Presentation is loading. Please wait.

Presentation is loading. Please wait.

KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu.

Published byWillis Griffin Modified over 8 years ago

Similar presentations

Presentation on theme: "KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu."— Presentation transcript:

1 KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI hernath@sunserv.kfki.hu pki.kfki.hu

2 Overview Background & History Present Status & Future Plans Self-assessment & Issues Lessons learned & Suggestions Discussion…

3 1. Background & History Why 2 CAs in Hungary? - Community needed the service in 2004 - NREN CA (NIIF) was planned, but no progress or roadmap - RMKI had ~90% of LCG users & resources EUGridPMA in Brussels, Sept. 2004: - KFKI RMKI CA presented - PMA demanded community agreement to preempt a 2 CA situation Dec. 2004: Community agreement presented - Hungarian grid community will endorse KFKI RMKI CA until the NIIF CA can setup an RA at KFKI campus - PMA accepted the agreement, KFKI RMKI CA accredited - started production in Jan. 2005 Recent progress in the setup of NIIF RA

4 2. Present Status Reliable operation on Debian/OpenCA Stats: - All issued: 230 (6 for testing) - Revoked: 126 (none compromised) - Valid: 47 (14 user, 33 host) - All host: 145 (68 DNs, even less idenities) - All user: 79 (50 DNs, even less identities) - All CRLs: 120 (1 overdue  ) NIIF RA progress: - RA secure admin interface deployed & tested (based on tokens) - User web interface in development - IdP for NIIF AAI Federation in deployment (for user preauth) - RA contract in preparation

5 3. Future Plans NIIF RA in production later this year Will probably keep the CA for local purposes - will rekey or extend the root - could produce new CP/CPS After the NIIF RA is in production, will replace all grid certs Need to leave the club  …

6 4. Self-assessment Work in progress, preliminary results Major issues: CA (5) CP/CPS is RFC 2527 D/D (7) Secure environment, access control & log D/D (9) Secure environment undocumented/unaudited D (11) CA key protection B/D (50) Operational audit D/D (51) List of personnel D Major Issues: RA (2) Identity vetting (user) B/C (3) Identity vetting (host) A/C (4) FQDN ownership B/C (10) Record archival in auditable form C

7 5. Other Issues Insufficient resources No long-term planning (was not expected) Missing operational documents Too many hats ‘Rescheduled’ paperwork

8 6. Recommendations More is less: - specify everything as strict as possible - write all operational documents before production Operational audit/review ASAP (before production) Separation of GRID namespace is recommended Accreditation profile version should be recorded on accreditation Audit guidelines updates for AP changes? (versions for each AP version?) Separate audit guidelines for different APs?

9 Thankyou !

Download ppt "KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu."

Similar presentations

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
Status of Auditing Guidelines Document Oct. 15 Yoshio Tanaka, AIST.

Status of Auditing Guidelines Document Oct. 15 Yoshio Tanaka, AIST.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.

Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
Hungrid A Possible Distributed Computing Platform for Hungarian Fusion Research Szabolcs Hernáth MTA KFKI RMKI EFDA RP Workshop.

Hungrid A Possible Distributed Computing Platform for Hungarian Fusion Research Szabolcs Hernáth MTA KFKI RMKI EFDA RP Workshop.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.

NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
PKI Activities at Virginia September 2000 Jim Jokl

PKI Activities at Virginia September 2000 Jim Jokl
IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr. 2009 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.
IHEP Grid CA Status Report Wei F2F Meeting 8 Mar. 2010 Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

Similar presentations

Ads by Google