Soft Personal Digital Certificates project meeting
Thursday, October 13, 2011; 3:30 p.m.; AISB-212
Invited
Ismael Alaoui, Phil Benchoff, Brian Daniels, Mike Emero, Mary Dunker, Frank Galligan, Greg Kroll, Sharon Kurek, Randy Marchany
Agenda
- Discuss the Soft PDC certificate profile
Attended
Ismael Alaoui, Phil Benchoff, Brian Daniels, Mike Emero, Mary Dunker, Frank Galligan, Greg Kroll, Randy Marchany (by phone)
Meeting Notes
- Refer to the Soft PDC certificate profile
- This profile will be proposed to the Policy Management Authority (PMA)
- Version: X509 version 3
- Signature algorithm: sha1RSA is a mainstream algorithm and is used for the VT eTokens
- Signature hash algorithm: sha1 is a mainstream algorithm and is used for the VT eTokens
- Issuer DN: There was some discussion about the name used, "Virginia Tech Global SoftPDC CA". This name has already been approved by the PMA. If we want to change the name, a new name will need PMA approval and a key signing ceremony. This name needs to be distinguishable from any other Certificate Authority (CA).
- Valid From: A 5-year certificate was decided on in project team meetings.
- Public Key: This group recommends changing the value/comment to say "RSA 2048 bits or longer". A 2048-bit key is recommended for security. The current eToken key is 1024 bits. Because the FIPS flag is turned on for the current eToken, it can only handle a 1024-bit key. To change our eTokens to use a 2048-bit key, they would have to be reformatted and reissued. We currently have about 6000 eTokens. The next reissuing of eTokens will be September-December 2012. So our options are:
  - Keep a 1024-bit key and educate users that a Soft PDC will not work on the eToken.
  - Begin issuing new eTokens with the FIPS flag turned off and a 2048-bit key, and wait until the next reissue before all eTokens are converted.
  - Give the user the option of getting a new eToken with a 2048-bit key before their current eToken expires.
  - Allow users to have multiple eTokens, i.e., a separate one for the Soft PDC.
- Authority Information Access: This is an alternate way of getting a certificate and is used during the authentication process.
- Certificate Policies: There are 5 levels of assurance (LOA): test, rudimentary, basic, medium, and high. The eToken is a medium LOA. Recommend the Soft PDC be a basic LOA. What this means in practice is that our Soft PDC will work with an application that requires an LOA of test, rudimentary, or basic, and would not work with applications requiring a medium or high LOA.
- Key Usage: New values for encryption: "Data Encipherment" and "Key Encipherment". The eToken does not have these attributes. Keys will be escrowed.
- Enhanced Key Usage: "Client Authentication" is used with client SSL. "Secure Email" is for S/MIME and the signing and security of email.
- Subject Alt Name: Recommend using the preferred email address (as opposed to PID@vt.edu) that is published in LDAP. Recommend soft certs be published in LDAP for email encryption.
- The ITSO (Randy Marchany) commented that they are OK with this profile as proposed.
- Just a reminder that we should refer to "Pilot Groups" as "Early Adopters".
- Phil Benchoff mentioned that Carl or Morgan may be interested in a soft PDC to replace the current NetCert.