Presentation is loading. Please wait.

Presentation is loading. Please wait.

Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;

Published byEmory Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;"— Presentation transcript:

1 Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation; 1 Armenian e-Science Foundation; 2 Yerevan Physics Institute; 2 Yerevan Physics Institute; 3 Student at Department of Computer Science and Informatics, State 3 Student at Department of Computer Science and Informatics, State Engineering University of Armenia; Engineering University of Armenia; 4 Student at Department of Applied Mathematics, Yerevan State University 4 Student at Department of Applied Mathematics, Yerevan State University Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

2 Armenian e-Science Foundation http://www.escience.am Non-profit Institution, established in 2002. Goals - introduction and dissemination of the e-Science technologies in Armenian scientific, educational and other organizations. Sponsors: Swiss “Fonds Kidagan”; Caloust Gulbenkian Foundation; “Link Ltd” software developing company (http://www.link.am);http://www.link.am “Lans Ltd” computer hardware vending company (http://www.lans.am);http://www.lans.am “Web” Internet Service Provider (http://www.web.am).http://www.web.am Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

3 ArmeSFo Certification Authority http://www.escience.am/ca One of the main objectives of ArmeSFo is the deployment of the Grid infrastructures in Armenia. ArmeSFo CA is an Armenian Certification Authority maintained by ArmeSFo as a courtesy service to the Armenian Grid community. ArmeSFo CA is managed by the ArmeSFo team of the Yerevan Physics Institute ( http://www.yerphi.am ). http://www.yerphi.am Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

4 CA CP/CPS The document is based on the following sources: [RFC 2527], [RFC3280], [DOE CP/CPS], [DutchGrid CP/CPS], [INFN CP/CPS], [Grid-Ireland CP/CPS], [LIP CP/CPS], [UK CP/CPS], [EuroPKI CP], [ASGCCA CP/CPS], [CERN CP/CPS]. Ara A. Grigoryan Object Identifier: 1.3.6.1.4.1.17306.8.1.0.1 01 December 2003, Version 0.1 (Draft-B) http://www.escience.am/ca/policy/ Grid CA meeting, Dublin, December 11 th 2003

5 CA Distinguished Names Scheme Common fixed component: C=AM, O=ArmeSFo Examples of the Distinguished Names: For issuer: C=AM, O=ArmeSFo, CN=ArmeSFo CA For persons: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=Artem Harutyunyan For servers: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=aligrid.yerphi.am For grid hosts: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=host/aligrid.yerphi.am For services: C=AM, O=ArmeSFo, O= YerPhI, OU=Experimental Department, CN=ldap/aligrid.yerphi.am Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

6 CA Certificates Extensions Eight X.509 extension entries/attributes: basicConstraints (critical), keyUsage (critical), subjectKeyIdentifier, authorityKeyIdentifier, subjectAltName, issuerAltName, certificatePolicies, crlDistributionPoints Five Netscape extension entries/attributes: nsCertType, nsBaseUrl, nsCaPolicyUrl, nsComment, nsCaRevocationUrl Three sets of extensions (three sets of attribute values): 1. ArmeSFo CA user certificate extensions; 2. ArmeSFo CA server/host and service certificate extensions; 3. ArmeSFo CA root certificate extensions; Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

7 CA Root Certificate Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 URL: http://www.escience.am/ca/http://www.escience.am/ca/ Self-signed Certificate Subject DN=Issuer DN: C=AM, O=ArmeSFo, CN=ArmeSFo CA Date of issuance: 01.12.2003 Life time: 1096 days Key length: 2048 bits MD5 Fingerprint: 63:B3:08:9F:57:76:4A:B0:FC:D2:3D:26:15:14:CA:E7 Hash value: d0c2a341

8 CA End Entity Certificates Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Life time: Not more than 1 year Key length: At least 1024 bits Authentication of the entity’s identity: For person requesting a certificate: In person presentation of valid official identification document For server/host/service: Request is sent by e-mail, signed by a valid ArmeSFo CA certificate of the corresponding system administrator Public key delivery to ArmeSFo CA: Signed e-mail, FDs, CDROMs

9 CA Certificate Revocation List Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 URI: http://www.escience.am/ca/crl.pemhttp://www.escience.am/ca/crl.pem CRL issuance frequency: The maximum (minimum) lifetime of the CRL is 30 (7) days; CRL is updated immediately after every revocation; CRL is reissued at least 7 days before expiration Circumstances for revocation:  The private key has been lost or compromised;  The information in the certificate is suspected to be inaccurate;  The subscriber has failed to comply with the rules of ArmeSFo CA CP/CPS;  The system to which the certificate has been issued has been retired.  The subscriber of the certificate has ceased his relation with organization;  At subscriber’s request

10 CA Security Standards Private key security:  Protected by strong (at least 16 characters) pass-phrase;  Kept encrypted in multiple copies in FDs and CDROMS stored in secure places Computer security:  Operating systems of the ArmeSFo CA computers are maintained at a high level of security by applying all recommended and applicable patches;  Operating systems configuration is reduced to the base minimum;  Signing machine is kept in a safe and powered off between uses. Only the ArmeSFo CA personnel have access to the safe’s keys. Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003

11 CA Signing Machine Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Location: Yerevan Physics Institute

12 CA Recorded and Archived Events Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Types of events recorded:  Certification requests;  Issued certificates;  Revocation requests;  Issued CRLs;  CA machine boots/logins/logouts. Types of events archived:  Certification requests;  Issued certificates;  Revocation requests;  Issued CRLs;  CA machine boots/logins/logouts;  All electronic messages sent to and by the ArmeSFo CA.

13 CA Personnel Control Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Background, qualification and experience requirements: The ArmeSFo CA personnel is recruited from the ArmeSFo team of the Yerevan Physics Institute. The recruited persons are familiar with the importance of PKI and are technically and professionally competent. Documentation supplied to personnel:  Copy of the ArmeSFo CA CP/CPS;  The ArmeSFo CA Operations Manual.

14 CA Personnel Ara A. Grigoryan Arsen Hayrapetyan Artem Harutyunyan Grid CA meeting, Dublin, December 11 th 2003 3-year experience of the work on the Grid issues, including certification (AliEn)

15 CA Contact Details Ara A. Grigoryan Grid CA meeting, Dublin, December 11 th 2003 Address for operational issues: Yerevan Physics Institute 2, Brothers Alikhanian Str. 375036 Yerevan Armenia Phone: (+ 3741) 341500; Fax:(+ 3741) 350030 Email: ca@escience.amca@escience.am Contact persons: Ara A. Grigoryan (aagrigor@jerewan1.yerphi.am)aagrigor@jerewan1.yerphi.am Artem Harutyunyan (hartem@moon.yerphi.am)hartem@moon.yerphi.am Yerevan Physics Institute 2, Brothers Alikhanian Str. 375036 Yerevan Armenia Phone: (+ 3741) 341500; Fax: (+ 3741) 350030

Download ppt "Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;"

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Introduction of Grid Security

Introduction of Grid Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
Grid Computing Basics From the perspective of security or An Introduction to Certificates.

Grid Computing Basics From the perspective of security or An Introduction to Certificates.
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.
AQA Computing A2 © Nelson Thornes 2009 Section 6.4 1 Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.

AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Brazilian Grid Certification Authority.

Similar presentations

Ads by Google