----- Original Message -----
From: Kroll, Greg
Sent: Friday, June 18, 2010 2:54 PM
To: 'Support for Support Discussion List'
Subject: Soft Personal Digital Certificates
Information Technology has begun a project to issue personal digital certificates similar to those that are issued on eTokens, but the new certificates will be stored in software, on computers and mobile devices, rather than on hardware tokens. These soft PDCs should be useful for authentication, digital signatures, and encryption. If you have an application or function that you think might take advantage of a soft PDC, or would like to participate in an analysis of needs, we would like to include you in one or more focus group meetings. Please respond to Greg Kroll (usdgk@vt.edu) by July 1, 2010, if you would like to attend an initial meeting (time and place to be determined based on response to this e-mail.)
VTVTVTVTVTVTVTVTVTVTVTVTVTVT
--Greg Kroll, PMP
Assoc Dir for IT Project Management & Planning
Virginia Tech
1700 Pratt Drive (0214)
Blacksburg, VA. 24061
office: 540.231.9654
fax: 540.231.7413
Draft Agenda for Introductory meeting to discuss Soft Personal Digital Certificates
Wednesday, July 7, 2010, 2:00 p.m., RB14-115.
Agenda
- Welcome & meeting format
  - A very brief overview of the agenda and explanation that this first meeting is for us to gather information on possible uses and answer questions about personal digital certificates. We are planning smaller focus group meetings to discuss use cases.
- Overview of Soft Personal Digital Certificates
  - Frank will give a brief overview
- Questions/Answers and Discussion
  - Do those attending understand the technology?
  - Do you have an application waiting for this technology?
  - What do you want to use these certificates for? Or: what are these certificates useful for?
  - Is in-person identity proofing a problem?
  - What are your feelings on your users being able to handle management of certificate keys? Escrow?
  - Would you benefit from external/extended trust, i.e., root key signing solution (there is an RFP in progress)?
  - Where can this certificate replace a signature? See Standard for Personal Digital Identity Levels of Assurance
  - Who is not familiar with the Thawte free E-mail Certificates?
  - What are the barriers or problems with using these certificates for specific applications like e-mail encryption?
  - Any concerns with key escrow and recovery?
Meeting Notes
| Attendee | Department | E-mail |
|---|---|---|
| Phil Benchoff | CNS | benchoff@vt.edu |
| Dan Cook | CNS | wdciii@vt.edu |
| Marc DeBonis | MIG | marcd@vt.edu |
| Mary Dunker | SETI | dunker@vt.edu |
| Daniel Fisher | Mw | dfisher@vt.edu |
| Frank Galligan | eProv | frankg@vt.edu |
| Clark Gaylord | VTTI | cgaylord@vt.edu |
| Kimberly Homer | SETI | homerk@vt.edu |
| Greg Kroll | VPIT | gkroll@vt.edu |
| Kayla Lamar | SETI | klamar07@vt.edu |
| Joyce Landreth | UCS | jlandret@vt.edu |
| Dave Martin | SS | darkmoon@vt.edu |
| David Mattox | VBS | damattox@vt.edu |
| Rebecca Simon | IT4AS | simonr@vt.edu |
| Jeremy Sippel | GS | jsippel@vt.edu |
| Brad Sumpter | OBFP | bsumpter@vt.edu |
| Flex Vaughn | UCS | flex.vaughn@vt.edu |
| Ken Wieringo | VPIT | kwiering@exchange.vt.edu |
- Went around the room with introductions, what department you are with, and if desired why you are here today.
- Frank Galligan gave a brief introduction to the project, the technology, and progress to date. Probable completion date of Spring/Summer 2011.
- Eligibility for a soft cert is everyone that is eligible for an eToken plus all students.
- The Graduate School asked specifically about non-VT-affiliated graduate student committee members. The answer is if they are eligible for an eToken (which committee members are) then they can get a soft cert.
- A 5-year validity period is good for students. Someone commented that it seems strange that the validity of a soft cert would be longer than for an eToken that has a higher LOA.
- It is envisioned that enrollment would have 3 stages:
  - user logs into a customized, public, web interface to request a soft PDC.
  - user then goes to a convenient registration authority (RA) station for face-to-face identity proofing.
  - user is notified by e-mail where to download their certificate and is provided instructions.
- In order to use encryption the public keys would need to be publicly available, probably by publishing them to the AD or ED.
- We are looking for "early adopters" to help us work out the processes. Those interested should contact Greg Kroll.
  - Discussed at 7/8/2010 project team meeting.
    - Dave Martin expressed interest as an early adopter.
- Users only have one active key pair but could have multiple certificates.
  - Discussed at 7/8/2010 project team meeting.
    - An active key pair means the user does not have a revoked cert, only "valid" or "expired" certs.
    - A user can have multiple active certs associated with their one active key pair.
    - A user can download their key pair anytime by providing the appropriate password.
    - The PKCS12 file could be stored anywhere (PKCS12 defines a file format commonly used to store X.509 private keys with the accompanying public key certificate).
    - As for passwords:
      - We intend to use the same rules (strength) as for eTokens.
      - We do not want to advertise the fact that users can change their password, assuming they know how. The fact that users can change their password means a lower LOA.
- Remember, public key encrypts, private key decrypts. For digital signatures, you sign with your private key.
- Internal Audit has mandated that if encryption is enabled there must be a key escrow.
- By having a key escrow we lose non-repudiation because someone could always say that our key store was compromised and the encrypted document or signature did not come from them.
- Someone asked if webmail (the newest one) is PKI enabled. Dave Martin is going to look into it but was pretty certain that it supported encryption.
- One suggested use for a soft PDC is for signing IMS forms.
- Another possible use is for Hokie SPA and access to information/changes to W2 forms, direct deposit, etc.
- Possible use for student financial aid, especially scholarships.
- Remote issuance:
  - A suggested alternative for face-to-face identity proofing is to look into using notaries to verify someone's credentials.
  - IDDL should be able to use these for verifying distance learners taking tests.
- A question was asked about when someone changes their name. The answer is to revoke the old certificate and get a new one.
  - Discussed at 7/8/2010 project team meeting.
    - Do not revoke the old cert because that would give the user a new key pair. Instead request a new cert which would use the old key pair and give the user a new cert. However, the user would still have to go through face-to-face identity proofing.
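The following Go program is an added illustration, not part of these meeting notes or of the project's own code. It shows in working code the three points recorded above: one user key pair can carry several certificates (here a cert in the old name and a second cert in the new name, issued over the same key pair without revoking the first); a signature made with the private key verifies under either certificate; and the public key from a published cert encrypts while only the private key decrypts. The issuing CA, the subject names "Jane Doe" and "Jane Smith", the 5-year leaf validity and the messages are all constructed for the example; only the Go standard library is used, so the password-protected PKCS12 container mentioned above is not produced here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // acceptable for an illustration, not for production code
	}
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA builds a constructed self-signed issuing CA that stands in for the campus CA.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Soft PDC CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueUserCert signs a 5-year end-entity cert over an existing public key; a second cert for a
// new name on the same key, without revoking the first, is the name-change procedure from the notes.
func issueUserCert(ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64, cn string, pub *rsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return sign(tmpl, ca, pub, caKey)
}

// chainsTo reports whether cert validates against ca for the e-mail protection usage.
func chainsTo(ca, cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}

// Result holds the checks a relying party (or the RA) would make.
type Result struct {
	OldCN, NewCN               string
	SameKeyPair                bool   // both certs carry the user's one public key
	BothChain, SigVerifiesBoth bool   // both validate against the CA; one signature checks under either cert
	Decrypted                  string // public key encrypted it, private key decrypted it
}

func Demo() Result {
	ca, caKey := newCA()
	userKey, err := rsa.GenerateKey(rand.Reader, 2048) // the user's one active key pair
	must(err)
	oldCert := issueUserCert(ca, caKey, 100, "Jane Doe", &userKey.PublicKey)
	newCert := issueUserCert(ca, caKey, 101, "Jane Smith", &userKey.PublicKey) // same key, new name
	r := Result{OldCN: oldCert.Subject.CommonName, NewCN: newCert.Subject.CommonName}
	r.SameKeyPair = userKey.PublicKey.Equal(oldCert.PublicKey) && userKey.PublicKey.Equal(newCert.PublicKey)
	r.BothChain = chainsTo(ca, oldCert) && chainsTo(ca, newCert)
	// Digital signature: sign with the private key, verify with the public key found in the cert.
	msg := []byte("constructed IMS form approval")
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, digest[:])
	must(err)
	r.SigVerifiesBoth = oldCert.CheckSignature(x509.SHA256WithRSA, msg, sig) == nil &&
		newCert.CheckSignature(x509.SHA256WithRSA, msg, sig) == nil
	// Encryption: the sender uses the public key from the published cert; only the private key decrypts.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newCert.PublicKey.(*rsa.PublicKey), []byte("constructed secret"), nil)
	must(err)
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userKey, ct, nil)
	must(err)
	r.Decrypted = string(pt)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it with `go run .`; every field of the printed Result should be true (or the expected name and plaintext). The point a relying party should take from it is that the old cert, the new cert and the key pair stay valid together, which is why a name change is handled by issuing rather than revoking; an escrowed copy of the same private key would decrypt and sign just as well, which is the non-repudiation concern raised further down.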
- Another possible use is for human subjects used in research. A soft cert could be used by the human subjects to release their records.
- Someone asked about putting the soft PDC on an eToken for portability. The answer is yes it can be imported to the eToken, however, if that eToken has to be revoked or returned then the soft PDC is wiped from the eToken.
- Is in-person identity proofing a problem?
  - Definitely a pain but understandably required. Perhaps sometime in the future we could offer soft PDCs with different LOAs.
  - Discussed at 7/8/2010 project team meeting.
    - For example, someone who does not have access to a VT approver might use a non-VT approver.
- What are your feelings on your users being able to handle management of certificate keys? Escrow?
  - Would be difficult for most users to manage more than one key pair.
  - Users need education on the importance of private key security.
  - Discussed at 7/8/2010 project team meeting.
    - The escrow should be considered a service of last resort. Departments should have a process in place to protect and retrieve data.
- Would you benefit from external/extended trust, i.e., root key signing solution (there is an RFP in progress)?
  - Preferred but not a show stopper.
  - The Research Division would benefit by being able to move encrypted data around.
  - Discussed at 7/8/2010 project team meeting.
    - Most likely only for VT employees.
- What are the barriers or problems with using these certificates for specific applications like e-mail encryption?
  - Only a problem if using multiple key pairs.
  - Discussed at 7/8/2010 project team meeting.
    - Multiple key pairs meaning one from VT and another from somewhere/someone else. In this case the user would get a pop-up and be allowed to select.
  - Clark Gaylord mentioned he uses PGP for e-mail.
  - Marc DeBonis mentioned he uses Windows Rights Management Services (RMS).
- Any concerns with key escrow and recovery?
  - Who can officially do this?
  - Dave Martin mentioned that there is a procedure already in place to retrieve ex-employees' e-mail.
  - Cert owner should be able to retrieve the keys any time they want, e.g., because of a forgotten password.
  - Discussed at 7/8/2010 project team meeting.
    - Needs publicity and explanations. Put in the project communication plan.
    - Some research needs to go into the technical aspects of un-revoking a cert (if even possible). This is related to the fact that someone can call 4Help and revoke a cert for someone else; this is how it works for eTokens. Define a use case for this scenario.
    - Our procedures should allow as much as possible even if it involves a process "out of band", meaning, for instance, the user coming in person and a manual process.
6 Comments
Susan R. Brooker-Gross
Jun 18, 2010
Editorial change only: the name of our organization is not "central."
Information Technology has begun a project to issue personal digital certificates similar to those that are issued on eTokens, but the new certificates will be stored in software, on computers and mobile devices, rather than on hardware tokens. These soft PDCs should be useful for authentication, digital signatures, and encryption. If you have an application or function that you think might take advantage of a soft PDC, or would like to participate in an analysis of needs, we would like to include you in one or more focus group meetings. Please respond to Greg Kroll (usdgk@vt.edu) by July 1, 2010, if you would like to attend an initial meeting (time and place to be determined based on response to this e-mail.)
Greg Kroll
Jun 24, 2010
Original draft:
To: Techsupport@listserv.vt.edu
Subject: Soft Personal Digital Certificates
The central Information Technology organization has begun a project to issue personal digital certificates similar to those that are issued on eTokens, but the new certificates will be stored in software, on computers and mobile devices, rather than on hardware tokens. The soft PDCs should be useful for authentication, digital signatures, and encryption. If you have an application or function that you think might take advantage of a soft PDC, or would like to participate in an analysis of needs, we would like to include you in one or more focus group meetings. Please respond to Greg Kroll (usdgk@vt.edu) by July 1, 2010, if you would like to attend an initial meeting (time and place to be determined based on response to this e-mail.)
Greg Kroll
Jul 21, 2010
I received responses to the above TechSupport e-mail from the following people:

| Name | Department |
|---|---|
| Denton Yoder | Biological Systems Engineering |
| Kim Homer | Secure Enterprise Technology Initiatives (SETI) |
| Rebecca Simon | IT for Administrative Services |
| David Mattox | Video Broadcast Services |
| Allen Campbell | University Budget & Financial Systems |
| Flex Vaughn | 4Help |
| Ken Wieringo | IT |
| Jeremy Sippel | Graduate School |
| Bruce Kemp | Operations Center |
| Morgan Allen | CNS |
| Justin Davenport | Northern Virginia Center |
| Dan Cook | CNS |
| Denise Linkenhoker | Virginia Tech Police |
| Joyce Landreth | 4Help |
| Lee Dickey | College of Engineering |
Greg Kroll
Jun 24, 2010
I had an informal conversation with John Homer on 6/23/2010 regarding soft personal digital certificates. John feels that we may be making a similar mistake with these certificates as we did with the eToken and that is that you have to have "something" on the computer you are using in order for them to work. John is of the opinion that we should log in to a service with appropriate credentials that retrieves whatever is needed from a database making the personal certificate ubiquitous.
Greg Kroll
Jun 24, 2010
Here is the response I received from Jeremy Sippel:
Mary Dunker
Jun 28, 2010
Relative to John Homer's comment, I believe the soft PDCs should be able to be installed on a portable device like a mobile phone. The user can then authenticate to an app that supports authentication using the mobile device. Debbie Fulton mentioned this use case during an IT Project Information meeting. We should be able to test this during the development phase using CAS.
Potential reference: https://support.quovadisglobal.com/KB/a64/how-do-i-install-a-digital-certificate-onto-an-iphone.aspx