PKI Certificates for UCSB faculty, staff and students

Project Sponsor:

IS&C in conjunction with the UC Common Authentication Project (UCCAP)

Project Summary:

Funding to cover the cost of participating in UCCAP for all people at UCSB is required. PKI Certificates are small data files that are encrypted with the private key from a private-key/public-key pair and installed in a network browser. When the browser is pointed to a certificate-enable site, that site uses the associated public key to decrypt the certificate and authenticate the browser and, thus, its user. This technique will work with any site that respects the UC PKI hierarchy. It may be used to access a variety of services including self-service features of the UC benefits system and access to library content licensed for UC or UCSB personnel. Browser users avoid logging on and avoid having to remember and maintain passwords for each service they access. Service providers avoid maintaining id/password files for all their users.

How this Project Supports the Academic Mission:

Providing easy access to library materials, research information and a variety of campus and university provided services will be crucial to operating in the networked world of the very near future. The PKI infrastructure is a leading technique for uniquely identifying users on the World Wide Web and the University of California is an early academic adopter of PKI technology.

Funding Source:

Unknown – however, the members of the UCCAP Steering Committee recently agreed to approach their respective campus decision makers with the notion that each campus should participate in a UC-wide contract with one of the commercial certificate providers.

Costs:

UCOP has completed an RFP process and has selected Verisign as the vendor of choice for providing certificates and required components of the supporting PKI architecture. UCOP anticipates that the combination of the licenses and the costs of the infrastructure will generate a total cost of $5 per year for each person associated with UC (each person may have more than one certificate). Estimating that UCSB has 25,000 faculty, staff and students produces an estimated yearly cost of $125,000. Recognizing that the RFP specified a total UC participation of 300,000 people and recognizing that UCSB usually absorbs about one tenth of such costs indicates the cost to the campus could approach $150,000 per year.

Matching Opportunities:

None at present although UCOP staff members are exploring all possibilities.

Staff Support Required:

Help desk support will be needed to show people how to download and install certificates in the various browsers that they use in their daily activities.

If certificates of greater than minimal strength are implemented, additional staff support would be required to conduct the process of qualifying people for those certificates. For example, if certificates of a certain strength imply that one has presented a picture ID, someone will have to be in place to conduct the process of checking the ID and issuing the certificate.

Existing Resources to be Used:

One item in the certificate "payload" would be the UCNetID. Therefore, certificate users must be included in the UC directory.

Project Timeline:

All UC campuses will be experimenting with certificates beginning in February 2000. A "go/no-go" decision on the contract with Verisign for 300,000 certificates is expected to be made in October 2000.

Life Cycle of Result:

Use of certificates as a means of authenticating users is expected to grow over the next several years. One might expect the result to be in place until displaced by a newer technology.