Following review of the Authentication Working Group Report, the UC Common Authentication Steering Committee recommended that

Kerberos-based systems are of importance to production applications on a number of UC campuses but no specific application areas have been identified that would require that these systems interoperate among campuses. The primary application areas requiring UC-wide common authentication – library systems access and Payroll/Personnel systems – can make use of a robust PKI. In particular, systems employing web-based front ends seem ideally suited to the use of PKC and the increasing importance of "electronic commerce" should drive refinement of that mechanism.

While a great deal of planning and analysis remains to be done, the UCOP Common Authentication Project (CAP) team proposes deployment of a limited production PKI system at OP as quickly as possible and use of that system to support controlled access to library system resources and to one or more "employee self service" systems such as BENCOM. Only through actual deployment will some issues such as scaleability, performance, and robustness become evident. Furthermore, the overall cost to the University needs to be assessed before large scale commitment to a long term system can be made.

Berkeley has agreed to assign Vance Vaughan, UCB Information Technology Architect and long time system manager, to work half time at OP on the Common Authentication Project. Vance will focus on overall coordination of the various development tasks, coordination with campus system staff, development of vendor contacts, and analysis and documentation.

Current work at OP is divided among a number of overlapping areas. Each will be described briefly below.

Investigation of commercial systems to provide the basic building blocks is underway. The near term goal is to implement a PKC issuing and validation system along with associated directory services at OP. Similar systems should be located at several campuses as well in support of hierarchical transitive authentication.

IS&C is well along in design of a database system that will store and make available basic biographical data about individuals associated with the University. This database is intended to ensure consistent data is available for each person and will complement PKC authentication by providing or linking to additional information that might be used for authorization.

The MELWEB interface to MELVYL has been adapted to use PKC for authentication but this is not in production yet. UC-issued certificates with DDB support are needed for complete authorization. Additional library applications are anticipated as the basic infrastructure becomes available.

We want to support PKC as a way to access the BENCOM system as soon as possible. Many additional "employee self service" applications should be supported over time, including end-user update of personal data such as home address, etc.

In addition, investigation is underway to determine how best to implement PKC access control to "mainframe based" systems. In particular, we may need access to systems now protected by RACF or ACF4 (acronyms?).

There are many difficult problems yet to be solve before PKI/PKC can be used widely across the University. These include:

In addition, there are policy and strategy issues that need to be addressed such as:

Clearly our campuses will have a critical and long term role in supporting the UC Common Authentication System that the CAP will create. We need campus participation in the planning and development of the PKI strategy and expect that campuses will have on-going responsibilities for its support. A few of the areas in which near term planning is critical include:

Campuses can contribute to the Next Phase of the UC Common Authentication Project by: