Short Lived Credential Services Profile
Tony J. Genovese, The Americas Grid PMA (TAGPMA), DOEGrids ATF / ESnet / LBNL
TAGPMA meeting, Rio de Janeiro, March 27, 2006

Slide 2: SLCS Profile
- The Authentication Profile is managed by the TAGPMA.
- Derived from the EUGridPMA guidelines (Minimum Requirements, version 4.0).
- Reviewed and approved by the TAGPMA on 15 November 2005.

Slide 3: What is SLCS
- A short-term certificate has a lifetime of less than 1,000,000 seconds (about 11.5 days).
- It is a translation of a local site's native identity into a Grid identity:
  - a KCA (Kerberized Certification Authority) can translate a local Kerberos identity into a Grid identity;
  - MyProxy can be integrated at some sites;
  - active credential repositories fall under a different authentication profile.
- The identity is validated by the site security office.
- Leverages the site help desk and customer support.
- Possible local site identity services: Kerberos, Windows domain, LDAP, one-time passwords and long-term certificates.

Slide 4: Document Identification
- Document title: Profile for Short Lived Credential Services X.509 Public Key Certification Authorities with secured infrastructure
- Document version: 1.1
- Document date: November 15
- OID scheme: IGTF.Policies.Authentication Profiles.SLCS.version
- Document OID:
- Location:

Slide 5: SLIC General Architecture (diagram)
Sources of identity, i.e. the local site AuthN infrastructure (LDAP AuthN, Kerberos AuthN, RADIUS AuthN, SecurID AuthN via RADIUS) -> SLIC certificate authority (the "Grid identity mint") -> short-lived Grid identity, proxy and attribute certificates.

Slide 6: Identity
- Every DN in an SLCS certificate must be linked to one and only one end entity.
- The DN owner is the human individual or organizational group that holds valid rights to the exclusive use of a subject name in a certificate.

Slide 7: Identity Translation Rules
- All identities used to create a short-lived certificate are based on the local site/organization identity system.
- An SLCS must identify the site/organization identity management service that provides the authenticated identity to the SLCS.
- An SLCS must describe in its CP/CPS:
  - how the identity (DN) assigned in the certificate is unique within the namespace of the issuer;
  - how it attests to the validity of the identity;
  - how it provides accountability, i.e. show that it has verified enough identity information to trace the certificate back to the physical person, now and at any time in the future.

Slide 8: Operational Requirements
- The SLCS CA must run on a dedicated machine.
- The CA must be located in a secure, access-controlled environment.
- The CA's private key must be protected:
  - in a FIPS 140-2 Level 3 HSM; or
  - if a non-FIPS mechanism is used, the security precautions must be described.
- CA key length >= 2048 bits; CA certificate lifetime <= 20 years.

Slide 9: Certificates and CRL Profile
- The accredited SLCS authority must publish an X.509 certificate as its root of trust.
- SLCS CAs are not expected to issue CRLs.
- The short-lived certificates must be in X.509v3 format and compliant with RFC 3280 unless explicitly stated otherwise. In the certificate extensions:
  - a Policy Identifier (certificatePolicies) must be included and must contain an OID and an OID only, with no policy qualifiers;
  - keyUsage must be included and marked critical;
  - basicConstraints may be included; when included it must be set to CA:FALSE and marked critical, so that it conforms to general CA and ASN.1 practice;
  - if an OCSP responder, operated as a production service by the issuing CA, is available, authorityInfoAccess must be included and contain at least one URI;
  - if a commonName component is used as part of the subject DN, it should contain an appropriate presentation of the actual name of the end entity.
- The message digests of the certificates must be generated by a trustworthy mechanism such as SHA-1; in particular, MD5 must not be used. (SHA-1 has since been deprecated for certificate signatures as well; a current deployment would sign with SHA-256 or stronger.)
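The extension rules on this slide, together with the 1,000,000-second lifetime limit and the 2048-bit CA key from the earlier slides, can be exercised directly with the OpenSSL command line. The script below is an added example, not code from the TAGPMA profile or from any SLCS implementation: it writes an OpenSSL extension file that yields the required extensions, mints a throw-away issuing CA and one short-lived end-entity certificate, and then checks an issued certificate against the profile rules. The policy OID 1.2.3.4.5.6, the OCSP URL, the DN components and the subject name "Jane Doe jdoe" are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not from the TAGPMA slides or any SLCS software): mint a
# profile-conformant short-lived certificate with OpenSSL and check it.
# All OIDs, URLs and DN values below are assumed placeholders.
set -eu

SLCS_POLICY_OID="1.2.3.4.5.6"                  # assumed; the real OID is assigned by the IGTF
SLCS_OCSP_URI="http://ocsp.slcs.example.org/"  # assumed production OCSP responder
SLCS_MAX_LIFETIME=1000000                      # profile limit: lifetime < 1,000,000 s

# slcs_issue DIR DAYS: create a throw-away issuing CA in DIR and issue one
# end-entity certificate valid for DAYS days (ca.pem, user.key, user.pem).
slcs_issue() {
    dir=$1; days=$2
    mkdir -p "$dir"
    # Extension file implementing the slide's rules: certificatePolicies with an
    # OID and nothing else, critical keyUsage, critical basicConstraints CA:FALSE,
    # and an authorityInfoAccess entry pointing at the OCSP responder.
    cat > "$dir/slcs.ext" <<EOF
certificatePolicies = $SLCS_POLICY_OID
keyUsage = critical, digitalSignature, keyEncipherment
basicConstraints = critical, CA:FALSE
authorityInfoAccess = OCSP;URI:$SLCS_OCSP_URI
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Issuing CA: 2048-bit key (profile minimum), 10-year certificate (limit is 20).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/DC=org/DC=example/CN=Example SLCS CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # End-entity request. The CN carries the person's real name plus the
    # (assumed) local username "jdoe" that makes the DN unique within the issuer.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=org/DC=example/OU=People/CN=Jane Doe jdoe" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    # Sign with SHA-256 (the slide forbids MD5; SHA-1 is deprecated today).
    openssl x509 -req -sha256 -days "$days" -in "$dir/user.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/slcs.ext" -out "$dir/user.pem" 2>/dev/null
}

# slcs_check CA CERT: report each profile violation found in CERT and return
# non-zero if there is any. Meant for a freshly issued certificate, because the
# lifetime test uses -checkend, which measures from "now" rather than notBefore.
slcs_check() {
    ca=$1; cert=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: does not chain to the published trust anchor"; rc=1; }
    # -checkend succeeds when the certificate is still valid after N seconds;
    # for a short-lived certificate that must NOT be the case.
    if openssl x509 -in "$cert" -noout -checkend "$SLCS_MAX_LIFETIME" >/dev/null; then
        echo "FAIL: lifetime is not below $SLCS_MAX_LIFETIME s"; rc=1
    fi
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage: critical' \
        || { echo "FAIL: keyUsage missing or not critical"; rc=1; }
    # basicConstraints is optional, but if present it must be critical CA:FALSE.
    if printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints'; then
        printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints: critical' \
            && printf '%s\n' "$text" | grep -q 'CA:FALSE' \
            || { echo "FAIL: basicConstraints present but not critical CA:FALSE"; rc=1; }
    fi
    printf '%s\n' "$text" | grep -q "Policy: $SLCS_POLICY_OID" \
        || { echo "FAIL: certificatePolicies missing or wrong OID"; rc=1; }
    printf '%s\n' "$text" | grep -q 'OCSP - URI:' \
        || { echo "FAIL: authorityInfoAccess has no OCSP URI"; rc=1; }
    if printf '%s\n' "$text" | grep -qi 'Signature Algorithm: md5'; then
        echo "FAIL: MD5 signature"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert conforms to the SLCS certificate profile"
    return "$rc"
}

# Demo: an 11-day credential (950,400 s) sits inside the limit; a 30-day one does not.
demo=$(mktemp -d)
slcs_issue "$demo/short" 11
slcs_check "$demo/short/ca.pem" "$demo/short/user.pem"
slcs_issue "$demo/long" 30
slcs_check "$demo/long/ca.pem" "$demo/long/user.pem" || true   # expected to report the lifetime violation
rm -rf "$demo"
```

The checker reads the human-readable `openssl x509 -text` output, which is adequate for a smoke test on freshly minted credentials; a production conformance check would parse the DER extensions (and compare notAfter minus notBefore directly) rather than grep for strings, and would verify the certificatePolicies extension carries no qualifiers at all.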

Slide 10: Revocation
- It is assumed that short-lived certificates will not need to be revoked, because their lifetime is shorter than the update cycle of most CRLs. Note that this does not make a compromised short-lived key harmless: it remains usable until the certificate expires, so relying parties that need a faster cut-off must query the CA's OCSP responder where one is published.
- If revocation is supported, revocation requests can be made by certificate holders, site identity managers, the SLCS CA and others.
- Individual holders of an SLCS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

Slide 11: Publication and Repository Responsibilities
- Each SLCS authority must publish:
  - an SLCS CA root certificate, or a set of CA certificates up to a self-signed root;
  - an http or https URL of the PEM-formatted CA certificate;
  - an http or https URL of the CA's web page for general information;
  - the CP and CPS documents;
  - an official contact address for inquiries and fault reporting;
  - a physical postal contact address.
- The SLCS CA shall provide its trust anchor to a trust anchor repository specified by the accrediting PMA, via the method specified in the policy of that repository.

Slide 12: Audits
- The SLCS CA must record and archive all requests for certificates, all issued certificates, all requests for revocation, and the login/logout/reboot events of the issuing machine.
- The SLCS CA must keep these records for at least three years and must make them available to external auditors in the course of their work.
- Each SLCS CA must accept being audited by other accredited CAs to verify its compliance with the rules and procedures specified in its CP/CPS document.
- The SLCS CA should perform operational audits of the CA/RA staff at least once per year. A list of CA and site identity management personnel should be maintained and verified at least once per year.
- The identity management system on which the SLCS CA relies should undergo a periodic review or audit, conducted by persons other than the system operators.

Slide 13: SLCS Etcetera
- Privacy and confidentiality: accredited SLCS CAs must define a privacy and data release policy compliant with the relevant national legislation.
- Compromise and disaster recovery: the SLCS CA must have an adequate compromise and disaster recovery procedure, and be willing to discuss this procedure in the TAGPMA. The procedure need not be disclosed in the policy and practice statements.
- Due diligence of subscribers: the SLCS CA should make a reasonable effort to make sure that people realize the importance of properly protecting their private data.