The summer of PKI love

The annual PKI Deployment Summit at Dartmouth College is becoming a summer tradition. Universities differ from other large enterprises in ways that make them bellwethers for IT's future. University user populations are transient, platform monocultures cannot be imposed, and collaboration across institutional borders is mission-critical. These are excellent circumstances in which to evolve methods of identity management that will also meet the requirements of corporations as they increasingly outsource, connect with customers through the Web, and engage with partners in federations of Web services.

One reason for PKI's slow uptake has been the lack of two kinds of portability. It hasn't been easy to move cryptographic keys from one machine to another, or to use credentials issued by one institution at another. But as we learned at the summit, there's been progress on both fronts. Growing adoption of hardware tokens is making cryptographic identities independent of machines. And emerging trust bridges are enabling those identities to be federated among universities, the federal government, and industry.

On the token front, we're still unfortunately waiting for the ideal key storage device. USB tokens, smart cards, and cell phones are all candidates, and the pros and cons of these options form a complex matrix. Universities tend to prefer the USB approach because the tokens work with PCs and Macs that can't easily be outfitted with card readers.

No matter what flavor of device, however, the deployment procedure is critical. This year, several summit attendees talked about moving away from a model in which the token caches keys that are also stored elsewhere, to a model in which keys are generated directly on the token and are stored only there. If you lose your token, you have to reregister for a new one and get freshly minted keys. Work-arounds are painful experiences that people won't lightly inflict on themselves a second time.

It sounds draconian, and indeed is, but the benefits are twofold. It virtually eliminates password sharing, which, as I mentioned last year, is otherwise rampant. And the required in-person registration is a ceremony that helps users understand what the token means and how to use it.

On the trust front, a number of initiatives are under way. A handful of universities and resource providers have been using the Internet2 consortium's Shibboleth to enable users at one institution to access online resources at another. In March, that trust network was formalized as the InCommon Federation.

Shibboleth isn't PKI-based, but it can be bridged to PKI systems, and trust bridges were a hot topic this year. Dartmouth's Scott Rea gave a status report on the Higher Education Bridge Certification Authority. Peter Alterman, from the National Institutes of Health, described the Federal Bridge Certification Authority. Cybertrust's Russ Weiser presented Secure Access for Everyone, which focuses on the biopharmaceutical industry. And Jim Jokl, from the University of Virginia, showed how to leverage grid networks as a trust fabric by exploiting the Globus Toolkit's intrinsic PKI.

Once these and other bridges can cross-certify, token-borne credentials issued by one will be recognized -- subject to appropriate policy mapping -- by the others. A year ago that seemed far-fetched, but the picture is coming into focus.