Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.

Published byEugene Foster Modified over 8 years ago

Similar presentations

Presentation on theme: "OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012."— Presentation transcript:

1 OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch maltunay@fnal.govmaltunay@fnal.gov, vwelch@indiana.eduvwelch@indiana.edu October 16, 2012

2 WLCG Management Board Background The Open Science Grid (OSG) relies on a public key infrastructure (PKI) built around an OSG Certificate Authority (CA) to support its operations. The OSG PKI is operated by two parties:  The OSG itself operates a network of trusted agents (registration authorities and grid admins) who vet certificate requests and a web front-end OSG Information Management (OIM) System that provides interfaces for users for PKI functions  The DigiCert, a private company, operates the CA that, at direction of OSG and within the bounds of policy, performs the issuance of certificates. 2

3 October 16, 2012WLCG Management Board Goals and Scope Create a Recovery Plans document that present a recovery plan for PKI failure scenarios. Not a risk analysis, does not attempt to analyze whether or not a PKI failure is something that the OSG should prepare for. Analyzes the options for a recovery plan and recommends a broad course of action. Describes all the steps necessary to bring the OSG PKI back to its normal functional state. Focuses on the new OSG PKI, not the DOEGrids CA although most of the discussion is valid for DOEGrids CA as well. 3

4 October 16, 2012WLCG Management Board OSG PKI Failure Cases 2 Failure Types: compromise and loss of service  Back-End CA Compromise  OSG Information Management (OIM) Front-End Compromise  Back-End CA Loss of Availability  OSG OIM Front-End Loss of Availability 4

5 October 16, 2012WLCG Management Board Recovery Plans A recovery plan for each failure type is presented in the document available at http://osg- docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121. The plan: http://osg- docdb.opensciencegrid.org/cgi-bin/ShowDocument?docid=1121  Is a workflow of specific steps that should be taken in the aftermath of a failure to restore PKI back to normal. E.g., forming the incident response team, revoking compromised certs, issuing replacement certs, community communications, and so on.  Considers slight variations in a failure type depending on the different levels of severity (e.g. all RA Agents compromised vs. only some are compromised), incorporates conditional branches into the workflow. 5

6 October 16, 2012WLCG Management Board Recovery Plans  Each step is accompanied with specific timelines, estimating how long the plan execution would take.  Each step has a clear owner responsible for performing the activities in the event of a failure. Due to time limitation and the complexity of each plan, I will not present them here. Please contact me and Von Welch should you have any questions or feedback. 6

Download ppt "OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012."

Similar presentations

GT4 Architectural Security Review December 17th, 2004.

GT4 Architectural Security Review December 17th, 2004.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.

Sponsored by the National Science Foundation 1 Activities this trimester 0.5 revision of Operational Security Plan Independently (from GPO) developing.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

Similar presentations

Ads by Google