Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;

Slides:

Advertisements

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Advertisements

Introduction of Grid Security

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.

HEPKI-PAG Policy Activities Group David L. Wasley University of California.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

KFKI CA József Kadlecsik KFKI RMKI

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

UNAMgrid Alejandro Núñez Sandoval Rio de Janeiro, Brazil, 03/27/06 F2F meeting, TAGPMA.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

Academia Sinica Grid Computing Certification Authority (ASGCCA)

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Grid Canada Certificate Authority Darcy Quesnel

Creating and Managing Digital Certificates Chapter Eleven.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

X509 Web Authentication From the perspective of security or An Introduction to Certificates.

Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.

TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

HKU Computer Centre Grid Certificate Authority Status Update Lilian Chan IT Services, The University of Hong Kong APGrid.

18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.

GRID-FR French CA Alice de Bignicourt.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

TNGrid CA 24 th EUGridPMA meeting Ljubljana, Slovenia, January, 2012 Heithem ABBES Mohamed JEMNI

H I A S T HIAST GRID CA 21 th EUGridPMA meeting Utrecht, January, 2011 Ghassan SABA Houssam ABED

IRAN-GRID Certificate Authority 13 th EUgridPMA Meeting Copenhagen May 2008 Majid Arabgol Hessamdding Arfaei Shahin Rouhani

MD-Grid CA Valentin Pocotilenco RENAM Association

Key management issues in PGP

UGRID CA Sergii Stirenko, Oleg Alienin

جايگاه گواهی ديجيتالی در ايران

Resource Certificate Profile

NATIONAL CENTRE FOR PHYSICS PK-Grid-CA

PKI (Public Key Infrastructure)

Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau

MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019

National Trust Platform

Presentation transcript:

Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation; 1 Armenian e-Science Foundation; 2 Yerevan Physics Institute; 2 Yerevan Physics Institute; 3 Student at Department of Computer Science and Informatics, State 3 Student at Department of Computer Science and Informatics, State Engineering University of Armenia; Engineering University of Armenia; 4 Student at Department of Applied Mathematics, Yerevan State University 4 Student at Department of Applied Mathematics, Yerevan State University Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

Armenian e-Science Foundation Non-profit Institution, established in Goals - introduction and dissemination of the e-Science technologies in Armenian scientific, educational and other organizations. Sponsors: Swiss “Fonds Kidagan”; Caloust Gulbenkian Foundation; “Link Ltd” software developing company ( “Lans Ltd” computer hardware vending company ( “Web” Internet Service Provider ( Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

ArmeSFo Certification Authority One of the main objectives of ArmeSFo is the deployment of the Grid infrastructures in Armenia. ArmeSFo CA is an Armenian Certification Authority maintained by ArmeSFo as a courtesy service to the Armenian Grid community. ArmeSFo CA is managed by the ArmeSFo team of the Yerevan Physics Institute ( ). Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

CA CP/CPS The document is based on the following sources: [RFC 2527], [RFC3280], [DOE CP/CPS], [DutchGrid CP/CPS], [INFN CP/CPS], [Grid-Ireland CP/CPS], [LIP CP/CPS], [UK CP/CPS], [EuroPKI CP], [ASGCCA CP/CPS], [CERN CP/CPS]. Ara A. Grigoryan Object Identifier: December 2003, Version 0.1 (Draft-B) Grid CA meeting, Dublin, December 11 th 2003

CA Distinguished Names Scheme Common fixed component: C=AM, O=ArmeSFo Examples of the Distinguished Names: For issuer: C=AM, O=ArmeSFo, CN=ArmeSFo CA For persons: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=Artem Harutyunyan For servers: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=aligrid.yerphi.am For grid hosts: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=host/aligrid.yerphi.am For services: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=ldap/aligrid.yerphi.am Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

CA Certificates Extensions Eight X.509 extension entries/attributes: basicConstraints (critical), keyUsage (critical), subjectKeyIdentifier, authorityKeyIdentifier, subjectAltName, issuerAltName, certificatePolicies, crlDistributionPoints Five Netscape extension entries/attributes: nsCertType, nsBaseUrl, nsCaPolicyUrl, nsComment, nsCaRevocationUrl Three sets of extensions (three sets of attribute values): 1. ArmeSFo CA user certificate extensions; 2. ArmeSFo CA server/host and service certificate extensions; 3. ArmeSFo CA root certificate extensions; Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

CA Root Certificate Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 URL: Self-signed Certificate Subject DN=Issuer DN: C=AM, O=ArmeSFo, CN=ArmeSFo CA Date of issuance: Life time: 1096 days Key length: 2048 bits MD5 Fingerprint: 63:B3:08:9F:57:76:4A:B0:FC:D2:3D:26:15:14:CA:E7 Hash value: d0c2a341

CA End Entity Certificates Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Life time: Not more than 1 year Key length: At least 1024 bits Authentication of the entity’s identity: For person requesting a certificate: In person presentation of valid official identification document For server/host/service: Request is sent by , signed by a valid ArmeSFo CA certificate of the corresponding system administrator Public key delivery to ArmeSFo CA: Signed , FDs, CDROMs

CA Certificate Revocation List Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 URI: CRL issuance frequency: The maximum (minimum) lifetime of the CRL is 30 (7) days; CRL is updated immediately after every revocation; CRL is reissued at least 7 days before expiration Circumstances for revocation:  The private key has been lost or compromised;  The information in the certificate is suspected to be inaccurate;  The subscriber has failed to comply with the rules of ArmeSFo CA CP/CPS;  The system to which the certificate has been issued has been retired.  The subscriber of the certificate has ceased his relation with organization;  At subscriber’s request

CA Security Standards Private key security:  Protected by strong (at least 16 characters) pass-phrase;  Kept encrypted in multiple copies in FDs and CDROMS stored in secure places Computer security:  Operating systems of the ArmeSFo CA computers are maintained at a high level of security by applying all recommended and applicable patches;  Operating systems configuration is reduced to the base minimum;  Signing machine is kept in a safe and powered off between uses. Only the ArmeSFo CA personnel have access to the safe’s keys. Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

CA Signing Machine Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Location: Yerevan Physics Institute

CA Recorded and Archived Events Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Types of events recorded:  Certification requests;  Issued certificates;  Revocation requests;  Issued CRLs;  CA machine boots/logins/logouts. Types of events archived:  Certification requests;  Issued certificates;  Revocation requests;  Issued CRLs;  CA machine boots/logins/logouts;  All electronic messages sent to and by the ArmeSFo CA.

CA Personnel Control Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Background, qualification and experience requirements: The ArmeSFo CA personnel is recruited from the ArmeSFo team of the Yerevan Physics Institute. The recruited persons are familiar with the importance of PKI and are technically and professionally competent. Documentation supplied to personnel:  Copy of the ArmeSFo CA CP/CPS;  The ArmeSFo CA Operations Manual.

CA Personnel Ara A. Grigoryan Arsen Hayrapetyan Artem Harutyunyan Grid CA meeting, Dublin, December 11 th year experience of the work on the Grid issues, including certification (AliEn)

CA Contact Details Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Address for operational issues: Yerevan Physics Institute 2, Brothers Alikhanian Str Yerevan Armenia Phone: (+ 3741) ; Fax:(+ 3741) Contact persons: Ara A. Grigoryan Artem Harutyunyan Yerevan Physics Institute 2, Brothers Alikhanian Str Yerevan Armenia Phone: (+ 3741) ; Fax: (+ 3741)