Jeremy Smith's blog

Entry Is Labelled

Emerging PKI

We have a lot of projects on our plates. One of them that sits in the background as a type of gee-whiz-that-would-be-cool is deploying a campus-scale Public Key Infrastructure. We talk about it from time-to-time.

In this entry, Emerging PKI, talks about how other Universities have deployed PKI and where PKI might be heading:

Many institutions are avoiding [the cost of signing certificates with certificate authorities] by signing their own certificates. Of course this then prompts users about unknown signing authority which might cause calls to the help desk with confused users. This is the solution MIT, USC, and others have adopted.

There is another solution nearing availability, USHER, the US Higher Education Root. According to Neal McBurnett of Internet2, USHER will:

provide a basis for campuses to deploy signed documents, secure email, and other applications. Serving as both an infrastructure and an initiative, it will include a root (AKA trust anchor or certification authority) to identify campus roots [CA’s], and recommended applications, tools and metadata. It will coordinate with the InCommon federation.

Assuming the USHER CA finds its way into the major browsers as an accepted signing authority, it will provide higher education with an affordable solution for digital certificates. USHER is a key player in multiple Internet2 initiatives including the InCommon Federation and Shibboleth. USHER does not yet seem to have its own web site, but is being coordinated by HEPKI-TAG. I believe USHER is the lynch pin for general deployment of PKI in higher education.


  1. gravatar

    That's cool. I hate getting those "unsigned certificate" warnings... especially for campus resources. It just seems unprofessional (although I did not know that getting signed certificates involved paying someone!)

    Hey, how come maintaining Blog@Case is not listed here? How much of your work time is taken up with other responsibilities?