Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA."— Presentation transcript:

1 1 REUNA Certificate Authority Juan Carlos Martínez jcmartin@reuna.cl REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA

2 2 REUNA Certificate Authority CP/CPS reviewers: Bob Cowles : rdc@slac.stanford.edu Scott Rea : Scott.Rea@Dartmouth.EDU

3 3 REUNA Certificate Authority REUNA Red Universitaria Nacional REUNA, Red Universitaria Nacional is a non-profit private corporation initially formed by 14 Chilean universities and the National Commission for Scientific and Technological Research (CONICYT). It is an initiative of the university collaboration that counts on the only technological infrastructure of advanced networks of academic nature, dedicated to research and development in Chile. PROVIDE PKI SERVICES TO ALL CHILEAN RESEARCH AND EDUCATION COMMUNITY (members and not members, conditions: Network req., agreements.)

4 4 REUNA Certificate Authority CA structure 1.CA: manager, Operators 2.RAs RAs will be setup to as needed. Deploy in the institutions. Chief department or the host administrator CA RA Inst. 1Inst. 2Inst. 3Inst. 4

5 5 REUNA Certificate Authority Certificate Authority REUNA CA provides PKI services for the users of the Chilean Research and Education community Issued certificates to all the correctly authenticated EE. Audit the RA and CA personnel Revoke certificate properly authenticated (CRL) Archive all the information: request and certs Issued, revocations requests, CRL issued, Logs signing machine

6 6 REUNA Certificate Authority Register authority The RA must be the chief department or the Host Administrator with a declaration signed by the Dean of the faculty that he can do the job of the RA and he has his support. The RA is in charge to authenticate and to collect all the information about the EE and the organization. (Photo-id, address, phone numbers, email, etc.) Archive all the data of the EE and also the CSR, confirmation and revocation request. Must use signed email or other secure way to communicate with CA and EE.

7 7 REUNA Certificate Authority Publication and repository Repository (pending) The REUNA CA’s certificate, All publicly accessible certificates issued by this CA, The CRL (Certificate Revocation L ist), All past and current officials versions of the CP/CPS. Information about the existents RAs, Other relevant information about the REUNA CA service. A link to the TAGPMA trust anchor repository where the CA root of trust has been previously published. The CRL shall have a lifetime of 30 days at most, the REUNA CA must issue a new CRL at least 7 days before the expiration date or immediately after having a revocation. A new CRL must be published immediately after its issuance. The repository will be available in a month from now (testing)

8 8 REUNA Certificate Authority Naming Distinguished Name: For a person: C=CL, O=REUNACA, O = Organization, OU = Department-Unit, CN = Full username For a server: C=CL, O=REUNACA, O = Organization, OU = Department-Unit, CN = host/FQDN For a service: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=service/FQDN

9 9 REUNA Certificate Authority Certificate operational requirements Certificate application prcessing: Users must present an application form to the appropriate RA (in the repository). The RA must meet the user in person and authenticate the EE identity by checking Chilean national identity card or passport. If the application is approved, then the RA will inform the REUNA CA that the request has been approved using signed email or another secure way, also the csr must be transmitted by a secure way. In case of a server or service the request can only be submitted by the administrator responsible for the particular host. RA Institution 1 CA REUNA Dept. Chief 1 Generate Key Pair 2 Send CSR 3 Issue Certificate 4 Get Certificate

10 10 REUNA Certificate Authority Certificate operational requirements Subscribers: Read and adhere to the procedures described in this document; Provide true and accurate information to REUNA CA and RA Generate a key pair (at least 1024bits) using a trustworthy method; Selecting a strong pass phrase of a minimum recommended 12 characters; Protecting the pass phrase from others; Never sharing the private key with other users; Notify the REUNA CA “immediately” in case of private key loss or compromise; Use the certificates for the permitted uses only.

11 11 REUNA Certificate Authority Certificate operational requirements Certificate issuance: An offline computer who holds the private key of the CA is used to sign the certificates. The notification is made by email with the URL (repository) to download the issued certificate, and also an acknowledgement of the issuance is sent to the appropriate RA. The subscriber must notify the REUNA CA and the appropriate RA of the acceptance of the issued certificate.

12 12 REUNA Certificate Authority Certificate operational requirements Certificate Renewal: Use the same key pair. The renewal process must be done before the certificate expires, so the new certificate and the old certificate will have an overlap time. The information contained in the certificate must be without change or modification. The process to get a renewal is just like when a new certificate is issued, but a face to face meeting is not necessary. Certificate ReKey: Use a new key pair.

13 13 REUNA Certificate Authority Certificate operational requirements Certificate Revocation: A certificate revocation can be requested by : The subscriber who owns the certificate. The REUNA CA or any RA that has proof of a private key compromise. The RA which authenticates the subscriber who owns the certificate. Any person presenting proof of knowledge that the subscriber’s private key has been compromise or the subscriber’s data have changed. After authenticate the revocation request, the certificate must be revoked as soon is possible (new CRL)

14 14 REUNA Certificate Authority Certificate operational requirements Certificate lifetime Root certificate: 10 years (2048bits) EE certificate: 1 year & 1 month (1024bits) CRL: 30 days The CRL shall have a lifetime of 30 days at most, the REUNA CA must issue a new CRL at least 7 days before the expiration date or immediately after having a revocation. A new CRL must be published immediately after its issuance.

15 15 REUNA Certificate Authority Security 2 different safe to backup the private key and the pass phrase. The Private Key and the pass phrase shall never be in a online media. The machines are kept in the computer center of REUNA managed by the network operator where the access is controled

16 16 REUNA Certificate Authority Incomplete topics Time issues, “as soon as possible”, 10 minutes, next working day? Minimal extensions for the CA To specify better the duties of the RA OID, IANA or IGTF

Download ppt "1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Deploying and Managing Active Directory Certificate Services

Deploying and Managing Active Directory Certificate Services
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA National Institute of Informatics, JAPAN Toshiyuki Kataoka,

Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA National Institute of Informatics, JAPAN Toshiyuki Kataoka,
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
+1 (801) 877-2100 Standards for Registration Practices Statements IGTF Considerations.

+1 (801) Standards for Registration Practices Statements IGTF Considerations.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.
DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

Similar presentations

Ads by Google