----- Original Message -----
From: Kroll, Greg
Sent: Friday, June 18, 2010 2:54 PM
To: 'Support for Support Discussion List'
Subject: Soft Personal Digital Certificates
Information Technology has begun a project to issue personal digital certificates similar to those that are issued on eTokens, but the new certificates will be stored in software, on computers and mobile devices, rather than on hardware tokens. These soft PDCs should be useful for authentication, digital signatures, and encryption. If you have an application or function that you think might take advantage of a soft PDC, or would like to participate in an analysis of needs, we would like to include you in one or more focus group meetings. Please respond to Greg Kroll (usdgk@vt.edu) by July 1, 2010, if you would like to attend an initial meeting (time and place to be determined based on response to this e-mail.)
VTVTVTVTVTVTVTVTVTVTVTVTVTVT
--Greg Kroll, PMP
Assoc Dir for IT Project Management & Planning
Virginia Tech
1700 Pratt Drive (0214)
Blacksburg, VA. 24061
office: 540.231.9654
fax: 540.231.7413
Draft Agenda for Introductory meeting to discuss Soft Personal Digital Certificates
Wednesday, July 7, 2010, 2:00 p.m., RB14-115.
Agenda
- Welcome & meeting format
- A very brief overview of the agenda and explanation that this first meeting is for us to gather information on possible uses and answer questions about personal digital certificates. We are planning smaller focus group meetings to discuss use cases.
- Overview of Soft Personal Digital Certificates
- Frank will give a brief overview
- Questions/Answers and Discussion
- Do those attending understand the technology?
- Do you have an application waiting for this technology?
- What do you want to use these certificates for? or What are these certificates useful for?
- Is in-person identity proofing a problem?
- What are your feelings on your users being able to handle management of certificate keys? Escrow?
- Would you benefit from external/extended trust, i.e., a root key signing solution (there is an RFP in progress)?
- Where can this certificate replace a signature? See Standard for Personal Digital Identity Levels of Assurance
- Who is not familiar with the Thawte free E-mail Certificates?
- What are the barriers or problems with using these certificates for specific applications like e-mail encryption?
- Any concerns with key escrow and recovery?
Meeting Notes
Attendee | Department | E-mail
Phil Benchoff | CNS | benchoff@vt.edu
Dan Cook | CNS | wdciii@vt.edu
Marc DeBonis | MIG | marcd@vt.edu
Mary Dunker | SETI | dunker@vt.edu
Daniel Fisher | Mw | dfisher@vt.edu
Frank Galligan | eProv | frankg@vt.edu
Clark Gaylord | VTTI | cgaylord@vt.edu
Kimberly Homer | SETI | homerk@vt.edu
Greg Kroll | VPIT | gkroll@vt.edu
Kayla Lamar | SETI | klamar07@vt.edu
Joyce Landreth | UCS | jlandret@vt.edu
Dave Martin | SS | darkmoon@vt.edu
David Mattox | VBS | damattox@vt.edu
Rebecca Simon | IT4AS | simonr@vt.edu
Jeremy Sippel | GS | jsippel@vt.edu
Brad Sumpter | OBFP | bsumpter@vt.edu
Flex Vaughn | UCS | flex.vaughn@vt.edu
Ken Wieringo | VPIT | kwiering@exchange.vt.edu
- Went around the room with introductions, what department you are with, and if desired why you are here today.
- Frank Galligan gave a brief introduction to the project, the technology, and progress to date. Probable completion date of Spring/Summer 2011.
- Eligibility for a soft cert is everyone that is eligible for an eToken plus all students.
- The Graduate School asked specifically about non-VT-affiliated graduate student committee members. The answer is if they are eligible for an eToken (which committee members are) then they can get a soft cert.
- A 5-year validity period is good for students. Someone commented that it seems strange that the validity of a soft cert would be longer than for an eToken that has a higher LOA.
- It is envisioned that enrollment would have 3 stages:
- user logs into a customized, public, web interface to request a soft PDC.
- user then goes to a convenient registration authority (RA) station for face-to-face identity proofing.
- user is notified by e-mail where to download their certificate and are provided instructions.
- In order to use encryption the public keys would need to be publicly available, probably by publishing them to the AD or ED.
