Presentation is loading. Please wait.

Presentation is loading. Please wait.

TERENA Certificate Service (TCS) September 2014. SCS,TCS,TCS-II – the ten year road to simple unlimited certificates › Back in 2004 many NRENs had set-up.

Published byWesley Little Modified over 7 years ago

Similar presentations

Presentation on theme: "TERENA Certificate Service (TCS) September 2014. SCS,TCS,TCS-II – the ten year road to simple unlimited certificates › Back in 2004 many NRENs had set-up."— Presentation transcript:

1 TERENA Certificate Service (TCS) September 2014

2 SCS,TCS,TCS-II – the ten year road to simple unlimited certificates › Back in 2004 many NRENs had set-up a CA - but these certificates issued were not trusted by web browsers (the ‘ pop-up ’ problem) ›Buying large numbers of certs one-by-one is slow, tedious, and expensive – so leads to people inventing ‘self-signed’ certs or leaving services insecure (web logins, imap, radius, …) ›So why not leverage the combined power of many to make a simple and affordable service – which is what Jan Meijer started at a TF-AACE meeting in 2004! Slide 2

3 A long (but rather successful) road Slide 3 IDEACfPcontract signed with GlobalSign Start of SCSContract renewed 2 nd CfP contract signed with Comodo Start of TCSStart TCS eScience End of SCS Contract renewed 3 rd CfP DigiCert selected as TCS partner Start of new TCS End of Comodo TCS service

4 Slide 4 NREN/CountrySPC SPC ACOnetAT  LITNETLT  - BELNETBE  UoMMT  - CARNetHR  --SURFnetNL  CyprusCY  UNINETTNO  CESNETCZ  -PSNCPL  UNICDK  -FCCNPT  -- FUNETFI  -RoEduNetRO  - RENATERFR  -AMRESRS  - GRNETGR  -ARNESSI  -- HUNGARNETHU  --RedIRISES  HEAnetIE  SUNETSE  GARRIT  -JANETUK  -- IUCCIL  -EENETEE  - Participants today

5 Slide 5 ›Five types of certificate available: ›Server Certificate - for authenticating servers and establishing secure sessions with end clients. ›e-Science Server Certificate - for authenticating Grid hosts and services. These are IGTF compliant. ›Personal Certificate - for identifying individual users and securing e-mail communications. ›e-Science Personal Certificate - for identifying individual users accessing Grid services. These are IGTF compliant. ›Code-signing Certificates - for authenticating software distributed over the Internet. Certificate Types today

6 The TCS structure ›TERENA is the ‘owner’ of the certificate services, which is procures on behalf of the participating NRENs (TERENA members) ›It sources the issuing service from a commercial CA service provider and sets the requirements ›Via the tender/RfP requirements ›Via updates to the CP/CPS ›NRENs then act as the user-facing end of the service ›They may re-brand or co-brand the service ›They can (or could) define some of the processes ›All have to agree to the same CP/CPS ›The TCS PMA controlling the CP/CPS is comprised of experts from across the community Slide 6

7 Interesting elements ›By its intention, the TCS CAs should ›Be publicly trusted in all major (mobile) systems ›Use mechanisms that scale to the European R&E community ›Don’t burden the subscribers (institutions) too much – in particular for auditing ›Preserve under TERENA’s control key elements that ensure continuity (no vendor lock-in) – for eScience, this means e.g. the subject namespace ›but of course not everything is under our control ›Changes to baseline requirements affect us ›Server certs are more tightly controlled than personal Slide 7

8 Delegated Responsibilities & Scaling

9 Built using contracts scales well to large numbers of organisations and users assurance requirements on subscribers ensure quality ID bound through legal contracts

10 Slide 10 ›Several NRENs decided to pool resources and operate common portal for personal certificates. ›Utilises mainly Confusa software (for personal) and Djangora (for server) ›Hosted on resilient servers at Tilburg University under contract to TERENA ›Some NRENs use directly the Comodo portal … and sometimes show ‘interesting’ certs as a result  ›For personal certs ›Each NREN community needs to operate at least one IdP, but multiple IdPs are supported ›Delivered only via federated mechanisms Current TCS delivery mechanisms

11 Towards a new TCS ›RfP process ›Initial market consultation to see is there was commercial interest in bidding on a future contract ›Made sure the requirements were ‘doable’ ›RfP requirements ›Explicitly include the eScience & IGTF needs ›Learn from previous experience and look forward to potential needs in the developing AAI space ›Keep an option for specific trust anchor hosting (our thinking was for things like Robots, SLCS services, STS translator services, …) Slide 11

12 The new TCS Make migration (also for eScience) easy ›Start early with pilots (about now) ›Transition period until June-2015 ›Old certs remain valid for their entire ‘life time’ (including revocation capability) ›Same namespace for subjects (but new issuing intermediates) ›We get OV (and now also EV) certs Details to be worked out over the coming months Slide 12

