PKI Matrix Questionnaire

We are surveying Higher Education Institutions that have deployed PKI for end users in order to develop a matrix of information to share among schools deploying PKI and those considering deploying PKI. We will publish the results of our survey in the PKI section of the Net@EDU web site. If you have a production PKI that is issuing end user certificates for production use in S/MIME and/or authentication, then please answer these questions and return your answers to so we can share your experience and knowledge with others.

Your Institution

  1. Name of your institution: Massachusetts Institute of Technology
  1. Name and contact information for person filling out the survey (we won’t publish this on the web): Jeffrey I. Schiller <>
  1. What is the size of your institution (total head count)? ~ 30,000

The Decision to Deploy PKI

  1. What specific use case(s) drove your institution’s decision to deploy PKI?

Web Authentication.

  1. What was the business case to deploy PKI on your campus?

Ability to offer single sign on, avoiding people having to remember or write down many passwords. At the time (1996) believed it was going to be the way to authenticate on the Web and wanted to get a head start.

  1. What other factors influenced your institution’s decision to deploy PKI?

We wanted to do it (I have been involved in various PKI efforts since 1990).

  1. Who were your institution’s PKI champions, and why were they the champions?

I was the primary champion. My original motivation was for Electronic mail. I wanted an infrastructure that would provide privacy that was non-compromisable by the people running the infrastructure. PKI fit the bill.

  1. Was the decision to get started with PKI top-down or bottom-up?

Bottom up.

  1. How is your institution's management involved and to what degree?

Management signed off once we had a test system. We piloted successfully with the Registrar as first customer.

Implementation Information

  1. Is your Certificate Authority internal or outsourced?

Internal.

  1. How is PKI being used within the institution, how is it planned to be used? Please list the applications.

Web authentication. Including Student Registration, Employee “self service” HR system (health care enrollment etc.). Access to our ERP system via the Web. Student voting, many others. One of the features of the PKI is that central admin (us) do not have to be involved in the setup of PKI authenticated websites. So there are plenty that we do not even know about!

  1. How long has your PKI been operational and what is its growth rate?

Since 1996. 100% of students have certificates and roughly 75% of Faculty and Staff.

  1. What policies did you put in place to support the use of PKI by end users?

None, same policies as our password management.

  1. What policies have you been able to put in place because of your PKI capabilities?

None needed.

Cost Information

  1. What was the cost of initial deployment? Please list FTE/PTE.

.5 FTE for about a month.

  1. What are ongoing operational costs? Please separately list equipment, FTE, and the ongoing cost to license or outsource each certificate per year.

.1 FTE to operate. Roughly 1,000-2,000 per year for hardware (mid-range system with a three year average life).

Certificate Management

  1. What is your vetting process for end user certificates?

Leveraged off of Kerberos authentication. Person uses their Kerberos name and password to obtain certificate. Initial Kerberos credentials are provided by proving knowledge of a six word one-time-use passphrase that is sent in postal mail.

  1. What are the Levels of Assurance (LOAs) that your PKI supports?

Rudimentary, which turns out to be just fine.

  1. What is your process for issuing end user certificates?

Automated via website.

  1. What is your process for revoking end user certificates?

Doesn't happen.

  1. What is your process for renewing end user certificates and how often?

All certificates expire on or before July 31st of any given year. The preceding June, we change the limit for another year. At the moment this limit is July 31st 2005. We run a publicity campaign starting in July (we are in the middle of one now) to remind people to obtain new certificates.

  1. Do you use two factor PKI (tokens, smartcards, biometrics)?

If so, why did you implement two factor authentication, and why did you pick the type you did?

No. However, we have successfully obtained MIT certificates where the private key was stored on a PKCS11 token. However, this is not required.

Support

  1. How do you provide support for end user PKI use?

Through our normal computing help desk.

  1. How do you support multiple end user computers (e.g. work, home, parents, friends, public)?

We have people obtain a different certificate for each (but all certificates will have the same DN in them).

Applications

  1. Have you deployed S/MIME email? No.

If so, what users can use S/MIME? N/A

Do you require S/MIME use for any users? N/A

If so, which users and under what conditions? N/A

What S/MIME clients do you support?

How do you manage private keys for S/MIME encryption? Do you support dual keys (one for signing, another for encryption?)

  1. Do you use PKI authentication for any web applications?

If so, which ones?

We provide help and sample code for Apache. We know that people have also been able to verify our client certificates with IIS.
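As an added illustration (not MIT's own sample code), this is how an Apache httpd 2.4 virtual host can require a client certificate from the institutional CA and authorize on the subject DN, which matters here because a person holds a separate certificate per computer but every one carries the same DN. The CA bundle path, hostname, key paths and the permitted CN are assumptions.

```apache
<VirtualHost *:443>
    ServerName app.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.edu.key

    # Accept only certificates chaining directly to the institutional CA
    # that issues the end-user certificates (assumed path).
    SSLCACertificateFile  /etc/ssl/certs/institution-client-ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        1
    # No SSLCARevocationFile: this CA does not revoke end-user certificates,
    # so the annual July 31st expiry is what bounds a lost or copied key.

    <Location "/registrar">
        SSLOptions +StdEnvVars
        # The same person may present different certificates from different
        # computers, so identify and authorize by DN fields, never by the
        # certificate serial number or fingerprint.
        SSLUserName SSL_CLIENT_S_DN_Email
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'Jane Doe'"
    </Location>
</VirtualHost>
```

The `SSLUserName` line makes the e-mail address from the DN available to the application as `REMOTE_USER`, so downstream access decisions stay tied to the person rather than to one of their certificates.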

  1. Do you use PKI authentication for any network appliances? No.
  1. Do you have any applications or appliances for which you require PKI authentication? Yes. See list above (Student registration etc.)
  1. Do you have any PKI deployment projects underway?

If so, what are they?

Comments

  1. Do you have any words of wisdom for others deploying PKI for end users?

Don't obsess on the policy stuff. Most real organizations have no idea what a CP or CPS is (our certificates are accepted by several outside organizations and none have asked to see our CP or CPS; frankly, they probably do not know what one is).

It is helpful to have someone on staff with PKI knowledge. Many people take a while to get their heads around it. Part of the job of the PKI knowledgeable person should be to help others get up to speed.

  1. Do you have any other comments to share?