UC Authentication Workgroup

March 20, 1998

Monday, March 20, 1998
9:30 a.m. - 3:30 p.m.
Room 412 Office of the President

Attendees:

Marina Arseniev (UCI), Peter Brantley (UCSF), Mike Friedman (UCB), Bob Grant (UCR), Sal Gurnani (UCOP), Russ Harvey (UCR), Ron Klatchko (UCSF), John Kunze (UCSF), Joan Gargano (UCD), Jim Madden (UCSD), Pete Nielsen (UCLS), Tom Marazita (UCSB), Al Smith (UCLA), Vance N Vaughan (UCOP), Davis Wasley (UCOP), Ken Weiss (UCD), Frank Whittemore (UCSD), Don Worth (UCLA.

I. Updates from campuses (and UCOP) on current plans for authentication services.

UCB Kerberos - Currently investigating the product offerings of Cybersafe, basic K5 KDC and client support, not yet their Public-key components. Investigating how easy the conversion will be to K5 for the major existing K4 application.
Public Key Infrastructure - UCB also plans to set up a campus certificate authority server in the near future, in alignment with the UCCAP strategy.
SSH and APOP - used on an ad hoc basis.

UCD Kerberos - Using the Cybersafe KDC to provide V4 and V5 tickets in conjunction with hard token passwords.
Public Key Infrastructure - the campus certificate server has been configured to work with Kerberos to issue certificates. The server is currently down but should be operational by 3/30/98.
SSH and APOP - used on an ad hoc basis.

UCI Kerberos - V4 used for modem service.

UCLA Kerberos - none yet. Will consider Kerberos/DCE at a later date.
Public Key Infrastructure - under development for the "Instructional Enhancement Initiative."
IP address restrictions used by the Library.
Bruin Online uses a proprietary userid system which is being adapted to other applications.
Information on the UCLA Campus-Wide Authentication Project can be found at, http://www.ais.ucla.edu/auth/.

UCOP Public Key Infrastructure - Negotiating with Verisign to establish a UC Root Authority (rootca.ucal.edu).

UCR Public Key Infrastructure - a campus certificate server is available for testing.

UCSB Authentication is decentralized.

UCSF Public Key Infrastructure - directory services and other infrastructure components are being put in place for use by certificate servers.

UCSD Kerberos - V5 used for modem service and some Unix servers.
Public Key Infrastructure - Directory services and certificate servers are planned for deployment in April to support a Web based application for faculty and staff.
SSH - in use by approximately 2000 users.
APOP - planning to deploy in the near future.

II. A review of the next phase of work recommended by the previous Authentication Workgroup and open issues. See the final report available from, http://titanic.ucdavis.edu/authentication/.

The campus tasks to support the authentication infrastructure were briefly reviewed but not discussed in detail.

Each campus must establish a directory service to support the authentication infrastructure, as well as other campus distributed computing applications.
Each campus must identify a certificate server configuration that will support the existence of the expected number of locally issued certificate (at least 60,000 for the larger sites) and plan for the deployment of a production quality system.
Each campus must choose a method for supporting Kerberos based authentication services and plan for the deployment of a production quality system.

Current plans for administrative application development do not require Universitywide Kerberos or DCE Security Services. Kerberos deployment will not be a focal point of the next phase of work by the Authentication Workgroup.

The technical and policy recommendations of the report were reviewed and the priorities of each task was determined.

Technical Workgroup Tasks Workplan Status

Define the relationship between Office of the President demographic database unique identifier and campus-assigned identifier. High priority for completion by the current workgroup.

Specify a mechanism to support the portability of certificates and private keys. Recommend a process for study and long term planning.

Specify a system to manage Certificate Revocation List. High priority for completion by the current workgroup.

Specify a system to manage digital signatures and key escrow systems. Recommend a process for study and long term planning.

Identify export law restrictions on encryption and forward recommendations for meeting the requirements. High priority for completion by the current workgroup. Modify task to identification of the issues only. Recommendations for meeting the requirements will require input from legal counsel.

Technical Workgroup Tasks	Workplan Status
Define the relationship between Office of the President demographic database unique identifier and campus-assigned identifier.	High priority for completion by the current workgroup.
Specify a mechanism to support the portability of certificates and private keys.	Recommend a process for study and long term planning.
Specify a system to manage Certificate Revocation List.	High priority for completion by the current workgroup.
Specify a system to manage digital signatures and key escrow systems.	Recommend a process for study and long term planning.
Identify export law restrictions on encryption and forward recommendations for meeting the requirements.	High priority for completion by the current workgroup. Modify task to identification of the issues only. Recommendations for meeting the requirements will require input from legal counsel.

