Community PKIs Initiatives Updates
TF-EMC2 Meeting, Loughborough, UK, 6-7 May, 2009
Licia Florio, TERENA

Slide 2: Aim of the work item
› Overseeing the patterns of usage and emerging technologies that might be relevant to support NREN services;
› Proposing enhancements for the current PKI services;
› Promoting the current PKI services to other communities

Slide 3: PKI Initiatives
› SCS service:
  › Soon to be known as TCS;
› TERENA MICS/SLCS Pilot Service Project
› TACAR

Slide 4: TERENA Certificates Service

Slide 5: SCS → TCS
› Current SCS:
  › Provided by GlobalSign BV;
  › Only SSL server certs;
  › More than certs issued;
  › Operating till March 2010;
› New SCS service:
  › Comodo CA;
  › Expected to start in May 2009;
› Model:
  › Yearly flat fee per NREN;
  › TERENA contractual party;
  › A dedicated TERENA sub-CA;
› NRENs participating can also buy client certificates and code-sign certificates:
  › Upon an extra flat fee;
› TCS: TERENA Certificate Services

Slide 6: Who is in SCS
› Participants:
  › Switzerland out;
  › Greece and Finland will now participate.

Slide 7: What has been done
› Lots of work spent on certificate profiles:
  › Finally ready since last Friday;
  › Profiles also for eScience server and client certs;
› Test CA to be expected in 10 days;
  › To test certificates and interfaces;
› Writing CPS for the TERENA sub-CA:
  › First version of the CPS will only cover SSL server certs;
  › Later client and code signing cert procedures will be addressed.

Slide 8: What’s next
› Test phase:
  › Two weeks period for the test;
› Launching the SSL server certs:
  › Available for all NRENs participating;
› More work on the API:
  › The current prototype does not cover client and code signing certs;
› Accreditation with the EuGridPMA

Slide 9: A new PKI Service

Slide 10: TERENA MICS/SLCS Pilot Service Project
› Aim:
  › Establish a shared SLCS/MICS pilot service for the (European) eScience Grid community, under the TERENA umbrella.
› SLCS/MICS CA serving all countries participating;
› EuGridPMA Accreditation;
› Allow for scalability;
› The service will issue X.509 certs to persons
  › No hosts

Slide 11: Grid CA Management
› Grid uses X.509 certs as authN credential;
› Three types of certs are possible:
  › Classic
  › Short Lived Credential Service (SLCS)
  › Member Integrated Credential Service (MICS)
› Grid CAs have to be accredited by the IGTF:
  › EuGridPMA (Europe)
  › TAGPMA (Americas)
  › APGridPMA (Asia-Pacific)

Slide 12: What are SLCS/MICS certs?
› Vetting process and cert lifetime different:
› Classic:
  › Face-to-face verification of end-entities needed
  › Manual RA level
  › Cert validity: 13 months, but renewal of certs possible without new face-to-face validation.
› SLCS/MICS:
  › Vetting process relies on existing AAI framework;
  › User authenticates to the CA using an existing electronic identity
  › This identity is mapped into a Grid cert
  › SLCS certs are valid for 10 days;
  › MICS certs are valid for 13 months;

Slide 13: Benefit of EU SLCS/MICS Service
› How many SLCS-CAs does Europe need ;)
› Share operational cost and effort (!)
› Continued operational PKI skills only needed at one place;
› For countries with limited resources very attractive;

Slide 14: More about the service
› Use a specific federation attribute to decide on SLCS or MICS eligibility
  › According to the rules defined by the EuGridPMA SLCS/MICS profiles

Slide 15: Who is involved?
› UNINETT
  › Jan Meijer, project management: Project Description, CPS
  › Henrik Austad: Confusa development
› SURFnet
  › Teun Nijssen, Tilburg University
  › CA + SLCS/MICS server ops, CPS, EuGridPMA accreditation maintenance
› Sunet
  › Leif Johanssen: Federation issues
› TERENA
  › Licia Florio: Contractual party
› Denmark, Finland, the Netherlands, Norway and Sweden:
  › Until Dec 2009
› From Jan 2010 other countries/NRENs may join

Slide 16: Status
› Project description almost ready:
  › Financial model not fully defined yet;
› Work on the CPS:
  › Presentation at the next EuGridPMA in May
› Start operations in June:
  › Quite optimistic ;-)

Slide 17: TACAR

Slide 18: New Developments
› TACAR will also be used to host GN3 root CAs:
  › So far only a couple;
  › But more are expected in the future;
› TACAR still being used as IGTF official repository;
› Working with Massimiliano Pala:
  › To use TACAR for the PKI Resources Query Protocol (PRQP):
    › to provide a standardised way to query PKI repositories to gather info on CAs;
› New UI:
  › Different way to update info;
  › Different policy;