Presentation is loading. Please wait.

Presentation is loading. Please wait.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

Published byMelina Moody Modified over 8 years ago

Similar presentations

Presentation on theme: "DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of."— Presentation transcript:

1 DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of Informatics Slovak Academy of Sciences http://www.ui.sav.sk

2 DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS and CrossGrid ● Grid application development – simulations related to prediction of flood events ● Collaborative problem solving environment ● Virtual organization for flood forecasting ● CrossGrid testbed participation ● IISAS Certification Authority

3 DataGrid WP6 CA meeting, CERN, 12 December 2002 Need for certificates ● Virtual organization for flood forecasting ● Scientists from Slovakia participate in HEP experiments (ATLAS, ALICE) ● Scientists from other application areas, not related to any of current virtual organizations. (we expect new VOs to emerge)

4 DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority ● Managed by IISAS, Bratislava, Slovakia ● Based on openssl ● Certificate issuing machine: – Located in a room with restricted access, in locked case – Not connected to network – Managed by CA operator

5 DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS CA certificate ● Private key is 2048 bits long ● Encrypted by passphrase >15 characters ● CA certificate lifetime is 5 years ● Backup copy of the key and sealed envelope with the passphrase are locked in a safe

6 DataGrid WP6 CA meeting, CERN, 12 December 2002 Certificates ● IISAS CA issues certificates for subjects: – Related to organizations from Slovakia – Involved in research or deployment of Grids ● Types of certificates: – Server, personal and services ● Applicability – Authentication and communication encryption

7 DataGrid WP6 CA meeting, CERN, 12 December 2002 Certificates ● Private keys are at least 1024 bits long ● Generated by applicants ● Certificate maximum lifetime is one year ● Naming conventions: – C=SK, O=organizationName, OU=organizationUnit, CN=commonName

8 DataGrid WP6 CA meeting, CERN, 12 December 2002 Certificate issuing procedure ● IISAS CA accepts authenticated certificate requests from IISAS registration authorities ● Other certificate requests are forwarded to appropriate RAs for authentication and validity checks ● Certificates are issued for authenticated requests ● Issued certificates are sent to the applicant

9 DataGrid WP6 CA meeting, CERN, 12 December 2002 Authentication checks ● Applicant should contact RA personally ● Authentication is performed by: – Valid official ID document (Passport, ID card) – Firm personal acquaintance with RA ● RA also checks relation of applicant to organization specified in certificate request ● Requests for server or service certificate must be signed by valid certificate of system administrator

10 DataGrid WP6 CA meeting, CERN, 12 December 2002 Certificate revocation procedure ● IISAS CA accepts revocation requests from RAs or certificate subscriber sent by e-mail signed by a valid IISAS certificate ● Other revocation requests are forwarded to appropriate RA for authentication and validity checks ● Certificates are revocated for authenticated requests ● Certificate subscriber is notified

11 DataGrid WP6 CA meeting, CERN, 12 December 2002 Circumstances for revocation ● Information in certificate becomes wrong or inaccurate ● Private key was lost or compromised ● Certificate is no longer required ● Subject has failed to comply with rules in CP/CPS document ● The server for which the certificate was issued has been retired

12 DataGrid WP6 CA meeting, CERN, 12 December 2002 CRLs ● CRLs are issued whenever certificate is revocated ● Reissued at least 7 days before CRL expiration ● CRL lifetime is 30 days ● CRLs are published as soon as issued

13 DataGrid WP6 CA meeting, CERN, 12 December 2002 CP/CPS document ● Draft version 0.4 (September 2, 2002) ● OID: 1.3.6.1.4.1.13496.1.2.1.0.4 ● Follows structure suggested by the RFC 2527 ● CA, RA’s and certificate owners are obliged to follow procedures specified in CP/CPS document ● Certificate subscribers are notified about changes ● Relation of certificate and version of CPS document is based on the date the version was released

14 DataGrid WP6 CA meeting, CERN, 12 December 2002 Information publishing ● IISAS CA online repository contains: – IISAS CA certificate – Latest CRL – Copy of CPS/CP document – Other relevant information (list of RAs) – LDAP repository (to be created) ● URL: http://ups.savba.sk/ca/

15 DataGrid WP6 CA meeting, CERN, 12 December 2002 Event logs ● Boots of CA signing machine ● Interactive logins and logouts ● Certification requests ● Revocation requests ● Issued certificates ● Issued CRLs

16 DataGrid WP6 CA meeting, CERN, 12 December 2002 Registration Authorities ● RAs will be created for organization and VO – trusted by members of VO ● CA - RA communication will be secured ● List of RAs will be maintained at: – http://ups.savba.sk/ca/ra-list.html ● RAs will log – Certificate requests – Revocation requests

17 DataGrid WP6 CA meeting, CERN, 12 December 2002 Thank you.

Download ppt "DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of."

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
Security Mechanisms The European DataGrid Project Team

Security Mechanisms The European DataGrid Project Team
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.

Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.

13-May-03D.P.Kelsey, WP8 CA and VO organistion1 CA’s and Experiment (VO) Organisation WP8 Meeting EDG Barcelona, 13 May 2003 David Kelsey CCLRC/RAL, UK.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

Similar presentations

Ads by Google