- We are looking for "early adopters" to help us work out the processes. Those interested should contact Greg Kroll.
- Discussed at 7/8/2010 project team meeting.
Dave Martin expressed interest as an early adopter.
- Users only have one active key pair but could have multiple certificates.
- Discussed at 7/8/2010 project team meeting.
An active key pair means the user does not have a revoked cert, only "valid" or "expired" certs.
A user can have multiple active certs associated with their one active key pair.
A user can download their key pair anytime by providing the appropriate password.
The PKCS #12 file could be stored anywhere (PKCS #12 defines a password-protected file format commonly used to store a private key together with its X.509 certificate(s); the password protecting the file is the only thing standing between whoever holds the file and the private key).
As for passwords:
We intend to use the same rules (strength) as for eTokens.
We do not want to advertise the fact that users can change their password, assuming they know how. The fact that a user can change the password on their own means a lower LOA.
- Remember, public key encrypts, private key decrypts. For digital signatures, you sign with your private key.
- Internal Audit has mandated that if encryption is enabled there must be a key escrow.
- By having a key escrow we lose non-repudiation: a signer could always claim that our key store was compromised and that the encrypted document or signature did not come from them.
- Someone asked if webmail (the newest one) is PKI enabled. Dave Martin is going to look into it but was pretty certain that it supported encryption.
- One suggested use for a soft PDC is for signing IMS forms.
- Another possible use is for Hokie SPA and access to information/changes to W2 forms, direct deposit, etc.
- Possible use for student financial aid, especially scholarships.
- Remote issuance:
- A suggested alternative for face-to-face identity proofing is to look into using notaries to verify someone's credentials.
- IDDL should be able to use these for verifying distance learners taking tests.
- A question was asked about when someone changes their name. The answer is to revoke the old certificate and get a new one.
- Discussed at 7/8/2010 project team meeting.
Do not revoke the old cert because that would give the user a new key pair. Instead request a new cert which would use the old key pair and give the user a new cert. However, the user would still have to go through face-to-face identity proofing.
- Another possible use is for human subjects used in research. A soft cert could be used by the human subjects to release their records.
- Someone asked about putting the soft PDC on an eToken for portability. The answer is yes it can be imported to the eToken, however, if that eToken has to be revoked or returned then the soft PDC is wiped from the eToken.
- Is in-person identity proofing a problem?
- Definitely a pain but understandably required. Perhaps sometime in the future we could offer soft PDCs with different LOAs.
- Discussed at 7/8/2010 project team meeting.
For example, for someone that does not have access to a VT approver they might use a non-VT approver.
- What are your feelings on your users being able to handle management of certificate keys? Escrow?
- Would be difficult for most users to manage more than one key pair.
- Users need education on the importance of private key security.
- Discussed at 7/8/2010 project team meeting.
The escrow should be considered a service of last resort. Departments should have a process in place to protect and retrieve data.
- Would you benefit from external/extended trust, i.e., root key signing solution (there is an RFP in progress)?
- Preferred but not a show stopper.
- The Research Division would benefit by being able to move encrypted data around.
- Discussed at 7/8/2010 project team meeting.
Most likely only for VT employees.
- What are the barriers or problems with using these certificates for specific applications like e-mail encryption?
- Only a problem if using multiple key pairs.
- Discussed at 7/8/2010 project team meeting.
Multiple key pairs meaning one from VT and another from somewhere/someone else. In this case the user would get a pop-up and be allowed to select.
- Clark Gaylord mentioned he uses PGP for e-mail.
- Marc DeBonis mentioned he uses Windows Rights Management Services (RMS).
- Any concerns with key escrow and recovery?
- Who can officially do this?
- Dave Martin mentioned that there is a procedure already in place to retrieve ex-employee's e-mail.
- Cert owner should be able to retrieve the keys any time they want, e.g., because of a forgotten password.
- Discussed at 7/8/2010 project team meeting.
Needs publicity and explanations. Put in the project communication plan.
Some research needs to go into the technical aspects of un-revoking a cert (if even possible). This is related to the fact that someone can call 4Help and revoke a cert for someone else, this is how it works for eTokens. Define a use case for this scenario.
Our procedures should allow as much as possible even if it involves a process "out of band", meaning, for instance, the user coming in person and a manual process.