UK e-Science Certification Authority: Status and Deployment. Jens G Jensen, CLRC/RAL. HEPSYSMAN, UCL, 26 Nov 2002.

Presentation transcript:

UK e-Science Certification Authority: Status and Deployment

Structure of CA
- Flow: User sends Request to RA; RA passes Approved Request to CA; CA issues Certificate
- RA = Registration Authority
- CA = Certification Authority

Certificate
- A certificate ties together a string, a public key, some other stuff and extensions:
  – The string is the Distinguished Name, which can be used to uniquely identify the user (i.e., the owner of the corresponding private key)
  – The public key corresponds to the user's private key (RSA)
  – Other stuff specifies the lifetime of the certificate, the issuer, etc.
  – Extensions specify, e.g., which things the certificate can be used for

The Distinguished Name
- Contains the user's name (verified by the RA)
- Also identifies the RA that approved the original request
- No project information in the DN
  – Must not authorise based on the DN alone
- BUT: the name establishes only reasonable identity of the user (more than one Joe Smith?)
- BUT: (ideally) the name should be used for authentication only, not identification
  – Should be seen as a string tied to the key
  – Every time someone connects with this string, you can be assured it's the same user

The Registration Authority
- RAs are trusted to approve (or reject) requests from users
- Therefore it was felt that RAs should be formally appointed
- RAs are local to users
- More about RAs and appointment later

Identification of users
- Users must show photo ID to the RA. The reasons for this are:
  – We promise to verify the name in the DN
  – We aim to be (are) a medium assurance CA as defined by the latest GridForum policy draft (v6)
  – We aim to be (are) a medium level CA according to the DFN (Deutsches Forschungsnetz)

External Policies and Recommendations
- Strong policy:
  – Harder to get a certificate
  – But easier to have certificates accepted by Relying Parties
- Weak policy:
  – Easy to get a certificate
  – Harder to persuade admins to accept the certificate for authentication purposes

Status
- New e-Science CA being deployed
- UKHEP CA will be terminated
- UKHEP certificates will be allowed to expire
- UKHEP still issues certificates for users not yet covered by the new CA

25 November
- Certificates issued: [number not captured in the transcript]
- 10 RA managers + 15 operators
- Issuing 50 certs / month
- Adding 3 RAs / month
- Adding 6 RA operators / month

What's done
- Software (OpenCA based) installed
- Keys generated
- Some RAs appointed, certificates issued
- CA staff trained
- Close-to-final CP/CPS issued
- Physical security implemented

What's currently being done
- New RAs being appointed and trained
- CP/CPS being updated to reflect the proposed change in extensions
- RA and CA procedures being reviewed: must ensure that they conform to the CPS

What else must be done
- Must issue final CP/CPS
- Approval as DataGrid CA (December)
- Take over RAs from UKHEP
- Then: announce deployment!

Renewal
- Should send a reminder to the user 30 days before expiry (with instructions)
- Procedure doesn't exist yet
- Easy with OpenSSL, but how to do it with the web interface?
- Must issue a certificate with the same DN as an existing certificate...

(Proposed) extensions
- basicConstraints (critical): not CA
- keyUsage (critical) [interpretation sometimes woolly!]:
  – nonRepudiation: used to verify digital signatures in repudiation services
  – digitalSignature: private key is used for signatures (not certificates or CRLs!!), e.g. SSL client, entity authentication
  – keyEncipherment: public key is used for key transport, e.g. encryption, SSL server
  – keyAgreement: used to agree e.g. a symmetric key between client and server

More (proposed) extensions
- certificatePolicies: policyIdentifier (OID)
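The proposed keyUsage and basicConstraints values, encoded and checked at the DER level: an added example in Python, not code from the slides or from the CA's OpenCA installation. The bit numbering is that of RFC 5280; the profile-check function and its messages are my own construction.

```python
"""Added example (not from the slides or the CA's OpenCA setup): DER-level
encoding/decoding of the proposed critical keyUsage extension plus a check of
the end-entity profile. Standard library only; bits as in RFC 5280 4.2.1.3."""
from typing import List, Set

KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
# End-entity BasicConstraints is SEQUENCE {}: cA DEFAULT FALSE is omitted in DER.
BASIC_CONSTRAINTS_NOT_CA = b"\x30\x00"

def encode_key_usage(names: Set[str]) -> bytes:
    """DER BIT STRING: bit 0 is the MSB of the first content octet; trailing
    zero bits are dropped and their count goes into the 'unused bits' octet."""
    field, highest = 0, -1
    for name in names:
        i = KEY_USAGE_BITS[name]
        field |= 1 << (15 - i)              # 16-bit field, MSB first
        highest = max(highest, i)
    nbytes = highest // 8 + 1               # 0 for an empty set -> 03 01 00
    unused = nbytes * 8 - (highest + 1)
    body = (field >> (16 - 8 * nbytes)).to_bytes(nbytes, "big")
    return b"\x03" + bytes([nbytes + 1, unused]) + body

def decode_key_usage(der: bytes) -> Set[str]:
    """Inverse of encode_key_usage; rejects malformed or non-DER input."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("unused bits must be zero under DER")
    total = len(body) * 8 - unused
    return {n for n, i in KEY_USAGE_BITS.items()
            if i < total and body[i // 8] & (0x80 >> (i % 8))}

def end_entity_problems(bc: bytes, ku: bytes, critical: Set[str]) -> List[str]:
    """Violations of the proposal: both extensions critical, not a CA, and no
    certificate or CRL signing by an end-entity key."""
    problems = []
    if bc != BASIC_CONSTRAINTS_NOT_CA:
        problems.append("basicConstraints must be CA:FALSE")
    for ext in ("basicConstraints", "keyUsage"):
        if ext not in critical:
            problems.append(f"{ext} must be marked critical")
    usage = decode_key_usage(ku)
    if usage & {"keyCertSign", "cRLSign"}:
        problems.append("end-entity key must not sign certificates or CRLs")
    return problems
```

For the slide's SSL client plus server case, digitalSignature and keyEncipherment together encode as 03 02 05 A0.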

RA structure
- Head of Department appoints the RA Manager (appointment within the Department)
- RA Manager appoints the Operators
- Operators verify users' requests

RA Appointment 1
- Agree name with the CA (manager)
- OU and L identify the RA, not the project
- OU = Institution, L = Department in which the RA is appointed
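The two DN rules from the "Distinguished Name" and "RA Appointment 1" slides in working form: the DN is an authentication string tied to the key, OU and L name the RA, and authorisation comes only from an explicit mapping, never from the DN alone. This is an added Python example, not code from the slides or the CA; the issuer DN, subject DNs and mapping table are constructed for illustration.

```python
"""Added example (not from the slides): treat the Distinguished Name as an
authentication string tied to the key and authorise only through an explicit
(issuer, subject) mapping, never from the DN alone. Standard library only;
all DN values and the mapping table below are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the issuer we trust and a grid-mapfile style table.
TRUSTED_ISSUER = "/C=UK/O=eScience/OU=Authority/CN=Example CA"
# Keyed on (issuer, subject): an identically named subject certified by a
# different CA, or a second "Joe Smith" registered via another RA, never matches.
MAPFILE: Dict[Tuple[str, str], str] = {
    (TRUSTED_ISSUER, "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=joe smith"): "jsmith",
    (TRUSTED_ISSUER, "/C=UK/O=eScience/OU=UCL/L=Physics/CN=joe smith"): "jsmith2",
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line DN (/C=UK/O=.../CN=...) into ordered
    (attribute, value) pairs. Attribute values containing '/' are not
    supported; a stray '/' normally trips the malformed-RDN check."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    rdns = []
    for part in dn[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns

def ra_of(dn: str) -> Tuple[str, str]:
    """(OU, L) names the RA that approved the request: OU = institution,
    L = department, as on the 'RA Appointment 1' slide. Multi-valued OU/L
    would need a list here; the slides' DNs carry one of each."""
    fields = dict(parse_dn(dn))
    return fields.get("OU", ""), fields.get("L", "")

def authorise(issuer: str, subject: str) -> Optional[str]:
    """Local account for an authenticated (issuer, subject) pair, or None.
    Nothing is inferred from the DN text itself: no project or role data
    lives in it, so authorisation decisions come only from the mapping."""
    if issuer != TRUSTED_ISSUER:
        return None          # a DN from any other CA is meaningless here
    return MAPFILE.get((issuer, subject))
```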

RA Appointment 2
- The RA Manager is appointed by the Head of Department
- The Manager is responsible for the operations of the RA

RA Appointment 3
- The RA Manager appoints RA Operators
- Operators approve requests from Users
- Operators must have certificates

RA Appointment 4
- The Grid Support Centre offers training courses for RA Operators
- RA Operators are expected to know the system and to be able to advise Users
- Next training course: 18th December 2002

RA Appointment 5
- RA Operators then approve requests from Users

Contacts
- Web site:
- Training courses: Alistair Mills
- Setting up RAs: Alistair Mills, Jens G Jensen, David Boyd
- Anything else: Jens G Jensen