IRAN-GRID Certificate Authority, 13th EUgridPMA Meeting, Copenhagen, 26-28 May 2008. Majid Arabgol, Hessamdding Arfaei, Shahin Rouhani.


1 IRAN-GRID Certificate Authority
13th EUgridPMA Meeting, Copenhagen, 26-28 May 2008
Majid Arabgol, Hessamdding Arfaei, Shahin Rouhani
arabgol@ipm.ir, arfaei@ipm.ir, rouhani@ipm.ir
Institute for Studies in Theoretical Physics and Mathematics (IPM), Niavaran Square, Niavaran Bldg., Tehran, Iran, P.O. Box 19395-5746.
Tel: +98-21-22288680, Fax: +98-21-22280415
E-mail: ca-manager@ipm.ir
Webpage: http://cagrid.ipm.ac.ir

2 IRAN-GRID CA Current Status
13th EUgridPMA Meeting, Copenhagen, 26-28 May 2008
- Historical status of IRAN-GRID CA
- Comments from reviewers (Asli, Arsen)
- CP/CPS and repository changes
- Summary

3 CP/CPS and online repository update history
- May 2007: request for membership, CP/CPS-0.0 (old)
- 6 Jan 2008: CP/CPS-1.0 (draft), repository updated
- 16 Jan 2008: presented at the 12th EUgridPMA
- Reviewers: Asli, Arsen. First review: Arsen 18 Feb 2008, Asli 20 Feb 2008
- 14 April 2008: CP/CPS-1.1, repository updated
- 29 April 2008: second review by Arsen
- 17 May 2008: CP/CPS-1.2, repository updated
- Confirmed by Arsen 23 May 2008 and by Asli 26 May 2008
- 28 May 2008: presenting at the 13th EUgridPMA

4 Comments from reviewers
Reviewer | Major | Minor | CP/CPS (total) | Operational | Total
Asli set 1 | 16 | 35 | 51 | 16 | 67
Asli set 2 | 0 | 0
Arsen set 1 | 13049 (cell boundaries lost in the transcript)
Arsen set 2 | 306 (cell boundaries lost in the transcript)
Mike (short comment) | 22 94 24118 (cell boundaries lost in the transcript)

5 Comments from reviewers
Comments are categorized as:
- Technical: incompleteness, discrepancy, vagueness
- Operational: grammar, fonts, ...

6 CP/CPS changes
CP/CPS and repository changed based on:
- Comments by Asli and Arsen
- RFC 2527
- RFC 3280
- Grid-Cert-Profile-v-19.pdf (from OGF)
- IGTF-AP-Classic-4-1.pdf
The complete history of changes can be found at http://cagrid.ipm.ac.ir/IRAN-GRID-CA-CP-CPS.1.0--to--1.2.pdf

7 CP/CPS changes: Policy Identification (1.2)
Document OID: 1.2.840.113612.5.4.2.7.1.1.2
http://www.eugridpma.org/objectid/?oid=1.2.840.113612.5.4.2
Decomposition of the OID:
- 1.2.840.113612.5.4.2: IGTF
- .7: IRAN-GRID CA, Institute for Studies in Theoretical Physics and Mathematics (IPM)
- .1: CP/CPS
- .1: major version
- .2: minor version

8 CP/CPS changes: Frequency of Entity Compliance Audit (2.7.1)
Old text: No Stipulation
New text: IRAN-GRID CA performs operational audits of the CA and RA staff at least once per year. A list of CA and RA personnel is maintained and verified at least once per year.

9 CP/CPS changes: Physical Security - Access Controls (5.1)
Physical access: physical access to the IRAN-GRID CA's repository and to the CA/RA computers is restricted to authorized personnel.
Fire prevention and protection: the on-line computers are in a room equipped with fire protection systems, and the off-line computer is kept in a fire-safe box.
Media storage: the IRAN-GRID CA key and backup copies of IRAN-GRID CA related information are kept on several removable storage media.

10 CP/CPS changes: Name Forms (7.1.4)
Distinguished Names for:
- Issuer: C=IR, O=IPM, O=IRAN-GRID, OU=IPM-GRID, CN=IRAN-GRID CA, emailAddress=ca-manager@ipm.ir
- Subject (persons): C=IR, O=IRAN-GRID, O=, OU=, CN=, EMAIL=
- Subject (hosts): C=IR, O=IRAN-GRID, O=, OU=, CN=, EMAIL=
- Subject (services): C=IR, O=IRAN-GRID, O=, OU=, CN=

11 CP/CPS changes: Name Meanings (3.1.2)
Each entity has a clear and unique Distinguished Name (DN) in the certificate subject field. Any name under this CP/CPS will contain "C=IR, O=IRAN-GRID". For a user certificate the common name (CN) must be the full name of the subscriber. For a host certificate the CN must be the FQDN of the server.
Illustration of a full subject distinguished name for a user: C=IR, O=IRAN-GRID, O=Sharif University of Technology, OU=Physics Dept., CN=Shahin Rouhani (full name)
Illustration of a full subject distinguished name for a host: C=IR, O=IRAN-GRID, O=Sharif University of Technology, OU=Physics Dept., CN=grid02.sharif.ac.ir
Illustration of a full subject distinguished name for a service: C=IR, O=IRAN-GRID, O=Sharif University of Technology, OU=Physics Dept, CN=ldap/grid02.sharif.ac.ir
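The name-form rules in sections 3.1.2 and 7.1.4 are simple to state but easy to get wrong at an RA, because a subject DN is an ordered sequence in which O= legitimately appears twice (once for IRAN-GRID, once for the subscriber's organisation) and the CN rule differs per certificate type. The checker below is an added example written for this page, not code from IRAN-GRID CA or its CP/CPS. It uses the three illustrations from slide 11 as test data; the full-name and FQDN patterns and the service/FQDN form are assumptions of the example, and EMAIL= is not checked because the slide-11 illustrations omit it.

```python
import re

# Name-form rules as stated in CP/CPS 3.1.2 and 7.1.4 on the slides: every
# subject DN starts with C=IR, O=IRAN-GRID, then carries the subscriber's
# organisation (a second O=) and unit (OU=), and ends in a CN whose form depends
# on the certificate type. The CN patterns below are this example's assumptions.
REQUIRED_PREFIX = [("C", "IR"), ("O", "IRAN-GRID")]
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
FULL_NAME_RE = re.compile(r"[A-Za-z][A-Za-z'.-]*(?: [A-Za-z][A-Za-z'.-]*)+")


def parse_dn(dn):
    """Split 'C=IR, O=IRAN-GRID, CN=...' into an ordered list of (type, value).

    Order matters and attribute types repeat (two O= components), so a dict
    would lose information. A comma escaped as '\\,' inside a value is kept."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def check_subject(dn, cert_type):
    """Return the list of name-form violations; an empty list means compliant."""
    if cert_type not in ("user", "host", "service"):
        raise ValueError(f"unknown certificate type {cert_type!r}")
    rdns = parse_dn(dn)
    types = [attr for attr, _ in rdns]
    problems = []
    if rdns[:2] != REQUIRED_PREFIX:
        problems.append("subject must begin with C=IR, O=IRAN-GRID")
    if types.count("O") < 2:
        problems.append("subscriber organisation (second O=) is missing")
    if "OU" not in types:
        problems.append("organisational unit (OU=) is missing")
    cns = [value for attr, value in rdns if attr == "CN"]
    if len(cns) != 1:
        problems.append("exactly one CN= is required")
        return problems
    cn = cns[0]
    if cert_type == "user" and not FULL_NAME_RE.fullmatch(cn):
        problems.append("user CN must be the subscriber's full name")
    elif cert_type == "host" and not FQDN_RE.match(cn.lower()):
        problems.append("host CN must be the server's FQDN")
    elif cert_type == "service":
        m = re.fullmatch(r"[a-z0-9-]+/(.+)", cn)
        if not m or not FQDN_RE.match(m.group(1).lower()):
            problems.append("service CN must be <service>/<FQDN>")
    return problems


# The three illustrations from CP/CPS 3.1.2 (slide 11), plus one constructed
# non-compliant host DN that omits the mandatory O=IRAN-GRID and OU= components.
SAMPLES = [
    ("user", "C=IR, O=IRAN-GRID, O=Sharif University of Technology,OU=Physics Dept., CN= Shahin Rouhani"),
    ("host", "C=IR, O=IRAN-GRID, O= Sharif University of Technology, OU= Physics Dept., CN=grid02.sharif.ac.ir"),
    ("service", "C=IR, O=IRAN-GRID,O=Sharif University of Technology, OU= Physics Dept, CN=ldap/grid02.sharif.ac.ir"),
    ("host", "C=IR, O=Sharif University of Technology, CN=grid02.sharif.ac.ir"),
]

if __name__ == "__main__":
    for cert_type, dn in SAMPLES:
        print(f"{cert_type:8s} {check_subject(dn, cert_type) or 'OK'}")
```

The parser keeps the DN as an ordered list rather than a dict on purpose: a dict keyed by attribute type would silently drop one of the two O= components, which is exactly the part of the name form that distinguishes the grid-wide organisation from the subscriber's institution.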

12 Certificate issuance workflow (applicant, RA, IRAN-GRID CA)
1. The applicant reads the CP/CPS and visits the website http://cagrid.ipm.ac.ir.
2. The applicant completes the application form and faxes it to the local RA.
3. The RA operator examines the application. Eligible? If no: contact the applicant and explain.
4. The RA operator makes an appointment for an interview.
5. Interview with the RA operator; the applicant provides all necessary documents. Approved? If no: contact the applicant and explain.
6. The applicant is informed and asked to submit a CSR.
7. The RA operator informs IRAN-GRID CA and sends the approved documents to it.
8. Has the applicant already submitted the CSR via the website? If no: remind the applicant.
9. The CA manager issues the approved certificate request (issued by: IRAN-GRID CA; issued to: user/host).
10. The certificate is published on the website and the user is informed by e-mail.
11. The applicant imports the certificate and exports it to a file.

13 CP/CPS changes: Life-cycle and certificate issuance (4.2)
- The maximum validity period for a certificate must be 1 year plus one month.
- Expiration warning for rekey and renewal: 30 days before expiry.
- Revoking authority: section 3.1.6.
- IRAN-GRID CA does not rekey after revocation or expiration.

14 CP/CPS changes: Procedure of Revocation Request (4.2)
The revocation of a user, host or service certificate issued by IRAN-GRID CA is as follows.
The subscriber of a user certificate can request certificate revocation either by:
- Sending IRAN-GRID CA an e-mail signed by the private key corresponding to her/his valid personal certificate issued by IRAN-GRID CA. Upon successful verification of the digital signature on the e-mail, the certificate will be revoked immediately and the subscriber will be informed about the revocation by signed e-mail from IRAN-GRID CA staff.
- Contacting IRAN-GRID CA staff personally. The subscriber must be authenticated as described in section 3.1.6 of this policy; if authentication succeeds, the certificate will be revoked immediately.

15 CP/CPS changes: Procedure of Revocation Request (4.2)
The subscriber of a host or service certificate can request revocation of that certificate by sending IRAN-GRID CA an e-mail signed by the private key corresponding to her/his valid personal certificate issued by IRAN-GRID CA. If at the time of the revocation request she/he has no valid personal certificate issued by IRAN-GRID CA, she/he must follow the initial authentication procedure described in section 3.1.6 of this policy.

16 CP/CPS changes: Procedure of Revocation Request (4.2)
The RA can request revocation of a certificate by sending an e-mail signed by the private key of an RA staff member, corresponding to her/his valid personal certificate issued by IRAN-GRID CA. Upon successful verification of the digital signature and of the fact that the e-mail sender is indeed a member of the RA staff, the certificate will be revoked immediately and the certificate subject will be informed about the revocation by signed e-mail from IRAN-GRID CA staff.
IRAN-GRID CA staff can request revocation of any issued certificate if any of the conditions listed in section 4.4.1 is satisfied. The certificate subject will be informed about the revocation by signed e-mail from IRAN-GRID CA staff.

17 CP/CPS changes: Procedure of Revocation Request (4.2)
Any person other than the subscriber, RA or CA staff who possesses proof of private key compromise or of modification of data in a certificate issued by IRAN-GRID CA can request certificate revocation by contacting IRAN-GRID CA staff personally and presenting that proof. The initial authentication procedure described in section 3.1.6 of this document applies. Upon checking the correctness of the proof presented and successful authentication of the revocation requester, the certificate will be revoked and the subject of the certificate will be informed about the revocation by signed e-mail from IRAN-GRID CA staff.
IRAN-GRID CA will react as soon as possible, and within one day, to any revocation request received.

18 CP/CPS changes: Types of Records Archived (4.6.1)
- Boots, re-boots and shutdowns of the CA signing machine
- Log-ins and log-outs on the CA signing machine
- Certificate signing requests
- Certificate revocation requests
- Issued certificates
- Issued CRLs
- E-mail messages sent and received by IRAN-GRID CA

19 CP/CPS changes: Certificate Extensions (7.1.2)
For natural person certificates:
- Basic Constraints: critical, ca: false
- Subject Key Identifier: hash
- Authority Key Identifier: keyid, issuer:always
- Key Usage: critical, digitalSignature, keyEncipherment, dataEncipherment
- Extended Key Usage: clientAuth, emailProtection
- Netscape Comment: STRING
- CRL Distribution Points: URI
- Subject Alternative Name: subscriber's e-mail address
- Certificate Policies: OID

20 CP/CPS changes: Certificate Extensions (7.1.2)
For host/service certificates:
- Basic Constraints: critical, ca: false
- Subject Key Identifier: hash
- Authority Key Identifier: keyid, issuer:always
- Key Usage: critical, digitalSignature, keyEncipherment, dataEncipherment
- Extended Key Usage: serverAuth, clientAuth
- Netscape Cert Type: server, objsign
- Netscape Comment: STRING
- Netscape CA Revocation Url: URL
- CRL Distribution Points: URI
- Subject Alternative Name: DNS:FQDN
- Certificate Policies: OID

21 CP/CPS changes: Certificate Extensions (7.1.2)
For the CA certificate:
- Basic Constraints: critical, ca: true
- Subject Key Identifier: hash
- Authority Key Identifier: keyid
- Key Usage: critical, keyCertSign, cRLSign
- Subject Alternative Name: ca-manager@ipm.ir

22 CP/CPS changes: CRL and CRL Entry Extensions (7.2.2)
Old text: No Stipulation
New text: The following CRL extensions are used:
- Authority Key Identifier
- CRL Number

23 PKI structure changes: CA certificate (1)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Validity
            Not Before: May 15 18:23:59 2008 GMT
            Not After : May 14 18:23:59 2013 GMT
        Subject: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c0:f0:d1:da:72:e6:39:a5:94:59:52:35:89:56:
                    aa:01:bf:3f:4a:5c:f1:3a:c7:b5:da:7d:b9:8f:fa:
                    ...

24 PKI structure changes: CA certificate (2)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:ca-manager@ipm.ir
    Signature Algorithm: sha1WithRSAEncryption
        4a:fb:55:00:b3:95:8f:69:bc:fa:f2:c4:4b:78:15:eb:6c:8f:
        ba:1a:c5:a1:06:8b:a0:1e:0e:7f:5a:51:77:96:d2:75:6e:98:
        b2:d0:eb:9e:4c:af:db:ed:c8:00:4f:29:ae:17:8a:47:52:fa:
        ...

25 PKI structure changes: Host certificate (1)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Validity
            Not Before: May 15 18:30:57 2008 GMT
            Not After : Jun 14 18:30:57 2009 GMT
        Subject: CN=cagrid.ipm.ac.ir,OU=GCG,O=IPM,O=IRAN-GRID,C=IR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cb:58:b5:e9:99:f3:f6:e1:34:9e:d3:8e:16:62:
                    88:3f:70:bf:60:99:68:a7:57:40:92:b7:7a:1f:73:
                    ...

26 PKI structure changes: Host certificate (2)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                37:11:39:2F:8E:18:7E:88:EC:79:38:57:A2:17:EE:FE:9C:5B:A3:53
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Subject Alternative Name:
                DNS:cagrid.ipm.ac.ir
            X509v3 Certificate Policies:
                Policy: 1.2.840.113612.5.4.7.1.2
            X509v3 CRL Distribution Points:
                URI:http://cagrid.ipm.ac.ir/pub/crl/cacrl.crl

27 PKI structure changes: User certificate (1)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Validity
            Not Before: May 15 18:26:37 2008 GMT
            Not After : Jun 14 18:26:37 2009 GMT
        Subject: CN=Majid Arabgol,OU=GCG,O=IPM,O=IRAN-GRID,C=IR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ec:07:5d:97:38:dc:e9:dd:0b:af:00:68:73:1a:
                    ...

28 PKI structure changes: User certificate (2)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Key Identifier:
                58:2B:22:71:71:A7:7C:10:6C:97:4B:57:A0:38:96:63:EA:36:DF:65
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Subject Alternative Name:
                email:arabgol@ipm.ir
            X509v3 Certificate Policies:
                Policy: 1.2.840.113612.5.4.7.1.1.2
            X509v3 CRL Distribution Points:
                URI:http://cagrid.ipm.ac.ir/pub/crl/cacrl.crl
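The extension profiles of section 7.1.2 (slides 19-21), the validity limit of one year plus one month (slide 13) and the policy-OID layout on slide 7 can all be checked mechanically against the text that `openssl x509 -text -noout` prints, which is the form in which the certificates above are shown. The script below is an added example written for this page, not code from IRAN-GRID CA. The embedded certificate text is constructed from the field values on the host-certificate slides, the extension names are the ones OpenSSL prints, and the profile table, the 13-month limit and the IGTF arc constant are transcriptions of the slides rather than anything the CA publishes as code. Run against that sample it reports exactly one finding: the policy OID in the dump (1.2.840.113612.5.4.7.1.2) is not under the arc 1.2.840.113612.5.4.2 given on slide 7, a difference a relying party should clear up with the CA before configuring policy-OID matching.

```python
import calendar
import re
from datetime import datetime

# Constructed sample in `openssl x509 -text -noout` layout; the field values are
# the ones shown on the host-certificate slides (key and signature bytes left out).
HOST_CERT_TEXT = """\
        Validity
            Not Before: May 15 18:30:57 2008 GMT
            Not After : Jun 14 18:30:57 2009 GMT
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                37:11:39:2F:8E:18:7E:88:EC:79:38:57:A2:17:EE:FE:9C:5B:A3:53
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Subject Alternative Name:
                DNS:cagrid.ipm.ac.ir
            X509v3 Certificate Policies:
                Policy: 1.2.840.113612.5.4.7.1.2
            X509v3 CRL Distribution Points:
                URI:http://cagrid.ipm.ac.ir/pub/crl/cacrl.crl
    Signature Algorithm: sha1WithRSAEncryption
"""

# Extension profile per certificate type, transcribed from CP/CPS 7.1.2 (slides 19-21):
# extension name -> (must be critical, required values as OpenSSL prints them).
PRESENT = (False, set())  # extension must exist; its value is not checked here
COMMON = {"Subject Key Identifier": PRESENT, "Authority Key Identifier": PRESENT}
END_ENTITY = {**COMMON, "Certificate Policies": PRESENT, "CRL Distribution Points": PRESENT,
              "Basic Constraints": (True, {"CA:FALSE"}),
              "Key Usage": (True, {"Digital Signature", "Key Encipherment", "Data Encipherment"})}
PROFILE = {
    "user": {**END_ENTITY, "Extended Key Usage": (False, {"TLS Web Client Authentication", "E-mail Protection"})},
    "host": {**END_ENTITY, "Extended Key Usage": (False, {"TLS Web Client Authentication", "TLS Web Server Authentication"})},
    "ca": {**COMMON, "Basic Constraints": (True, {"CA:TRUE"}), "Key Usage": (True, {"Certificate Sign", "CRL Sign"})},
}
SAN_PREFIX = {"user": "email:", "host": "DNS:", "ca": "email:"}
IGTF_ARC = "1.2.840.113612.5.4.2"  # IGTF arc as given on slide 7
MAX_VALIDITY_MONTHS = 13           # "1 year plus one month" (slide 13), end-entity certificates only
EXT_HEADER = re.compile(r"^X509v3 (.+?):\s*(critical)?$")


def parse_x509_text(text):
    """Extract validity dates and the X509v3 extension block from openssl text output."""
    cert = {"ext": {}}
    for label, key in (("Not Before", "not_before"), ("Not After", "not_after")):
        m = re.search(label + r"\s*:\s*(.+)", text)
        cert[key] = datetime.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y GMT")
    current = None
    for line in map(str.strip, text.splitlines()):
        if line == "X509v3 extensions:":
            continue
        if line.startswith("Signature Algorithm:"):
            current = None  # the signature block ends the extension list
        header = EXT_HEADER.match(line)
        if header:
            current = header.group(1)
            cert["ext"][current] = {"critical": header.group(2) == "critical", "values": []}
        elif current:
            cert["ext"][current]["values"] += [v.strip() for v in line.split(",")]
    return cert


def decompose_policy_oid(oid):
    """Split <IGTF arc>.<CA>.<doc>.<major>.<minor> (slide 7 layout) into a tuple, else None."""
    tail = oid[len(IGTF_ARC) + 1:].split(".") if oid.startswith(IGTF_ARC + ".") else []
    return tuple(int(t) for t in tail) if len(tail) == 4 and all(t.isdigit() for t in tail) else None


def add_months(dt, months):
    """Calendar-month arithmetic, clamping the day to the length of the target month."""
    month0 = dt.month - 1 + months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def check_profile(cert, cert_type):
    """Compare a parsed certificate with the 7.1.2 profile; returns a list of findings."""
    ext, findings = cert["ext"], []
    for name, (critical, values) in PROFILE[cert_type].items():
        if name not in ext:
            findings.append(f"missing extension {name}")
            continue
        if critical and not ext[name]["critical"]:
            findings.append(f"{name} must be marked critical")
        if values - set(ext[name]["values"]):
            findings.append(f"{name} lacks {sorted(values - set(ext[name]['values']))}")
    if not any(v.startswith(SAN_PREFIX[cert_type]) for v in ext.get("Subject Alternative Name", {"values": []})["values"]):
        findings.append(f"Subject Alternative Name needs a {SAN_PREFIX[cert_type]} entry")
    if cert_type != "ca":
        for v in ext.get("Certificate Policies", {"values": []})["values"]:
            oid = v.split(":", 1)[1].strip() if v.startswith("Policy:") else v
            if decompose_policy_oid(oid) is None:
                findings.append(f"policy OID {oid} is not under {IGTF_ARC} as laid out on slide 7")
        if cert["not_after"] > add_months(cert["not_before"], MAX_VALIDITY_MONTHS):
            findings.append("validity exceeds one year plus one month")
    return findings
```

Usage is `check_profile(parse_x509_text(text), "host")` with `text` read from a file produced by `openssl x509 -in cert.pem -noout -text`; for the sample above the host profile yields only the policy-OID finding, while checking the same sample against the user profile additionally reports the missing E-mail Protection EKU and the missing email: SAN entry. The validity check uses calendar months rather than a fixed day count because the CP/CPS phrases the limit as "1 year plus one month", and the sample's 15 May 2008 to 14 June 2009 window sits one day inside that bound.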

29 IRAN-GRID CA Status Summary
1. IRAN-GRID CA got an arc from IGTF (thanks to David).
2. We followed up the comments of the reviewers (Asli and Arsen); many thanks for their sharp look and their comments.
3. The IRAN-GRID CP/CPS is based on RFC 2527; we will upgrade to RFC 3647 as soon as possible.
4. All comments by the reviewers have been successfully implemented, and Asli and Arsen confirmed that the current status is compliant with the requirements of EUgridPMA.

30 IRAN-GRID CA Status Appreciation
I should thank:
1) Ian Neilson, CERN CA
2) David Groep, Head of EUgridPMA
3) Asli Zengin, TK-Grid CA
4) Arsen Hayrapetyan, ArmeSFo CA
5) Usman Ahmad Malik, PK-Grid-CA
6) Sajjad Asghar, PK-Grid-CA
7) Nuno Dias, LIPCA
8) OpenCA group

31 Thanks for your attention. Questions?

