
QuoVadis accreditation with EuGridPMA Alessandro Usai


Slide 1: QuoVadis accreditation with EuGridPMA
Alessandro Usai, alessandro.usai@switch.ch

Slide 2 (© 2008 SWITCH): So who are they (where are you going :)?
- The company was founded in 1999 with backing from a venture capital affiliate of the Zurich Financial Services Group.
- The company later underwent a management buyout and subsequent private equity investment from ABRY Partners.
- QuoVadis is a member of the CA/Browser Forum and contributed to the creation of the standards for Extended Validation certificates.
- QuoVadis is based in Bermuda, with offices in Switzerland, the UK, Holland and New Zealand; they will also open a second data centre in Zurich in November this year.

Slide 3: QuoVadis current business profile
QuoVadis' accreditations (yearly audits):
- Qualified Certification Service Provider (CSP) in the Netherlands, granted by the Independent Post and Telecommunications Authority (OPTA), based on a certification by the British Standards Institute (BSI) using the TTP.NL Scheme for Certification Authorities.
- Qualified CSP in Switzerland, granted by BAKOM (Bundesamt für Kommunikation, i.e. the Federal Office of Communications, OFCOM), based on a certification by KPMG using ETSI (European Telecommunications Standards Institute) TS 101 456 and other related standards.
- Authorised CSP in Bermuda, based on that country's Electronic Transactions Act.
- WebTrust for Certification Authorities and WebTrust for Extended Validation (by Ernst & Young).

Slide 4: QuoVadis as a CA
- They currently have three root CAs (one CP/CPS for Root CA 1 and Root CA 3, and a separate one for Root CA 2).
- SWITCH will be linked to Root CA 1 (the one with a 2048-bit key).
- What does the CP/CPS look like? http://www.quovadisglobal.bm/~/media/Files/Repository/QV_RCA1_RCA3_CPCPS_V4_5.ashx
- Important points to notice: hardware, security procedures and auditing comply with the EuGridPMA requirements. In particular:
  - An HSM for the Issuing CA providing at least FIPS Level 3 and/or EAL 4 security standards for both the generation and the maintenance of all Root and Issuing CA private keys.
  - Physical controls, procedural controls, personnel controls, audit logging procedures, records archival, key changeover, compromise and disaster recovery.

Slide 5: The QuoVadis CA certificate hierarchy
QuoVadis Root Certification Authority (2048 bits, 2001–2021)
    QV Schweiz ICA (2048 bits, 2006–2016)
        QuoVadis standard user certificates (1/2/3 y)
    QuoVadis Grid ICA (2048 bits, 2008–2018)
        QuoVadis Grid user and server certificates (1 y)
QuoVadis Root CA 2 (4096 bits, 2006–2031)
    QuoVadis Global SSL ICA (2048 bits, 2007–2017)
        QuoVadis Business SSL server certificates (1/2/3 y)
        QuoVadis EV SSL server certificates (1/2 y)

Slide 6: What will the grid certificates look like?
Notice in particular that:
- common prefix for all Grid certs: DC=com, DC=quovadisglobal, DC=grid
- prefix for SWITCH user certs: DC=com, DC=quovadisglobal, DC=grid, DC=switch, OU=users
- prefix for SWITCH server certs: DC=com, DC=quovadisglobal, DC=grid, DC=switch, OU=hosts
Examples follow: a user certificate, a host certificate and the Issuing CA certificate.

Slides 7–8: EE Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 31 (0x1f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Grid Issuing CA
        Validity
            Not Before: Aug 26 08:41:25 2008 GMT
            Not After : Aug 26 08:41:25 2009 GMT
        Subject: DC=com, DC=quovadisglobal, DC=grid, DC=switch, DC=users, O=SWITCH, CN=Alessandro Usai
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.8024.0.1          (-> Root CA 1 id)
                Policy: 1.2.840.113612.5.2.2.1.4      (-> IGTF Classic Profile)
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                email:alessandro.usai@switch.ch
            X509v3 Subject Key Identifier:
                7A:5E:63:A9:B3:10:3B:CF:45:60:59:ED:61:59:DE:8B:A4:9A:BE:C9
            X509v3 Authority Key Identifier:
                keyid:42:E6:13:39:8B:3A:41:66:EA:40:C1:0B:81:CE:10:F7:DA:71:74:B9
            X509v3 CRL Distribution Points:
                URI:http://crl.quovadisglobal.com/qvgica.crl
            Authority Information Access:
                CA Issuers - URI:http://trust.quovadisglobal.com/qvgica.crt
    Signature Algorithm: sha1WithRSAEncryption
        …
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Slides 9–10: Host Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33 (0x21)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Grid Issuing CA
        Validity
            Not Before: Aug 27 08:33:18 2008 GMT
            Not After : Aug 27 08:33:18 2009 GMT
        Subject: DC=com, DC=quovadisglobal, DC=grid, DC=switch, DC=hosts, O=SWITCH, CN=server.switch.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.8024.0.1
                Policy: 1.2.840.113612.5.2.2.1.4
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Authority Key Identifier:
                keyid:42:E6:13:39:8B:3A:41:66:EA:40:C1:0B:81:CE:10:F7:DA:71:74:B9
            X509v3 Subject Key Identifier:
                7A:5E:63:A9:B3:10:3B:CF:45:60:59:ED:61:59:DE:8B:A4:9A:BE:C9
            X509v3 CRL Distribution Points:
                URI:http://crl.quovadisglobal.com/qvgica.crl
            Authority Information Access:
                CA Issuers - URI:http://trust.quovadisglobal.com/qvgica.crt
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:server.switch.ch
    Signature Algorithm: sha1WithRSAEncryption
        …
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Slides 11–12: Issuing CA Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Root Certification Authority
        Validity
            Not Before: Aug 26 17:01:51 2008 GMT
            Not After : Aug 24 17:01:51 2018 GMT
        Subject: C=BM, O=QuoVadis Limited, CN=QuoVadis Grid Issuing CA (or ICA?)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Authority Key Identifier:
                keyid:AD:0B:3E:70:61:2D:D2:8F:F0:E7:4F:DD:1D:DF:F1:32:70:CD:D6:37
            X509v3 Subject Key Identifier:
                42:E6:13:39:8B:3A:41:66:EA:40:C1:0B:81:CE:10:F7:DA:71:74:B9
            X509v3 CRL Distribution Points:
                URI:http://crl.quovadisglobal.com/qvrca.crl
            Authority Information Access:
                CA Issuers - URI:http://trust.quovadisglobal.com/qvrca.crt
    Signature Algorithm: sha1WithRSAEncryption
        …
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Slide 13: SWITCH requirements/feedback
- Certificate lifetime of at least ten years for the Issuing CA.
- End entity and server certificate lifetime of no more than 13 months.
- Any further certificate policies extension in the Issuing CA certificate must not include a URI.
- No intermediate certificate with a key longer than 2048 bits (Root CA 1).
- The Issuing CA CRL lifetime will be at least 7 days.
- No OCSP (Online Certificate Status Protocol) responder URI in the Grid certificates, at least initially.
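The DN prefixes on slide 6 and the end-entity rules on slide 13 can be turned into a mechanical profile check that a relying party or the RA can run over the `openssl x509 -text` output shown on slides 7 to 10. The script below is an added example, not code from the slides, from SWITCH or from QuoVadis. It assumes the DC=users / DC=hosts subject form that appears in the sample dumps (slide 6 writes OU=), treats "RSA key of at least 2048 bits" as an assumed end-entity rule (the slides only state the 2048-bit limit for intermediates), and uses a constructed non-compliant host certificate with a placeholder OCSP host to show what a failure report looks like.

```python
"""Check an openssl-style certificate text dump against the SWITCH grid profile.

Added example (not from the slides, SWITCH or QuoVadis). Parses the
`openssl x509 -text` layout and applies the end-entity rules of slides 6 and 13.
"""
import calendar
import re
from datetime import datetime

GRID_PREFIX = "DC=com, DC=quovadisglobal, DC=grid, DC=switch"
IGTF_CLASSIC_OID = "1.2.840.113612.5.2.2.1.4"   # IGTF Classic profile OID, as on slide 8
GRID_ICA_CN = "CN=QuoVadis Grid Issuing CA"

# Constructed sample mirroring the user certificate of slides 7-8 (modulus and PEM elided).
SAMPLE_USER_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 31 (0x1f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BM, O=QuoVadis Limited, CN=QuoVadis Grid Issuing CA
        Validity
            Not Before: Aug 26 08:41:25 2008 GMT
            Not After : Aug 26 08:41:25 2009 GMT
        Subject: DC=com, DC=quovadisglobal, DC=grid, DC=switch, DC=users, O=SWITCH, CN=Alessandro Usai
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.8024.0.1
                Policy: 1.2.840.113612.5.2.2.1.4
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                email:alessandro.usai@switch.ch
            X509v3 CRL Distribution Points:
                URI:http://crl.quovadisglobal.com/qvgica.crl
            Authority Information Access:
                CA Issuers - URI:http://trust.quovadisglobal.com/qvgica.crt
"""

# Constructed non-compliant host certificate derived from the sample above:
# two-year lifetime, 1024-bit key, an OCSP URI (placeholder host) and user-style EKU/SAN.
SAMPLE_BAD_HOST_CERT = (
    SAMPLE_USER_CERT
    .replace("Not After : Aug 26 08:41:25 2009 GMT", "Not After : Aug 26 08:41:25 2010 GMT")
    .replace("DC=users, O=SWITCH, CN=Alessandro Usai", "DC=hosts, O=SWITCH, CN=server.switch.ch")
    .replace("(2048 bit)", "(1024 bit)")
    .replace("CA Issuers - URI:http://trust.quovadisglobal.com/qvgica.crt",
             "CA Issuers - URI:http://trust.quovadisglobal.com/qvgica.crt\n"
             "                OCSP - URI:http://ocsp.example.invalid/")
)


def field(dump, name):
    """Return the value of a single-line 'Name: value' entry, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.+)$", dump, re.M)
    return m.group(1).strip() if m else None


def extension(dump, name):
    """Return the more-indented value lines below an extension header, joined by spaces."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(name + ":"):
            indent = len(line) - len(line.lstrip())
            values = []
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                values.append(nxt.strip())
            return " ".join(values)
    return None


def parse_time(text):
    """Parse the openssl validity format, e.g. 'Aug 26 08:41:25 2008 GMT'."""
    return datetime.strptime(" ".join(text.replace("GMT", "").split()), "%b %d %H:%M:%S %Y")


def add_months(dt, months):
    """Calendar-aware month addition; the day is clamped to the target month's length."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def check_grid_cert(dump):
    """Apply the end-entity rules to one text dump; returns {rule name: passed}."""
    subject = field(dump, "Subject") or ""
    issuer = field(dump, "Issuer") or ""
    not_before, not_after = parse_time(field(dump, "Not Before")), parse_time(field(dump, "Not After"))
    bits = re.search(r"RSA Public Key: \((\d+) bit\)", dump)
    is_host = subject.startswith(GRID_PREFIX + ", DC=hosts")
    is_user = subject.startswith(GRID_PREFIX + ", DC=users")
    eku = extension(dump, "X509v3 Extended Key Usage") or ""
    san = extension(dump, "X509v3 Subject Alternative Name") or ""
    return {
        "issuer_is_grid_ica": issuer.endswith(GRID_ICA_CN),
        "subject_prefix": is_host or is_user,                       # slide 6 DN prefixes
        "lifetime_le_13_months": not_after <= add_months(not_before, 13),   # slide 13
        "rsa_at_least_2048": bits is not None and int(bits.group(1)) >= 2048,  # assumed rule
        "igtf_classic_policy": IGTF_CLASSIC_OID in (extension(dump, "X509v3 Certificate Policies") or ""),
        "key_usage": (extension(dump, "X509v3 Key Usage") or "") == "Digital Signature, Key Encipherment",
        "no_ocsp_uri": "OCSP" not in (extension(dump, "Authority Information Access") or ""),  # slide 13
        "eku_matches_type": ("TLS Web Server Authentication" if is_host else "TLS Web Client Authentication") in eku,
        "san_matches_type": san.startswith("DNS:" if is_host else "email:"),
    }


def failures(dump):
    """Sorted names of the rules a dump fails; an empty list means compliant."""
    return sorted(rule for rule, ok in check_grid_cert(dump).items() if not ok)


if __name__ == "__main__":
    for label, dump in (("user", SAMPLE_USER_CERT), ("bad host", SAMPLE_BAD_HOST_CERT)):
        print(label, "->", failures(dump) or "compliant")
```

The same `field`/`extension` helpers apply unchanged to the Issuing CA dump on slides 11 and 12, where the rules to check would instead be the ten-year minimum lifetime, the 2048-bit key ceiling and the absence of a URI in any further policy extension.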

Slide 14: What will change?
- The SwissSign hierarchy was cumbersome; e.g. we will not need a safe in a bank any more :)
- Less hassle, as we will NOT have the email field in the certificate DNs.
What will not change?
- The SWITCH SLCS CA is not affected by the transition!
- The RA management will remain the same.

Slide 15: QuoVadis timeline
QuoVadis CP/CPS and Issuing CA: the process for the Issuing CA and the update of the CP/CPS will be roughly as follows:
- Draft of the initial proposed updates to the CP/CPS over the next few weeks.
- Agreement with QuoVadis on the technical specifications for the Issuing CA and the end user/device certificates (this includes OIDs etc.).
- Build of the Issuing CA and first tests: as an estimate, the Issuing CA should be built by the end of the year.
- Final updates to the CP/CPS and formal approval by the QuoVadis PMA (dependent on the building of the Issuing CA, but quick in principle).
- Submission of the CP/CPS for approval by the EUGridPMA.

Slide 16: EUGridPMA accreditation timeline
- Can we start with the review of the current CP/CPS? Any volunteers as reviewers?
- Start the real review when the CP/CPS document is approved by QuoVadis.
- We would like to be accredited by May 2009 at the latest (in Zurich), but if possible by January 2009 at the EUGridPMA meeting in Cyprus.
- A representative of QuoVadis might attend the meeting in Cyprus, if this is deemed useful.