Policy and Procedure Workplan Status

The University must create a policy that defines the degree of due diligence required of each campus when verifying the identity of certificate requesters. High priority for completion by the current workgroup.

The technical feasibility of inter-realm authentication has been established. The policy and procedures for using inter-realm authentication need to be formalized. Authorization controls need to be tested using Access Control Lists. Low priority.

Policy and Procedure	Workplan Status
The University must create a policy that defines the degree of due diligence required of each campus when verifying the identity of certificate requesters.	High priority for completion by the current workgroup.
The technical feasibility of inter-realm authentication has been established. The policy and procedures for using inter-realm authentication need to be formalized. Authorization controls need to be tested using Access Control Lists.	Low priority.

III. The workgroup agreed to create a report for the University of California Authentication Project Steering Committee by June 1, 1998 which will provide a description of the University-wide certificate service architecture and include policy recommendations for ongoing operations and change management. A workplan and assignments were developed for the tasks recommended by the previous workgroup and a few additional tasks that were added as a result of discussions about the relationship between authentication and authorization.

Key Decision: The payload of the certificate will be kept to a minimum. Information related to authorization will not be included, except for a pointer to an authorization service.

Impact: A system for managing authorization information, external to the certificate system, will be required.

Key Decision: The workgroup will recommend a certificate infrastructure which relies on strong encryption technology.

Impact: Some University affiliates, especially foreign students and faculty, may be inconvenienced by export restriction laws which govern the use of the strong encryption technology. The University must create policies and procedures to guide the use of this technology.

Key Decision: Departmental issuance of certificates based upon unique characteristics of their clients, such as Libraries and University Extensions will be handled by departmental certificate authorities.

Impact: Departments will be responsible for their own certificate management, including Certificate Revocation Lists.

Input Requested: Peter Brantley will contact his colleagues in the Library community to determine the affect of this decision on their system development plans.

Technical Workgroup Tasks Workplan

Define the relationship between Office of the President demographic database unique identifier and campus-assigned identifier. FIRST PRIORITY
Frank Whitmore will lead the discussion about the relationship between the University-wide NetID and campus identifiers. The certificate payload will be modified to reflect the decisions of the workgroup. Other working group members include Don Worth (UCLA), Vance Vaughan (UCOP) and Sal Gurnani (UCOP).

Specify a mechanism to support the portability of certificates and private keys. Sal Gurnani will provide a status update of commercial solutions for certificate portability and a description of how certificates can be issued to classroom workstations to provide access to MelWeb

Specify a systems to manage Certificate Revocation List. SECOND PRIORITY
UCOP has been reviewing commercial solutions for Certificate Revocation List management. Sal Gurnani (UCOP) will provide an overview of the technical, policy and procedure issues for certificate revocation lists.

Specify a system to manage digital signatures and key escrow systems. Joan Gargano and Tom Arons will provide an overview of the issue related to digital signatures and key escrow systems and recommend a process for study and long term planning.

NEW TASK
Define the interface to the University Directory and related authorization systems.
Don Worth will lead the discussion which will define the need for a uniform approach to providing demographic data which interfaces to a standard authorization protocol. The workgroup will identify the issues and recommend a process for providing a solution. Ken Weiss will summarize the discussion from the meeting into a working document.

NEW TASK
Define high, medium and low security applications.
Joan Gargano will facilitate this discussion on the workgroup email list and summarize the discussion.

Technical Workgroup Tasks	Workplan
Define the relationship between Office of the President demographic database unique identifier and campus-assigned identifier.	FIRST PRIORITY Frank Whitmore will lead the discussion about the relationship between the University-wide NetID and campus identifiers. The certificate payload will be modified to reflect the decisions of the workgroup. Other working group members include Don Worth (UCLA), Vance Vaughan (UCOP) and Sal Gurnani (UCOP).
Specify a mechanism to support the portability of certificates and private keys.	Sal Gurnani will provide a status update of commercial solutions for certificate portability and a description of how certificates can be issued to classroom workstations to provide access to MelWeb
Specify a systems to manage Certificate Revocation List.	SECOND PRIORITY UCOP has been reviewing commercial solutions for Certificate Revocation List management. Sal Gurnani (UCOP) will provide an overview of the technical, policy and procedure issues for certificate revocation lists.
Specify a system to manage digital signatures and key escrow systems.	Joan Gargano and Tom Arons will provide an overview of the issue related to digital signatures and key escrow systems and recommend a process for study and long term planning.
NEW TASK Define the interface to the University Directory and related authorization systems.	Don Worth will lead the discussion which will define the need for a uniform approach to providing demographic data which interfaces to a standard authorization protocol. The workgroup will identify the issues and recommend a process for providing a solution. Ken Weiss will summarize the discussion from the meeting into a working document.
NEW TASK Define high, medium and low security applications.	Joan Gargano will facilitate this discussion on the workgroup email list and summarize the discussion.

