jeffrey I. Schiller Page 12 EasyCert BOF 11/11/04

Services Offered

  • Web Authentication

– Student Registration – Employee HR “Self Service”

  • Health care enrollment etc.

– On-line purchasing

  • Partners accept our certificates

– Many others

slide-13
SLIDE 13

Jeffrey I. Schiller Page 13 EasyCert BOF 11/11/04

What we do not have

  • A Certificate Practice Statement
  • A Certificate Policy Statement
  • In “practice” no one in the “real world” (read: not the

government) cares

  • Biggest issue with outside vendors is helping them get

infrastructure setup

  • It is always more secure then issuing names and

passwords

slide-14
SLIDE 14

Jeffrey I. Schiller Page 14 EasyCert BOF 11/11/04

Future

  • S/MIME Support

– Challenge due to multiple certificates and key escrow issues – Most S/MIME implementations store encrypted messages in the original encryption key

  • This is probably a bad idea

– Encrypted mail is more important to us then signed mail