EU NREN PKI – Jan Meijer – AARnet PKI / Access Federations Strategy Workshop, 10 February 2010, Sydney.

Presentation transcript:

EU NREN PKI – Jan Meijer – AARnet PKI / Access Federations Strategy Workshop, 10 February 2010, Sydney

me:
– SURFnet – CERT, security, PKI, systems engineering, e-voting
– 2007-now: UNINETT – service development, storage, PKI

beautiful morning NRENs 6 months server certs starting personal

PKI purpose – guarantee:
– Authenticity
– Confidentiality
– Integrity
– Non-repudiation

ehr, no, we want:
– others not to read our mail
– to know the sender is the sender
– that, for documents, thanks
– no reading of my credit card number
– no reading of my health information
– no reading of my passwords
– log on to my internal web site

if it doesn’t work it doesn’t work

the issue ?

direct trust

hierarchical trust

web of trust

Feb 1993, RFC 1422: Privacy Enhancement for Internet Electronic Mail, Part II: Certificate-Based Key Management (obsoletes RFC 1114, Mail Privacy: Key Management, 1989)

Feb 1993, RFC 1422 The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA). The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy. Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations. Each PCA is certified by the IPRA.

USA crypto exports
– <1996: International Traffic in Arms Regulation
– 1996: Export Administration Regulations (EAR) of the Department of Commerce
– 31 Dec 1998: 56 bit without license
– 12 January 2000: freedom to export
source: Bert-Jaap Koops’ Crypto Law Survey

Pretty Good Privacy
– Jun 5, 1991: PGP 1.0
– Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.63i… with help:
– Aug 1996: RFC 1991, PGP Message Exchange Formats (FYI)
– Nov 1998: RFC 2440, OpenPGP Message Format (STD)

1994: Netscape Navigator
Internet Explorer 2.0

(1994) 1996: .nl electronic purse: chipknip, chipper

13 December 1999: DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

1995: Student Chip Card

qualified digital signatures!

1998: SURFnet PKI
– PGP PKI: PGP keyserver pgp.surfnet.nl
– x.509 PKI

use
PGP
– signing and encryption
– document signing and encryption
x.509
– signing and encryption
– document signing and encryption
– authentication
– smartcard deployments

requirements
– scalable identity vetting at university
– affordable server and client certificates

SURFnet x.509 PKI
– 1998: setup
– 1999: production

more levels

europe

down in the trenches

soon

~2000: Netherlands qualified Digital Signature accreditation framework ready; SURFnet PKI: test audit

~2001: “SURFdiensten” GlobalSign discount deal for .nl higher ed

: PKI evolves
– Focus on policy
– Focus on CA operations
– Plans to interlink European PKIs
– Separate eScience Grid PKI
– TACAR
– Experience, but not large scale deployment

SURFnet PKI numbers New CAsPersonalServer course 

popular?
– SSL server certificates
– Personal certificates
– Code Signing certificates

biggest problem?

get root in browsers 2000: $ x : IE: WebTrust

puzzling pieces
– in browser root, $$
– flat rate
– unpunished success
– why do I want to run my own CA?

TERENA

idea
– join forces
– contract commercial CA
– flat-rate for the TERENA community, unlimited
– NREN becomes RA
– re-use existing contractual relations
– make it stupid to not secure your server with SSL

use existing relations

SCS timeline
– Jan 2005: idea written up (TF-CSIRT!)
– Feb 2005: presented at TF-EMC2, “the list”, 20 kEUR
– Summer 2005: reality + procedure check
– September 2005: CfP
– January 2006: GlobalSign contract

16 March 2006: SCS is born

SCS numbers 12/2007
NREN          # issued   # organisations
ACOnet        979        26
ARNES*        23         n/a
BELNET        673        57
CARNet        166        n/a
CESNET        452        20
CRU/RENATER
GARR**        100        20
JANET (UK)
RedIRIS
SUNET***      487        17
SURFnet
SWITCH        1200       n/a
UNI-C****     1366       n/a
UNINETT
NRENs certificates

SCS numbers per 1 Aug 2008
– # participating NRENs: 18 (14)
– # certificates issued: (12551)
– # participating orgs: 2.225
– # proxies: 3.800

2007: mission accomplished! no ssl = lame and behavioural change...

SCS: lessons learned
– vested interests, existing services, strong opinions, policy devil....
– browser popup was the problem
– certain level of control good
– do what matters
– good enough = good enough!

2007: contract renewal with GlobalSign; start preliminary work with new CfP

new CfP, lessons learned
1. root coverage: browsers *and* other platforms
2. validity on contract end
3. ensuring future root coverage
4. end user interfaces
5. interface response times
6. describe certificate request processing
7. profiles
8. subjectAltName
9. multiple valid certificates
10. internationalisation
11. support
12. auditing
13. training
14. certificate lifetime

more lessons... optional reqs
1. alternative lifetimes
2. end user interface for renewal
3. per NREN branding
4. additional profiles
5. eScience Grid certificate support
6. API
7. wildcard certificates
8. OCSP
9. extensive reporting

interesting CfP

TERENA Certificate Service

crucial lesson: GlobalSign SCS certificates revoked 3 months after contract expiry
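The CfP requirements above (root coverage on browsers and other platforms, validity on contract end, subjectAltName, multiple valid certificates, certificate lifetime, wildcard certificates) and the crucial lesson about revocation at contract end all come down to checks on a few fields of an issued certificate. The following Python is an added example, not code from the talk or from SURFnet, TERENA, GlobalSign or the TCS project. It models a certificate as a small record instead of parsing X.509; the hostnames, dates, root names and trust-store contents are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for an issued server certificate (constructed, not a real cert)."""
    label: str
    sans: tuple            # dNSName values from the subjectAltName extension
    not_before: date
    not_after: date
    root: str              # name of the root CA the chain ends in


def san_matches(pattern, hostname):
    """dNSName comparison in the spirit of RFC 6125: case-insensitive, a wildcard is
    accepted only as the complete left-most label, matches exactly one label, and
    must leave at least two fixed labels (so '*.org' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covers_hostname(cert, hostname):
    """Requirement 8 (subjectAltName): the name must appear in the SAN list."""
    return any(san_matches(san, hostname) for san in cert.sans)


def is_valid_on(cert, day):
    return cert.not_before <= day <= cert.not_after


def outlives_contract(cert, contract_end):
    """Requirement 2 ('validity on contract end') and the crucial lesson: a certificate
    whose notAfter lies beyond the contract end is at risk of early revocation."""
    return cert.not_after > contract_end


def missing_root_coverage(cert, root_stores):
    """Requirement 1 ('root coverage: browsers *and* other platforms'): platforms whose
    trust store lacks the root this certificate chains to, i.e. where a pop-up or a
    failed connection would result."""
    return sorted(p for p, roots in root_stores.items() if cert.root not in roots)


def pick_certificate(certs, hostname, day):
    """Requirement 9 ('multiple valid certificates'): when several valid certificates
    cover a name, prefer the one with the longest remaining lifetime."""
    usable = [c for c in certs if covers_hostname(c, hostname) and is_valid_on(c, day)]
    return max(usable, key=lambda c: c.not_after) if usable else None


# Constructed sample data: hypothetical hostnames, dates, root names and trust stores.
ROOT_STORES = {
    "browser-a": {"Example Root CA", "Other Root CA"},
    "browser-b": {"Example Root CA"},
    "mail-client": {"Other Root CA"},
}
CERTS = [
    CertRecord("old", ("www.example.org",), date(2008, 1, 1), date(2010, 6, 30), "Example Root CA"),
    CertRecord("wild", ("*.example.org", "example.org"), date(2009, 9, 1), date(2012, 9, 1), "Example Root CA"),
    CertRecord("expired", ("www.example.org",), date(2006, 1, 1), date(2009, 1, 1), "Other Root CA"),
]
CONTRACT_END = date(2011, 12, 31)   # hypothetical end of the CA contract


def audit(certs=CERTS, hostname="www.example.org", day=date(2010, 2, 10),
          contract_end=CONTRACT_END, root_stores=ROOT_STORES):
    """Run every check for one hostname; returns a dict keyed by certificate label plus
    the label of the certificate that would be selected for that name on that day."""
    report = {}
    for c in certs:
        report[c.label] = {
            "covers": covers_hostname(c, hostname),
            "valid": is_valid_on(c, day),
            "outlives_contract": outlives_contract(c, contract_end),
            "missing_roots": missing_root_coverage(c, root_stores),
        }
    chosen = pick_certificate(certs, hostname, day)
    report["chosen"] = chosen.label if chosen else None
    return report


if __name__ == "__main__":
    for label, result in audit().items():
        print(label, result)
```

In the sample data the wildcard certificate is the one that would be chosen for www.example.org, but it is also the one flagged by outlives_contract, which is exactly the situation the crucial lesson describes: a certificate that is technically valid but whose lifetime is not guaranteed by the contract that issued it.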

CfP failure Plan B?

New TCS!
5 TERENA CAs
– Server
– Code signing
– Personal
– eScience Server
– eScience Personal
own CPS, own front-ends, Comodo backend + roots

TCS numbers Jan
NREN         # issued
RENATER      2758
SURFnet      2499
UNI-C        1643
JANET(UK)    1289
SUNET        1088
CESNET       1069
ACOnet       733
UNINETT      599
BELNET       383
PSNC         140
GRNET        116
FCCN         61
CARNet       56
HUNGARNET    35
GARR         22
LITNET       21
RedIRIS      21
HEAnet       11
ARNES        7
CSC          6
AMRES        2
UoM          0
# issued: 12573
# NRENs: 22

TCS is

TCS organisation
– TERENA – contractual party, financial clearing house, contact conduit to Comodo
– TCS PMA, club of 5 – CPS responsibility
– TCS Representatives – 1 per NREN, formal decisions
– TCS RAs – day to day operations

TCS Members
Country         NREN        Server  Code  Personal
Austria         ACOnet      X       X     X
Belgium         BELNET      X       X     X
Croatia         CARnet      X
Czech Republic  CESNET      X             X
Denmark         UNI-C       X
Finland         CSC         X             X
France          RENATER     X             X
Greece          GRNET       X             X
Hungary         HUNGARNET   X
Ireland         HEAnet      X             X
Lithuania       LITNET      X             X
Malta           UoM         X
Netherlands     SURFnet     X       X     X
Norway          UNINETT     X       X     X
Poland          PSNC        X       X     X
Portugal        FCCN        X
Serbia          AMRES       X             X
Slovenia        ARNES       X
Spain           RedIRIS     X       X     X
Sweden          SUNET       X       X     X
UK              JANET       X
Total                       22      7     14

how?
SCS: Guido Aben, Jan Meijer, Teun Nijssen (SURFnet), Kaspar Brandt (SWITCH), Licia Florio, Karel Vietsch (TERENA), Milan Sova (CESNET), and more...
TCS: Kent Engstrøm (SUNET), Licia Florio, Jan Meijer, Kevin Meynell, Teun Nijssen, Milan Sova, Karel Vietsch, Henrik Austad, and more...
TCS Tender Committee: Kurt Bøge (UNI-C), Daniel Garcia (RedIRIS), Licia Florio, Dominique Launay (RENATER), Jan Meijer, Damien Shaw (JANET), Milan Sova, Karel Vietsch

PKI landscape Europe 2010
– TCS
– DFN-PKI
– SWITCH-PKI
– Grid PKI
– Geant3 PKI activity

obituaries
– chipknip: dead
– chipper: dead
– studenten chipkaart: dead
– SURFnet PGP PKI: dead
– SURFnet x.509 PKI: dead

alive and kicking
– TERENA Certificate Service
– PGP: FIRST, 209 teams, 47 countries
– Grid PKI
– Personal certificates?

purpose