Classic X.509 AP updates (v4.1)


The Classic X.509 Profile Update and other assorted issues
David Groep, July 2007

Classic X.509 AP updates (v4.1)
Major points addressed in 4.1:
- explicit definition of what we mean with "should"
- FQDN "ownership"
- maximum 5 years without any kind of checking
- reformulated on-line CA architectures; includes explicitly the two pre-vetted architectures
- keyUsage SHOULD (was MUST) be critical in CA certs
- compliance with Grid Certificate Profile draft (in OGF)

Classic v4.1 Updates (1)
- clearer definition of what we mean by "should"
- FQDN 'ownership'
- a form of validation after at most five years: this has been buried in very old minutes and has now been made explicit

Classic v4.1 Updates (2)
- On-line CA architectures

Classic v4.1 Updates (4)
- keyUsage extensions SHOULD be critical in a CA cert: this used to be a MUST, but that would unnecessarily exclude some commercial top-level CAs (e.g., NetTrust)
- Compliance with the Grid Certificate Profile document: the document is now in draft in the OGF CAOPS-WG and almost finished; it embodies lots and lots of community knowledge on what a certificate ought to look like; read it before you set up a new CA, regenerate a root cert, or think about an end-entity certificate profile
- Auditing: if you re-issue without a new identity vetting, you MUST keep the original records for at least as long as there are certs based on this vetting, plus the default grace period

Classic v4.1+ - what is still pending
Still pending for a next version:
- some real insights in the necessary site security measures
- certificate/CRL profile to be revised once the OGF document thereon is formally published
- language clarification on documented traceability in various places

Other (non-)contentious issues discussed in TR
- CRLs for compromised CAs
- non-repudiation bit in keyUsage and how that relates to email signing
- the meaning of Locality, and why to use O if you can
- objectSigning bits: should we also address who is allowed to get this bit? should the organisation be involved (Milan)? or does it only assert that the code was signed by this user, as is done in the UK, NL and AT, and so better keep as is?
- prepare the profile a bit better for Robot certificates
- CDP in EE certificates ought to point to a DER CRL
- auditable traceability in ID vetting and alternative solutions, and the meaning of SHOULD
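Two of the profile points above (keyUsage critical in a CA cert, and an EE cert's CDP pointing at a DER CRL) can be checked mechanically on the certificate's Extensions structure. The following is an added example, not code from the slides nor from any EUGridPMA or IGTF tool: a minimal DER encoder/decoder in plain Python that constructs sample Extensions blobs (made up here; the CRL URI is a placeholder), reports whether a CA certificate's keyUsage carries keyCertSign and is marked critical, extracts the URIs from an end-entity certificate's CRL distribution point extension, and tells a DER CRL from a PEM one. The parser goes slightly beyond the slides in that it walks any Extensions list, not only the two extensions discussed.

```python
# Added example: minimal DER handling for two Classic-profile checks (not the
# slides' own code). Sample data below is constructed; the CRL URI is a placeholder.
KEY_USAGE_OID = "2.5.29.15"            # id-ce-keyUsage
CRL_DP_OID = "2.5.29.31"               # id-ce-cRLDistributionPoints
KEY_CERT_SIGN, CRL_SIGN = 0x04, 0x02   # keyUsage bits 5 and 6, MSB-first in the first octet

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, continuation bit on all but the last octet
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extension(oid, critical, inner):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, inner))

def key_usage(flags):
    """keyUsage BIT STRING; DER strips trailing zero bits, so count them as unused."""
    if not flags:
        return tlv(0x03, b"\x00")
    return tlv(0x03, bytes([(flags & -flags).bit_length() - 1, flags]))

def crl_dp(uri):
    """CRLDistributionPoints with one DistributionPoint -> [0] fullName -> [6] URI."""
    general_name = tlv(0x86, uri.encode("ascii"))     # uniformResourceIdentifier
    full_name = tlv(0xA0, general_name)                # DistributionPointName.fullName
    dist_point = tlv(0x30, tlv(0xA0, full_name))       # DistributionPoint.distributionPoint
    return tlv(0x30, dist_point)

def parse_extensions(der):
    """Return [(oid, critical, extnValue content)] from an Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                  # optional critical BOOLEAN before the OCTET STRING
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        exts.append((decode_oid(oid_body), critical, val))
    return exts

def check_ca_key_usage(exts):
    """v4.1: keyUsage SHOULD be critical in a CA cert and must carry keyCertSign."""
    for oid, critical, val in exts:
        if oid == KEY_USAGE_OID:
            _, bits, _ = read_tlv(val)   # BIT STRING: unused-bit count, then flag octets
            flags = bits[1] if len(bits) > 1 else 0
            if not flags & KEY_CERT_SIGN:
                return "FAIL: keyCertSign not set"
            return "OK" if critical else "WARN: keyUsage is not marked critical"
    return "FAIL: no keyUsage extension"

def ee_crl_uris(exts):
    """URIs named by the CDP extension of an end-entity cert (empty list if none)."""
    uris = []
    for oid, _, val in exts:
        if oid != CRL_DP_OID:
            continue
        _, points, _ = read_tlv(val)
        pos = 0
        while pos < len(points):
            _, dp, pos = read_tlv(points, pos)
            tag, name, _ = read_tlv(dp)
            if tag != 0xA0:              # no distributionPoint component in this entry
                continue
            tag, names, _ = read_tlv(name)
            if tag != 0xA0:              # nameRelativeToCRLIssuer rather than fullName
                continue
            q = 0
            while q < len(names):
                tag, gn, q = read_tlv(names, q)
                if tag == 0x86:
                    uris.append(gn.decode("ascii"))
    return uris

def is_der_crl(blob):
    """A DER CRL starts with a SEQUENCE tag; a PEM one starts with text armour."""
    return blob[:1] == b"\x30" and not blob.startswith(b"-----BEGIN")

# Constructed samples (not real CA data); the CRL URI is a placeholder.
CA_EXTS = tlv(0x30, extension(KEY_USAGE_OID, True, key_usage(KEY_CERT_SIGN | CRL_SIGN)))
PRE_41_CA_EXTS = tlv(0x30, extension(KEY_USAGE_OID, False, key_usage(KEY_CERT_SIGN | CRL_SIGN)))
EE_EXTS = tlv(0x30, extension(CRL_DP_OID, False, crl_dp("http://ca.example.org/crl/ca.crl")))
```

To run the same checks on a real certificate, feed `parse_extensions` the content of the `[3] EXPLICIT Extensions` element of the TBSCertificate; the sample blobs are only that structure, built in isolation so the example runs offline. The legacy sample shows the case the v4.1 wording now tolerates: keyUsage present and correct but not critical, reported as a warning rather than a failure.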

TACAR, the TERENA Academic CA Repository
- trusted and centralized place where root CA certs can be stored and safely retrieved
- which is policy-neutral (but 'IGTF-ready')
- for CAs directly managed by TERENA members belonging to a national academic PKI in member states
- for all CAs set up to support not-for-profit research, in which the academic community is directly involved

IGTF Distribution in Other Formats
- Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities
- formerly known as Anders' RPM set, today also available as: JKS, tar-gz, configure && make, ...
- usually built by the EUGridPMA (me, actually)
- mirrored twice-daily to the apgridpma.org site
- copied and re-distributed by downstream vendors (EGEE/LCG, VDT, ...)
- also contains the fetch-crl utility (now at version 2.6.3)
- Download location: https://dist.eugridpma.info/distribution/

Some dates for you to remember and schedule
- September 4-5, 2007: TF-EMC2 meeting, Prague, CZ
- September 19-21, 2007: 11th EUGridPMA meeting, Thessaloniki, GR
- October 15-19: OGF 21 (CAOPS, IGTF, ...), Seattle (WA), USA
- January 14-16, 2007: 12th EUGridPMA meeting, Amsterdam, NL