
1 EuroCAMP Ljubljana, 3-5 March 2006
TERENA Server Certificate Service
Towards the large-scale use of affordable popup-free server certificates for the European NRENs
Licia Florio, TERENA

2 EuroCAMP, 3-5 April Ljubljana licia@terena.nl
Topics
- PKI and X.509 certificates
- Motivation for the TERENA Server Certificate Project
- What is the project
- Service Characteristics
- Why join

3 PKI in short
- Public key cryptography
  - public key (encryption, signature verification)
  - private key (decryption, signing)
[Diagram: Licia encrypts the message "Dear I've arrived in Slovenia.." with Diego's pub key; Diego decrypts the ciphertext with Diego's priv key]

4 Problems
- Public Key distribution
- Building trust
- Scalability
Solution: create a hierarchical trust fabric: X.509 PKI

5 X.509 PKI Infrastructure
What are the elements
- Certification Authority (CA)
  * Certificate issuer (trusted 3rd party)
- X.509 Certificates
  * Bind the pub key to the holder
- Registration Authority (RA)
  * Identity verification
- End Entity
  * Private key holder (machine, end-user)
- Relying parties
  * Users

6 Real X.509 Certificate Usage Today
- Grid (closed community)
  - Use both server and user certs
- Web servers
  - Only server certificates
  - In many cases with the pop-up problem
- Large scale user certificate use: nowhere!

7 The Famous Pop-up: PKI Problem #1
- Caused by the issuer of the certificate not being trusted by the browsers

8 TERENA Server Certificate Service
- What is it about?
  - Service… of course ;-) in short SCS
- To issue server certificates
  - popup free
  - unlimited number
  - Very low price (price is not per certificate)
- For whom?
  - For the National Research and Education Network community in Europe

9 When SCS started
- Project started in June 2004
- European NREN PKIs around for ~7 years
  - But still not really deployed
- Anticipated growth in need:
  - AAI middleware services
  - Web-based 'stuff' (mail, e-learning, webservices etc.)
  - VPN, email
  - eduroam
- Community needs more server certificates

10 PKI Growth Problems
- Pop-up (Problem #1)
  - Typical for NREN CAs
  - Defeats the security purpose of the certificate
- Costs (Problem #2)
  - For a large number of server certificates, costs can become a problem

11 Solution 1
Fixing the pop-up problem
- Get root certificate in root repositories
- Requires WebTrust audit
- Expensive for an individual NREN PKI (~25.000 first time, annual ~25.000 for the audits, plus all the costs to follow guidelines)
  --> CA hierarchy adds to cost!
Running a CA: is that so interesting?

12 Solution 2
Fixing the costs
- Try to contract a CA already in the browser
- Flexibility in the certificate profile definitions
- Tailored RA procedures
- No per-certificate costs
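The pop-up problem from slide 7 and the two fixes from slides 11 and 12 come down to which roots the verifying client holds. The following added example (not part of the original slides) reproduces that with the `openssl` command line; the CA names, the host name `www.uni.example` and all keys are constructed for the demo, and the "browser store" is modelled as a single root file.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed for the demo.
work=$(mktemp -d)

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_root NAME CN: self-signed root CA, written to NAME.key / NAME.pem.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
        -extensions v3_ca -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_server ISSUER NAME CN: server certificate NAME.pem signed by ISSUER.
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/CN=$3" -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$work/$2.csr" -days 1 -CA "$work/$1.pem" \
        -CAkey "$work/$1.key" -CAcreateserial -out "$work/$2.pem" 2>/dev/null
}

# trusted_by STORE CERT: succeeds only if CERT chains to the root in STORE.pem.
trusted_by() {
    openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

make_root nren "Constructed NREN CA"             # root the browser does not ship
make_root browser "Constructed Browser Root"     # root already in the browser store
issue_server nren nren-www "www.uni.example"     # certificate from the NREN's own CA
issue_server browser scs-www "www.uni.example"   # certificate under the shipped root

for cert in nren-www scs-www; do
    if trusted_by browser "$cert"; then
        echo "$cert: chain verified against the browser store, no pop-up"
    else
        echo "$cert: issuer not in the browser store, the browser would warn"
    fi
done
```

Running `trusted_by nren nren-www` succeeds, which corresponds to Solution 1: the same certificate verifies once its root is in the store.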

13 Solution 2: the way forward
- 8 NRENs + TERENA combined forces (proposal launched Feb. 2005)
- Investigated market
- Investigated EU tender guidelines
- Ran a light-weight tender (start Sep 2005)
- Signed a contract (Jan 2006)
- First certificate issued on 16 March 2006!

14 Who is involved
- ACOnet (.at), CARnet (.hr), CESnet (.cz), RedIRIS (.es), RENATER (.fr), SURFnet (.nl), SWITCH (.ch), UNI-C (.dk)
- TERENA: signing party

15 Service Structure
- TERENA contracts with supplier
  - For an initial one year
  - Possibility to extend the contract
- NRENs contract with TERENA (liability!)
- NRENs are 'delegated RA' for the supplier
- TERENA appoints delegated RAs
- NRENs are responsible for delivering RA services and technical support

16 Service Features
- Re-use existing RA organisation
- Certificate profile flexibility (Grids!)
- Electronic RA procedures (under implementation)
- Easy server certificate delivery
- NREN-specific branding!

17 Benefits for the Universities
- Need server certificates to enable SSL/TLS channels
- Very low costs upon agreement with your NREN

18 How to join
- Your NREN has to join
- After June 06 we can open the service to new NRENs
  - Some NRENs are already waiting
- There is a fee to pay to join

19 Conclusion
- To make security tools a normal habit, they need to be easy to use
  - SCS is easy
- SCS proves how a 'federated' approach has solved a big problem
- We got a cool service
http://www.terena.nl/activities/tf-emc2/scs.html

