Marcus Pattloch (DFN-Verein) DESY Technisches Seminar


Overview of DFN's Certificate Services - Regular, Grid and short-lived - Marcus Pattloch (DFN-Verein), DESY Technisches Seminar, 24 November 2009, Zeuthen

Overview
- Certificates: what are they good for (and what not)?
- Regular Certificates: what (almost) everyone needs
- Grid Certificates: why another hierarchy?
- Short-lived Certificates (SLCS): Shibboleth, DFN-AAI, identity management
- Conclusions

Certificates

What is a certificate?
- Certificate = digital identity card for use on the internet
- Once I have a certificate and use it in electronic communication, everyone can prove that I am who I claim to be
- E.g. on a "chipcard" (but: not every chipcard contains a certificate)
(figure: sample identity card "Marcus Pattloch")

Use of certificates
- Confidentiality: encryption of documents and e-mails
- Signature: signing .pdf documents, signing e-mails, creating time stamps on documents
- Authentication (not authorization!!): server identification (SSL, https), ID for access to protected websites, ID for access to databases etc. (ssh, IPsec)

Digital identity card = my private key & my personal data (figure: sample card "Marcus Pattloch")
An infrastructure is needed to guarantee the link between the private key and the personal data. This is done by a public key infrastructure (PKI).

What is a PKI? A PKI is an infrastructure "generating" certificates and consisting of the following main components:
- Registration Authorities (RA)
- Certification Authorities (CA)
- Policies
- Directory Service for certificates
- (PKI-aware applications)

Splitting tasks makes it much easier
- Registration Authority: administrative tasks, done on site
- Certification Authority: technically demanding tasks, organisationally demanding tasks, operated by DFN for all (!) sites

Hierarchy of CAs (figure):
DFN-PCA
  |-- Certification Authority 1 ... n, e.g. Univ. of Hamburg CA, DESY CA
        |-- Person A, Server B, Person C, Server D, ..., Person X

List of DFN-PKI participants http://www.pki.dfn.de

Mozilla and certificates: very useful add-on for Mozilla Firefox and Thunderbird: Cert Viewer Plus 1.5 by Kaspar Brand (SWITCH - Swiss research network)
- extension of the menu
- improved saving and viewing of certificates

Regular Certificates

Regular certificates
- Regular (non-grid) certificates are what most people need
- Validity of certificates: server certificates max. 5 years; user certificates max. 3 years; CA certificate max. 12 years
- Certificates are linked into standard web browsers, i.e. no "pop-up boxes" from web servers; e-mail signatures can automatically be verified

Status of integration of Telekom Root CA2 (thus also of the root of DFN-PKI Global):
- Windows: all desktop versions (2k, XP, Vista, 7)
- Apple: since June 2008 (OS X, iPod, iPhone)
- Opera: since 2008
- Mozilla: from Firefox 3.0.12, Thunderbird 2.0.0.23
- Sun Java: from V6u11 (11.08)
- Google Chrome: yes, independent of OS
All details about integration: www.pki.dfn.de/integration

Obtaining a regular certificate http://www.pki.dfn.de/testpki-zugang

Summary: Regular certificates
- Around 300 sites in Germany have a CA within DFN-PKI
- More than 100,000 valid certificates issued
- Regular certificates do the job and are what everyone needs, but there is one exception ...

Grid Certificates

Accessing resources in D-Grid (1): Within a VO no (grid) certificates necessary (figure: TextGrid, AstroGrid, BauVOGrid)

Accessing resources in D-Grid (2): (figure: TextGrid, AstroGrid, BauVOGrid) More than 25 other D-Grid projects!

Grid PMAs
- To deal with certificates in grids a new body was set up by grid / HEP people: European Grid Policy Management Authority (EUGridPMA)
- Definition of policies and procedures for (world-wide) use of grid certificates
- International Grid Trust Federation (IGTF): EUGridPMA, Asia Pacific PMA, The Americas PMA

Grid certificates in Germany: DFN Grid CA (DFN-Verein) and GridKA CA (FZ Karlsruhe) are both accredited by the EUGridPMA

Obtaining a grid certificate

Regular vs. grid certificates
- Why not just use regular certificates in grids? Technically no difference (both based on X.509)
- But grid certificates have to follow some "strange rules", e.g.: basically just one CA per country; no sub-CAs, thus no CA hierarchies; very short validity of certificates (max. 13 months)
- "Strange rules" for grid certificates force users to have more than just one certificate; hard to see a practical reason for this ...
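The following example is added here and is not code from the slides or from DFN. It builds the hierarchy shown on the "Hierarchy of CAs" slide (DFN-PCA, a DESY CA below it, a person certificate below that) with the `cryptography` library, checks the chain the way a relying party does (names, CA flag, path length, signatures, current validity), encodes the validity limits quoted on the "Regular certificates" slide, and contrasts them with the two grid rules just listed (no sub-CAs, max. 13 months). All names, keys and the 13-month-as-395-days approximation are constructed assumptions of this example.

```python
"""Added example (not from the DFN slides): a two-level CA hierarchy,
relying-party chain verification, and the validity / grid rules from the slides.
Names and keys are constructed for illustration only."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

DAY = dt.timedelta(days=1)
# Maximum lifetimes quoted on the slides, in days
# (assumption: 365-day years, 13 months approximated as 395 days).
MAX_DAYS = {"ca": 12 * 365, "server": 5 * 365, "user": 3 * 365, "grid": 395}


def issue(subject_cn, subject_key, issuer_key, issuer_cert, days, ca=False, path_len=None):
    """Sign a certificate for subject_key; issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + days * DAY)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def validity_window(cert):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    if hasattr(cert, "not_valid_before_utc"):  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = dt.timezone.utc  # older versions expose naive UTC values
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def lifetime_ok(cert, kind):
    """Does the certificate respect the maximum validity for its kind?"""
    not_before, not_after = validity_window(cert)
    return (not_after - not_before).days <= MAX_DAYS[kind]


def signed_by(cert, issuer_cert):
    """Verify cert's RSA PKCS#1 v1.5 signature with the issuer's public key."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def verify_chain(chain, trust_anchor):
    """Relying-party check of [end_entity, intermediate, ...] up to a trusted root:
    the root is self-signed, names link up, every issuer is a CA whose path length
    allows the intermediates below it, signatures verify, and all are currently valid."""
    path = list(chain) + [trust_anchor]
    if trust_anchor.issuer != trust_anchor.subject or not signed_by(trust_anchor, trust_anchor):
        return False
    for i, cert in enumerate(path[:-1]):
        issuer = path[i + 1]
        constraints = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if cert.issuer != issuer.subject or not constraints.ca or not signed_by(cert, issuer):
            return False
        if constraints.path_length is not None and i > constraints.path_length:
            return False  # i intermediate CAs sit between this issuer and the end entity
    now = dt.datetime.now(dt.timezone.utc)
    return all(nb <= now <= na for nb, na in map(validity_window, path))


def grid_rules_ok(chain, trust_anchor):
    """The grid rules from the slide: no sub-CAs (the end entity is issued directly
    by the accredited CA) and at most 13 months of validity."""
    return len(chain) == 1 and lifetime_ok(chain[0], "grid") and verify_chain(chain, trust_anchor)


def build_demo():
    """Constructed hierarchy: DFN-PCA -> DESY CA -> Person A, a forged certificate
    signed with Person A's key, and a separate flat grid CA with a 13-month cert."""
    names = ("pca", "desy", "person", "rogue", "grid", "gridperson")
    keys = {n: rsa.generate_private_key(65537, 2048) for n in names}
    pca = issue("DFN-PCA (example root)", keys["pca"], keys["pca"], None, MAX_DAYS["ca"], ca=True, path_len=1)
    desy = issue("DESY CA (example)", keys["desy"], keys["pca"], pca, MAX_DAYS["ca"], ca=True, path_len=0)
    person = issue("Person A (example)", keys["person"], keys["desy"], desy, MAX_DAYS["user"])
    rogue = issue("Server B (signed by a non-CA)", keys["rogue"], keys["person"], person, MAX_DAYS["server"])
    grid_ca = issue("Grid CA (example)", keys["grid"], keys["grid"], None, MAX_DAYS["ca"], ca=True, path_len=0)
    grid_person = issue("Person A (example grid cert)", keys["gridperson"], keys["grid"], grid_ca, MAX_DAYS["grid"])
    return {"pca": pca, "desy": desy, "person": person, "rogue": rogue,
            "grid_ca": grid_ca, "grid_person": grid_person}


if __name__ == "__main__":
    d = build_demo()
    print("regular chain verifies:", verify_chain([d["person"], d["desy"]], d["pca"]))
    print("regular user cert passes grid rules:", grid_rules_ok([d["person"], d["desy"]], d["pca"]))
    print("grid cert passes grid rules:", grid_rules_ok([d["grid_person"]], d["grid_ca"]))
```

The regular chain verifies, but the same user certificate fails the grid rules twice over: it sits below a sub-CA and it lives three years rather than thirteen months. That is exactly why a user who wants both needs two certificates, as the slide says.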

Status quo
- Issuing grid certificates in D-Grid works
- Number of issued certificates is much smaller than in the regular world
- Users complain that they need different certificates and that they have to obtain a new grid certificate every 12 months
- The question remains whether current grid certificates are the perfect solution ...

Certificates in D-Grid: documents about certificates in D-Grid
- "Authentifizierung im D-Grid" (12.2005): split between authentication and authorization; registration authorities (RAs) per site, not for dynamic structures like projects or VOs; non-academic partners can basically be served by every RA
- "Verwendung von Zertifikaten im D-Grid" (3.2008): "new" types of grid certificates possible (SLCS, robot certificates for use in portals); all D-Grid certificates require face-to-face identification of subscribers (= someone who wants a certificate)

Short-lived Certificates

SLCS (1)
- Some grid users don't want to have a certificate at all, but: use of grid middleware is only possible with certificates
- Idea for a new type of grid certificates was born: SLCS (Short Lived Credential Services)
- Idea: create short-lived certificate on-the-fly using standard user credentials (userid, password)
- This should make everything much easier, but ...

SLCS (2)
- Security requirements for SLCS are as high as for grid certificates, e.g. face-to-face identification of subscribers
- This results in an even more complicated basic infrastructure: GridShib software; Shibboleth-based authentication / authorization infrastructure (DFN-AAI); identity management system in place, data must be updated regularly

Obtaining a SLC (certificate) https://test-slcs.pca.dfn.de/gridshib-ca/

SLCS architecture for portals

Conclusions

Conclusions
- DFN offers different kinds of certificates: regular, grid, SLCS; share of regular certificates is around 98% (!); but for the time being grid users need at least two certificates
- Obtaining a certificate is quite easy and about 300 sites take part in DFN-PKI
- More information: www.pki.dfn.de, pki@dfn.de