Scenario for Certificate Authority Infrastructure & Policy
Georgia Institute of Technology
May 24, 2000
By Ron Hutchins
Institution: Georgia Institute of Technology
Representative:
Ron Hutchins
Georgia Institute of Technology
Atlanta, Georgia
ron.hutchins@oit.gatech.edu
404-894-6730
Document History
- Initial Interview: Jan/Feb 2000
- Initial draft by Patty Gaul in Feb, 2000
- Draft revisions during March 2000
- Updates on 3/28/00
- Update by Ron Hutchins on 4/30/00
- Minor editing by JVB on May 24, 2000
First Uses of Campus Certificates
- JSTOR
- Pilot program for State of Georgia newly enacted law allowing digital certificates as acceptable form of signature and identification
- Remote access from any ISP into campus
- Authenticated wireless and walk-up access
- SSL encryption and logging via 2way certificates on web-enabled apps
- Secure Email, possibly
Policies & Procedures
Georgia Tech follows the MIT model, using Kerberos as the registration authority for the initial client certificates. The credential check is done through the Apache SSL server; a public/private key pair is created, and the private key is automatically sent to the Certificate Authority, which issues the student, faculty, or staff digital certificate. This is operational.
To support consistency and awareness among the user community at Georgia Tech, an advanced development group has been set up consisting of legal representatives, members of the engineering community, student groups, information technology staff, and representatives from the Registrar's office. This advanced development group is working to develop policies on the use of digital certificates as well as lead an educational process.
In addition, a Security Policy Committee has been set up. Work is also in progress on creating classes of certificates and defining the use and appropriate lifetimes of these certificates.
Infrastructure
Georgia Tech is using Sun machines running Solaris. We are using an Apache web server with OpenSSL and mod_ssl. Georgia Tech attempts as much as possible to utilize existing infrastructure.
Georgia Tech has an internal directory look-up service (Look Up) that works with the Ph client software bundled with Eudora. We also recently began to use OpenLDAP and the LDAP client that comes with both Eudora and Netscape. Georgia Tech is also using the OpenCA software.
The CREN-signed Georgia Tech certificate is stored offline, encrypted, on a laptop, with a backup on off-line media kept in a safe in the library. The Information Security Division is likely to have responsibility for the Certificate Authority.
The off-line certificate (Level B; server certificate) signs the on-line certificates (Level C; client certificates), which in turn sign user certificates.
Problems/Outstanding Issues/Experimentation
Georgia Tech is not trying to solve all issues and problems right away. This approach is highly recommended.
One outstanding issue facing Georgia Tech is the fact that none of the applications currently running today handles chains of server certificates. There is a rumor that Netscape 5.0 will be able to handle this. Georgia Tech is currently trying to get a beta version of 5.0. For the time being, the credentials of the certificate are being placed on the browser.
Another issue is with the use of JSTOR. Currently, a student or faculty member has to be on campus in order to communicate with JSTOR, so that JSTOR recognizes the Georgia Tech IP address. We are interested in developing a short-lived certificate (60 days, a semester, etc.) that carries the email address of a person. It would be used for admittance to JSTOR. It would also allow access to the Georgia Tech network and resources from any location.
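The following is an added example, not Georgia Tech's own scripts or configuration. It reproduces, with the OpenSSL command-line tools the document mentions, the enrolment flow and the three-tier chain described above: a Level B offline CA (a self-signed stand-in for the CREN-signed certificate, since CREN cannot be reproduced here), a Level C online CA signed by it, and a 60-day user certificate carrying an email address, as proposed for the JSTOR case. It also shows the chain-handling problem: a relying party holding only the Level B trust anchor cannot validate a user certificate unless it is also given the Level C certificate. One point worth noting: in PKCS#10 enrolment as OpenSSL implements it, the private key stays with the requester and only the public key travels in the CSR, which the example checks explicitly. All organisation names, file paths, the email address and the lifetimes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Georgia Tech's code). Builds: Level B offline CA -> Level C
# online CA -> 60-day user certificate, then runs the checks a relying party would.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # scratch directory (constructed)
EMAIL="${EMAIL:-student@example.edu}"        # constructed address, not a real user

# One self-contained OpenSSL config so the demo does not depend on the system one.
cat > "$WORK/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
subjectAltName = email:$EMAIL
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Level B: self-signed stand-in for the CREN-signed offline certificate. Its key
# is used once below (to sign Level C) and would otherwise stay offline.
make_level_b() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/pki.cnf" -extensions v3_ca \
    -subj "/O=Constructed Campus/CN=Level B offline CA" \
    -keyout "$WORK/levelB.key" -out "$WORK/levelB.crt" 2>/dev/null
}

# Level C: the online CA. Its CSR carries only its public key.
make_level_c() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/O=Constructed Campus/CN=Level C online CA" \
    -keyout "$WORK/levelC.key" -out "$WORK/levelC.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 730 -in "$WORK/levelC.csr" \
    -CA "$WORK/levelB.crt" -CAkey "$WORK/levelB.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_intermediate \
    -out "$WORK/levelC.crt" 2>/dev/null
}

# User enrolment: key pair generated on the client; the CSR sent to the CA holds
# the public key plus a proof-of-possession signature. Level C issues 60 days.
enrol_user() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/O=Constructed Campus/CN=Example Student/emailAddress=$EMAIL" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 60 -in "$WORK/user.csr" \
    -CA "$WORK/levelC.crt" -CAkey "$WORK/levelC.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_user \
    -out "$WORK/user.crt" 2>/dev/null
}

# Checks a relying party (or an auditor) would run.
csr_is_key_free() {            # CSR contains a public key and no private key
  ! grep -q 'PRIVATE KEY' "$WORK/user.csr" &&
    openssl req -in "$WORK/user.csr" -noout -pubkey >/dev/null 2>&1
}
verify_with_chain() {          # trust anchor plus intermediate: succeeds
  openssl verify -CAfile "$WORK/levelB.crt" -untrusted "$WORK/levelC.crt" \
    "$WORK/user.crt" >/dev/null 2>&1
}
verify_without_intermediate() { # trust anchor alone: fails (the chain problem)
  openssl verify -CAfile "$WORK/levelB.crt" "$WORK/user.crt" >/dev/null 2>&1
}
user_cert_outlives_days() {     # succeeds if the cert is still valid N days out
  openssl x509 -in "$WORK/user.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}
user_cert_has_email() {         # the email address is present in the SAN
  openssl x509 -in "$WORK/user.crt" -noout -text | grep -q "email:$EMAIL"
}

make_level_b
make_level_c
enrol_user
csr_is_key_free && echo "CSR carries no private key"
verify_with_chain && echo "user cert verifies with Level B + Level C"
verify_without_intermediate || echo "user cert does not verify without Level C"
user_cert_outlives_days 59 && echo "user cert still valid in 59 days"
user_cert_outlives_days 61 || echo "user cert expired by day 61"
user_cert_has_email && echo "user cert carries $EMAIL"
```

The last two verify calls are the practical point: a browser or server that trusts only the Level B certificate must also be handed the Level C certificate (in the TLS chain or a local store) before any user certificate validates, which is exactly the gap the text reports in deployed applications.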
Since there are so many issues for which good policies and procedures must be found, Georgia Tech is working to build a resource bank of people who are willing to take on pieces of the puzzle, i.e., specific applications or procedure questions.
Georgia Tech is also working to define a set of certificate classes for the use of certificates on campus. Georgia Tech is looking at issues such as the validity period for the various classes of certificates (i.e., business transactions, remote access certs, and general student usage).
Perhaps one of the hardest issues is that of educating the appropriate entities. This includes educating the state government, which has passed a law stating that digital signatures are as valid as regular signatures. The state group would like to be able to implement online transactions in three years for everything from taxes to social security paperwork to drivers' licenses. This also includes educating the technical people on campus, the business executives on campus, as well as faculty and students.