Please direct comments/feedback to Steve Olshansky <steveo AT internet2.edu>

Introduction

The ability to mint digital certificates for your users is only one small component of the overall work involved in a successful campus-wide PKI deployment.  Many campus PKI projects have been less than successful because they did not focus enough on the whole product and on the usability of the applications they support with certificates.  If deployed properly, digital certificates can build a more secure environment while also being more convenient for users than traditional password-based systems.  Some examples of campus-based certificate-enabled applications, listed below in a reasonable campus deployment order, include:

...

  1. Certificate Availability
    Work within InCommon and with Comodo to make certificates available.  This process involves (a) developing the appropriate CPS and having it approved by InCommon and Comodo, (b) creating a certificate profile that works well with known campus PKI-enabled applications, and (c) working with Comodo to make these certificates available via their web site.
  2. Certificate Enabled Applications
    Document typical campus PKI-enabled applications and services including information on how these applications are typically enabled, configurations, and a summary of items to consider before deploying the application.  This work will also highlight the issues associated with encryption and especially encrypted email.
  3. Mobile Devices (e.g., iPhone and Android)
    Provide information and guidance on the use of certificates on mobile devices such as iPhones and Android devices.  This includes advice on how to enable security profiles that enforce device PINs to protect the certificate and its use.  Mobile devices are lost more frequently than workstations and laptops.
  4. Comodo Client Certificates API
    Evaluate the suitability of the Comodo API (as opposed to the web interface) for the rapid issuance of certificates to large numbers of users.  Recommend changes if/as needed.  Evaluation and testing revealed the need for two Comodo enhancements: (a) a sub-5-second response for client certs in order to provide real-time response for end-user certificate provisioning and (b) overall capacity enhancements to enable the Comodo CA to better deal with a large number of certificates issued on a single day, such as on a first-year move-in day.  Comodo is working to add both of these enhancements.
  5. Certificate Installation Automation
    Evaluate tools that automate the installation of certificates on user workstations and manage the setup of certificate-enabled applications (e.g., wireless profiles, firewall for VPN, etc.).  These tools should also facilitate certificate management and renewal.  Developing certificate installation automation tools is the path the working group has chosen to follow to help facilitate the practical use of client certificates on campus.
  6. SCEP
    A useful tool might be the Simple Certificate Enrollment Protocol (SCEP), an X.509 certificate enrollment protocol in which the client generates its own key pair, submits a certificate request (typically authenticated with a one-time challenge password) and retrieves the issued certificate, which simplifies the distribution of certificates to devices that cannot run a full web-based enrollment flow.  Determine what it can be used for.
  7. Shibboleth-enabled Access
    Work with Comodo to facilitate the creation of a Shibboleth-based interface for the issuance of end user certificates.
