TNC 2006, Catania TERENA Server Certificate Service SCS Towards the large-scale use of affordable popup-free server certificates for the European NRENs.

TERENA Server Certificate Service (SCS)
Towards the large-scale use of affordable popup-free server certificates for the European NRENs
Licia Florio, John Dyer, TERENA & members of the community

AGENDA
- Motivation for the TERENA SCS
- Project description
- Service characteristics
- Why join?

The background
- European NREN PKIs have been around for many years, but are still not widely deployed
- Anticipated growth in need:
  - AAI middleware services
  - Grids
  - Web-based 'stuff' (mail, e-learning, web services etc.)
  - VPN
  - eduroam
- The only major use outside Grids is for servers

Why have server certificates? Pop-ups
- A self-issued certificate is not recognized by browsers
- The user sees a pop-up, doesn't check the certificate, clicks YES
- The user could be connected to anything
- In reality this subverts the certificate concept

Problem #2
- Authorized CAs are known to the browsers
- Accreditation of a CA is very expensive
- Certificates are relatively expensive when bought in large numbers on a per-certificate cost basis
- Our community needs a cost-effective way to obtain large numbers of server certificates

Finding a community solution
- TF-EMC2 discussions started in 2004
- First (draft) proposal in October 2004: interest expressed by a number of NRENs
- Call for Proposals issued by TERENA in August 2005; offers from commercial CAs received in September 2005
- Preferred supplier (GlobalSign) announced on 19 December 2005; contract signed on 9 January 2006

Participating NRENs
- ACOnet (Austria), CARNet (Croatia), CESNET (Czech Republic), CRU (France), RedIRIS (Spain), SURFnet (Netherlands), SWITCH (Switzerland), UNIC (Denmark)
- TERENA is the contracting party

What did we get?

The basics
- Each participating NREN has nominated RA Administrators
- These people have been trained at GlobalSign on how to administer the process
- They are the contact point between the server sysadmins and GlobalSign
- They are responsible for maintaining the integrity of the identification process
- They can request an unlimited number of certificates during the 1-year pilot

The process
1) Sysadmin generates key pair and creates CSR
2) Sysadmin submits CSR through GlobalSign's enrollment pages
3) Admin contact of organization receives a challenge e-mail to be replied to (with postal mail, fax, with scan of signed document, later possibly with a digitally signed e-mail)
4) RA administrator verifies request (identity of the applicant, organization, DNS domain in subject)
5) RA administrator approves (or rejects) the request
6) If approved: sysadmin receives certificate by mail
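
The sysadmin side of steps 1 and 2 and the mechanical part of the RA check in step 4, as an added example that is not from the slides and is not GlobalSign's enrolment system: it generates the key pair and CSR with the openssl CLI (the subject carries the SureServerEDU TLS mandatory attributes C, O and CN, and the CSR also asks for the subjectAltName dNSNames the "not yet available" slide lists), then runs the checks an RA administrator could automate before the out-of-band identity verification: the CSR signature, the presence of the mandatory attributes, and that the CN and every dNSName lie inside the DNS domain the organization is entitled to. The organization names, domains, file names and the SCS_WORKDIR variable are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): the sysadmin side (steps 1-2) and the
# RA-administrator side (step 4) of the enrolment process, using the openssl
# CLI. Organisation names, domains and file locations are constructed.

WORKDIR="${SCS_WORKDIR:-$(mktemp -d)}"

# Minimal req config so the commands below do not depend on a system
# openssl.cnf; the subject is always passed on the command line.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORKDIR/req.cnf"

# Steps 1-2: the sysadmin generates an RSA key pair and a CSR. The subject
# carries the SureServerEDU TLS mandatory attributes C, O and CN; the SAN
# dNSNames are the extension the slides list as expected in June 2006.
make_csr() {
    name="$1"; subject="$2"; san="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/req.cnf" -subj "$subject" \
        -addext "subjectAltName=$san" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
}

# Step 4, mechanical part: the RA administrator checks that the CSR is
# self-consistent (its signature proves possession of the private key), that
# the mandatory attributes are present, and that the CN and every SAN dNSName
# lie inside the DNS domain the organisation is entitled to. The identity
# check on the requester (step 3) happens out of band and is not modelled.
ra_check_csr() {
    csr="$1"; org_domain="$2"

    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "reject: CSR signature does not verify"; return 1; }

    # RFC 2253 form gives "CN=...,O=...,C=..." with plain comma separators.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//')
    for attr in C O CN; do
        case ",$subject" in
            *",$attr="*) ;;
            *) echo "reject: missing mandatory attribute $attr"; return 1 ;;
        esac
    done

    cn=$(printf '%s' ",$subject" | sed -n 's/.*,CN=\([^,]*\).*/\1/p')
    sans=$(openssl req -in "$csr" -noout -text | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p')
    for host in $cn $sans; do
        case "$host" in
            "$org_domain" | *".$org_domain") ;;
            *) echo "reject: $host is outside $org_domain"; return 1 ;;
        esac
    done
    echo "approve: $subject"
    return 0
}

# Walk-through with constructed requests: one in policy, one whose CN lies in
# another organisation's domain, one missing the mandatory O attribute.
make_csr good    "/C=NL/O=Example University/CN=www.example-uni.edu" \
                 "DNS:www.example-uni.edu,DNS:mail.example-uni.edu"
make_csr foreign "/C=NL/O=Example University/CN=www.other-uni.org" \
                 "DNS:www.other-uni.org"
make_csr no-org  "/C=NL/CN=www.example-uni.edu" "DNS:www.example-uni.edu"
for req in good foreign no-org; do
    # decisions are printed; a rejection is the expected outcome, not an error
    ra_check_csr "$WORKDIR/$req.csr" example-uni.edu || true
done
```

The domain test is deliberately on every name in the request, not only the CN: once dNSName aliases are allowed, a request whose CN is in policy but whose SAN names another organization's host must still be rejected.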

The SCS pre-installed root
SCS server certificates chain up to the ubiquitous GTE CyberTrust Global Root, which comes pre-installed with:
- all major operating systems (Windows, Mac OS 9 ff., …)
- most web browsers/applications (Mozilla, Opera, …)
- many software suites (Sun JRE/JDK, IBM WebSphere, Lotus Notes, Oracle Wallet Manager, KDE, OpenSSL, …)
- many mobile devices (Palm, BlackBerry; phones from Nokia, Sony Ericsson, Motorola, …)
For issuing SCS certificates, the Cybertrust Educational CA intermediate certificate is used (2006–2013)
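
To make the pre-installed-root point and the pop-up slide concrete, here is an added example (not from the slides, and not the real GTE CyberTrust or Cybertrust Educational CA material) that builds a toy chain of the same shape with the openssl CLI: a self-signed root standing in for the trust-store anchor, an intermediate standing in for the Educational CA, and a server certificate issued by that intermediate. It then checks, from the relying party's side with only the root in the store, what happens when the server sends its certificate together with the intermediate, without it, and when it uses a self-signed certificate instead. All names, files and the CHAIN_WORKDIR variable are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): a toy chain laid out like the SCS one
# (trust-store root -> "Educational CA" intermediate -> server certificate),
# built with the openssl CLI, plus a self-signed server certificate of the
# kind that triggers the browser pop-up. All names and files are constructed.

WORKDIR="${CHAIN_WORKDIR:-$(mktemp -d)}"

# Extension profiles for the two kinds of certificate. A relying party only
# accepts a certificate as an issuer if it is marked as a CA; the server
# profile carries the SAN a browser matches the URL host against.
cat > "$WORKDIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example-uni.edu
EOF

# Self-signed certificate with the given extension profile: used for the root
# that plays the pre-installed trust anchor, and for the self-signed server.
self_sign() {
    name="$1"; profile="$2"; subject="$3"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORKDIR/ext.cnf" -extensions "$profile" -subj "$subject" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.pem" 2>/dev/null
}

# Key pair + CSR for $name, signed by $issuer with the given profile.
issue() {
    name="$1"; issuer="$2"; profile="$3"; subject="$4"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/ext.cnf" -subj "$subject" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$name.csr" -days 30 -sha256 \
        -CA "$WORKDIR/$issuer.pem" -CAkey "$WORKDIR/$issuer.key" -CAcreateserial \
        -extfile "$WORKDIR/ext.cnf" -extensions "$profile" \
        -out "$WORKDIR/$name.pem" 2>/dev/null
}

build_chain() {
    self_sign root   ca     "/C=XX/O=Example Trust/CN=Example Global Root"
    issue     inter  root  ca     "/C=XX/O=Example Trust/CN=Example Educational CA"
    issue     server inter server "/C=XX/O=Example University/CN=www.example-uni.edu"
    self_sign selfsigned server "/C=XX/O=Example University/CN=www.example-uni.edu"
}

# A relying party whose store holds only root.pem. $2 is what the server
# sends alongside its own certificate (the intermediate, or nothing).
# Returns 0 when a path to the store is found, non-zero otherwise.
relying_party_accepts() {
    cert="$1"; sent_with="$2"
    if [ -n "$sent_with" ]; then
        openssl verify -CAfile "$WORKDIR/root.pem" -untrusted "$sent_with" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORKDIR/root.pem" "$cert" >/dev/null 2>&1
    fi
}

report() {  # $1 = certificate name, $2 = intermediate sent with it (may be empty)
    if relying_party_accepts "$WORKDIR/$1.pem" "$2"; then
        echo "$1 (sent with: ${2:-nothing}): chains to the store, no pop-up"
    else
        echo "$1 (sent with: ${2:-nothing}): no path to a trusted root, pop-up"
    fi
}

build_chain
report server "$WORKDIR/inter.pem"
report server ""
report selfsigned ""
```

The second case is the one the "intermediate cert" remark on the slide is about: a server certificate issued under an intermediate only verifies silently if the server is configured to send that intermediate along with its own certificate, since the client store holds the root alone.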

Certificates available
- No user certificates: server certificates only
- Available with 1, 2 or 3 years validity
- Three specific types

SureServerEDU TLS
- recommended default type for general-purpose servers (Web, e-mail, directory service, …)
- mandatory attributes: countryName (C), organizationName (O), commonName (CN)
- optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)

SureServerEDU TLS e-mail server
- special-purpose type for servers creating messages on their own (alerting service or similar); not needed for standard SMTP/IMAP/POP servers
- mandatory attributes: countryName (C), organizationName (O), commonName (CN), emailAddress (E)
- optional attributes: stateOrProvinceName (S), localityName (L), organizationalUnitName (OU), domainComponent (DC)

SureServerEDU
- standard type used by GlobalSign (includes the legacy netscape-cert-type extension)

Not yet available
- Expected June 2006: subjectAltName extension with one or more dNSNames (support for DNS aliases)

Service operational
- First certificate issued: 16 March 2006

Acknowledgements
- So many people in the community, some around the table, others not
- Licia, Karel
- These slides were based on material from Licia Florio of TERENA and Kaspar Brand of SWITCH; sorry for any liberties I have taken with their material

In Licia's words:

"We got a cool service"

Joining the TERENA SCS
- The initial pilot runs for one year
- After June 2006 we can open the service to new NRENs
- Some NRENs are already waiting
- There is a fee to pay to join
- If the pilot is successful, we will expand again