Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA National Institute of Informatics, JAPAN Toshiyuki Kataoka, Kento Aida, Shinichi Mineo APAN 24 Middleware Session, Xi’An Aug.28, 2007
2 OUTLINE NAREGI Certification Service UPKI Common Specifications UPKI Enhancement of CA System Grid Operation Center Plan Issues
NAREGI-CA Certification Service
4 ● Publication of scientific results from academia Human Resource Development and strong organization NAREGI Middleware Virtual Organization For science 1-1 CyberScience Infrastructure for Advanced Science (by NII) for Advanced Science (by NII) To Innovate Academia and Industry UPKI ★ ★ ★ ★ ★ ★ ★ ☆ Super-sinet: a next generation network infrastructure supported by NII and 7 National Computer Centers Cyber Science Infrastructure 北海道大学 東北大学 東京大学 NIINII 名古屋大学 京都大学 大阪大学 九州大学 (東京工業大学、早稲田大学、高 エネルギー加速器研究機構等) Scientific Repository Industry Liaison and Social Benefit Global Contribution
5 1-2 NAREGI Certification Authority NAREGI (National Research Grid Initiative) PJ develops grid middleware. NAREGI CA is operated by NAREGI PJ, and it issues certificates for development and doing research using NAREGI grid middleware NAREGI CA is a member of APGrid - NAREGI CA is authorized by the APGrid PMA as a Production Level CA. - NAREGI PMA is a member of APGrid PMA. NAREGI CA issues certificates to NAREGI project members (National Institute of informatics, Institute for Molecular Science)
6 Certificate Users Host Administrators RA Administrator CA Operator Application for bulk license ID Issuance of bulk license ID ① Preparation License ID request Receive request, Inspection ② License ID request Certificate request ③ Issuance request ④ Revoke request ⑤ Reissuance request Receive request, Issuance/Revoke certificate Retrieve data for creating map file Make data for creating map file ⑥ Retrieve data for creating map file NAREGI CA User site Account Registration Request Account Registration 1-3 NAREGI CA operation
UPKI Common Specifications
8 2-1 UPKI Architecture Web サーバ NII Pub CA Web Srv. Web サーバ S/MIME Other Pub CA S/MIME Web Srv. 学内用 A Univ. CA EE 学内用 B Univ. CA EE A Univ. NAREGI CA EE B Univ. NAREGI CA Campus PKI Open Domain PKI NAREGI PKI S/MIME Auth, Sign, Encrypt. Sign, Encrypt. Auth, Sign, Encrypt. Grid Computing Proxy EE Proxy EE Student, Faculty Server, Super Computer Student, Faculty Server, Super Computer
9 2-2 UPKI Activities Web サーバ NII Pub CA Web Srv. Web サーバ S/MIME Other Pub CA S/MIME Web Srv. 学内用 A Univ. CA EE 学内用 B Univ. CA EE A Univ. NAREGI CA EE B Univ. NAREGI CA Campus PKI Open Domain PKI NAREGI PKI S/MIME Auth, Sign, Encrypt. Sign, Encrypt. Auth, Sign, Encrypt. Grid Computing Proxy EE Proxy EE Student, Faculty Server, Super Computer Student, Faculty Server, Super Computer NAREGI-CA Enhancement NAREGI-CA Pack UPKI Common Specification Server Certificates S/MIME Certificates Eduroam
UPKI Common Specifications Web サーバ NII Pub CA Web Srv. Web サーバ S/MIME Other Pub CA S/MIME Web Srv. 学内用 A Univ. CA EE 学内用 B Univ. CA EE A Univ. NAREGI CA EE B Univ. NAREGI CA Campus PKI Open Domain PKI NAREGI PKI S/MIME Auth, Sign, Encrypt. Sign, Encrypt. Auth, Sign, Encrypt. Grid Computing Proxy EE Proxy EE Student, Faculty Server, Super Computer Student, Faculty Server, Super Computer UPKI Common Specifications
11 UPKI Common Specifications Campus PKI procurement guidelines Campus PKI CP/CPS templates Campus PKI model Two outsource models and one insource model Developed and Published for outsource model Only available in JAPANESE! 2-4 UPKI Common Specifications Campus CP/CPS templates Deployment of campus PKI at each universities - -Connecting universities - - Federation of applications 2008 Campus PKI Spec. Outsource modelInsource model Multi-university cooperative model Outsource modelInsource model Multi-university cooperative model -To promote Campus PKI deployment PKI deployment -To reduce cost -To keep multi-university cooperativity cooperativity
12 Insource Univ RA IA Univ. provider Full outsource RA IA IA outsource Univ provider IA RA CP/CPS 2-5 Operation Models of CA
UPKI Enhancement of CA System
Enhancement in UPKI Enhancement for actual operation of CA/RA at universities; 1. To split and delegate RA. 2. To provide staffs/students means to apply by themselves. 3. To issue grid certificate by identification of campus certificate.
Enhancement in UPKI (1),(2) 1. To split and delegate RA. - Created RA/LRA operator authorities split from RA administrator authorities. - Secure delegation by using IC card. - Delegation to hierarchized institutions in universities for actual operation. 2. To provide staffs/students means to apply by themselves. - Easy application of registration, issuance, and revocation from the web. - Secure application by using challenge PIN. - Reduced burden of RA operation.
16 CA Administrator CARA RA Administrator IC Card 3-3 Enhanced Procedure To Issue Certificate CA Administrator RA Administrator RA Operator User License ID Issue Certificate RACA Apply Identify Approve Issue Certificate Application Server (web) Management Server (web) Delegate Challenge PIN License ID Local RA User Identify Apply License ID
Enhancement in UPKI (3) 3. To issue grid certificate by identification of campus certificate. - Cooperation of Grid CA and Campus CA. - Reduced burden of RA operation. - Any certificate can be issued for other AP.
18 CampusCA Issue Certificate Campus PKI Grid PKI NAREGI CA Super Computer Grid System Super Computer Issue Certificate Request Certificate (Use IC Card as credential) LDAP NAREGI RA IC Card Certificate for Grid System Access User 3-5 Campus-Grid PKI Federation
Grid Operation Center Plan
Grid Operation Center Plan GOC CA issues certificates to authorized members of CSI using grid Operation will be compliant with APGrid policies Cooperate with many universities and research institutes
Operation models of GOC GOC will operate three models. (1) LRA in GOC operates registration; GOC will inspect user documents, and face to face identification. (2)LRA in university operates registration; University will inspect user documents, and face to face identification. (3)Use Campus certificate as an identification to issue grid certificate; University will inspect user documents, but skip face to face identification.
Issues
Issue 1 - User Identification - APGrid PMA minimum CA requirements; “In order for an RA to validate the identity of a person, the subject must contact the RA personally and present photo-id and/or valid official documents showing that the subject is an acceptable end entity as defined in the CP/CPS document of the CA.” - Campus PKI CPS template; “The information of students or faculties will be collected on admission and stored in database in universities. Campus PKI CA will issue campus certificate by using and trusting the collected information in the database” -> Is it proper and feasible to use Campus certificate as an identification for issuing grid certificate? -> Add a following term to Campus PKI CPS template? “photo-id and/or valid official documents in the case of using campus certificate as an identification for grid certificate.”
Issue 2 - On revocation of campus certificate; - For the grid certificate that has issued by identifying with campus certificate -> Keep the grid certificate valid? -> Revoke the grid certificate? How? Check CRL of campus certificate?
Issue 3 - Audit - GOC : APGrid PMA will do mutual audit - LRA in universities: GOC will audit? - CA for campus PKI in universities: Need audit? and who?