Presentation is loading. Please wait.

Presentation is loading. Please wait.

Classic X.509 AP updates (v4.1)

Published byStephany Newman Modified over 6 years ago

Similar presentations

Presentation on theme: "Classic X.509 AP updates (v4.1)"— Presentation transcript:

1 The Classic X.509 Profile Update and other assorted issues David Groep, July 2007

2 Classic X.509 AP updates (v4.1)
Major points addressed in 4.1 explicit definition of what we mean with “should” FQDN “ownership” maximum 5 years without any kind of checking reformulated on-line CA architectures includes explicitly the two pre-vetted architectures keyUsage SHOULD (was MUST) be critical in CA certs compliance with Grid Certificate Profile draft (in OGF)

3 Classic v4.1 Updates (1) clearer definition of what we mean by should
FQDN ‘ownership’ A form of validation after at most five years this has been buried in very old minutes and has now been made explicit

4 Classic v4.1 Updates (2) On-line CA architectures

5 Classic v4.1 Updates (4) keyUsage extensions SHOULD be critical in a CA cert this used to be a MUST, but that would unnecessarily exclude some commercial top-level CAs (e.g., NetTrust) Compliance with Grid Certificate Profile document document is now in draft in the OGF CAOPS-WG almost finished embodies lots and lots of community knowledge on what a certificate ought to look like read it before you setup a new CA, or regenerate a root cert, or think about an end-entity certificate profile Auditing: if you re-issue without a new identity vetting, you MUST keep the original records for at least as long as there are certs based on this vetting plus the default grace period

6 Classic v4.1+ - what is still pending
Still pending for a next version some real insights in the necessary site security measures certificate/crl profile to be revised once the OGF document thereon is formally published language clarification on documented traceability in various places

7 Other (non-) contentious issues discussed in TR
CRLs for compromised CAs non-repudiation bit in keyUsage and how that relates to signing the Meaning of Locality and why to use O if you can objectSigning bits should we also address who is allowed to get this bit? should the organisation be involved (Milan)? or does it only asserts that the code was signed by this user, as is done in the UK, NL, AT and so better keep as is? Prepare the profile a bit better for Robot certificates CDP in EE certificates ought to point to a DER CRL auditable tracability in ID vetting and alternative solutions – and the meaning of SHOULD

8 the TERENA Academic CA Repository
TACAR the TERENA Academic CA Repository trusted and centralized place where root CA certs can be stored and safely retrieved which is policy-neutral (but ‘IGTF-ready’) for CAs directly managed by TERENA members belonging to a national academic PKI in member states for all CAs set-up to support not-for-profit research, in which the academic community is directly involved

9 IGTF Distribution in Other Formats
Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities formerly known as Anders’ RPM set, today also available as: JKS, tar-gz, configure && make, … usually built by the EUGridPMA (me, actually) mirrored twice-daily to the apgridpma.org site copied and re-distributed by downstream vendors (EGEE/LCG, VDT, …) also contains the fetch-crl utility (now at version 2.6.3) Download location

10 Some dates for you to remember and schedule
September 4-5, TF-EMC2 meeting, Prague, CZ September 19-21, th EUGridPMA meeting, Thessaloniki, GR October – OGF 21 CAOPS, IGTF, …, Seattle (WA), USA January 14-16, th EUGridPMA meeting, Amsterdam, NL

Download ppt "Classic X.509 AP updates (v4.1)"

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May 9 2007 CAOPS-WG session #2.

International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May CAOPS-WG session #2.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp://www.apgridpma.org/meetings/index.html Call for note takers!

4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp:// Call for note takers!
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
The CA Distribution Process David Groep, July 2007.

The CA Distribution Process David Groep, July 2007.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
TERENA TF-EMC2 Workshop David Groep, 2004.11.04

TERENA TF-EMC2 Workshop David Groep,
Updates from the EUGridPMA David Groep, July 16 st, 2007.

Updates from the EUGridPMA David Groep, July 16 st, 2007.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
National Institute of Advanced Industrial Science and Technology Some topics from the OGF20 and the EUGrid PMA F2F Meeting Yoshio Tanaka Grid Technology.

National Institute of Advanced Industrial Science and Technology Some topics from the OGF20 and the EUGrid PMA F2F Meeting Yoshio Tanaka Grid Technology.
International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May 9 2007 CAOPS-WG session #2.

International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May CAOPS-WG session #2.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Similar presentations

Ads by Google