EuroCAMP Ljubljana, 3-5 March 2006. TERENA Server Certificate Service: Towards the large-scale use of affordable popup-free server certificates for the European NRENs.

Presentation transcript:

EuroCAMP Ljubljana, 3-5 March 2006
TERENA Server Certificate Service: Towards the large-scale use of affordable popup-free server certificates for the European NRENs
Licia Florio, TERENA

EuroCAMP, 3-5 April, Ljubljana
Topics
- PKI and X.509 certificates
- Motivation for the TERENA Server Certificate Project
- What the project is
- Service characteristics
- Why join

PKI in short
Public key cryptography:
- public key: encryption, signature verification
- private key: decryption, signing
[Figure: Licia encrypts the message "Dear Diego, I've arrived in Slovenia.." with Diego's public key; Diego decrypts it with his private key]

Problems
- Public key distribution
- Building trust
- Scalability
Solution: create a hierarchical trust fabric: X.509 PKI

X.509 PKI infrastructure: what are the elements
- Certification Authority (CA): issues certificates (trusted third party)
- X.509 certificates: bind the public key to its holder
- Registration Authority (RA): identity verification before a certificate is issued
- End entity: the private key holder (machine or end-user)
- Relying parties: the users who validate a certificate and decide to trust it

Real X.509 certificate usage today
- Grid (closed community): uses both server and user certificates
- Web servers: only server certificates, in many cases with the pop-up problem
- Large-scale user certificate use: nowhere!

The famous pop-up: PKI problem #1
The browser warns because the issuer of the certificate is not trusted by the browser: the issuing CA's root certificate is not in the browser's trust store, so the chain from the server certificate to a trusted root cannot be built.

TERENA Server Certificate Service (SCS): what is it about?
- A service, of course ;-)
- Issues server certificates that are popup-free, in unlimited number, at a very low price (the price is not per certificate)
For whom? The National Research and Education Network (NREN) community in Europe

When SCS started
- Project started in June 2004
- European NREN PKIs have been around for ~7 years, but are still not really deployed
- Anticipated growth in need: AAI middleware services; web-based 'stuff' (mail, e-learning, web services etc.); VPN; eduroam
- The community needs more server certificates

PKI growth problems
- Pop-up, problem #1: typical for NREN CAs; it defeats the security purpose of the certificate, because users who learn to click through the warning for their own NREN CA cannot tell it apart from the warning an attacker's certificate would produce
- Costs, problem #2: for a large number of server certificates, costs can become a problem

Solution 1: fixing the pop-up problem
- Get the root certificate into the browsers' root repositories (trust stores)
- Requires a WebTrust audit
- Expensive for an individual NREN PKI (~ the first time, ~ annually for the audits, plus all the costs of following the guidelines); a CA hierarchy adds to the cost!
- Running a CA: is that so interesting?

Solution 2: fixing the costs
- Try to contract a CA that is already in the browsers
- Flexibility in the certificate profile definitions
- Tailored RA procedures
- Costs not per certificate
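The pop-up problem and the two fixes above, as an added example that is not part of the original slides: a toy X.509 hierarchy built with the openssl command-line tool. It plays the four PKI roles (a CA signs, an end entity generates its own key and CSR, the CA issues after RA checks, a relying party verifies) and then checks the same server certificate against a browser-style trust store. All names (Example NREN CA, Example Browser Root CA, www.example.ac) are made up, and it assumes openssl 1.1.0 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the TERENA slides. Assumed: openssl 1.1.0+ on PATH.
# All CA and host names below are made up for illustration.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Certification Authority: key pair plus a self-signed root certificate.
# $1 = CA name, $2 = file prefix inside $WORK
make_ca() {
    cat > "$WORK/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$2.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# End entity: the server makes its own key pair and a certificate signing
# request. The private key stays on the server; only the CSR goes to the RA/CA.
# $1 = host name
make_csr() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1" > "$WORK/csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/csr.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# CA issues the certificate once the RA has checked that the requester owns
# the name; the name goes into subjectAltName, which is what browsers match.
# $1 = issuing CA prefix, $2 = host name, $3 = output prefix
issue_cert() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$2" > "$WORK/$3.ext"
    openssl x509 -req -sha256 -days 90 -in "$WORK/server.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

# Relying party (the browser): build a chain from the server certificate to a
# root in its trust store and check the host name. Prints OK or FAIL.
# $1 = trust store (PEM bundle), $2 = server cert prefix, $3 = expected host name
verify_against() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

HOST=www.example.ac
make_ca "Example NREN CA" nren            # the NREN's own CA
make_ca "Example Browser Root CA" root    # a CA the browser ships with
make_csr "$HOST"
issue_cert nren "$HOST" server_nren       # certificate from the NREN CA
issue_cert root "$HOST" server_root       # certificate from a browser-trusted CA

# The browser's trust store holds only the root it shipped with.
cp "$WORK/root.crt" "$WORK/browser-store.pem"
echo "NREN-issued cert, browser store:       $(verify_against "$WORK/browser-store.pem" server_nren "$HOST")"  # FAIL: the pop-up
# Solution 1: get the NREN root into the browser's store.
cat "$WORK/root.crt" "$WORK/nren.crt" > "$WORK/browser-store-plus-nren.pem"
echo "NREN-issued cert, store + NREN root:   $(verify_against "$WORK/browser-store-plus-nren.pem" server_nren "$HOST")"  # OK
# Solution 2 (SCS): have a CA that is already in the store issue the certificate.
echo "Browser-CA-issued cert, browser store: $(verify_against "$WORK/browser-store.pem" server_root "$HOST")"  # OK
# The name binding is checked as well: a valid chain for the wrong host still fails.
echo "Browser-CA-issued cert, wrong host:    $(verify_against "$WORK/browser-store.pem" server_root other.example.ac)"  # FAIL
```

The first FAIL is exactly the situation the slides call the pop-up: nothing is wrong with the NREN certificate itself, the relying party simply has no path to a root it trusts. Note that the last check fails even though the chain is valid, which is why the RA's check that the requester controls the host name matters as much as the signature.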

Solution 2: the way forward
- 8 NRENs + TERENA combined forces (proposal launched Feb 2005)
- Investigated the market
- Investigated EU tender guidelines
- Ran a light-weight tender (started Sep 2005)
- Signed a contract (Jan 2006)
- First certificate issued on 16 March 2006!

Who is involved
ACOnet (.at), CARNet (.hr), CESNET (.cz), RedIRIS (.es), RENATER (.fr), SURFnet (.nl), SWITCH (.ch), UNI-C (.dk); TERENA is the signing party

Service structure
- TERENA contracts with the supplier, for an initial one year, with the possibility to extend the contract
- NRENs contract with TERENA (liability!)
- NRENs are 'delegated RAs' for the supplier; TERENA appoints the delegated RAs
- NRENs are responsible for delivering RA services and technical support

Service features
- Re-use of the existing RA organisation
- Certificate profile flexibility (Grids!)
- Electronic RA procedures (under implementation)
- Easy server certificate delivery
- NREN-specific branding!

Benefits for the universities
- They need server certificates to enable SSL/TLS channels
- Very low costs, upon agreement with your NREN

How to join
- Your NREN has to join
- After June 2006 we can open the service to new NRENs; some NRENs are already waiting
- There is a fee to pay to join

Conclusion
- To make security tools a normal habit, they need to be easy to use; SCS is easy
- SCS proves how a 'federated' approach has solved a big problem
- We got a cool service