Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi.

Published byHenry Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi."— Presentation transcript:

1 A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi NISHIMURA, Kento AIDA National Institute of Informatics, Japan 1 International Symposium on Grids & Clouds 2016 15 March 2016 Academia Sinica, Taipei, Taiwan

2 Outline Introduction Objects and Issues – Typical CA Architecture Proposals Discussions Related Works Summary 2

3 Introduction Background – Among certification authorities (CAs) in an academic PKI trust federation, most of academic organizations that operate CA install by themselves the CA equipment in their building. – It is necessary to maintain such CA equipment and to obtain the special operators. – Consequently, the high cost of CA operation weighs heavily on the CA organization. – For research institutes whose essential duties are not the CA operation, the burden on the high cost of CA operation is an earnest problem, and cost reduction with increasing the efficiency of the operation is an important issue. 3

4 Introduction (cont’d) Guiding question – How about trying for more than one operating organization to reduce cost operations? Importance of the research – We propose a method of increasing the efficiency of CA operations in cooperation between more than one CA operating organization. 4

5 Premise of the Argument We do not discuss how to build from scratch a CA that covers each research community. – Keep the independence of CA operating organization. We do not discuss the following: – Two CA operating organizations outsource CA to a commercial CA vendor and share the expenses. We discuss how to integrate existing CAs without being forced to a drastic change in order to reduce the cost of the CA operations. – From user’s point of view, CA service procedures for users should be unchanged as possible. – From operator’s point of view, the changes of CA operation procedures should be small if possible. 5

6 Typical CA Architecture CA architecture in question – Composed of IA and RA servers – IA located in a private network connects only the RA and is a dedicate machine for only signing operations. – RA connected to the public network receives the request from end-entities and conveys it to the IA. 6 Certificate Policy A IA RA End entities, Relying parties HSM

7 Certificate Policy B IA RA End entities, Relying parties Certificate Policy A IA RA End entities, Relying parties HSM Typical CA Architecture (cont’d)

8 Basic Idea Interference in certificate policies would be kept down to a minimum if each RA is independently operated as before. – The research community should have the responsibility to vet user identities. – It is difficult for one RA to vet user identities in the other community because RA operations are heavy duties. Issuing operations are the following: – Strictly management of the CA private key – Response to the requests from the RA It would be unnecessary to operate the IA at one’s own expense as long as the IA communicates reliable RAs. The integration of IAs is more better. 8

9 Certificate Policy B RA(β) End entities, Relying parties Certificate Policy A IA RA End entities, Relying parties HSM How to connect RA with outside IA How connect?

10 Proposed IA-RA Connections Direct connection – A virtual private network (VPN) connecting between RA(β) and IA. Relaying RA – Secure connection IA-RA-RA(β) on the public network. 10

11 Certificate Policy A Certificate Policy B Internet IA RA End entities RA(β) End Entities VPN Direct Connecting: VPN 11 HSM

12 Certificate Policy A Certificate Policy B Internet IA RA End entities RA(β) End Entities 12 Relaying RA HSM

13 Certificate Policy A IAd RAd Clients Certificate Policy B RAd(β) Clients Relaying RA (cont’d) 13 RAd- compat. Secure connection Sending a request to “IA” as before Receiving the request like “IA” HSM

14 Discussion on IA-RA connection Direct connecting – Advantages Unchanged I/F to users. Basically no software development. – Disadvantages Some trouble to establish a VPN. Further difficulty in connecting CA components across countries via VPN Relaying RA – Advantages Unchanged I/F to users. No difficulty with network infrastructure. – Disadvantages Software development is needed. Connection depends on the software package. 14

15 Discussion on AP There are two CA authentication profiles that enable CA to issue long-lived certificates, provided by IGTF: – Classic – MICS (Member Integrated Credential Service) An example of 4 combinations – IA and RA: MICS, RA(β): Classic – RA(β) should change from Classic RA to MICS IdM. – This basically ensure each independence of organization and does not interfere in the policy. – IA needs to go through the formalities for permit it to issue certificates to the RA(β). 15

16 Related Works RPS (Registration Practice Statement) – Discussed in IGTF – Can be considered as a subordinate document to the CPS – It is suggested that separating RAs from the CA function has benefits that are useful for more efficient trust processing of the overall system. – RPS framework would help the proposed integration model in policy arrangement. ASGC CA as real integrated CA – ASGC CA has foreign RAs such as AU, NZ, VN, PH. 16

17 Summary We considered an integration model of certificate authorities in a PKI trust federation such IGTF. We proposed two connection types between IA and RA: – Direct connecting using VPN – Relaying RA We would like to implement the proposed relaying RA model to NAREGI-CA software and perform demonstrative evaluation. We would like to consider integration procedures with RPS framework. 17

Download ppt "A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Introduction of Grid Security

Introduction of Grid Security
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
PKI Implementation in the Real World

PKI Implementation in the Real World
August 2004 Providing Industry-wide Security and Identity Management Solutions.

August 2004 Providing Industry-wide Security and Identity Management Solutions.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Public Key Infrastructure Ben Sangster February 23, 2006.

Public Key Infrastructure Ben Sangster February 23, 2006.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Similar presentations

Ads by Google