UC AUTHENTICATION WORKGROUP

1998 - 1999 Workplan

Updated June 17, 1999

Authentication Architecture Statement

The workgroup will create the authentication architecture statement and implementation specifications. The specifications will tell campuses which requirements and processes they must meet to participate in the authentication infrastructure and service.

Collect Campus Architecture Statements

October 30, 1998

Status

  • Description of the hardware, software and management of the campus certificate authority.
    Missing submissions from UCSB and UCSC.

  • Description of current practice for issuing and revoking certificates.
    Missing submissions from UCSB and UCSC.

  • Description of the hardware, software and management of the attribute server.
    Missing submissions from UCSB and UCSC.

  • List of immediate projects.
    Missing submissions from UCSB and UCSC.

Integrate statements into the draft UC Authentication Architecture statement. Redistribute the draft statement.

November 13, 1998

Submitted statements integrated. Missing UCSB and UCSC.

Meet virtually to create the second draft of the architecture statement.

November 20, 1998

Complete

Complete Architecture Statement.

January 5, 1999

Complete. Need to officially move it out of draft status.

Expand the architecture to include definitions of certificate types and the technical issues related to each class. Classes of Certificates include personal, functional and server certificates.

January 11, 1999

Complete.

Final draft architecture statement.

April 1, 1999

Complete

Final version of the architecture statement.

May 1, 1999

Complete

Technical Issues Analysis - 1998/99

User Support

The workgroup will place examples of campus documentation on its web site and create a "Frequently Asked Questions" document that explains certificate technology and the UC authentication architecture. (Workgroup)

TBD

UC Davis Library materials are available.

Public workstation support and certificate portability

Report to UC Authentication Steering Group on the problems with certificate portability and the continuing need for password based authentication at the campuses.

January 5, 1999

Complete

Define a mechanism for the use of public terminal certificates to reduce the dependence upon IP authentication. (Sal Gurnani)

Incorporated into February 26, 1999 Architecture statement.

UCLA will be evaluating smartcards. The UC Authentication Workgroup will stay abreast of this evaluation and report on the applicability of the UCLA solution as a Universitywide solution. Portability using software based solutions and floppy disks will also be tracked. (Workgroup)

October 1, 1999

Continuing.

Digital Signatures

Frank Whittemore will investigate the issues related to the use of certificates for signing and encrypting email. Frank will report on his findings in the year-end report.

October 1, 1999

Continuing

Certificate Payload and Privacy

Provide for both pseudonymous and anonymous certificates.

Complete

Interoperability and Service Implementation Projects

Public Key Infrastructure

X.509 Certificates

Completion Date

Status

Dennis DeLaRoca will work with Sal to develop a UCLA application which will accept a UCLA issued certificate and query the UCOP Attribute Service to determine the affiliation of the user. This will test the use of an Application Role Certificate on the server. The business rules associated with this service need to be documented in the CPS.

May 1, 1999

Sal is working on a Netscape plug-in to parse the client certificates and to securely access the directory server. This should be finished in the next month. Once complete, Sal will create an Apache module. An IIS module may be written in the future. We also need to work with Jim Dolgonas and Benny Min to determine which student fields can be passed in the daily extract files from the UDir.

UC Davis will expand the testbed for MelWeb.

TBD

The UC Davis CA has been unavailable to the Library for testing. The testbed has been postponed until the Fall.

UCLA will add user documentation to the workgroup website.

May 1, 1999

Only UC Davis Library materials are available.

Schedule a videoconference technology briefing with Netscape.

February 26, 1999

Complete.

Notify the Authentication Steering Group of the ongoing issue of root level chain of authority for the UC certificate hierarchy and its effect on user support.

CREN is preparing a CPS for their service. No rollout date announced.

Attribute Service

Define the UC Attribute Service and the Universitywide API (http) to the service.

December 19, 1998

Complete

Create a prototype attribute service. Demonstrate the use of certificates with the UDIR attribute server through MelWeb. (Sal Gurnani)

December 19, 1998

Complete

Implement a working version of the attribute service for authorization using secure LDAP and HTTPS.

Complete

Create a web site that accepts a certificate, queries an attribute server and presents a web page targeted to the individual classification. (Sal Gurnani)

January 5, 1999

Complete

Put an LDAP server on the UDIR server to improve performance.

May 1, 1999

There are no plans to run an LDAP server on the UDir production server at this time. Sal is maintaining a Netscape LDAP directory with the daily UDir extract files through an automated process which turns the extract files into LDIF updates which are then used to update the LDAP server across the network. Right now this is done in the clear, but Sal plans to secure this update mechanism with SSL. The data are traveling from one machine in the UCOP machine room to another, so the security risk is minimal.
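As an added illustration of the extract-to-LDIF update path described above (example code written for this page, not the workgroup's or UCOP's own process), the following Python turns a constructed daily extract into RFC 2849 LDIF modify records and checks that the target URL is ldaps:// rather than cleartext ldap://. The extract layout (tab-separated uid, affiliation, mail), the base DN and the attribute names are assumptions.

```python
import base64
import re

# Constructed sample of a daily extract. The tab-separated layout
# (uid, affiliation, mail) is an assumption; the real format is not given.
SAMPLE_EXTRACT = (
    "jdoe\tstudent\tjdoe@example.edu\n"
    "asmith\tstaff\tasmith@example.edu\n"
    "mgarcía\tfaculty\tmgarcia@example.edu\n"
)
BASE_DN = "ou=people,dc=example,dc=edu"  # assumed directory location

# RFC 2849 SAFE-STRING body: ASCII only, no NUL, CR or LF anywhere.
_SAFE_CHARS = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def ldif_attr(name, value):
    """Emit one LDIF line; base64-encode ('::') when the value is not a
    SAFE-STRING: non-ASCII, embedded newline, or leading space, ':' or '<'."""
    if not _SAFE_CHARS.fullmatch(value) or value[:1] in (" ", ":", "<"):
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {b64}"
    return f"{name}: {value}"


def extract_to_ldif(extract_text):
    """One 'changetype: modify' record per extract row, replacing the
    affiliation and mail attributes of uid=<uid>,<BASE_DN>."""
    records = []
    for line in extract_text.splitlines():
        if not line.strip():
            continue  # skip blank rows in the extract
        uid, affiliation, mail = line.split("\t")
        records.append("\n".join([
            ldif_attr("dn", f"uid={uid},{BASE_DN}"),
            "changetype: modify",
            "replace: eduPersonAffiliation",  # assumed attribute name
            ldif_attr("eduPersonAffiliation", affiliation),
            "-",
            "replace: mail",
            ldif_attr("mail", mail),
            "-",
        ]))
    return "\n\n".join(records) + "\n"


def update_url_is_encrypted(url):
    """True only for ldaps://; the update currently runs in the clear, so a
    sender should refuse a plain ldap:// target before pushing the LDIF."""
    return url.lower().startswith("ldaps://")
```

The non-ASCII uid in the sample forces the `dn::` base64 form, which is the case a hand-written converter most often gets wrong.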

Campus DNS entry for the attribute server.

April 1, 1999

Missing DNS entries for UCLA and UCSC.