The PKI Working Group End User Deployment Matrix

This effort is being fostered and developed by the Educause Net@edu PKI working group to provide information that assists campuses in PKI deployment. The work is a result of feedback from higher education institutions whose input has helped enlighten vendors, government and IT managers about the complexity of deploying PKI, and has defined the need for information dissemination from those institutions in higher education that have chosen to deploy PKI in production with end entity certificates for authentication, S/MIME, document signing and security.

NMI EDIT


Goals:


The Matrix:
   
The matrix is a quick lookup summary of the information provided from PKI deployments in higher education institutions. The criteria for participation in the survey are as follows.
The Matrix itself is divided into rows of institutions by columns of interest. The columns summarize information about the institutions. The demographics column defines the way PKI was instantiated on campus, the driver(s) for PKI, the cost and the CA mechanism. The deployment column summarizes information about the deployment in terms of certs issued, how the deployment was started (ground up or top down) and how certificate use is defined on campus. The management column shows information on how the campus issues, revokes and manages cert deployments and defines the media and LOA. The support column states the mechanism the institution uses for end user support of certificate and PKI issues. The last column defines the applications on campus that are currently supported for use with PKI.

Columns: Institution / Demographics / Deployment Information / Certificate Management / Support / Applications

Institution: UT HSC Houston (Contact)
   Demographics: # Users 10K; Cost ~$50K / yr; Driving Application Document Signing; CA is outsourced
   Deployment Information: 2K issued; Top Down; Issued to staff & Students; 5th year of production; Uses defined in Policy for S/MIME
   Certificate Management: In Person Vetting; FBCA Medium LOA; Web Issued; Web Revoked; Web Renewed; 1 & 2 factor USB Tokens
   Support: Help Desk; Email & callback support for home users
   Applications: VPN; AuthN for 3 tier web apps; S/MIME dual key; SSL

Institution: Dartmouth (Contact)
   Demographics: # Users 8K; Cost ~$30K 1st yr; Driving Application VPN; Self Signed
   Deployment Information: 1K issued; Top Down; Issued to staff & students; 1st year of production; Uses required by application
   Certificate Management: Local login vetting (pictured id soon); 2 LOAs supported; Web Issued; Web Revoked; 2 factor ONLY with USB Tokens
   Support: Help Desk; 2nd Tier support from PKI Lab
   Applications: VPN; Web Apps; AuthN; S/MIME; SSL

Institution: UT MB Galveston (Contact)
   Demographics: # Users 13K; Cost ~$60K / yr; Driving Application S/MIME; Outsourced
   Deployment Information: 500 issued; Top Down; Issued to Staff; 3 year pilot, 6 months in production; S/MIME dual Key escrow
   Certificate Management: In Person Vetting; FBCA Medium LOA; Web Issued; Web Revoked; 2 Factor ONLY with Smart Cards
   Support: Desktop support
   Applications: Web Apps; AuthN; Dual Key S/MIME; SSL

Institution: U of Alabama Birmingham
   Demographics: # Users 30K; Cost Not Stated; Driving Applications Enterprise AuthN; Outsourced
   Deployment Information: # issued not stated; Top Down; 3+ years; S/MIME dual Key
   Certificate Management: Vetting not stated; 1 LOA; Web Issued; Web Revoked; Software only
   Support: Not Stated
   Applications: Document Signing; Dual Key S/MIME; SSL; Grid

Institution: Texas Wesleyan University (Contact)
   Demographics: # Users 4500; Cost Not Stated; Driving Application Security ID Management; Self Signed
   Deployment Information: # issued not stated; Bottom Up; Pilot 1st Year; AuthN single key
   Certificate Management: Vetting not stated; LOA not stated; Manual issue; Manual revoke; Software and pilot for smart card/token
   Support: Help Desk 24x7
   Applications: Desktop Client AuthN; Transmittal of Documents (but not stated how)

Institution: University of Virginia (Contact)
   Demographics: # Users 30K; Cost 1 FTE + hardware; Driving Applications Security; Self Signed
   Deployment Information: 5K Issued; Top Down; 2 Years; AuthN; S/MIME; Single Key with recommendations to not use for encryption
   Certificate Management: Dual Vetting; 2 LOAs supported; Web Issued; Web Revoked; Software; Hardware required for High Assurance Certs
   Support: Standard Support
   Applications: Web Apps; AuthN for EAP/TLS; SSH; Dual Key S/MIME; SSL; GRID (in test)

Institution: MIT (Contact)
   Demographics: # Users 30K; .5 FTE + ~1.5K hardware; Driving Applications Web AuthN; Self Signed
   Deployment Information: 100% students Issued; 75% Faculty Issued; 8 Years; Web AuthN ONLY; Single Key
   Certificate Management: Must have Kerberos credential to Vet; 1 LOA - Rudimentary; Web Issued; No Revocation; Software
   Support: Standard Support Mechanism
   Applications: Web Apps; SSL


The Surveys: For a more detailed review of the deployments, you can download the surveys in MS Word format.


How to Participate: If your institution meets the 3 criteria listed above, then you are invited to download the survey <provide survey link>, complete it and return the completed document via email to Barry.R.Ribbeck@uth.tmc.edu. Please note that information in the survey is meant to be shared with other institutions. If you do not wish to or cannot provide information such as costs, please do not include that information in the survey. Questions and comments regarding the survey or this document can be routed to the same address. Your information will be summarized and added to the list of participating institutions.

Created  6/18/04
Last Edited 7/28/04 BR