Project Plan for an Institution Implementing PKI
By Mark Franklin, Dartmouth PKI Lab, last modified 4/19/2004
Anyone with responsibility for secure network computing for their institution should understand what PKI can offer and how to deploy it. This document describes a series of steps, starting with the big picture and linking to documents with the details, to learn about, implement, and deploy PKI on your campus. It presents your options and helps you decide which to take, explains the benefits and costs of PKI, and provides extensive “how to” material. Not all this information is in this document; it has many links to more detailed materials in
You may want to also read the “PKI Lite Recipe” document at http://stc.cis.brown.edu/~stc/Projects/Security/PKI/PKI-how.html.
PKI is a fairly complex topic, and getting an early overview of some of the theory and technologies behind it will serve you well. On the other hand, most people learn best while doing, so don’t study PKI too long before you jump in and start using it.
This EDUCAUSE Review article presents a very high level view of the need for PKI in Higher Education and why the time is ripe for widespread adoption of PKI.
There are a number of good books on PKI theory. Be sure to sample several before you choose one. Then read the introductory section and skim other sections of interest. You can refer back to this book as needed when you really need the details.
There is a wealth of information available here, including an introduction to the elements of PKI and their purposes.
The PKI Lab is conducting a campaign to encourage the deployment of PKI in Higher Education. This campaign includes presentations at a number of events.
As with any IT technology, PKI should provide real value to real users. As you evaluate and deploy PKI, you should always focus on the applications it can support and enable. Learning about applications of PKI is another on-going process, but getting an early overview of possibilities is a good idea. You should also start to think about which of the applications will provide strong value and return on investment at your campus.
We have compiled a list of potential PKI applications for higher education with descriptions of each.
There is no substitute for actually running the applications so you can accurately evaluate their value, usability, cost to deploy, robustness, etc. You or others on your team will need to spend some time configuring and running applications with PKI, conducting proofs of concept and pilot projects, comparing alternatives, and otherwise exercising possible PKI applications on your campus. These evaluations may be very quick (one can try AOL AIM secured with PKI in a matter of minutes) or may be more involved (setting up for network service authentication requires server configuration).
In many cases, an application you already have can use PKI. Many email readers have S/MIME built in. Many browsers support client-side PKI authentication for SSL/TLS. Advanced versions of Adobe Acrobat and Microsoft’s Office applications can sign documents. Recent AOL AIM instant messenger client releases for Windows are PKI enabled. Newer versions of Windows allow PKI (smartcard or token) logon. You may only need to activate the PKI capabilities of an existing application.
In other cases, you will need to acquire additional client software or features for server software, configure network appliances (such as VPN concentrators or firewalls), acquire PKI-specific hardware (such as smartcards or tokens), add modules to servers (such as mod_ssl for Apache), etc.
The list of applications referenced above has links to information about what software they require and how to install and configure them.
You may already have certificates suitable for your evaluation. More likely, you will need to generate some. These may include both server identity and end user certificates. In the past, the “chicken and egg” scenario of needing certificates before being able to evaluate PKI has been an inhibitor of PKI deployment - setting up one’s own Certificate Authority is an expensive and time consuming operation to undertake before ever evaluating possible PKI applications.
Fortunately, you now have several options where you can easily get free certificates that are suitable for most application evaluations:
· Georgia Tech’s excellent demo CA (http://democa.ns.gatech.edu/) by John Douglass makes generating end user certificates extremely quick and easy. You can also apply for server identity certificates free of charge.
· Thawte offers free commercial certificate services (www.thawte.com). For free personal email certificates, visit https://www.thawte.com/html/COMMUNITY/personal/index.html. For free SSL server identity certificates, visit https://www.thawte.com/ucgi/gothawte.cgi?a=w35250040567014000.
· Ascertia (www.ascertia.com) offers another commercial trial service (http://www.ascertia.com/onlineCA/issuer/default.aspx).
Bear in mind that PKI is relatively new to many applications, and there are still rough edges. Usability and interoperability aren’t always what they should be, but generally configuring the applications isn’t rocket science. It is important for the user community to put these features through their paces, report problems to application suppliers, and demand improvements. While many commercial products provide strong PKI support, don’t assume that open source software won’t. In fact, Mozilla (and by extension, Thunderbird and Firebird) and Apache provide some of the best PKI application support available.
PKI is best approached by an institution as a long-term investment in IT middleware. Short term ROI is not a strength of PKI; it is in the long run, as the benefits snowball, that PKI really shines. Of course, you still want to start where the need is greatest and where you will make the most rapid progress for the least effort. Choose your first steps carefully.
PKI is not something IT staff can implement in a vacuum. Management support is critical to ensure that PKI receives support long enough to reach the point of greater return than investment. Establishing an institution-wide PKI is like making an institution-wide directory. It takes careful planning, coordination of multiple constituencies and service organizations, good design, significant resources, and persistence.
Be sure your management understands not only the costs and requirements of PKI but also the benefits in the form of extra capabilities for users, avoidance of costly security incidents, and long-term efficiency gains for both IT staff and the entire user population.
See a <presentation outlining the business case for PKI link (NACUBO presentation not done yet)>.
See <case studies for other higher education institutions that have deployed PKI link (to net@EDU materials not published just yet)>.
PKI is not just technology. Equally important to a PKI deployment are the policies and procedures you establish for issuing certificates (e.g. how do you identify that certificate recipients really are who they seem to be?), revoking certificates (e.g. how often do you post revocations to CRLs? Under what circumstances do certificates get revoked, and what mechanisms ensure they do?), escrowing certificates, educating users, PKI-enabling applications, etc. Depending on the situation, some of your decisions may have legal ramifications, so consulting your legal department may be in order. Before you object that one would be crazy to implement PKI if it involves lawyers, consider the fact that lawyers will definitely be involved if you have a HIPAA violation due to stray email or if you have a security incident where a password database was stolen and some unknown number of social security numbers may have been leaked.
As with any non-trivial IT project, planning and organization will go a long way, but remember to balance this with being agile enough to adapt as you learn more about requirements and as new opportunities arise.
There are many options for deploying Certificate Authorities (CAs). Schools have succeeded with all of these.
Commercial companies offer out-sourced CA services. For a price, they will handle all of the logistics of issuing and managing certificates plus a portion of the Registration Authority (RA: validating identities before issuing certificates) responsibilities. Outsourcing has the benefit that most commercial vendors have their root certificates installed in the common browser trusted root stores. This eliminates the need to distribute self-signed trusted root certificates so that user applications can validate certificates issued by an in-house CA. Commercial CA services tend to have pre-established CA and RA processes and policies, which can save a school from having to establish its own. On the other hand, this can be a problem and/or incur extra expense if the pre-established processes and policies don’t match the school’s needs.
Institutions wishing to operate their own CA service in-house have multiple possible paths. One dimension of choice is where they get the CA software. Both commercial packages and open source implementations are available. Or they can start with an open source crypto library and implement their own CA (OpenSSL is usually the choice in this case). Another dimension of choice is whether the CA root certificate is self-signed or signed by a commercial or other inter-institutional CA (such as the former
This task will vary widely depending on your CA strategy. If you choose to outsource CA services or to license commercial CA software, then you should get extensive assistance from your vendor. Some open source CAs come with documentation about how to set up a CA, but you’re more on your own with these.
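The in-house path in its smallest form, as an added example that is not the PKI Lab's or this document's code: a self-signed institutional root, one end-user certificate with an explicit profile (key usage, extended key usage, email subject alternative name), and a chain check that shows why a self-signed root must be distributed to user applications before they can validate in-house certificates. It uses Go's standard crypto/x509 library rather than OpenSSL; the institution name, subject names, serial numbers, lifetimes and the choice of Ed25519 keys are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildCampusPKI: self-signed institutional root CA plus one end-user certificate profiled for S/MIME signing and TLS client auth.
func BuildCampusPKI() (root, user *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 keeps the example short; RSA works the same way
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{ // constructed sample names and lifetimes, not a real institution's profile
		SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		Subject:      pkix.Name{Organization: []string{"Example University"}, CommonName: "Example University Root CA"},
		IsCA:         true, BasicConstraintsValid: true, // basicConstraints CA:TRUE
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER) // DER produced just above, so parsing cannot fail
	userDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber:   big.NewInt(1001), NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		Subject:        pkix.Name{CommonName: "Jane Student"},
		EmailAddresses: []string{"jane.student@example.edu"}, // subjectAltName used by S/MIME clients
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}, root, userPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	user, _ = x509.ParseCertificate(userDER)
	return root, user, nil
}

// Verify chains user to a trust store; trustRoot=false models a browser that lacks the in-house root (it must be distributed).
func Verify(user, root *x509.Certificate, trustRoot bool) error {
	pool := x509.NewCertPool()
	if trustRoot {
		pool.AddCert(root)
	}
	_, err := user.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

An outsourced CA avoids the second failure case only because its root already ships in the browser trust stores; an in-house root needs an explicit distribution step to reach the same state.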
You will need to define your certificate profile(s) and your certificate practices. See RFC 2459 for the gory details about certificate profiles. An excellent starting point for your own certificate profiles and practices is the PKI Lite information produced by the Higher Education PKI Technical Advisory Group (HEPKI-TAG) group:
This will be a series of deployments and upgrades to applications like the ones any IT shop is constantly undertaking and should be managed accordingly. See helpful “how to” information specific to the PKI aspects of particular applications.
Education is an important part of any PKI deployment. Depending on the audience, the amount of time and attention you can get may be limited (for some reason, people don’t seem to want to spend a lot of time on security), so pick your message wisely. Here are some thoughts on various constituencies.
Get management on board beforehand. As with any security technology, you are likely to get backlash from users who don’t appreciate the finer points of the tradeoffs between security and convenience. Also, the costs and prioritization issues of deploying PKI may generate pushback from system administrators and others in your IT staff. Having management understanding what you are doing and its value should help ensure your projects don’t get derailed by these issues.
These are the folks who will actually implement and maintain PKI, and they clearly need a detailed working knowledge of the technical side of PKI. They too should learn about PKI per section 1. They do not need in-depth knowledge of the cryptography behind PKI.
Your support staff needs an introduction to PKI and hands-on experience using it the way your end users will use it. They should also meet the developers and administrators and know who to contact when users get stuck.
Some sites find it useful to conduct user training sessions. Others rely on web documentation alone. Don’t try to educate your users about the technical details of PKI. Instead focus only on the essentials they need to know in order to get going and on a few safe computing practices so they will manage their credentials responsibly. Remember that for most users this topic is about as interesting as how to use the combination lock on their locker – they want to know only as much as they need in order to accomplish their goal (getting into the application or opening their locker). See Dartmouth’s PKI user web for an example of user education materials. Dartmouth chose not to provide training sessions for end users, and to date has self-service enrolled over 300 students and two hundred staff for PKI credentials with almost no support calls.
Many different strategies are possible here.
As you know, maintaining applications is an on-going process, and there is always room for refinement. PKI is the same. Don’t try to solve all problems at once with your initial deployment. Instead pick an achievable starting point and add to it incrementally, building on what works well and fixing what doesn’t.