
TERENA Certificate Service (TCS) 2 August 2011. Slide 2 ›TCS is a competitively tendered bulk-buy contract between TERENA and Comodo Limited on behalf.


Slide 1: TERENA Certificate Service (TCS), 2 August 2011

Slide 2: Background
› TCS is a competitively tendered bulk-buy contract between TERENA and Comodo Limited on behalf of NRENs.
› Allows participating NRENs to issue unlimited numbers of certificates for a flat fee (EUR 7.2-11.7K per year).
› TERENA member NRENs in Europe, Central Asia, the Middle East and North Africa are eligible.
› Uses a commercially trusted CA (AddTrust/UTN-USERFirst), with dedicated sub-CAs established for each TCS certificate type.
› TCS expands on the old SCS (provided by GlobalSign) by offering client and code-signing certificates in addition to SSL certificates.

Slide 3: Certificate Types
› Five types of certificate available:
  › Server Certificate - for authenticating servers and establishing secure sessions with end clients.
  › e-Science Server Certificate - for authenticating Grid hosts and services. These are IGTF compliant.
  › Personal Certificate - for identifying individual users and securing e-mail communications.
  › e-Science Personal Certificate - for identifying individual users accessing Grid services. These are IGTF compliant.
  › Code-signing Certificate - for authenticating software distributed over the Internet.

Slide 4: Service Details
› Comodo contract runs from 1 July 2009 until 31 June 2012, with an option to extend for a further 2 years.
› It is a full service:
  › Server certificates available since 1 July 2009.
  › Personal and eScience Personal certificates available since 5 February 2010.
  › Code-Signing certificates available since 1 June 2010.
  › eScience Server certificates available since 1 October 2010.
› Currently 26 of 39 NRENs are using the service, but …
  › How they implement it is a national decision.
  › Not all currently offer all certificate types.

Slide 5: eScience Certificates
› eScience variants come free when NRENs subscribe to the TCS Server and/or Personal certificate types.
› Grid certificates have specific requirements:
  › Maximum validity of 13 months.
  › Attribute values restricted to 7-bit ASCII.
  › Bound to only one end entity.
› TCS eScience Personal Certificates:
  › IGTF profile "Member Integrated X.509 PKI Credential Services (MICS)"
  › EUGridPMA accreditation received in January 2010
› TCS eScience Server Certificates:
  › IGTF profile "Classic X.509 CAs with secured infrastructure"
  › EUGridPMA accreditation received in August 2010
› Thanks to Jan Meijer, Milan Sova and David Groep, who guided the accreditation process with EUGridPMA.
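The three Grid requirements on this slide (13-month validity, 7-bit ASCII attribute values, one end entity per certificate) are the kind of thing an RA front end should check before submitting a request. The following is an added example, not code from TCS, Comodo or the presentation: it runs the checks over already-parsed certificate fields held in a plain dict (the dict layout, the calendar-month interpretation of "13 months", and the reading of "one end entity" as a single CN with no extra or wildcard subjectAltNames are all assumptions made here).

```python
from calendar import monthrange
from datetime import datetime

MAX_VALIDITY_MONTHS = 13  # limit quoted on slide 5 for Grid (IGTF) certificates

def add_months(dt, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))

def is_7bit_ascii(value):
    return all(ord(ch) < 128 for ch in value)

def igtf_precheck(cert):
    """Return the list of profile violations for an already-parsed certificate.

    `cert` is a plain dict (the layout is an assumption for this example) holding
    the fields any X.509 parser gives you: not_before/not_after, the subject as
    (attribute, value) pairs, and the DNS names from subjectAltName."""
    problems = []
    limit = add_months(cert["not_before"], MAX_VALIDITY_MONTHS)
    if cert["not_after"] > limit:
        problems.append(f"validity ends {cert['not_after']:%Y-%m-%d}, "
                        f"after the {MAX_VALIDITY_MONTHS}-month limit {limit:%Y-%m-%d}")
    for attr, value in cert["subject"]:
        if not is_7bit_ascii(value):
            problems.append(f"subject {attr}={value!r} is not 7-bit ASCII")
    for name in cert.get("san_dns", []):
        if not is_7bit_ascii(name):
            problems.append(f"subjectAltName {name!r} is not 7-bit ASCII")
    # "Bound to only one end entity": read here as exactly one CN, with every
    # subjectAltName naming that same host and no wildcard (an assumption).
    cns = [v for a, v in cert["subject"] if a == "CN"]
    names = set(cns) | set(cert.get("san_dns", []))
    if len(cns) != 1 or len(names) != 1 or any(n.startswith("*") for n in names):
        problems.append("does not name exactly one end entity: " + ", ".join(sorted(names)))
    return problems

# Constructed sample certificates (not real TCS data).
SAMPLE_OK = {"not_before": datetime(2011, 2, 5), "not_after": datetime(2012, 3, 5),
             "subject": [("C", "NL"), ("O", "Example University"), ("CN", "grid.example.org")],
             "san_dns": ["grid.example.org"]}
SAMPLE_BAD = {"not_before": datetime(2011, 1, 31), "not_after": datetime(2012, 3, 1),
              "subject": [("C", "FR"), ("O", "Université d'Exemple"), ("CN", "www.example.org")],
              "san_dns": ["www.example.org", "example.org"]}
```

`igtf_precheck(SAMPLE_BAD)` reports all three violations (the 31 January start date makes the 13-month limit land on 29 February 2012, so a 1 March end date is one day over), while `SAMPLE_OK` passes cleanly.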

Slide 6: Participants
[Table: NREN/Country against the certificate types offered (columns SESPEPC, i.e. one per TCS certificate type); the tick marks did not survive extraction. NRENs listed: ACOnet (AT), IUCC (IL), BELNET (BE), LITNET (LT), CARNet (HR), UoM (MT), Cyprus (CY), SURFnet (NL), CESNET (CZ), UNINETT (NO), UNI-C (DK), PSNC (PL), RedIRIS (ES), FCCN (PT), FUNET (FI), RoEduNet (RO), RENATER (FR), AMRES (RS), GRNET (GR), ARNES (SI), HUNGARNET (HU), SANET (SK), HEAnet (IE), SUNET (SE), GARR (IT), JANET(UK) (UK).]

Slide 7: Issuing Certificates
› Comodo web interface
  › Web-based interface suitable for NRENs issuing small numbers of certificates.
  › Basic and not recommended.
  › Can't be used for eScience Personal certificates, as EUGridPMA accreditation requires IdP authentication.
› Comodo API
  › Accessed via HTTPS and authenticated with username/password.
  › Instructions sent as POST parameters, with responses returned in plain text or URL-encoded.
  › Allows NRENs to develop their own custom front ends for issuing certificates.
  › Documented at http://secure.comodo.net/api/pdf

Slide 8: Djangora & Confusa
› Djangora (Django + RA)
  › Supports issuing of Server, eScience Server & Code-signing certificates.
  › Developed by Kent Engström (Linköping University) on behalf of SUNET.
  › Based on the Django Python framework & a MySQL/PostgreSQL database.
  › Web interface.
  › Source code available, can be customised by NRENs.
› Confusa (named after a flowering plant growing in Arctic regions)
  › Allows users to apply for Personal & eScience Personal certificates.
  › Developed by UNINETT and NDGF.
  › Based on PHP with a customisable web interface.
  › User authentication is undertaken through existing institutional identity providers (IdPs), normally used in conjunction with identity federations.
  › Available under the GPL licence from http://www.confusa.org/

Slide 9: TCS Portal
› Several NRENs decided to pool resources and operate a common portal for personal certificates.
› Hosted on resilient servers at Tilburg University under contract to TERENA.
› Utilises Confusa software.
› Each NREN community needs to operate at least one IdP, but multiple IdPs are supported.
› Participants: ACOnet (AT), BELNET (BE), FUNET (FI), GARR (IT), RENATER (FR), SUNET (SE), SURFnet (NL), UNI-C (DK), UNINETT (NO)
› This is now also a full service.

Slide 10: Statistics (1 July 2009 – 16 June 2011)

Type (available from)                 Total
Server (from 1 Jul 2009)             59,901
eScience Server (from 1 Oct 2010)       227
Personal (from 5 Feb 2010)            2,194
eScience Personal (from 5 Feb 2010)     844
Code-Signing (from 1 Jun 2010)           81
Overall                              63,247

Slide 11: Take-up of eScience certificates
› TERENA has not done much promotion to date.
  › Other priorities and staff resources.
  › TCS is primarily nationally oriented.
  › How best to target?
› NRENs don't see much demand, therefore don't buy into the service or actively promote it.
› Not always close cooperation between NRENs and Grid communities.
› Grid communities are reluctant to relinquish their own CAs.
› Some grid software has problems with the longer chains of trust found in TCS certificates. Not a TCS problem per se, but it gets the blame!

