Academia Sinica Grid Computing Certification Authority (ASGCCA)

Outline

– Introduction
– Procedural Security
– Physical Security
– Technical Security
– Contact Information
– Related Information

Introduction

The ASGCCA is located at the Academia Sinica Grid Computing Centre in Taiwan and has been running since July. It is managed by the Academia Sinica Grid Computing Centre. It issues X.509 certificates to support a secure environment for grid computing.

Procedural Security

– End Entity and Certificate Type
– Identification and Authentication
– Certificate Request
– Certificate Revocation
– Records Archival

End Entity and Certificate Type

End Entities:
– Users of Academia Sinica Computing Centre
– Users of Domestic/International Grid-based Applications/Projects

Certificate Types:
– User Certificate: C=TW, O=AS, OU=PHYS, CN=Su Hao /
– Host Certificate: C=TW, O=AS, OU=PHYS, CN=testbed043.sinica.edu.tw
– Service Certificate: C=TW, O=AS, OU=PHYS, CN=FTP/testbed043.sinica.edu.tw

Identification and Authentication

User certificate:
– The subscriber must submit his/her application, signed with the supervisor's signature, via fax to ASGCCA.

Host or service certificate:
– Requests must be signed with a valid personal ASGCCA certificate.
– The RA checks the FQDN of the host before the certificate is issued.
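The naming patterns and the identification rules above can be turned into a small checker. The following Python is an added example, not ASGCCA's own code: it splits a subject DN into its attributes, checks that it sits inside the C=TW, O=AS namespace, classifies it as a user, host or service certificate by the CN form the slide shows, and reports which identification step that kind of request needs. The FQDN regular expression, treating any CN that is neither a host name nor service/host as a person's name, and the DN parser's restriction to the simple comma-separated form are assumptions; whether the signing personal certificate is still valid (unexpired, unrevoked) is left to the caller.

```python
"""Classify ASGCCA-style subject DNs and name the identification step a request needs.
Added example, not ASGCCA code; the simple 'A=v, B=w' DN form is assumed (no escaping)."""
import re

# Fixed prefix every ASGCCA subject carries; OU (the group) and CN are also required.
NAMESPACE = {"C": "TW", "O": "AS"}
# Host CNs are bare fully-qualified host names; service CNs are "<service>/<FQDN>".
# This FQDN pattern is an assumption, not taken from the CP/CPS.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def parse_dn(dn: str) -> dict:
    """Split 'C=TW, O=AS, OU=PHYS, CN=...' into {attribute: value}."""
    rdns = {}
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part.strip()!r}")
        if attr in rdns:
            raise ValueError(f"duplicate attribute {attr}")
        rdns[attr] = value
    return rdns


def in_namespace(dn: str) -> bool:
    """True when the DN has the fixed C/O values and carries both OU and CN."""
    rdns = parse_dn(dn)
    return all(rdns.get(k) == v for k, v in NAMESPACE.items()) and "OU" in rdns and "CN" in rdns


def classify(dn: str) -> str:
    """Return 'user', 'host' or 'service' for a DN inside the ASGCCA namespace."""
    if not in_namespace(dn):
        raise ValueError(f"{dn!r} is outside the ASGCCA namespace")
    cn = parse_dn(dn)["CN"]
    if FQDN_RE.match(cn):
        return "host"
    service, slash, host = cn.partition("/")
    if slash and FQDN_RE.match(host):
        if not service:
            raise ValueError("service CN needs a service name before '/'")
        return "service"
    # Anything else is treated as a person's name (assumption).
    return "user"


def request_authentication(request_dn: str, signer_dn: str = "") -> str:
    """Name the identification step the slides require before issuance.

    User requests: the application form, signed by the supervisor, arrives by fax.
    Host/service requests: must be signed with a personal ASGCCA certificate, after
    which the RA verifies the FQDN. Validity of the signer's certificate is not
    checked here and is assumed to be done by the caller."""
    kind = classify(request_dn)
    if kind == "user":
        return "supervisor-signed application form by fax"
    if not signer_dn or classify(signer_dn) != "user":
        raise ValueError("host/service requests must be signed with a personal ASGCCA certificate")
    cn = parse_dn(request_dn)["CN"]
    host = cn if kind == "host" else cn.partition("/")[2]
    return f"RA verifies FQDN {host}"


if __name__ == "__main__":
    # Constructed DNs following the slide's patterns.
    for dn in ("C=TW, O=AS, OU=PHYS, CN=Su Hao",
               "C=TW, O=AS, OU=PHYS, CN=testbed043.sinica.edu.tw",
               "C=TW, O=AS, OU=PHYS, CN=FTP/testbed043.sinica.edu.tw"):
        print(classify(dn), "->", request_authentication(dn, "C=TW, O=AS, OU=PHYS, CN=Su Hao"))
```

A DN with the wrong country or organisation, or one missing the OU, is rejected before classification, so a request for a name outside the CA's own namespace cannot be routed to any identification step at all.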

Certificate Request: Users of Academia Sinica Computing Centre

Parties: subscriber, CA staff, CA server, CA website
1. Subscriber makes the request on the CA website
2. Subscriber sends the application by fax to CA staff
3. Website sends the CSR file to CA staff
4. CA staff confirm the subscriber's identity personally
5. CA staff send the CSR file to the CA server
6. CA server issues the certificate
7. CA staff send a notice to the subscriber, who picks up the new certificate

Certificate Revocation

Circumstances for Revocation:
– The entity's private key is lost or suspected to be compromised.
– The information in the entity's certificate is suspected to be inaccurate.
– The entity terminates services.
– The entity violated its obligations.

Certificate Revocation (cont.)

Procedure for Revocation Request:
– Send an e-mail signed with the subscriber's valid ASGCCA certificate. CA staff will then contact the subscriber by phone for confirmation.
– In all other cases, authentication is performed with the same procedure used to authenticate the identity of the person.

Records Archival

CA must record and archive:
– All requests (application forms)
– All confirmations (e-mails)

CA must record and archive:
– All requests for certificates
– All issued certificates
– All requests for revocation
– All issued CRLs
– Login/logout/reboot of the issuing machine

All archive data is stored on optical storage.
The retention period for archives is three years.

Physical Security

The CA issuing machine is:
– a dedicated machine
– not connected to any network
– located in a secure environment accessible only by the CA administrator
– configured to have its private key and pass phrase stored on optical storage and locked in a safe

Technical Security

– Key Generation
– Key Restriction
– Certificate Restriction
– CRL Policy

Key Generation

Private keys are generated by the browser on the user's machine. The CA never generates a private key on a user's behalf. The CA has no access to users' private keys.

Key Restriction

Key Length:
– ASGCCA private key is 2048 bits
– User private key must have at least 1024 bits
– Host private key must have at least 1024 bits
– Service private key must have at least 1024 bits

Pass phrase:
– The pass phrase of the CA's private key is at least 15 characters
– The pass phrase of an end entity's private key is at minimum 8 characters
– The pass phrase must be protected from others

Certificate Restriction

Certificate Lifetime:
– ASGCCA certificate is five years
– user certificate is one year
– host certificate is one year
– service certificate is one year

A user certificate should not be shared.
Certificates issued by ASGCCA must not be used for financial transactions.

CRL Policy

– The lifetime of the CRL is 30 days
– The CRL is updated immediately after every revocation
– The CRL is reissued 7 days before expiration even if there have been no revocations
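The key-length, pass-phrase, certificate-lifetime and CRL parameters from the three slides above are small enough to encode as a policy check that a CA operator or relying party could run against a certificate's metadata. The Python below is an added example, not ASGCCA tooling: the constants are transcribed from the slides, and the policy functions report whether a given key, pass phrase or validity period conforms and when the next CRL must be issued under the 30-day / 7-day rule. Dates are passed as ISO strings so the example runs without any third-party library; treating "one year" as a calendar year (with 29 February rolling to 28 February) and working at day granularity are assumptions.

```python
"""ASGCCA key, lifetime and CRL policy from the slides, as a checker.
Added example, not ASGCCA code; dates are ISO strings (YYYY-MM-DD)."""
from datetime import date, timedelta

# Policy constants transcribed from the Key Restriction, Certificate Restriction
# and CRL Policy slides.
MIN_KEY_BITS = {"ca": 2048, "user": 1024, "host": 1024, "service": 1024}
MIN_PASSPHRASE_CHARS = {"ca": 15, "user": 8, "host": 8, "service": 8}
MAX_LIFETIME_YEARS = {"ca": 5, "user": 1, "host": 1, "service": 1}
CRL_LIFETIME = timedelta(days=30)
CRL_REISSUE_BEFORE_EXPIRY = timedelta(days=7)


def _add_years(d: date, years: int) -> date:
    """Calendar-year addition; a 29 February start lands on 28 February (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def key_ok(kind: str, bits: int) -> bool:
    """Key length meets the minimum for this certificate kind."""
    return bits >= MIN_KEY_BITS[kind]


def passphrase_ok(kind: str, passphrase: str) -> bool:
    """Pass-phrase length meets the minimum for this certificate kind."""
    return len(passphrase) >= MIN_PASSPHRASE_CHARS[kind]


def lifetime_ok(kind: str, not_before: str, not_after: str) -> bool:
    """Validity period is non-empty and no longer than the slide allows."""
    start, end = date.fromisoformat(not_before), date.fromisoformat(not_after)
    return start < end <= _add_years(start, MAX_LIFETIME_YEARS[kind])


def crl_next_update(this_update: str) -> str:
    """nextUpdate for a CRL issued on this_update: 30 days later."""
    return (date.fromisoformat(this_update) + CRL_LIFETIME).isoformat()


def crl_reissue_due(this_update: str) -> str:
    """Scheduled reissue date: 7 days before the current CRL expires."""
    due = date.fromisoformat(this_update) + CRL_LIFETIME - CRL_REISSUE_BEFORE_EXPIRY
    return due.isoformat()


def crl_needs_reissue(today: str, this_update: str, last_revocation: str = "") -> bool:
    """Reissue immediately after any revocation later than thisUpdate, otherwise
    on the scheduled date; day granularity only, so a same-day revocation is
    assumed to be already covered by the current CRL."""
    if last_revocation and date.fromisoformat(last_revocation) > date.fromisoformat(this_update):
        return True
    return date.fromisoformat(today) >= date.fromisoformat(crl_reissue_due(this_update))


def policy_violations(kind: str, bits: int, passphrase: str,
                      not_before: str, not_after: str) -> list:
    """Collect every slide rule the given certificate parameters break."""
    problems = []
    if not key_ok(kind, bits):
        problems.append(f"{kind} key is {bits} bits, minimum is {MIN_KEY_BITS[kind]}")
    if not passphrase_ok(kind, passphrase):
        problems.append(f"{kind} pass phrase is {len(passphrase)} characters, "
                        f"minimum is {MIN_PASSPHRASE_CHARS[kind]}")
    if not lifetime_ok(kind, not_before, not_after):
        problems.append(f"{kind} lifetime {not_before}..{not_after} exceeds "
                        f"{MAX_LIFETIME_YEARS[kind]} year(s)")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user certificate request that breaks all three rules.
    for p in policy_violations("user", 512, "short", "2003-06-13", "2005-06-13"):
        print("violation:", p)
    print("CRL issued 2003-06-13 expires", crl_next_update("2003-06-13"),
          "and is due for reissue on", crl_reissue_due("2003-06-13"))
```

The reissue check separates the two triggers on the CRL slide: a revocation forces a new CRL at once, while the 7-day margin before expiry guarantees relying parties always hold a CRL whose nextUpdate is still in the future when they fetch the replacement.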

Staff Contact Information

Su, Howard
Phone:
Fax:
Mail Box: Nankang PO BOX 1-8, Taipei, Taiwan
Address: 128, Sec. 2, Academic Rd., Nankang, Taipei, Taiwan 11529

Related Information

Homepage –
CP/CPS:
– Latest version: 1.5
– OID:
– Follows the RFC 2527 structure
ASGCCA certificate –
CRL –

The End