Egypt Certification Authority Dr. Ayman Bahaa-Eldin EUN Director 8 May 2012 25th EuGridPMA meeting, Germany.

Presentation transcript:


Content (1/2)
- About Egyptian Universities Network
- Introduction
- CP/CPS
- CA System
- Operational Controls
- Online Repository
- Certificate Types

Content (2/2)
- Name Forms
- Who can submit a certificate application
- How to get a certificate
- Re-key Requests
- Revocation Requests
- Other important issues

About EUN
- Established 1987
- First data network (WAN) in Africa and the Middle East
- First Internet point and ISP in Africa and the Middle East
- Continuously evolving ever since

About EUN
Higher education government organizations:
- 19 Universities (23 by end of 2012)
- 8 Technical Colleges
- 1,400,000+ Students
- 80,000+ Staff Members
During the period from 2005 to 2008, the Ministry of Higher Education funded the Higher Education Enhancement Project (HEEP), which consists of six major projects including the Information and Communication Technology Project (ICTP). During this period ICTP funded a number of projects within the Supreme Council of Universities and the universities, mainly to enhance the Higher Education Network.

About EUN
The main objectives of enhancing the Higher Education Network may be grouped into four major directions, namely:
- Quality of learning, through providing access to new (non-traditional) resources and improved teaching approaches,
- Quality of research, through increased access to different national and international knowledge and computational resources,
- ICT-led Management Information Systems, and
- Collaboration opportunities between universities.
(Diagram: Higher Education Network / ICTP chart with HEEP, ICTP, HEIC and UICs as the higher education components; roles: funding projects and monitoring performance; strategic plans, regulation and consultation; execution and dissemination. Context: National ICT Strategy, ICT Framework for Education and Research, e-Government Strategy, Connecting Communities Strategy.)

About EUN
What is the Higher Education Network?
- IT infrastructure supporting educational and research processes across higher education organizations.
- Data centres in premier universities in addition to EUN.
- Access to a wide variety of national and international knowledge channels and computational resources.
- e-Learning and distance-learning resources to be integrated within higher education curricula.
- Continuous guided e-training on different IT components.
- Streamlined organizational processes through intelligent Management Information Systems.
- Single knowledge and services gate via the higher education portal.
- Wide variety of computational resources and electronic services.

Introduction (1/2)
- The EG Grid infrastructure has been operating since 2006 through the EUMEDGrid project.
- EUN has been nominated as Registration Authority, using the INFN CA services, from 2006 until now.
- Through the EUMEDGrid Support project, EUN managed to establish the EG-Grid CA.

Introduction (2/2)
- The CP/CPS was prepared by EUN and revised by TUBITAK, Turkey.
- New hardware for the CA has been delivered.
- OpenCA software has been set up and tested.
- The on-line repository is ready.
- The EG-GRID CA constituency will cover the national academic and research community, including national and international Grid activities.
- A wider constituency covering commercial activities will be activated very soon.

CP/CPS
- The document is organized by EUN as defined in the RFC.
- Document OID:
- All versions (current and past) of the document will be available at the online repository.

CA System
- The EG-GRID CA is a stand-alone, self-signed CA and does not issue certificates to subordinate CAs.
- The CA system consists of 2 dedicated machines:
  o One offline CA signing server (CA server)
  o One online web server (online repository)

Operational Controls
- The EG-GRID CA operates in a controlled data center at EUN premises.
- Physical access to hardware is restricted to authorized personnel.
- Fire alarm and fire fighting systems are in place.
- The CA/RA operations are maintained at a high level of security.
- EUN is monitored by the EG-CSERT.
- Dedicated Network Security and Management team of 6 engineers.

EUN Data Center Logical View (diagram)

PKI in Egypt
- Legalized by Law 15/2004
- Root CA of Egypt in ITIDA, MCIT
  o Licenses Sub-CAs
  o Cross-certifies between CAs
- GOV-CA, MSAD for G2G
- 4 Commercial CAs
  o EgyptTrust, VeriSign technology, focusing on governmental and public projects
  o MCSD, Thales technology, focusing on stock and banking
  o SNS, Microsoft technology, private sector market
  o ACT, Entrust technology, did not go to business yet
- EUN is the RA for GOV-CA for the Ministry of Higher Education and public universities

PKI in Egypt
- Softlock, PKI technology provider
- Egypt Smart Token, fully developed as a granted research project
  o Funded by ITIDA, the root CA
  o PI: Dr. Ayman Bahaa
  o ENTRUST, VeriSign, CSP, PKCS#11, FIPS compliance

Online Repository
EG-GRID CA will maintain a secure online repository that includes:
  o The EG-GRID CA root certificate in CRT, PEM, DER, CER and text format
  o User and host certificates issued by the CA
  o A periodically updated Certificate Revocation List (CRL) in DER, PEM and text format
  o All versions (current and past) of its verified CP/CPS document
  o An official contact address
  o A physical contact address
  o Other information that can be regarded as relevant to EG-GRID CA
The on-line repository runs on a best-effort basis with 24x7 availability, subject to reasonable scheduled maintenance.

Certificate Types
- User Certificate (people)
- Host Certificate (computers)
- Service Certificate

Who can submit a certificate application
- Users affiliated to an eligible organization, for which they take full responsibility;
- hosts administered by the requesting eligible organization; and
- services provided on a host that is administered by an eligible organization.

Name Forms
The subject names for certificate applicants shall follow the X.500 standard:
  o for a user certificate, the subject name must include the person's name in the CN field;
  o for a host certificate, the subject name must include the FQDN (Fully Qualified Domain Name), as registered in DNS, in the CN field;
  o for a service certificate, the subject name must include the FQDN separated by a "/" in the CN field.

How to get a certificate (1/3)
- Requests are submitted over SSL-protected HTTP transport, in either PKCS#10 or SPKAC format.
- Procedures differ depending on whether the subject is a user or a host/service.
- In every case the subject has to generate their own key pair.
- Minimum key length is 2048 bits.
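The Name Forms rules and the 2048-bit minimum above are the kind of policy an RA would want to pre-check before a face-to-face meeting. The following is an added example, not code from EG-GRID CA or EUN: it encodes those rules (a person's name in the CN for users, an FQDN for hosts, and, as an assumption about the slide's wording, the form "service/FQDN" for services) and runs them over constructed sample applications. The `Request` class, its field names, the helper names and the sample subject names are all assumptions made for illustration.

```python
"""Policy pre-check for EG-GRID CA certificate applications.

Added example, not EG-GRID CA's or EUN's own code. It encodes the rules the
slides state (2048-bit minimum key; CN holds a person's name, an FQDN, or a
service name with an FQDN separated by '/') and applies them to constructed
sample requests. The Request class, its field names and the '<service>/<FQDN>'
ordering are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MIN_KEY_BITS = 2048  # minimum key length stated on the slides

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_dn(dn: str) -> dict[str, str]:
    """Split an RFC 4514-style string ('C=EG,O=EUN,CN=x') into attributes.

    Escaped commas ('\\,') stay inside a value; multi-valued RDNs and other
    escape sequences are outside the scope of this example.
    """
    attrs: dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    return attrs


def is_fqdn(name: str) -> bool:
    """True if name is a plausible fully qualified domain name (at least two labels)."""
    return len(name) <= 253 and _FQDN_RE.match(name) is not None


@dataclass
class Request:
    cert_type: str    # "user", "host" or "service" (the three types on the slides)
    subject_dn: str   # subject name as an RFC 4514 string
    key_bits: int     # size of the applicant's own key pair


def check_request(req: Request) -> list[str]:
    """Return the list of policy violations; an empty list means the request passes."""
    problems: list[str] = []
    if req.key_bits < MIN_KEY_BITS:
        problems.append(f"key length {req.key_bits} is below the {MIN_KEY_BITS}-bit minimum")
    try:
        cn = parse_dn(req.subject_dn).get("CN", "")
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if not cn:
        problems.append("subject name has no CN attribute")
    elif req.cert_type == "user":
        # A person's name, not something that would pass as a host or service name.
        if is_fqdn(cn) or "/" in cn:
            problems.append(f"user CN {cn!r} looks like a host or service name, not a person")
    elif req.cert_type == "host":
        if not is_fqdn(cn):
            problems.append(f"host CN {cn!r} is not an FQDN")
    elif req.cert_type == "service":
        service, sep, host = cn.partition("/")
        if not sep or not service or not is_fqdn(host):
            problems.append(f"service CN {cn!r} must have the form '<service>/<FQDN>'")
    else:
        problems.append(f"unknown certificate type {req.cert_type!r}")
    return problems


# Constructed sample applications (not real EG-GRID CA data).
SAMPLE_REQUESTS = [
    Request("user", "C=EG,O=EUN,CN=Ahmed Example", 2048),
    Request("host", "C=EG,O=EUN,CN=grid01.example.eg", 4096),
    Request("service", "C=EG,O=EUN,CN=ldap/grid01.example.eg", 2048),
    Request("host", "C=EG,O=EUN,CN=grid01", 1024),  # short name and weak key: two violations
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = check_request(req)
        print(f"{req.cert_type:8} {req.subject_dn:40} -> {verdict or 'OK'}")
```

The check deliberately reports every violation rather than stopping at the first one, so an applicant can fix a weak key and a malformed CN in a single round trip; the key size is taken as an integer here because the slides do not say which CSR parser the CA uses, so extracting it from a real PKCS#10 request is left to whatever tool the RA already has.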

How to get a certificate (2/3)
User Certificate:
- The user has to get the EG-GRID CA certificate (from the online repository).
- The user has to request a certificate (from the online repository).
- The user has to go to the Registration Authority (RA) for a face-to-face meeting, as the RA has to:
  o verify your identity and check your organization;
  o check the PIN that you entered when requesting the certificate.
- The RA will approve the user request based on the face-to-face meeting.
- The EG-GRID CA operator will review the RA approval and sign the request.
- The user will receive an e-mail containing the serial number and the instructions to get the certificate.

How to get a certificate (3/3)
Host Certificate:
The host certificate can only be requested by the administrator, who must already have a valid personal EG-GRID certificate and be responsible for the particular host, by one of two methods:
  o sending a signed e-mail to the RA; the RA then verifies the right of the requestor to obtain the certificate and forwards the request to the EG-GRID CA by signed e-mail;
  o authenticating to the EG-GRID CA secure website directly and requesting the host certificate.

Re-key Requests
- Expiration warnings will be sent to subscribers before re-key time.
- Re-key before expiration can be executed by sending a re-key request signed with the subscriber's current personal certificate.
- Re-key after expiration uses exactly the same authentication procedure as a new certificate.

Revocation Requests
For a user certificate, the revocation request must be authenticated in one of the following ways:
  o by issuing a revocation request from the public interface;
  o by personal authentication.
For a host or service certificate: by sending an e-mail signed with the certificate of the administrator responsible for the particular host or service.

Other important issues
- All archived records are stored on off-line media.
- Archives are maintained for 3 years.
- The operational audit will be performed once a year.
- Audit logs are maintained for 3 years.
- The lifetime of a certificate is one year.

Thank You