CREN Certificate Authority Project:
Update from Georgia Tech
28 March 2000
• Application for Certificate is done
• CREN certificate has been created and is installed in the Georgia Tech Certificate Authority offline
• Security Policy Committee for the campus has met two times to begin discussions.
• Applications utilizing the certificates are under
• Document, document, document
• Current apps have no common authentication and
• Need for a common layer of AAA to reduce complexity for growth.
• Certificates in conjunction with SSL, IPSEC, and Kerberos provide a model for a significant number of applications both current and future
• Create GT Certificate Authority - done
• Interface with Kerberos to create initial instance of a Registration Authority - done
• Create practices for managing the CA - in progress
• Create classes of certificates and define use and appropriate lifetimes - soon
• Define apps and appropriate cert model - coming
• Create and document local policy - in parallel
• Educate our constituency - forever
• Remote Access - from any ISP into campus
• Authenticated wireless and walk-up access
• SSL encryption and logging via 2-way certs on web enabled apps (WebObjects, etc.)
• Secure E-mail? Via SSL or Kerberos? Or certs
• Interfacing with Kerberos as Registration Authority for class 3 cert issuing application via web - Jeff Schiller model - current but needs some hardening… Create our Registration Authority for other cert classes?
• LDAP interfacing for CRL and Public Key
• FreeSWAN mods to accept certs for VPNs on Linux? Other platforms?
• Work with State governmental agencies in Georgia and beyond
• Work with University System Board of Regents for Education model of security
• Work with JSTOR for certificate based authentication for faculty access to databases
To Be Done...
• Designate classes of certs for campus use:
– Class 1 - business office and finance class?
– Class 2 - general GT server certificates?
– Class 3 - remote access and student general purpose only (if we issued a cert it’s good for something)
• Designate lifetimes for these cert classes
• Create CRLs and LDAP interfaces to complete the model
• Create apps that really check expiration and CRLs
• Policy stuff… and documentation
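As an added illustration (not code from the Georgia Tech project) of what "apps that really check expiration and CRLs" has to do, here is a relying-party check in Go: validity window, issuer signature, CRL signature, CRL freshness, and the revoked-serial lookup. The CA, leaf, serial numbers, lifetimes and the CRL are constructed in memory as test data, with one key reused for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckCert accepts a leaf only if it is inside its validity window at now, was
// issued by ca, and is absent from a CRL that ca signed and that is still current.
func CheckCert(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if leaf.CheckSignatureFrom(ca) != nil || crl.CheckSignatureFrom(ca) != nil {
		return errors.New("certificate or CRL not signed by our CA")
	}
	// A stale CRL is a failure, never an implicit "not revoked".
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// BuildTestPKI: constructed test data (CA, leaf with given serial/lifetime, one-day CRL revoking serial 1001).
func BuildTestPKI(now time.Time, serial int64, life time.Duration) (leaf, ca *x509.Certificate, crlDER []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * 3650 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, pub, priv)
	ca, _ = x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(life)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, pub, priv)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1001), RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTpl, ca, priv)
	return
}
```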