CMU Certificate Authority (DRAFT)
ATI 2003-0003

Document revision: 0.5 - 06/12/2003
Primary Authors: Russell Yount (rjy+@andrew.cmu.edu), Walter C. Wong (wcw+@cmu.edu)
http://asg.web.cmu.edu/arch/ati/2003-0003-CMU-CA.html

1.0 Introduction

Computing Services has been providing a Certificate Authority (CA) service for campus since 08/01/1999. In the simplest terms, a CA issues digital certificates. These certificates are most often used by web servers to enable SSL connections. The benefit of a central CA is that by trusting the CA, you trust every certificate it has issued.

The current public guidance provided to users for this service is available at http://www.cmu.edu/CA. A current copy of this document has been archived with this document at http://asg.web.cmu.edu/arch/ati/archive/2003/0003/cmu-ca-overview.html.

2.0 Issues with Running a CA

Web browsers come pre-populated with a list of CAs, so most users do not have to take any action. If a browser connects to a site whose CA is not in this list, a dialog box appears, warning the user that the browser does not trust the certificate and letting the user decide whether to proceed regardless or perform a corrective action.

If the user proceeds without addressing the issue, this creates a security risk: an attacker can impersonate the site the user is trying to reach, either feeding the user false information or intercepting the information the user sends to the web site. After the warning is ignored, the session usually appears to be a secure SSL session ('the key is present') and no further notice may be given.
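The trust decision described above, as an added example that is not part of the CMU document: a throwaway RSA root and one server certificate are built with the OpenSSL command line (assumed to be installed), and the server certificate is then checked against a trust store that contains the root and against one that does not, which is the "CA not in the browser's list" case. Every name and hostname is made up; the expiry check mirrors the "[expired]" marks in Appendix A.

```shell
#!/bin/sh
# Added example (not part of the CMU document): a small RSA root CA and one
# server certificate built with the OpenSSL command line, then verified against
# a trust store that holds the root and one that does not (the browser-warning
# case). Assumes the openssl binary (1.1.1 or newer); every name is made up.
set -e
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Minimal req config so the root gets CA:TRUE regardless of the system's
# openssl.cnf; -subj on the command line overrides the [dn] placeholder.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Campus
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_root_ca <path-prefix> <common-name>: self-signed RSA root (the current
# CMU CA moved from DSA to RSA for compatibility).
make_root_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 365 -subj "/O=Example Campus/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_server_cert <ca-path-prefix> <hostname> [days]: CSR, then signed cert.
issue_server_cert() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Campus/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days "${3:-365}" -in "$WORK/$2.csr" \
        -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_with_store <trust-store.pem> <cert.pem>: prints trusted/untrusted.
# A root absent from the store is the "CA not in the browser's list" case,
# however valid the certificate itself is.
verify_with_store() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# expires_within_days <cert.pem> <days>: succeeds if the certificate is
# expired or expires inside the window (the "[expired]" marks in Appendix A).
expires_within_days() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}
```

Typical use is `make_root_ca "$WORK/campus" "Example Campus Root CA"`, then `issue_server_cert "$WORK/campus" www.example.edu`, and `verify_with_store` with `$WORK/campus.pem` (trusted) versus any other root's certificate (untrusted).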

The key problem is that the CMU CA is not recognized by the majority of browsers. There have been attempts to have Higher Education CAs included in the browser distributions, but none of these attempts has been successful.

The implications of this problem are as follows:

  1. Users need to take a specific action in order to securely access a site whose certificate was issued by the CMU CA. Our current instructions for doing this are at http://asg.web.cmu.edu/arch/ati/archive/2003/0003/ca-user.html.
  2. Because the dialog box is only a warning, users may "click through" it rather than go through the effort of installing the CA certificate, thereby leaving themselves vulnerable to future attack.
  3. Users may be in a situation where they cannot install the CA certificate because they do not have administrative access to the machine, such as when using a kiosk at an internet cafe, or because it is difficult to install in the browser (as with early versions of Safari and PocketPC).
  4. Some browsers behaved poorly when accessing a site whose CA is outside their trusted list. For example, IE on the Macintosh required the user to enter their keychain password in order for the CA to be accessed, so the user's perception was that they were constantly being prompted for their password for some unknown reason.

3.0 Current Status

The good news is that the installation of a CA is a relatively straightforward procedure and as far as we can tell a large portion of the user community has downloaded the certificate (and presumably installed it). What is not clear is how many installed it just because we told them to and how many installed it because they saw the warning box. We also do not know how many people click through the warning box.

The primary reasons for running your own CA are cost and control. The cost has been as high as $150 per machine per year. The threat of a significant jump in renewal cost was one of the motivators for starting this project.

While web servers are currently the biggest consumer of certificates, it is likely that we will want to issue a certificate for every machine on campus -- and at that pricing, we would end up paying over $750,000/yr. When you rely on an external organization to issue certificates, you lose a degree of control.

We have been issuing certificates to various departments on campus on a regular basis. These departments include ACIS, Library, ME, CMU West, student affairs/government, HEINZ, housing, and MISM. We also issued signing certificates to PSC, SCS, and ECE, which have issued a limited number of certificates. Appendix A has a complete list of certificates issued by Computing Services.

Computer Science makes extensive use of the signing certificate signed by the CMU CA for many services in CS, and distributes web software with generated certificates for people. More details to follow.

The root certificate is also being installed as part of the default clusters install.

4.0 CMU Issues with Running a CA

We have had a number of issues with running the CA that are likely specific to the decisions made and actions performed (or not made and not performed).

  1. The initial CA only implemented DSA and not RSA. While there were a number of good reasons to do this, which will not be discussed, this led to a number of compatibility problems. The current CA uses RSA, as the barriers to using RSA are no longer present.
  2. The documentation for the CA did not properly describe why someone would want to use the CMU CA versus a CA which was already in the browser.
  3. Not all groups within Computing Services bought in to this service. Namely, DSP did not install the certificate on their machine installations. There are reports that the Help Center did not provide instructions on how to install the certificate.
  4. There was some discussion of handing the service over to User Services. This never materialized for a variety of reasons that will not be discussed at this point.
  5. There was significant concern that users would be in a position where they could not install the root CA. The classic example is the internet cafe or a conference kiosk machine. In that situation a user is forced to click through, thereby training the user to click through.

5.0 State Summary

  1. Most of our production servers are currently using commercial certificates for the reasons (or beliefs) listed above.
  2. There are departments on campus with different constraints, for which using certificates issued by the CMU CA in production is not a problem.
  3. The cost of certificates has dropped significantly -- if you don't use the brand-name CAs (e.g. Thawte/Verisign). For example, via InstantSSL, the cost of a 3 year certificate is $100 and the cost of a 1 year certificate is $40.
  4. If we aren't using the CA for production services, but others are, are we doing a disservice to them? The belief is
  5. If we do not use the CMU CA for our production services, there will be insufficient 'critical mass'. The chain of events then is: (a) people will not install the root, (b) people will click through the warnings, and so (c) the security of any system using the CMU CA will be unacceptably degraded.

6.0 Outstanding Issues

  1. What is the current cost of operating the system as it is?
    1. cost to users to install: 5 minutes per machine?
    2. cost of Computing Services to run: 1/2 hour of rjy time [rjy] per certificate.
    3. cost of Computing Services to support: ?
    4. cost of Computing Services to document: ?
  2. Cost of redeployment - If we stop pushing users to install then what is the cost of reintroducing it?
  3. Why do we make users install something they don't need now?

Appendix A: Current list of certificates issued

Dates are yy/mm/dd.

Certificate name                    flag  issued    expires   status
CMU-CA-User-Services-web-1-06             01/07/01  06/07/01
CMU-CA-identity-1-07                safe  02/06/01  07/06/01
CMU-CA-mail-1-06                    safe  01/07/01  06/07/01
CMU-CA-network-1-07                 safe  02/06/01  07/06/01
CMU-CA-server-1-06                  safe  01/07/01  06/07/01
CMU-CA-system-1-07                  safe  02/08/05  07/06/01
CMU-CA-web-1-06                     safe  01/07/01  06/07/01
CS-CA-web-1-06                            02/02/07  06/07/01
ECE-CA-web-1-06                           02/09/12  06/07/01
PSC-CA-web-1-06                           02/05/08  06/07/01
TANDEM.AS.CMU.EDU-02                      01/11/01  02/11/01  [expired]
access.web.cmu.edu-02               safe  01/11/05  02/11/05  [expired]
agamemnon.net.cmu.edu-03            safe  02/03/02  03/03/02  [expired]
agamemnon.net.cmu.edu-04            safe  03/05/19  04/05/19
alumni-2k.gsia.cmu.edu-03                 02/12/13  03/12/13
archibus.web.cmu.edu-04                   03/03/06  04/03/16
asg2.web.cmu.edu-03                       02/12/11  03/12/11
authbridge.net.cmu.edu-02           safe  01/12/07  02/12/07  [expired]
authbridge.net.cmu.edu-03           safe  02/05/29  03/05/29
authbridge.net.cmu.edu-04           safe  03/05/19  04/05/19
bayo.net.cmu.edu-03                 safe  02/10/16  03/10/16
bb-beta.andrew.cmu.edu-04                 03/03/03  04/03/03
bblogin.andrew.cmu.edu-03           safe  02/06/11  03/05/11  [expired]
bboard.andrew.cmu.edu-04                  03/01/06  04/01/06
bigbrother.as.cmu.edu-03                  02/08/12  03/08/12
bizservweb.pc.cc.cmu.edu-03               02/06/05  03/06/05
blackboard-dev.andrew.cmu.edu-03          02/06/11  03/06/11
brie.library.cmu.edu-03                   02/09/25  03/09/25
ca.net.cmu.edu-03                   safe  02/09/27  03/09/27
ca.net.cmu.edu-04                   safe  03/05/19  04/05/19
cabi.net.cmu.edu-03                 safe  02/10/16  03/10/16
calendar-test.andrew.cmu.edu-03     safe  02/03/04  03/03/04  [expired]
callmanager.voip.cmu.edu-03               02/06/27  03/06/27
cave.net.cmu.edu-03                 safe  02/07/21  03/07/21
cgi.andrew.cmu.edu-03                     02/01/15  03/01/15  [expired]
cgi3.andrew.cmu.edu-03              safe  02/12/02  03/12/02
clari.web.cmu.edu-02                safe  01/11/05  02/11/05  [expired]
clusters.andrew.cmu.edu-03                02/07/09  03/07/09
confserv.housing.cmu.edu-03               02/01/22  03/01/22  [expired]
csis2.as.cmu.edu-02                       01/10/01  02/10/01  [expired]
csis2.as.cmu.edu-03                       02/10/03  03/10/03
cyrus-test.andrew.cmu.edu-02        safe  01/07/01  02/07/01  [expired]
cyrus-test.andrew.cmu.edu-03              02/06/26  03/06/26
cyrus.andrew.cmu.edu-02                   01/10/15  02/10/15  [expired]
cyrus.andrew.cmu.edu-03                   02/06/26  03/06/26
dahntahn.andrew.cmu.edu-03                02/04/23  03/04/23  [expired]
data-gsia.gsia.cmu.edu-03                 02/10/08  03/10/08
dialup.net.cmu.edu-02               safe  01/10/01  02/10/01  [expired]
dialup.net.cmu.edu-03               safe  02/05/29  03/05/29
dialup.net.cmu.edu-04               safe  03/05/19  04/05/19
doi.library.cmu.edu-03                    02/02/07  03/02/07  [expired]
doi.library.cmu.edu-04                    03/03/04  04/03/04
dream.andrew.cmu.edu-04                   03/01/06  04/01/06
dsa-fmu.andrew.cmu.edu-04                 03/04/14  04/04/14
elections.andrew.cmu.edu-02               01/10/29  02/10/29  [expired]
elections.mac.cc.cmu.edu-04               03/03/10  04/03/10
esp.andrew.cmu.edu-03               safe  02/02/28  03/02/28  [expired]
esp.andrew.cmu.edu-04                     03/03/19  04/03/19
esprit.as.cmu.edu-03                      02/08/19  03/08/19
fluid.west.cmu.edu-04                     03/01/17  04/01/17
garyn3.me.cmu.edu-04                      03/02/24  04/02/24
garyn9.me.cmu.edu-04                      03/05/07  04/05/07
halcyon.andrew.cmu.edu-04           safe  03/02/27  04/02/27
illiad.library.cmu.edu-02                 01/11/26  02/11/26  [expired]
illiad.library.cmu.edu-04                 03/01/22  04/01/22
infocenter.pc.cc.cmu.edu-03               02/03/08  03/03/08  [expired]
kludge.psc.edu-03                         02/05/05  03/05/05  [expired]
ldap1.andrew.cmu.edu-03                   02/09/30  03/09/30
lists-mgmt.andrew.cmu.edu-02        safe  01/06/01  02/06/01  [expired]
lists-mgmt.andrew.cmu.edu-03        safe  02/02/26  03/02/26  [expired]
lists-mgmt.andrew.cmu.edu-04              03/03/21  04/03/21
mail1.andrew.cmu.edu-03                   02/06/26  03/06/26
mail2.andrew.cmu.edu-03                   02/06/26  03/06/26
mail3.andrew.cmu.edu-03                   02/06/26  03/06/26
mail4.andrew.cmu.edu-03                   02/08/15  03/08/15
media1.web.cmu.edu-02               safe  01/11/05  02/11/05  [expired]
metadir.andrew.cmu.edu-02           safe  01/11/05  02/11/05  [expired]
metadir.andrew.cmu.edu-03           safe  02/11/12  03/11/02
monitor.andrew.cmu.edu-03           safe  02/07/25  03/07/25
mrtg.net.cmu.edu-02                 safe  01/09/10  02/09/10  [expired]
mrtg.net.cmu.edu-03                 safe  02/05/29  03/05/29
netboot-dev.cc.cmu.edu-04                 03/03/03  04/03/03
netboot2.cc.cmu.edu-04                    03/04/16  04/04/16
netdev1.net.cmu.edu-04              safe  03/05/07  04/05/07
netflow.net.cmu.edu-02              safe  01/09/10  02/09/10  [expired]
netflow.net.cmu.edu-03              safe  02/05/29  03/05/29
netmon.net.cmu.edu-02               safe  01/09/10  02/09/10  [expired]
netmon.net.cmu.edu-03               safe  02/05/29  03/05/29
netmon.net.cmu.edu-04               safe  03/05/19  04/05/19
netmon2.net.cmu.edu-03              safe  02/06/15  03/06/15
netreg-telerama.net.cmu.edu-03      safe  02/08/04  03/08/04
netreg.net.cmu.edu-02               safe  01/09/10  02/09/10  [expired]
netreg.net.cmu.edu-03               safe  02/05/29  03/05/29
netreg.net.cmu.edu-04               safe  03/05/19  04/05/19
netsage.andrew.cmu.edu-03           safe  02/07/25  03/07/25
netsage.net.cmu.edu-03              safe  02/07/22  03/07/22
netsage2.andrew.cmu.edu-04                03/05/05  04/05/05
pawn.hss.cmu.edu-04                       03/02/27  04/02/27
penguin.andrew.cmu.edu-03                 02/07/11  03/07/11
ponte.net.cmu.edu-03                safe  02/04/10  03/04/10  [expired]
publishing.andrew.cmu.edu-03              02/05/30  03/05/30
radius1.net.cmu.edu-04              safe  03/05/07  04/05/07
remedy.andrew.cmu.edu-04                  03/01/09  04/01/09
rjy-identity-03                     safe  02/06/05  03/06/05
senate.web.cmu.edu-03                     02/08/10  03/08/10
sentry.net.cmu.edu-03               safe  02/09/23  03/09/23
sevenofnine.net.cmu.edu-03          safe  02/01/10  03/01/10  [expired]
sevenofnine.net.cmu.edu-04          safe  03/04/15  04/04/15
sevis1.studentaffairs.cmu.edu-04          03/01/27  04/01/27
shib-test.andrew.cmu.edu-03               02/12/13  03/12/13
shib-test1.andrew.cmu.edu-04              03/01/07  04/01/07
sigmanu.web.cmu.edu-03                    02/09/20  03/09/30
smtp-test.andrew.cmu.edu-02         safe  01/07/01  02/07/01  [expired]
smtp-test.andrew.cmu.edu-03               02/06/26  03/06/26
smtp.andrew.cmu.edu-02                    01/12/04  02/12/04  [expired]
smtp.andrew.cmu.edu-03                    02/06/26  03/06/26
snort.net.cmu.edu-03                safe  02/10/27  03/10/27
soccerball2.andrew.ad.cmu.edu-02          01/12/13  02/12/13  [expired]
softdist2-test.andrew.cmu.edu-03          02/05/22  03/05/22
stats.net.cmu.edu-02                safe  01/09/10  02/09/10  [expired]
stats.net.cmu.edu-03                safe  02/05/29  03/05/29
stats.net.cmu.edu-04                safe  03/05/19  04/05/19
students.heinz.cmu.edu-03                 02/07/22  03/07/22
survey-dev.andrew.cmu.edu-04              03/01/29  04/01/29
survey.andrew.cmu.edu-03                  02/09/18  03/09/18
synergy.as.cmu.edu-03                     02/06/03  03/06/03
tandem.as.cmu.edu-02                      01/11/05  02/11/05  [expired]
testunicorn.library.cmu.edu-03            02/02/19  03/02/19  [expired]
testunicorn.library.cmu.edu-04            03/03/04  04/03/04
unicorn.library.cmu.edu-03                02/08/19  03/08/19
uportal-test.andrew.cmu.edu-03            02/02/21  03/02/21  [expired]
userv.web.cmu.edu-03                      02/04/03  03/04/03  [expired]
userv.web.cmu.edu-04                      03/03/13  04/03/13
vpn.net.cmu.edu-02                  safe  01/09/10  02/09/10  [expired]
vpn.net.cmu.edu-03                  safe  02/05/29  03/05/29
vpn.net.cmu.edu-04                  safe  03/05/19  04/05/19
web0.andrew.cmu.edu-03                    02/09/30  03/09/30
web0.andrew.cmu.edu-04                    03/03/28  04/03/28
webiso-test.andrew.cmu.edu-03             02/07/10  03/07/10
webiso.andrew.cmu.edu-03            safe  02/02/12  03/02/12  [expired]
webiso2.andrew.cmu.edu-02           safe  01/10/24  02/10/24  [expired]
webmail.andrew.cmu.edu-03                 02/06/26  03/06/26
webmail3.andrew.cmu.edu-03                02/07/23  03/07/23
www.andrew.cmu.edu-03                     02/09/03  03/09/03
www.as.cmu.edu-03                         02/06/24  03/06/24
www.heinz.cmu.edu-03                      02/05/13  03/05/13  [expired]
www.housing.cmu.edu-03                    02/05/06  03/05/06  [expired]
www.housing.cmu.edu-04                    03/01/08  04/01/08
www.mism.cmu.edu-03                       02/05/28  03/05/28
www.net.cmu.edu-02                  safe  01/09/10  02/09/10  [expired]
www.net.cmu.edu-03                  safe  02/05/29  03/05/29
www.net.cmu.edu-04                  safe  03/05/19  04/05/19
www.psc.edu-03                            02/05/08  03/05/08  [expired]
www.studentaffairs.cmu.edu-02             01/12/20  02/12/20  [expired]
www.studentaffairs.cmu.edu-04             03/01/20  04/01/20
zarchive.andrew.cmu.edu-03          safe  02/02/28  03/02/28  [expired]
zarchive.andrew.cmu.edu-04                03/03/21  04/03/21

ChangeLog

0.5  - wcw   - 06/12/2003 - took care of some of the todos; removed opinion.
0.4  - wcw   - 06/03/2003 - cleaned up some sections; added content to Appendix A; added todo
0.3  - wcw   - 06/01/2003 - reorganize as an ATI overview; add my opinions in; more background info
0.2  - wcw   - 06/01/2003 - spelling and syntax cleanup; no change to content
0.1  - rjy   - 05/30/2003 - Initial draft taken from email