Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/

Published byElizabeth Parker Modified over 10 years ago

Similar presentations

Presentation on theme: "Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/"— Presentation transcript:

1 Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/

2 Contents What is a Robot Why robots (use cases) How Robots (how its done) Issues How Robots (Requirements)

3 What is a Robot A long-lived client certificate –Whose private key is unprotected –i.e. not protected with a passphrase Identity –Not tied to a network identity –Tied to a specific user (owner)

4 Use Cases Automated monitoring services Automated data transfer services Mail decipherment …

5 Robot Naming UK version: …/CN=Joe User/CN=Robot:GridClient Dutch version …/O=robots/…/CN=Robot: function - person Italian version /CN=Robot: function - person Your version?

6 Robot Names Mr Robot GridClient does not have : : is in printableString Simple algo to derive owners DN –But not the same for the two CAs Allow disambiguation –/CN=User Name/CN=Robot:Type (314) –No semantics associated to disamb.?

7 Robot Private Keys Held on key token Certificate not tied to a network entity Thus private key tied to physical host If the key is stolen, youll know it If host is compromised: –They can access the private key, signing stuff –But not steal it –Cannot be cloned either (except between virtual hosts?)

8 Robot toolkit for your CP/CPS Describe what a robot is Describe naming of robots –Including relation to owners name, if any Condition of issuance (who can request) Security of private key (cf token talk)

9 Robot toolkit for CP/CPS Perhaps make it a part of a consistent CP/CPS programme (CCPCPSP)? –Mix and match, –Plug and play, –Live and learn

10 How to recognise a robot …from quite a long way away. Check the DN… –Does it have an addl CN with Robot: Check the policyIdentifier –Does it have any Robot 1SCP OID? –State of middleware doing this?

11 Issues Robots are named after what they are, not what they do. –E.g. GridClient, not Monitoring –Get consistent naming for all robots? Should different robots have different OIDs (in addition to robot 1SCP) –Probably not – profile should be sufficient

12 Issues Must robots always name their owner? –Good for log files and the W&F –Good for AUC by DN (W&F) –Good for automated chaining (user leaves disable users robots) –Bad for transfer of ownership

13 Issues How to describe different types –Morally equivalent to services –Define std ones Harmonise std ones across PMA? –Each CA MUST describe non-std ones But not in CP/CPS

14 Issues How RA verifies key generated by token –General token support, not just for robot –Different modus operandi for users

15 Proposed Requirements Robots MUST have a 1SCP OID –Plus of course that of their CP/CPS Robots MUST NOT have server exts –Because they are not – not tied to DNS name –Does not make sense Private key held on secure token

16 Proposed Requirements Robot certificates MUST NOT be shared –Single person responsible for use of robot –CA decides what it is, owner what it does Each Robot has a unique DN –No two Robots share keys –No further requirements on naming atm –Make recommendations ( RECOMMENDED )

17 Open Questions Can anyone apply for a robot? –If not, how should it depend on the type? Distinguish simple from powerful robots –Other than by extns –How to enforce what it does (cf Globus services) Bit like object signing extensions –How does CA assert this? Are robots too tied to their owners name? –Introduce robots owned by projects

Download ppt "Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/"

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab
Template Profile Jens Jensen, STFC RAL GridNet2/ UK e-Science CA OGF22 Boston.

Template Profile Jens Jensen, STFC RAL GridNet2/ UK e-Science CA OGF22 Boston.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Sonny J Zambrana University of Pennsylvania ISC-SEO November 2008.

Sonny J Zambrana University of Pennsylvania ISC-SEO November 2008.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Author - Title- Date - n° 1 Partner Logo Authentication John Gordon GridPP 2 nd May 2002.

Author - Title- Date - n° 1 Partner Logo Authentication John Gordon GridPP 2 nd May 2002.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
A responsibility based model EDG CA Managers Meeting June 13, 2003.

A responsibility based model EDG CA Managers Meeting June 13, 2003.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 GRID SECURITY INFRASTRUCTURE (GSI) - Globus Toolkit - ADINA RIPOSAN Department of Applied Informatics.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

Similar presentations

Ads by Google