13 TCS for eScience certs Attempting a ‘painless’ transition ›keep the subject namespace (which is TERENA’s) /DC=org/DC=terena/DC=tcs… /C=XX/O=YY/CN=Given Surname ePPN@ishID ›intermediate and root CAs will change name, but services like VOMS can handle that ›Specific configuration hints will come through EGI ›It prevents the trouble that OSG had post-ESnet ›both hierarchies will operate in parallel ›Mid-2016 the last ‘Comodo eScience TCS’ will expire ›non-eScience server SSL certs will take till 2018 Slide 13

14 And while we’re at it ›eScience trust anchor will also be publicly trusted ›This is essential for portals that are user-facing ›Will pose some additional constraints on policy to comply with CABforum BR – but it’s worth it ›We do this today, so does not limit use cases ›Move to SHA-2 for intermediates and EECs ›In line with MS, Google Chrome and FF decisions no new SHA-1 EECs from publicly trusted CAs past 2016 allowed Slide 14

15 Transition ›We will need a revision to the CP/CPS ›aiming for January 2015 presentation ›it remains the same CA organisation (TERENA) so we consider this an update ›Two options ›Align TCS CP/CPS with supplier CP ›Extract registration practices and naming from current TCS CP/CPS and append to supplier CP/CPS (‘RPS model’) ›Keeping in mind ›eScience namespace to stay with TERENA ›leverage the public trust expertise from supplier ›don’t inadvertently shift a lot of audit requirements onto the NRENs or institutions Slide 15

16 Technical changes After presentation in January ›Security/operational audit has already been done ›DigiCertAssuredIDRootCA-Root is already in ›Plenty of external auditing done ›PMA to endorse the updates to the CP/CPS or RPS ›Introduce new intermediate trust anchors ›Additional namespace for DigiCertAssuredIDRoot ›New intermediates ›Fully operational early 2015 ›Testing is going to start soon! Slide 16

Download ppt "TERENA Certificate Service (TCS) September 2014. SCS,TCS,TCS-II – the ten year road to simple unlimited certificates › Back in 2004 many NRENs had set-up."

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
A Grid certificate in 5 minutes large scale federated automated issuing of grid certificates Jan MeijerEGEE’09 21-25 Sept 2009 Barcelona.

A Grid certificate in 5 minutes large scale federated automated issuing of grid certificates Jan MeijerEGEE’ Sept 2009 Barcelona.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
EuroCAMP Ljubljana, 3-5 March 2006 TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European.

EuroCAMP Ljubljana, 3-5 March 2006 TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
The TERENA Academic CA Repository. eIRG Meeting. Dublin, 16/04/2004 Diego R. Lopez – TF-AACE  Task Force on Authentication and.

The TERENA Academic CA Repository. eIRG Meeting. Dublin, 16/04/2004 Diego R. Lopez – TF-AACE  Task Force on Authentication and.
© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. Code Signing Distributing trustworthy software over the Internet.

© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. Code Signing Distributing trustworthy software over the Internet.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
TERENA Certificate Service (TCS) 9 June 2011. Slide 2 › Many NRENs had set-up a CA, but certificates issued were not trusted by web browsers (the ‘ pop-up.

TERENA Certificate Service (TCS) 9 June Slide 2 › Many NRENs had set-up a CA, but certificates issued were not trusted by web browsers (the ‘ pop-up.
Community Services WI TF-EMC2 VC Meeting 29 June, 2011 Licia Florio

Community Services WI TF-EMC2 VC Meeting 29 June, 2011 Licia Florio
John Dyer Business & Technology Strategist TERENA 10 February 2014 TF-MSP Meeting ACOnet, Vienna Aggregation of Demand Collaborative.

John Dyer Business & Technology Strategist TERENA 10 February 2014 TF-MSP Meeting ACOnet, Vienna Aggregation of Demand Collaborative.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Networks ∙ Services ∙ People David Groep TCS TNC2015 Workshop https://www.digicert.com/sso TCS SAML demo background June 16, 2015 TCS PMA.

Networks ∙ Services ∙ People David Groep TCS TNC2015 Workshop TCS SAML demo background June 16, 2015 TCS PMA.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.

© 2003 The MITRE Corporation. All rights reserved For Internal MITRE Use Addressing ISO-RTO e-MARC Concerns: Clarifications and Ramifications Response.
David Groep Nikhef Amsterdam PDP & Grid TERENA Certificate Service Certificates4All! David Groep standing in for Licia Florio, TERENA, using material from.

David Groep Nikhef Amsterdam PDP & Grid TERENA Certificate Service Certificates4All! David Groep standing in for Licia Florio, TERENA, using material from.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

Similar presentations

Ads by Google