NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand

2 NECTEC-GOC CA Organization GRID CA PMA CA Manager RA Operator CA Operator » GRID CA PMA: Policy Management Authority » CA Manager: Administrates all tasks on the CA system » RA Operator: » Accepts and verifies User Application form » Checks Certificate Signing Request form » Informs CA to issue certificate » CA Operator: » Issues certificates » Manages CA and RA servers » Maintains the CA system » Manages CA private key

3 Update NECTEC GOC CA Status » Accredited to be in Production Level by APGrid PMA on October » Bundled with IGTF CA distribution. » Started operation on January » Web Repository » Moved form ThaiSarn to NECTEC local network for stability better.

4 Issued Certificate Status » None has been issues certificates. » NECTEC GOC CA issues certificates to » Collaborators related to NECTEC Grid Computing research.  Computation Fluid Dynamic Grid projects.  Information Grid project.

5 Plan » NECTEC GOC CA have plans to, » Draft the CP/CPS according to RFC 3647 on October » Internal audit after drafted the CP/CPS.

6 Detail report on compliance with the latest Classic Authentication profile

7 Identity and End-Entity certificate expiration » User and Grid Host Certificate: » Subscriber meets in-person with RA Operator » RA Operator reviews and approves Application and Certificate Request according to user’s documents [CPS and 3.1.x] » RA communicate with the CA by signed s. » NECTEC GOC CA uses the re-key certificates method.

8 Operation Requirements » CA Server: » Stored in a safe deposit box, which is protected by six-digit code » Not connected to network of any sort » Located in a room, which is restricted to CA Operator during its operations » CA private key: » Key length 2048 bits and life time 10 years » Protected by passpharse 15 characters. » Backup in USB drive and stored in the safe box by CA Operator.

9 CP/CPS Identification » Current version:1.0 (October, 2006) » Object ID: » Conform to RFC 2527 (plan for draft according to RFC 3647 on October 2007) » Managed by the NECTEC GRID PMA » Changes in contents need to be approved by the NECTEC GRID PMA

10 Certificate and CRL profile (1) » CA’s Certificate: » DN: C=TH,O=NECTEC,OU=GOC,CN=NECTEC GOC CA » Signature Algorithm: sha1WithRSAEncryption. » Extensions field:  Basic constraints : critical –CA:TRUE  Key Usage : critical –digitalSignature,crlSign,keyCertSign

11 Certificate and CRL profile (2) » End-Entity Certificate » Key length are 1024 bits and life time 13 months. » Extension field:  basicConstraints : critical –CA:false  keyUsage : critical –nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment (User Certificate) –digitalSignature, keyEncipherment, dataEncipherment (Host Certificate)  PolicyIdentifier : OID (Refer CPS 1.2)  CRLDistributionPoints: URI of CRL  subjectAltnativeName : Address of User (User Certificate)  subjectAltnativeName : FQDN (Host Certificate)

12 Certificate and CRL profile (3) » Comply with RFC » CRL profile: » Basic field:  Version : 2  algorithmIdentifer : SHA1 » Extensions field:  cRLNumber : integer  distributionPointName : URI of the CRL

13 CRL » CRL validity is 30 days. » New CRL issued » 7 days before expiration of previous one. » immediately after certificate revocation. » Published in web repository.

14 Publication and Repository » NECTEC GOC CA repository consists: » CP/CPS. » CA’s Certificate (DER,CRT and PEM format). » CRL (DER,PEM and r0 format). » Application form, user guide and contact information.

15 END Any comment or suggestion?