--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 11 Aug 2005 15:10:52 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] The summer of PKI love
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html>

InfoWorld

The summer of PKI love
Dartmouth College's PKI Deployment Summit showed public key infrastructure moving forward

Strategic Developer, By Jon Udell, August 10, 2005

The annual PKI Deployment Summit at Dartmouth College is becoming a summer tradition. Universities differ from other large enterprises in ways that make them bellwethers for IT's future. University user populations are transient, platform monocultures cannot be imposed, and collaboration across institutional borders is mission-critical. These are excellent circumstances in which to evolve methods of identity management that will also meet the requirements of corporations as they increasingly outsource, connect with customers through the Web, and engage with partners in federations of Web services.

One reason for PKI's slow uptake has been the lack of two kinds of portability. It hasn't been easy to move cryptographic keys from one machine to another, or to use credentials issued by one institution at another. But as we learned at the summit, there's been progress on both fronts. Growing adoption of hardware tokens is making cryptographic identities independent of machines. And emerging trust bridges are enabling those identities to be federated among universities, the federal government, and industry.

On the token front, we're still unfortunately waiting for the ideal key storage device. USB tokens, smart cards, and cell phones are all candidates, and the pros and cons of these options form a complex matrix. Universities tend to prefer the USB approach because the tokens work with PCs and Macs that can't easily be outfitted with card readers.
No matter what flavor of device, however, the deployment procedure is critical. This year, several summit attendees talked about moving away from a model in which the token caches keys that are also stored elsewhere, to a model in which keys are generated directly on the token and are stored only there. If you lose your token, you have to reregister for a new one and get freshly minted keys. Work-arounds are painful experiences that people won't lightly inflict on themselves a second time. It sounds draconian, and indeed is, but the benefits are twofold. It virtually eliminates password sharing, which, as I mentioned last year, is otherwise rampant. And the required in-person registration is a ceremony that helps users understand what the token means and how to use it.

On the trust front, a number of initiatives are under way. A handful of universities and resource providers have been using the Internet2 consortium's Shibboleth to enable users at one institution to access online resources at another. In March, that trust network was formalized as the InCommon Federation. Shibboleth isn't PKI-based, but it can be bridged to PKI systems, and trust bridges were a hot topic this year.

Dartmouth's Scott Rea gave a status report on the Higher Education Bridge Certification Authority. Peter Alterman, from the National Institutes of Health, described the Federal Bridge Certification Authority. Cybertrust's Russ Weiser presented Secure Access for Everyone, which focuses on the biopharmaceutical industry. And Jim Jokl, from the University of Virginia, showed how to leverage grid networks as a trust fabric by exploiting the Globus Toolkit's intrinsic PKI.

Once these and other bridges can cross-certify, token-borne credentials issued by one will be recognized -- subject to appropriate policy mapping -- by the others. A year ago that seemed far-fetched, but the picture is coming into focus.

Jon Udell is lead analyst and blogger in chief at the InfoWorld Test Center.
--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

_______________________________________________
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
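Editor's worked example, not part of the forwarded article or of any of the bridge CAs it names: the cross-certification "subject to appropriate policy mapping" that Udell describes, reduced to two fictional roots and the stock openssl command-line tool (1.1.1 or 3.x). Root A and Root B are independent trust anchors; Root A issues a cross-certificate for Root B's key whose policyMappings extension declares that Root B's policy is equivalent to Root A's. A relying party that trusts only Root A, and insists on Root A's policy, then accepts a token-holder certificate issued under Root B, while the same request without the mapping, or without the cross-certificate, is refused. The subject names, the policy OIDs under 1.3.6.1.4.1.99999, and the file layout are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the InfoWorld article): a two-root "bridge" built
# with the openssl CLI, showing how cross-certification plus policy mapping
# lets a relying party that trusts only Root A accept a credential issued
# under Root B.  Names and policy OIDs are made up for the example.
A_POLICY="1.3.6.1.4.1.99999.1.1"   # hypothetical: Root A's "token holder" policy
B_POLICY="1.3.6.1.4.1.99999.2.1"   # hypothetical: Root B's equivalent policy

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# issue NAME KEY CN EXTFILE [ISSUER]
#   Writes $WORK/NAME.crt for the P-256 key $WORK/KEY.key (created on first
#   use).  Self-signed when ISSUER is omitted, else signed by $WORK/ISSUER.key.
issue() {
  [ -f "$WORK/$2.key" ] ||
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$2.key"
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/$2.key" \
    -subj "/CN=$3" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$5" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$2.key" \
      -days 30 -extfile "$WORK/$4" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$5.crt" -CAkey "$WORK/$5.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$4" -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Two independent roots, a cross-certificate from A to B, and one end-entity
# certificate issued by B.  The cross-certificate carries A's policy and a
# policyMappings entry (issuerDomainPolicy:subjectDomainPolicy) saying "B's
# policy is equivalent to mine"; without it the leaf's policy would never
# chain back to anything a Root A relying party asks for.
build_pki() {
  cat > "$WORK/ca.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$WORK/cross.ext" <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
certificatePolicies = $A_POLICY
policyMappings = $A_POLICY:$B_POLICY
EOF
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
certificatePolicies = $B_POLICY
EOF
  issue rootA rootA "Root A" ca.ext           # domain A trust anchor
  issue rootB rootB "Root B" ca.ext           # domain B trust anchor
  issue cross rootB "Root B" cross.ext rootA  # A certifies B's key: the bridge
  issue leaf  leaf  "alice"  leaf.ext  rootB  # token-holder credential from B
}

# verify_leaf ANCHOR UNTRUSTED POLICY
#   Validates $WORK/leaf.crt from trust anchor $WORK/ANCHOR.crt, offering
#   $WORK/UNTRUSTED.crt (may be "") as an intermediate, and requires that the
#   path be valid under POLICY with RFC 5280 explicit-policy processing.
#   Returns 0 when openssl accepts the path.
verify_leaf() {
  if [ -n "$2" ]; then
    set -- -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" -policy "$3"
  else
    set -- -CAfile "$WORK/$1.crt" -policy "$3"
  fi
  openssl verify -policy_check -explicit_policy "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

show() {  # show LABEL ANCHOR UNTRUSTED POLICY
  if verify_leaf "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

build_pki
show "Root B relying party, policy B"              rootB ""    "$B_POLICY"
show "Root A relying party via bridge, policy A"   rootA cross "$A_POLICY"
show "Root A relying party via bridge, policy B"   rootA cross "$B_POLICY"
show "Root A relying party, no cross-certificate"  rootA ""    "$A_POLICY"
```

The first two paths are accepted and the last two rejected. The third line is the one that matters for federation: the relying party in domain A asks for its own policy OID, and the only reason alice's certificate (which asserts Root B's OID) satisfies it is the mapping in Root A's cross-certificate; asking for Root B's OID directly fails, because policy processing ignores the trust anchor and the level-1 node is Root A's policy, not B's. The fourth line shows that the cross-certificate, not the mapping, is what makes the chain buildable at all. Two caveats a practitioner would add: the trust here is one-directional (Root B relying parties would need a B-to-A cross-certificate as well, which is what a bridge CA mediates), and real bridge cross-certificates also carry policyConstraints and name or path-length constraints that this example omits.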