2015/6/21 UPKI project update Yasuo Okabe Academic Center for Computing and Media Studies Kyoto University.


1 2015/6/21 UPKI project update Yasuo Okabe Academic Center for Computing and Media Studies Kyoto University

2 UPKI ― Inter-University Authentication and Authorization Platform for CSI
- Conducted by NII and the information infrastructure centers in 7 universities
- Supported by Ministry of Education, Science and Technology
[Diagram labels: Campus AAI; UPKI common specification; UPKI; University A, University B, University C; University A access point; University B access point; University B professor; University B staff; University C electronic content; University C administrative system; Wireless LAN roaming]

3 UPKI: concept
NII International Workshop on Cyber Science Infrastructure
- Targets various applications
  - SSO of Web services
  - E-mail Digital Signature/Encryption by S/MIME
  - Network Services: wireless LAN roaming and VPN
  - Grid computing
- Utilization of PKI
“U” stands for University/Universal/Ubiquitous
Deployment of Grid/PKI middleware for national academic AA infrastructure

4 Planned Schedule of UPKI
[Schedule chart; time axis: 2006 FY, 2007 FY, 2008 FY, 2009 FY and later. Labels recovered from the chart:]
- UPKI common specification: Campus PKI specification; Model design; Outsource model; Campus PKI CP/CPS template; Insource model, multi-university cooperative model
- CA software: Development of CA software package; Distribution and support for deployment of CA software package
- Applications: Wireless LAN roaming; Single Sign On to Web Services; S/MIME; Developing, deploying and fostering new applications
- UPKI Initiative: founded; Gathering common interests and opinions, and feedback; Interoperability check, knowledge transfer, publicity, tutorial works, …
- Deployment of campus PKI at each university
- Connecting universities
- Federation of applications etc.

5 Ongoing Subprojects
- Designing Common CP/CPS, Profiles, …
- Development and Deployment of “NAREGI-CA” Certificate Authority Middleware
- PKI based Applications
  - Inter-University Web SSO: SAML2.0/Shibboleth + PKI
  - Wireless LAN Roaming: 802.1X, EduRoam compatible (www.eduroam.jp)
  - VPN
  - Secure E-mail Service via S/MIME
  - Supercomputing Grid
  - etc.

6 UPKI three layer Architecture
[Diagram; surviving label: Shibboleth/SAML]

7 Subprojects by NII
- UPKI common CP/CPS [WP1]
- Public server certificate [WP2]
- Inter-University W-LAN roaming [WP3]
- SSO for Digital Library Service by NII and other universities via Shibboleth/SAML [WP4]
- Development of CA middleware [WP5]
- Deployment of S/MIME e-mail signature/encryption architecture [WP6]

8 Operation Models of CA
[Diagram of three models: Insource, Full outsource, IA outsource. Labels: Univ, provider, RA, IA, CP/CPS]

9 NAREGI: National Research Grid Initiative
- http://www.naregi.org/
- Collaboration projects among industry, academic sector and the government.

10 NAREGI Grid Middleware stack
http://www.naregi.org/concept/index_e.html#05

11 Nationwide Academic Grid Networks over SuperSINET (experimental)
[Network map labels:]
- NAREGI Grid network: AIST (Tsukuba), Kyushu I. Tech., Kyushu U., I. Molecular Sci. (Okazaki), Tokyo I. Tech., Osaka U., NII, Doshisha
- NAREGI core: NAREGI NII Cluster, NAREGI IMS Cluster
- SD 8-center Grid Computing WG network: Hokkaido U., Tohoku U., U. Tokyo, Nagoya U., Doshisha U., Kyoto U., Kyushu U.

