DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of Informatics Slovak Academy of Sciences


DataGrid WP6 CA meeting, CERN, 12 December 2002
IISAS Certification Authority
Jan Astalos
Department of Parallel and Distributed Computing
Institute of Informatics, Slovak Academy of Sciences

IISAS and CrossGrid
● Grid application development – simulations related to prediction of flood events
● Collaborative problem solving environment
● Virtual organization for flood forecasting
● CrossGrid testbed participation
● IISAS Certification Authority

Need for certificates
● Virtual organization for flood forecasting
● Scientists from Slovakia participate in HEP experiments (ATLAS, ALICE)
● Scientists from other application areas, not related to any of the current virtual organizations (we expect new VOs to emerge)

IISAS Certification Authority
● Managed by IISAS, Bratislava, Slovakia
● Based on OpenSSL
● Certificate issuing machine:
– Located in a room with restricted access, in a locked case
– Not connected to the network
– Managed by the CA operator

IISAS CA certificate
● Private key is 2048 bits long
● Encrypted with a passphrase of more than 15 characters
● CA certificate lifetime is 5 years
● Backup copy of the key and a sealed envelope with the passphrase are locked in a safe

Certificates
● IISAS CA issues certificates for subjects:
– Related to organizations from Slovakia
– Involved in research or deployment of Grids
● Types of certificates:
– Server, personal and service
● Applicability:
– Authentication and communication encryption

Certificates
● Private keys are at least 1024 bits long
● Generated by applicants
● Certificate maximum lifetime is one year
● Naming convention:
– C=SK, O=organizationName, OU=organizationUnit, CN=commonName

Certificate issuing procedure
● IISAS CA accepts authenticated certificate requests from IISAS registration authorities
● Other certificate requests are forwarded to the appropriate RAs for authentication and validity checks
● Certificates are issued for authenticated requests
● Issued certificates are sent to the applicant

Authentication checks
● Applicant should contact the RA personally
● Authentication is performed by:
– Valid official ID document (passport, ID card)
– Firm personal acquaintance with the RA
● RA also checks the relation of the applicant to the organization specified in the certificate request
● Requests for server or service certificates must be signed with the valid certificate of the system administrator

Certificate revocation procedure
● IISAS CA accepts revocation requests from RAs or from the certificate subscriber, signed with a valid IISAS certificate
● Other revocation requests are forwarded to the appropriate RA for authentication and validity checks
● Certificates are revoked for authenticated requests
● Certificate subscriber is notified

Circumstances for revocation
● Information in the certificate becomes wrong or inaccurate
● Private key was lost or compromised
● Certificate is no longer required
● Subject has failed to comply with the rules in the CP/CPS document
● The server for which the certificate was issued has been retired

CRLs
● CRLs are issued whenever a certificate is revoked
● Reissued at least 7 days before CRL expiration
● CRL lifetime is 30 days
● CRLs are published as soon as issued
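As an added illustration (not the IISAS CA's own tooling), the rules from the two Certificates slides and the CRL slide above written as checks a CA operator could run before signing a request and when deciding whether a CRL must be reissued. The slash-separated DN format, ISO date strings and the 366-day bound for "one year" are assumptions made here.

```python
from datetime import date, timedelta

# Policy values taken from the IISAS CA slides; the checker itself is an added
# illustration, not the CA's own tooling.
MIN_SUBJECT_KEY_BITS = 1024
MAX_CERT_LIFETIME = timedelta(days=366)   # "maximum lifetime is one year" (366 covers a leap year)
CRL_LIFETIME = timedelta(days=30)
CRL_REISSUE_MARGIN = timedelta(days=7)    # reissue at least 7 days before expiry
REQUIRED_DN_ORDER = ("C", "O", "OU", "CN")


def parse_dn(dn):
    """Parse an OpenSSL-style DN ('/C=SK/O=IISAS/OU=DPDC/CN=Jan Astalos')
    into an ordered list of (attribute, value). Escaped slashes are not handled."""
    pairs = []
    for rdn in dn.strip("/").split("/"):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def request_violations(dn, key_bits, not_before, not_after):
    """Return the policy violations for a certificate request (empty list = OK).
    Dates are ISO strings, e.g. '2002-12-12'."""
    problems = []
    pairs = parse_dn(dn)
    attrs = tuple(attr for attr, _ in pairs)
    if attrs != REQUIRED_DN_ORDER:
        problems.append(f"DN must be C,O,OU,CN in that order, got {','.join(attrs)}")
    elif pairs[0][1] != "SK":
        problems.append("C must be SK: subjects are related to Slovak organisations")
    if key_bits < MIN_SUBJECT_KEY_BITS:
        problems.append(f"key is {key_bits} bits, policy minimum is {MIN_SUBJECT_KEY_BITS}")
    lifetime = date.fromisoformat(not_after) - date.fromisoformat(not_before)
    if lifetime > MAX_CERT_LIFETIME:
        problems.append(f"validity of {lifetime.days} days exceeds the one-year maximum")
    return problems


def crl_reissue_due(this_update, next_update, today):
    """True when the CA must publish a new CRL even without a fresh revocation:
    the current CRL is within 7 days of its nextUpdate, or already past it."""
    this_upd, next_upd = date.fromisoformat(this_update), date.fromisoformat(next_update)
    if next_upd - this_upd > CRL_LIFETIME:
        raise ValueError("CRL lifetime exceeds the 30-day policy")
    return next_upd - date.fromisoformat(today) <= CRL_REISSUE_MARGIN
```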

CP/CPS document
● Draft version 0.4 (September 2, 2002)
● OID:
● Follows the structure suggested by RFC 2527
● CA, RAs and certificate owners are obliged to follow the procedures specified in the CP/CPS document
● Certificate subscribers are notified about changes
● The relation between a certificate and the version of the CPS document is based on the date the version was released

Information publishing
● IISAS CA online repository contains:
– IISAS CA certificate
– Latest CRL
– Copy of the CP/CPS document
– Other relevant information (list of RAs)
– LDAP repository (to be created)
● URL:

Event logs
● Boots of the CA signing machine
● Interactive logins and logouts
● Certification requests
● Revocation requests
● Issued certificates
● Issued CRLs

Registration Authorities
● RAs will be created for organizations and VOs
– trusted by the members of the VO
● CA-RA communication will be secured
● List of RAs will be maintained at:
–
● RAs will log:
– Certificate requests
– Revocation requests

Thank you.