Presentation is loading. Please wait.

Presentation is loading. Please wait.

TNC 2006, Catania TERENA Server Certificate Service SCS Towards the large-scale use of affordable popup-free server certificates for the European NRENs.

Similar presentations


Presentation on theme: "TNC 2006, Catania TERENA Server Certificate Service SCS Towards the large-scale use of affordable popup-free server certificates for the European NRENs."— Presentation transcript:

1 TNC 2006, Catania TERENA Server Certificate Service SCS Towards the large-scale use of affordable popup-free server certificates for the European NRENs Licia Florio, John Dyer TERENA & members of the community

2 TNC 2006, Catania Motivation for the TERENA SCS Project description Service Characteristics Why join ? AGENDA

3 TNC 2006, Catania The background European NREN PKIs around for many years - But still not widely deployed Anticipated growth in need: -AAI middleware services -Grids - Web-based ‘stuff’ (mail, e-learning, webservices etc.) - VPN, -eduroam Only major use outside Grids is for Servers

4 TNC 2006, Catania Why have Server Certificates Pop-ups Self Issued Certificate not-recognized by browsers User sees a pop-up Doesn’t check the certificate Clicks YES Could be connected to anything In reality subverting the Certificate concept

5 TNC 2006, Catania Problem #2 Authorized CAs are known to the browsers Accreditation of a CA is very expensive Certificates are relatively expensive when bought in large numbers on a per certificate cost Our Community needs a cost effective way to obtain large numbers of server certificates

6 TNC 2006, Catania Finding a community solution TF-EMC2 discussions started in 2004 First (draft) proposal in October 2004: Interest expressed by a number of NRENs Call for Proposals issued by TERENA in August 2005; Offers from commercial CAs received in September 2005, preferred supplier (GlobalSign) announced on 19 December 2005, contract signed on 9 January 2006

7 TNC 2006, Catania Participating NRENs ACOnet (Austria), CARNet (Croatia), CESNET (Czech Republic), CRU (France), RedIRIS (Spain), SURFnet (Netherlands), SWITCH (Switzerland), UNIC (Denmark) TERENA is the contracting party

8 TNC 2006, Catania What did we get ?

9 TNC 2006, Catania The Basics Each participating NREN has nominated RA Administrators These people have been trained at GlobalSign on how to administer the process They are the contact point between the Server SysAdmins and GlobalSign They are responsible for maintaining the integrity of the identification process They can requested unlimited number of certificates during the 1 year pilot

10 TNC 2006, Catania The Process 1)Sysadmin generates key pair and creates CSR 2)Sysadmin submits CSR through GlobalSign’s enrollment pages 3)Admin contact of organization receives a challenge e- mail to be replied to (with postal mail, fax, with scan of signed document, later possibly with a digitally signed ) 4)RA administrator verifies request (identity of the applicant, organization, DNS domain in subject) 5)RA administrator approves (or rejects) the request 6)If approved: sysadmin receives certificate by mail

11 TNC 2006, Catania The SCS pre-installed root. SCS server certificates chain up to the ubiquitous GTE CyberTrust Global Root, which comes preinstalled with all major operating systems (Windows, Mac OS 9 ff., …) most Web browsers/applications (Mozilla, Opera, …) many software suites (Sun JRE/JDK, IBM Websphere, Lotus Notes, Oracle Wallet Manager, KDE, OpenSSL, …) many mobile devices (Palm, Blackberry; phones from Nokia, Sony Ericsson, Motorola, …) For issuing SCS certificates, the Cybertrust Educational CA intermediate cert is used (2006–2013)

12 TNC 2006, Catania Certificates Available No User Certificates Server Certificates only Available with 1, 2, 3 years validity Three specific Types

13 TNC 2006, Catania SureServerEDU TLS recommended default type for general-purpose servers (Web, , directory service, …) mandatory attributes: countryName (C), organizationName (O), commonName (CN) optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)

14 TNC 2006, Catania SureServerEDU TLS server special-purpose type for servers creating messages on their own (alerting service or similar) – not needed for standard SMTP/IMAP/POP servers mandatory attributes: countryName (C), organizationName (O), commonName (CN), Address (E) optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)

15 TNC 2006, Catania SureServerEDU standard type used by GlobalSign (includes legacy netscape-cert-type extension)

16 TNC 2006, Catania Not yet available Expected June 2006 subjectAltName extension with one or more dNSNames (support for DNS aliases)

17 TNC 2006, Catania Service Operational First Certificate Issued: 16 March 2006

18 TNC 2006, Catania Acknowledgements So many people in the community Some around the table, others not Licia, Karel These slides were based on material from Licia Florio of TERENA and Kasper Brand of SWITCH – Sorry for any liberties I have taken with their material

19 TNC 2006, Catania In Licia’s words:

20 TNC 2006, Catania “We got a cool service”

21 TNC 2006, Catania Joining the TERENA SCS Initial Pilot runs for one year After June 06 we can open to service to new NRENs Some NRENs are already waiting There is fee to pay to join If the pilot is successful, we will expand again


Download ppt "TNC 2006, Catania TERENA Server Certificate Service SCS Towards the large-scale use of affordable popup-free server certificates for the European NRENs."

Similar presentations


Ads by Google