12 NAREGI Certification Service
- CA Software (NAREGI-CA)
  - CA/RA
  - UI (Character, Web)
- Policy Management (NAREGI-PMA)
  - CP/CPS
  - Satisfy APGrid minimum requirement
- Operation (NII GOC CA)
  - Operation of CA
  - Authorized by the APGrid PMA
Production Level CA

13 NAREGI-CA
- A full-fledged CA (Certificate Authority) software for PKI
- Originally developed for Grid computing, but can be used for general purpose
- Free open source software
  - Ver2.0 (May.10.2006) is available at http://www.naregi.org/download/
- Research collaboration
  - Audit of CA: AIST, Japan
  - PMA for international cooperation: APGRID
- User Sites
  - NAREGI, AIST, Several Universities

14 Comparison among CA software

| Product name | Issue of Certif. | CRL periodical | LDAP | HSM | Multiple CA | Profile management | HW token | Operator | Logging |
|---|---|---|---|---|---|---|---|---|---|
| NAREGI CA | file, bulk, WEB, LCMP | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| OpenSSL | file | × | × | × | ○ | × | × | × | × |
| Microsoft Certificate Server | WEB, LDAP | ○ | △ (Active Directory only) | △ (Domain Controller only) | × | △ (Domain Controller only) | ○ | × | △ (Event logging) |
| Entrust Authority | CMP, bulk, LDAP, WEB, SCEP | ○ | ○ | ○ | × | ○ | ○ | ○ | ○ |

○: available, ×: not available, △: some restriction

15 NAREGI-CA Software Features
- License ID management
  - Transfer authentication responsibility to Local RA
- Grid operation extensions
  - Assistance of Grid-mapfile creation
- Dual interfaces for certificate request
  - Web & command line enrollment
- CA/RA architecture
  - Independent Registration Authority (RA) Server
- Practical CP/CPS Template

16 NAREGI-CA Architecture
[Diagram actors: RA (Registration Authority); CA (Certificate Authority); Local RA (Site Administrator); End User & Host Administrator; Site Administrator]
Numbered steps in the diagram:
① Get License ID
② Authorize to pass License ID
③ Generate a Key Pair
④ Pass License ID & Public Key
⑤ Send CSR
⑥ Issue Certificate
⑦ Get Certificate
⑧ Get Grid Map file

17 Enhanced procedure to issue certificate
[Diagram labels: CA Administrator; RA Administrator; RA Operator; User; CA; RA; IC Card; Application Server (web); Management Server (web); License ID; Challenge PIN; Apply; Identify; Authorize; Delegate; Issue Certificate]

18 Campus-Grid PKI Federation
[Diagram labels: Campus PKI; Campus CA; Grid PKI; NAREGI CA; NAREGI RA; LDAP; IC Card; User; Super Computer; Grid System; Issue Certificate; Request Certificate (Use IC Card as credential); Certificate for Grid System Access]

19 UPKI Initiative
- Founded on 16 Aug 2006
- Sponsored by NII AAI TWG
- Mission: Gathering interests and opinions of not only universities but also industries
- https://upki-portal.nii.ac.jp/
[Diagram labels: NII CSI Headquarter; AAI TWG (Hokkaido U, Tohoku U, U. Tokyo, Nagoya U, Kyoto U, Osaka U, Kyushu U, KEK, Tokyo Tech, NII); UPKI Initiative (Univ, Tech. College, J. College, Research Institute); join; Common specification; Opinions and comments etc.]

20 Summary
- UPKI national academic authentication and authorization infrastructure project has started.
  - Conducted by NII and the information infrastructure centers in the 7 universities
  - As a basic platform of Cyber Science Infrastructure
- We have started later, so we have got some advantages
- International federation/collaboration is a very important issue.

21 APAN Middleware Working Group
APAN (Asia-Pacific Advanced Networking)
- 20th APAN (Taipei, Aug. 2005)
  - National Authentication and Authorization Infrastructure and NREN (proposed session)
- 21st APAN (Tokyo, Jan. 2006)
  - Middleware Workshop (full day)
  - Middleware Working Group is approved for a period of two years
- 22nd APAN (Singapore, today)
  - Grid Middleware Workshop
- 23rd APAN (Manila, Jan. 2007)
  - Grid Middleware Workshop
- 24th APAN (Xian, Aug. 2007)
  - Middleware Workshop

