The CA Distribution Process David Groep, July 2007.

3rd TAGPMA ‘Austin’ meeting – Nov, David Groep

Aim
- Common naming for all registered CAs in the IGTF
- In a variety of formats as suitable for our larger RPs
- Well-trusted
  - but backed by TACAR where available

IGTF Distribution and Formats
- Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities
  - formerly known as Anders’ RPM set, today also available as: JKS, tar-gz, configure && make, …
  - usually built by the EUGridPMA (me, actually)
  - mirrored twice-daily to the apgridpma.org site
  - copied and re-distributed by downstream vendors (EGEE/LCG, VDT, …)
  - also contains the fetch-crl utility (now at version 2.6.3)
- Download location

Implementation (diagram)
- CVS Repository: ssh access for committers only; web access for IGTF members (committers: YT, DG, AW, MK, MH)
- Buildhost: local network only, to CVS and dist; PGP signing key on USB flash (stored in safe when not in use) (DG)
- Distribution host: ssh only from local network; http/https/rsync from anywhere; no other services, apache serves static content only (DG, YT)

Getting into CVS (EUGridPMA process)
- Supply all information specified at
  - In a secure way (F2F, or electronic: trivial with PGP, or with a designated personal cert off your existing CA for updates)
- CVS-committer (me) re-checks this information
  - like a limited version of the operational review
  - basic sanity of the root cert and CRL URL
  - does the contact address work?
  - is the namespace defined and exclusive?
- Generate the signing_policy.conf file
  - based on the data provided by the CA
  - in some cases, the CA provides the entire EACL file
- Generate the derived.namespaces file therefrom
  - except where the ‘namespaces’ file is actually better, or in case the signing_policy.conf syntax cannot express the policy
- Yoshio, or you, may use a different process, i.e. rely on the results of the operational review, or rely on what the CA gives you …
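The committer checks above (build signing_policy.conf from the CA's data, derive the namespaces file from it, confirm the namespace is defined and exclusive) as an added Python example; this is not the EUGridPMA's own tooling, and the CA names and already-registered namespaces are constructed.

```python
"""Derive an IGTF-style .namespaces file from a Globus signing_policy.conf and
check the new CA's subject namespace for overlap with already-registered ones."""
import re

# Constructed signing_policy.conf (EACL format) for a hypothetical CA.
NEW_POLICY = """\
access_id_CA      X509    '/C=XX/O=Example Org/CN=Example Root CA'
pos_rights        globus  CA:sign
cond_subjects     globus  '"/C=XX/O=Example Org/*" "/DC=org/DC=example/*"'
"""
# Constructed namespaces already claimed by other accredited CAs.
REGISTERED = {
    "/C=YY/O=Other Org/CN=Other Root CA": ["/C=YY/O=Other Org/*"],
    "/DC=org/DC=example/CN=Old CA": ["/DC=org/DC=example/OU=legacy/*"],
}

def parse_signing_policy(text):
    """Return (issuer DN, [subject globs]) from signing_policy.conf text."""
    issuer = re.search(r"^access_id_CA\s+X509\s+'([^']+)'", text, re.M).group(1)
    conds = re.search(r"^cond_subjects\s+globus\s+'(.+)'\s*$", text, re.M).group(1)
    return issuer, re.findall(r'"([^"]+)"', conds)

def glob_to_namespace_regex(glob):
    """signing_policy uses shell-style '*'; .namespaces uses a regex."""
    parts = [re.sub(r"([.^$+?(){}\[\]|\\])", r"\\\1", p) for p in glob.split("*")]
    return ".*".join(parts)

def derive_namespaces(text):
    """Emit one 'TO Issuer ... PERMIT Subject ...' clause per subject glob."""
    issuer, globs = parse_signing_policy(text)
    lines = ["#NAMESPACES-VERSION: 1.0", "#"]
    for g in globs:
        lines.append(f'TO Issuer "{issuer}" \\')
        lines.append(f'  PERMIT Subject "{glob_to_namespace_regex(g)}"')
    return "\n".join(lines) + "\n"

def overlapping(text, registered=REGISTERED):
    """Exclusivity check: (new glob, other issuer, other glob) triples where the
    fixed prefix of one pattern lies inside the other's."""
    _, globs = parse_signing_policy(text)
    clashes = []
    for g in globs:
        p = g.split("*")[0]
        for issuer, existing in registered.items():
            for e in existing:
                q = e.split("*")[0]
                if p.startswith(q) or q.startswith(p):
                    clashes.append((g, issuer, e))
    return clashes
```

A non-empty result from overlapping() is exactly the "namespace not exclusive" case the committer must resolve with the CA before the entry goes into CVS.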

CVS browsing

Building the distribution
- See
- On a dedicated buildhost
  - so a CVS update will show all changes
  - review all modifications, check for sanity, and update the CHANGES file for the release
- Update the version file, build the distribution and post it on a private web page so that everyone can comment

Announcements
- New releases built in a coordinated fashion
  - pre-announcement to igtf-general
  - version number should increase monotonically
  - every committer could build (using the documentation and the cabuild.pl script)
  - each PMA should PGP-sign the RPMs and other content, but if you just mirror you get the EUGridPMA key #3 signature
- Build and upload to the distribution site, and then:
  - builder (DG) sends announcement to igtf-general
  - each PMA should announce to the subscriber/RP base via their standard list (in the EUGridPMA, that’s the list)
  - downstream vendors pick up the distribution

A Downstream Vendor: EGEE/LCG (with my EGEE SA1 hat on …)
- EGEE/LCG relies
  - on RPM and yum/apt for distribution
  - on fetch-crl for CRL download and management
  - on SAM/SFT for site monitoring and consistency follow-up
- EGEE security and release process coordinators are subscribed to the eugridpma-announce list
- On release, a trouble ticket is entered in the system (GGUS), which triggers:
  1. the CA liaison (me) to build the lcg-CA RPM metapackage
  2. the SAM/SFT developers to update the site functional tests
  3. the middleware integration team to upload to the pre-prod repository and test the release again
  4. when the SAM/SFT update is done, the MW release team migrates the RPMs to the public EGEE repository and announces the update to the sites
  5. all sites then have 7 (or 1) days to update; while they are not updated, the SAM/SFT test shows WARN
- After 7 (1) days the error becomes critical and the site is blocked by most VOs