
For E2001 Evolving Technology Committee site: Mark Luker

What is a Public Key Infrastructure, or PKI?

A PKI is a collection of technical services, policies, and business practices that can be used together to provide for networked communications many of the legal and business capabilities that have long been assumed in the paper world. These are often summarized in five concepts:

- Authentication assures that the persons or resources involved in a networked communication have been identified correctly.
- Authorization assures that persons and systems have the proper permissions to perform the requested activities.
- Data integrity assures that the content has not been altered, either on purpose or by accident.
- Confidentiality assures that the content is available only to the intended audience.
- Non-repudiation assures that the signer of a message cannot later deny signing it.

Together, these capabilities establish for networked communications the social and legal fabric provided by signatures, witnesses, the notary public, sealing wax, and other technologies in traditional communications. Such assurances are absolutely required in order to use the network for the full range of business and academic communications.

Applications in higher education

There are many potential applications of PKI in higher education. These include most situations that now require "wet" or ink signatures, including promissory notes, financial authorizations, grades, personnel evaluations, license agreements, and contracts. A PKI can also be used to replace passwords in present networked applications that control access to networked resources. The complete suite of services will be required for full implementation of distributed learning applications, in which students, institutions, content, questions and responses, tests and evaluations all must be correctly matched and identified without recourse to face-to-face recognition. More mundane, but equally important, applications arise as institutions shift much of their normal business administration to the network.

Of particular importance will be a large set of communications that involve education institutions and the federal government, such as student financial aid and research administration, since the federal government is moving rapidly to adopt PKI as one way to reduce paper transactions. PKI will also play an important role in protecting the security of the network itself from attack or accident through a much more rigorous regimen of identification and authorization between system components and network administrators.

The present state of PKI in higher education

PKI technology is now available on the market in the form of products that can be purchased and operated on campus as well as services that are operated by offsite providers. Prices are falling rapidly even while capabilities expand in a growing competitive marketplace. Several campuses and even entire systems have embarked on their first implementation of a PKI. These initial efforts might best be characterized as prototypes or pilot projects, however, since they often do not yet include the business process re-engineering required for full-scale implementation. One significant barrier to implementation is the complexity of the technology and policy foundation required for PKI. Campuses face a steep learning curve and a complex array of alternative implementations. Staff members with expertise in the technical and policy issues of PKI are few and far between, even at our largest institutions. Standards for PKI exist at a technical level, but have not yet been established for content and policies. Most institutions will use LDAP directories, for example, to store an authoritative view of the members of their community and X.509v3 certificates to communicate the technical information required for authentication and digital signatures. There is no technical standard, however, for exactly how such information is to be represented in the directories or certificates. This presents a significant barrier to PKI-enabled communications between institutions.

Implementing PKI across the community of higher education

Several organizations are currently working in collaboration on the development of standardized, simplified approaches to PKI that will make it easier for an institution to adopt these technologies and will result in systems that can communicate between campuses themselves and with partners in the federal government and industry. One key group is an informal collaboration called the Higher Education PKI group (http://www.educause.edu/hepki/) involving the EDUCAUSE Net@EDU PKI Working Group, the Internet2 Middleware Project, and CREN, as well as representatives of the Federal PKI Steering Committee and several corporate partners. Campus members of HEPKI organizations are working on common approaches to both technology and policy for PKI. They are also developing an initial standard called eduPerson (http://www.educause.edu/eduperson/) for the content of campus directories. Initial contacts have been made with related stakeholder organizations such as the National Association of College and University Attorneys, the National Council of University Research Administrators, the National Association of College and University Business Officers, the American Association of Collegiate Registrars and Admissions Officers, and the American Council on Education. The goal is to cooperate in a common definition of policies and technology standards for PKI to facilitate communications across the entire community later. Another community project of considerable interest is the definition of a Higher Education Bridge Certification Authority, modeled on the similar Federal Bridge Certification Authority. This project, under the policy umbrella of EDUCAUSE, should greatly reduce the complexity of PKI for individual institutions by providing a framework for translating authentication information from one implementation of PKI to another. Although these projects are in the early stages of definition and testing, they point to a common understanding of and approach to the issues involved.

The timing of PKI

The technical components of a campus PKI can now be purchased or outsourced in a matter of months. A working implementation usually takes much longer, however, because it depends on the creation of an authoritative institutional directory of persons and services, a new set of policies and business practices to govern its use, and a set of PKI-enabled applications that can take advantage of such capabilities. These parts of the problem are typically much more difficult than the technical platform because they require significant institutional change. The implementation of a new ERP has many similar features. Boundaries of authority for standardization make it relatively easier to introduce PKI applications within a campus and more difficult between campuses. It will be more than a few years before higher education has established PKI as a common foundation for all of its critical communications and transactions. There is pressure today to get started, however, in the form of emerging federal systems that may require PKI, state laws that require digital signatures, privacy regulations that increase campus liability for security lapses, and the simple savings to be enjoyed by the transition to e-commerce. It can be expected, then, that many institutions will adopt PKI for parts of their operations in the next few years and gradually expand their capabilities as PKI-enabled applications become more commonly available in the market. Fortunately for higher education, the same technologies and services are under rapid development in the commercial marketplace to serve the general needs of e-commerce.
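As an added example that is not part of the original article, the following Go program shows in working code the mechanics the article refers to: a campus certification authority issues an X.509v3 certificate that binds a person's identity to a public key, the holder signs a document such as a promissory note, and a relying party checks authentication (the chain to the campus CA), data integrity and non-repudiation (the signature). "Example University", "Jane Student" and "jane@example.edu" are constructed names; only the Go standard library's crypto/x509 and crypto/ed25519 packages are used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has caKey sign tmpl (self-signed when parent == tmpl) and parses the DER result.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Enroll builds a self-signed campus CA and issues an X.509v3 signing certificate that binds
// the constructed identity "Jane Student" (subject DN plus e-mail subjectAltName) to her key.
func Enroll() (ca, cert *x509.Certificate, key ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example University Campus CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:        pkix.Name{CommonName: "Jane Student", Organization: []string{"Example University"}},
		EmailAddresses: []string{"jane@example.edu"}, // constructed identity attribute in the SAN extension
		NotBefore:      time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature}
	return ca, issue(tmpl, ca, pub, caKey), key
}

// Sign produces the certificate holder's Ed25519 signature over the document bytes.
func Sign(key ed25519.PrivateKey, doc []byte) []byte { return ed25519.Sign(key, doc) }

// Verify checks that cert chains to the campus CA (authentication) and that the
// signature matches doc (integrity; the signer cannot later deny it: non-repudiation).
func Verify(ca, cert *x509.Certificate, doc, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false // unknown issuer, expired, or wrong usage: identity not authenticated
	}
	return ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), doc, sig)
}
```

A certificate issued by a different CA, or a document changed after signing, makes Verify return false; the same checks are what a campus directory service or PKI-enabled application would perform before trusting a signed transaction.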