THIRD PRIORITY - Policy Issues

Policy and Procedure Workplan Status

The University must create a policy that defines the degree of due diligence required of each campus when verifying the identity of certificate requesters. Vance Vaughan will provide an overview of recommended policy and procedure provided by external sources.
Don Worth will provide information based upon the UCLA Campus-wide Authentication Workgroup activities.

Identify export law restrictions on encryption and forward recommendations for meeting the requirements. The workgroup will move forward with plans to create a PKI using certificates requiring the use of strong encryption technology which is restricted in use by export law. The workgroup will identify the issues for the Authentication Project Steering Committee and recommend the development of policies and procedures to govern the use of the technology.

Policy and Procedure	Workplan Status
The University must create a policy that defines the degree of due diligence required of each campus when verifying the identity of certificate requesters.	Vance Vaughan will provide an overview of recommended policy and procedure provided by external sources. Don Worth will provide information based upon the UCLA Campus-wide Authentication Workgroup activities.
Identify export law restrictions on encryption and forward recommendations for meeting the requirements.	The workgroup will move forward with plans to create a PKI using certificates requiring the use of strong encryption technology which is restricted in use by export law. The workgroup will identify the issues for the Authentication Project Steering Committee and recommend the development of policies and procedures to govern the use of the technology.

IV. The workgroup will conduct its business using the auth-tf@ucdavis.edu mailing list. Working documents will be posted to the workgroup archive, http://dcas.ucdavis.edu/authentication. The workgroup will meet in mid-May and late June.

UCB	Kerberos - Currently investigating the product offerings of Cybersafe, basic K5 KDC and client support, not yet their Public-key components. Investigating how easy the conversion will be to K5 for the major existing K4 application. Public Key Infrastructure - UCB also plans to set up a campus certificate authority server in the near future, in alignment with the UCCAP strategy. SSH and APOP - used on an ad hoc basis.
UCD	Kerberos - Using the Cybersafe KDC to provide V4 and V5 tickets in conjunction with hard token passwords. Public Key Infrastructure - the campus certificate server has been configured to work with Kerberos to issue certificates. The server is currently down but should be operational by 3/30/98. SSH and APOP - used on an ad hoc basis.
UCI	Kerberos - V4 used for modem service.
UCLA	Kerberos - none yet. Will consider Kerberos/DCE at a later date. Public Key Infrastructure - under development for the "Instructional Enhancement Initiative." IP address restrictions used by the Library. Bruin Online uses a proprietary userid system which is being adapted to other applications. Information on the UCLA Campus-Wide Authentication Project can be found at, http://www.ais.ucla.edu/auth/.
UCOP	Public Key Infrastructure - Negotiating with Verisign to establish a UC Root Authority (rootca.ucal.edu).
UCR	Public Key Infrastructure - a campus certificate server is available for testing.
UCSB	Authentication is decentralized.
UCSF	Public Key Infrastructure - directory services and other infrastructure components are being put in place for use by certificate servers.
UCSD	Kerberos - V5 used for modem service and some Unix servers. Public Key Infrastructure - Directory services and certificate servers are planned for deployment in April to support a Web based application for faculty and staff. SSH - in use by approximately 2000 users. APOP - planning to deploy in the near future.

Key Decision:	The payload of the certificate will be kept to a minimum. Information related to authorization will not be included, except for a pointer to an authorization service.
Impact:	A system for managing authorization information, external to the certificate system, will be required.
Key Decision:	The workgroup will recommend a certificate infrastructure which relies on strong encryption technology.
Impact:	Some University affiliates, especially foreign students and faculty, may be inconvenienced by export restriction laws which govern the use of the strong encryption technology. The University must create policies and procedures to guide the use of this technology.
Key Decision:	Departmental issuance of certificates based upon unique characteristics of their clients, such as Libraries and University Extensions will be handled by departmental certificate authorities.
Impact:	Departments will be responsible for their own certificate management, including Certificate Revocation Lists.
Input Requested:	Peter Brantley will contact his colleagues in the Library community to determine the affect of this decision on their system development plans.