Presentation is loading. Please wait.

Presentation is loading. Please wait.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

Published byAllison Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre."— Presentation transcript:

1 Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre

2 Outline Introduction Procedural Security Physical Security Technical Security Contact Information Related Information

3 Introduction The ASGCCA locates at Academia Sinica Computing Centre in Taiwan and has been running since July 2002. It is managed by Academia Sinica Computing Centre It provides X.509 certificate to support the secure environment in grid computing.

4 Procedural Security End Entity and Certificate Type Identification and Authentication Certificate Request Certificate Revocation Records Archival

5 End Entity and Certificate Type End Entities: –Users of Academia Sinica Computing Centre –Users of Domestic/International Grid-based Application/Projects Certificate Type –User Certificate C=TW, O=AS, OU=CC, CN=Yuan Tein Horng / emailAddress=yth@beta.wsl.sinica.edu.tw –Host Certificate C=TW, O=AS, OU=CC, CN=beta.wsl.sinica.edu.tw –Service Certificate C=TW, O=AS, OU=CC, CN=FTP/beta.wsl.sinica.edu.tw

6 Identification and Authentication User certificate: –Subscriber must be already registered at the Academia Sinica Grid Computing Directory Service (ASGCDS) as a Academia Sinica employee or collaborator. –RA staff will check account registered on ASGCDS and contact subscriber personally. Host or service certificate: –Requests must be signed with a valid personal ASGCCA certificate –RA will check the FQDN of the host before issuing certificate

7 Certificate Request- Users of Academia Sinica Computing Centre subscriberRACA ASGCDS 1 2 7 4 3 5 6 1.Subscriber registers on ASGCDS 2.Subscriber requests certificate 3.RA checks the subscriber’s identity on ASGCDS 4.RA contacts and confirms subscriber’s identity personally 5. RA send certificate request to CA by signed e-mail 6. CA issues certificate 7. RA sends Email notice to subscriber and subscriber picks up new certificate

8 Certificate Request- Users of Domestic/International Grid-based Application/Projects subscriberRACA ASGCDS 1 6 2 3 4 5 1.Subscriber requests certificate 2.RA checks and confirms the subscriber’s identity personally 3.RA registers subscriber’s information on ASGCDS 4. RA send certificate request to CA by signed e-mail 5. CA issues certificate 6. RA sends Email notice to subscriber and subscriber picks up new certificate

9 Certificate Revocation Circumstances for Revocation –The entity’s private key is lost or suspected to be compromised. –The information in the entity's certificate is suspected to be inaccurate. –The entity terminate services. –The entity violated its obligations.

10 Certificate Revocation (cont.) Procedure for Revocation Request –Sending an email, signed by subscriber’s valid ASGCCA certificate. RA will then contact subscriber by phone for confirmation. –In the other cases, authentication is performed with the same procedure used to authenticate the identity of person.

11 Records Archival RA must record and archive –All requests (application form) –All confirmations CA must record and archive –All requests for certificates –All issued certificates –All requests for revocation –All issued CRLs –Login/Logout/Reboot of the issuing machine All archive data is stored in optical storage The retention period for archives is three years

12 Physical Security The CA issuing machine is –a dedicated machine –not connected to any network –located in a secure environment only accessible by CA administrator –configured to have private key and pass phrase stored in optical storage and locked in a safe

13 Technical Security Key Generation Key Restriction Certificate Restriction CRL Policy

14 Key Generation Private key is generated by browsers on the users’ machine. CA and RA will never generate private key on user’s behalf. CA and RA have no access to the users’ private key.

15 Key Restriction Key Length –ASGCCA private key is 2048 bits –User private key must have at least 1024 bits –Host private key must has at least 1024 bits –Service private key must has at least 1024 bits Pass phrase –The pass phrase of CA’s private key is at least 15 characters –The pass phrase of end entity’s private key is at minimum 8 characters. –Protecting the pass phrase from others

16 Certificate Restriction Certificate Lifetime for –ASGCCA certificate is 5 years –user certificate is one year –host certificate is one year –service certificates is one year User certificate should not be shared. The certificate issued by ASGCCA must not be used for financial transaction.

17 CRL Policy The lifetime of CRL is 30 days CRL is updated immediately after every revocation CRL is reissued 7 days before expiration even if there have been no revocations

18 Contact Information Yuan, Tein Horng Phone: 886-2-27899247 Fax: 886-2-2783-6444 Email: asgcca@grid.sinica.edu.twasgcca@grid.sinica.edu.tw Mail Box: Nankang PO BOX 1-8 Taipei, Taiwan 11529 Address: 128, Sec. 2, Academic Rd., Nankang, Taipei, Taiwan 11529

19 Related Information Homepage –http://ca.grid.sinica.edu.twhttp://ca.grid.sinica.edu.tw CP/CPS –Latest version: 1.1 –OID: 1.3.6.1.4.1.5935.10.1.1.1 –Follows the RFC 2527 structure –http://ca.grid.sinica.edu.tw/CPS/ ASGCCA certificate –http://ca.grid.sinica.edu.tw/ASGCCA.crt CRL –http://ca.grid.sinica.edu.tw/CRL/

20 The End

Download ppt "Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.
1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March 08 2008.

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka
Summer School Certificates Diego Romano & Gilda Team.

Summer School Certificates Diego Romano & Gilda Team.
Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.

Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien F2F Meeting 8 th March 2010.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien F2F Meeting 8 th March 2010.
UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.
NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Configuring Directory Certificate Services Lesson 13.

Configuring Directory Certificate Services Lesson 13.

Similar presentations

Ads by Google