What is a Public Key Infrastructure, or PKI by qza17959


									For E2001 Evolving Technology Committee site:
Mark Luker


What is a Public Key Infrastructure, or PKI?

A PKI is a collection of technical services, policies, and business practices that can be
used together to provide for networked communications many of the legal and business
capabilities that have long been assumed in the paper world. These are often summarized
in five concepts---Authentication assures that the persons or resources involved in a
networked communication have been identified correctly. Authorization assures that
persons and systems have the proper permissions to perform the requested activities.
Data integrity assures that the content has not been altered, either on purpose or by
accident. Confidentiality assures that the content is available only to the intended
audience. Non-repudiation assures that the signer of a message cannot later deny signing
it. Together, these capabilities establish for networked communications the social and
legal fabric provided by signatures, witnesses, the notary public, sealing wax, and other
technologies in traditional communications. Such assurances are absolutely required in
order to use the network for the full range of business and academic communications.

Applications in higher education

There are many potential applications of PKI in higher education. These include most
situations that now require "wet" or ink signatures, including promissory notes, financial
authorizations, grades, personnel evaluations, license agreements, and contracts. A PKI
can also be used to replace passwords in present networked applications that control
access to networked resources. The complete suite of services will be required for full
implementation of distributed learning applications, in which students, institutions,
content, questions and responses, tests and evaluations all must be correctly matched and
identified without recourse to face-to-face recognition. More mundane, but equally
important, applications arise as institutions shift much of their normal business
administration to the network. Of particular importance will be a large set
communications that involve education institutions and the federal government, such as
student financial aid and research administration, since the federal government is moving
rapidly to adopt PKI as one way to reduce paper transactions. PKI will also play an
important role is protecting the security of the network itself from attack or accident
through a much more rigorous regimen of identification and authorization between
system components and network administrators.

The present state of PKI in higher education

PKI technology is now available on the market in the form of products that can be
purchased and operated on campus as well as services that are operated by offsite
providers. Prices are falling rapidly even while capabilities expand in a growing
competitive marketplace. Several campuses and even entire systems have embarked on

their first implementation of a PKI. These initial efforts might best be characterized as
prototypes or pilot projects, however, since they often do not yet include the business
process re-engineering required for full-scale implementation.

One significant barrier to implementation is the complexity of the technology and policy
foundation required for PKI. Campuses face a steep learning curve and a complex array
of alternative implementations. Staff members with expertise in the technical and policy
issues of PKI are few and far between, even at out largest institutions. Standards for PKI
exist at a technical level, but have not yet been established for content and policies. Most
institutions will use LDAP directories, for example, to store an authoritative view of the
members of their community and X.509v3 certificates to communicate technical
information required for authentication and digital signatures. There is no technical
standard, however, for exactly how such information is to be represented in the
directories or certificates. This presents a significant barrier to PKI-enabled
communications between institutions.

Implementing PKI across the community of higher education

Several organizations are currently working in collaboration on the development of
standardized, simplified approaches to PKI that will make it easier for an institution to
adopt these technologies and will result in systems that can communicate between
campuses themselves and partners in the federal government and industry. One key group
is an informal collaboration called the Higher Education PKI group
(http://www.educause.edu/hepki/) involving the EDUCAUSE Net@EDU PKI Working
Group, the Internet2 Middleware Project, and CREN, as well as representatives of the
Federal PKI Steering Committee and several corporate partners. Campus members of
HEPKI organizations are working on common approaches to both technology and policy
for PKI. They are also developing an initial standard called eduPerson
(http://www.educause.edu/eduperson/) for the content of campus directories. Initial
contacts have been made with related stakeholder organizations such as the National
Association of College and University Attorneys, the National Council of University
Research Administrators, the National Association of College and University Business
Officers, the American Association of Collegiate Registrars and Admissions Officers,
and the American Council on Education. The goal is to cooperate in a common
definition of policies and technology standards for PKI to facilitate communications
across the entire community later.

Another community project of considerable interest is the definition of a Higher
Education Bridge Certification Authority, modeled on a similar Federal Bridge
Certification Authority. This project, under the policy umbrella of EDUCAUSE, should
greatly reduce the complexity of PKI for individual institutions by providing a framework
for translating authentication information from one implementation of PKI to another.
Although these projects are in the early stages of definition and testing, they point to a
common understanding and approach to the issues involved.

The timing of PKI

The technical components of a campus PKI now can be purchased or outsource in a
matter of months. A working implementation usually takes much longer, however,
because it depends on the creation of an authoritative institutional directory of persons
and services, a new set of policies and business practices to govern its use, and a set of
PKI-enabled applications that can take advantage of such capabilities. These parts of the
problem are typically much more difficult than the technical platform because they
require significant institutional change. The implementation of a new ERP has many
similar features. Boundaries of authority for standardization make it relatively easier to
introduce PKI applications within a campus and more difficult between campuses.

It will be more than a few years before higher education has established PKI as a
common foundation for all of its critical communications and transactions. There is
pressure today to get started, however, in the form of emerging federal systems that may
require PKI, state laws that require digital signatures, privacy regulations that increase
campus liability for security lapses, and the simple savings to be enjoyed by the transition
to e-commerce. It can be expected, then, that many intuitions will adopt PKI for parts of
their operations in the next few years and gradually expand their capabilities as PKI-
enabled applications become more commonly available in the market. Fortunately for
higher education, the same technologies and services are under rapid development in the
commercial marketplace to serve the general needs of e-commerce.


To top