Community PKIs Initiatives Updates
TF-EMC2 Meeting, Loughborough, UK, 6-7 May 2009
Licia Florio, TERENA
Slide 2
Aim of the work item
› Overseeing the patterns of usage and emerging technologies that might be relevant to support NRENs services;
› Proposing enhancements for the current PKI services;
› Promoting the current PKI services to other communities
PKI Initiatives
› SCS service:
  › Soon to be known as TCS;
› TERENA MICS/SLCS Pilot Service Project
› TACAR
Slide 3
TERENA Certificates Service
Slide 4
SCS → TCS
› Current SCS:
  › Provided by GlobalSign BV;
  › Only SSL server certs;
  › More than 20.000 certs issued;
  › Operating till March 2010;
› New SCS service:
  › Comodo CA;
  › Expected to start in May 2009;
› Model:
  › Yearly flat fee per NREN;
  › TERENA contractual party;
  › A dedicated TERENA sub-CA;
› NRENs participating can also buy client certificates and code-signing certificates:
  › Upon an extra flat fee;
› TCS: TERENA Certificate Services
Slide 5
Who is in SCS
› Participants:
  › Switzerland out;
  › Greece and Finland will now participate.
Slide 6
What has been done
› Lots of work spent on certificate profiles:
  › Finally ready since last Friday;
  › Profiles also for eScience server and client certs;
› Test CA to be expected in 10 days:
  › To test certificates and interfaces;
› Writing the CPS for the TERENA sub-CA:
  › First version of the CPS will only cover SSL server certs;
  › Later, client and code-signing cert procedures will be addressed.
Slide 7
What's next
› Test phase:
  › Two-week period for the test;
› Launching the SSL server certs:
  › Available for all NRENs participating;
› More work on the API:
  › The current prototype does not cover client and code-signing certs;
› Accreditation with the EuGridPMA
Slide 8
A new PKI Service
Slide 9
TERENA MICS/SLCS Pilot Service Project
› Aim:
  › Establish a shared SLCS/MICS pilot service for the (European) eScience Grid community, under the TERENA umbrella.
  › SLCS/MICS CA serving all countries participating;
  › EuGridPMA accreditation;
  › Allow for scalability;
› The service will issue X.509 certs to persons:
  › No hosts
Slide 10
Grid CAs Management
› Grid uses X.509 certs as authN credential;
› Three types of certs are possible:
  › Classic
  › Short Lived Credential Service (SLCS)
  › Member Integrated Credential Service (MICS)
› Grid CAs have to be accredited by the IGTF:
  › EuGridPMA (Europe)
  › TAGPMA (Americas)
  › APGridPMA (Asia-Pacific)
Slide 11
What are SLCS/MICS certs?
› Vetting process and cert lifetime differ:
  › Classic:
    › Face-to-face verification of end-entities needed
    › Manual process at RA level
    › Cert validity: 13 months, but renewal of certs possible without new face-to-face validation.
  › SLCS/MICS:
    › Vetting process relies on the existing AAI framework;
    › User authenticates to the CA using an existing electronic identity
    › This identity is mapped into a Grid cert
    › SLCS certs are valid for 10 days;
    › MICS certs are valid for 13 months;
Slide 12
Benefit of EU SLCS/MICS Service
› How many SLCS-CAs does Europe need ;)
› Share operational cost and effort (!)
  › Continued operational PKI skills only needed at one place;
  › For countries with limited resources very attractive;
Slide 13
More about the service
› Use a specific federation attribute to decide on SLCS or MICS eligibility
  › According to the rules defined by the EuGridPMA SLCS/MICS profiles
Slide 14
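As an added illustration of slides 12 and 14 (not code from the TERENA pilot, Confusa, or the EuGridPMA profiles): an issuance guard for a federated SLCS/MICS CA that derives the cert type from a federation attribute and rejects requests whose lifetime exceeds the type's maximum. The attribute name `assuranceLevel`, its values, and the policy table are assumptions; the lifetimes (SLCS 10 days, MICS and Classic 13 months) are the ones stated on the slides.

```python
"""Eligibility and lifetime guard for a federated SLCS/MICS CA (added example)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical federation attribute and value-to-cert-type mapping (assumptions,
# standing in for whatever the EuGridPMA SLCS/MICS profiles actually require).
ELIGIBILITY_ATTR = "assuranceLevel"
POLICY = {"identity-vetted-f2f": "MICS", "federation-basic": "SLCS"}


def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month arithmetic; clamps the day to the target month's length."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


# Maximum notAfter per cert type, computed from notBefore (lifetimes from the slides).
MAX_NOT_AFTER = {
    "SLCS": lambda nb: nb + timedelta(days=10),
    "MICS": lambda nb: add_months(nb, 13),
    "CLASSIC": lambda nb: add_months(nb, 13),
}


def cert_type_for(attributes: Dict[str, List[str]]) -> Optional[str]:
    """Map the asserted federation attribute to a cert type; None means ineligible."""
    values = attributes.get(ELIGIBILITY_ATTR, [])
    for level in ("identity-vetted-f2f", "federation-basic"):  # strongest first
        if level in values:
            return POLICY[level]
    return None


@dataclass
class CertRequest:
    subject: str
    not_before: datetime
    not_after: datetime


def check_issuance(req: CertRequest, attributes: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (ok, cert type or rejection reason) for a request under the policy."""
    ctype = cert_type_for(attributes)
    if ctype is None:
        return False, "no eligible assurance attribute asserted"
    limit = MAX_NOT_AFTER[ctype](req.not_before)
    if req.not_after > limit:
        return False, f"{ctype} lifetime exceeds profile maximum ({limit:%Y-%m-%d})"
    return True, ctype
```

The same `MAX_NOT_AFTER` table can be run over already-issued certificates to audit a CA's output against its declared profile.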
Who is involved?
› UNINETT
  › Jan Meijer, project management: Project Description, CPS
  › Henrik Austad: Confusa development
› SURFnet
  › Teun Nijssen, Tilburg University
  › CA + SLCS/MICS server ops, CPS, EuGridPMA accreditation maintenance
› Sunet
  › Leif Johansson: Federation issues
› TERENA
  › Licia Florio: Contractual party
› Denmark, Finland, the Netherlands, Norway and Sweden:
  › Until Dec 2009
› From Jan 2010 other countries/NRENs may join
Slide 15
Status
› Project description almost ready:
  › Financial model not fully defined yet;
› Work on the CPS:
  › Presentation at the next EuGridPMA in May
› Start operations in June:
  › Quite optimistic ;-)
Slide 16
TACAR
Slide 17
New Developments
› TACAR will also be used to host GN3 root CAs:
  › So far only a couple;
  › But more are expected in the future;
› TACAR still being used as the IGTF official repository;
› Working with Massimiliano Pala:
  › To use TACAR for the PKI Resources Query Protocol (PRQP):
    › To provide a standardised way to query PKI repositories to gather info on CAs;
› New UI:
  › Different way to update info;
  › Different policy;
Slide 18