1 / 19

TERENA Server Certificate Service

TERENA Server Certificate Service. Towards the large-scale use of affordable popup-free server certificates for the European NRENs. Licia Florio TERENA. Topics. PKI and X.509 certificates Motivation for the TERENA Server Certificate Project What is the project Service Characteristics

colorado-hooper
Download Presentation

TERENA Server Certificate Service

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TERENA Server Certificate Service Towards the large-scale use of affordable popup-free server certificates for the European NRENs Licia Florio TERENA EuroCAMP Ljubljana, 3-5 March 2006

  2. Topics • PKI and X.509 certificates • Motivation for the TERENA Server Certificate Project • What is the project • Service Characteristics • Why joining licia@terena.nl

  3. Diego’s priv key Diego’s pub key Dear I’ve arrived in Slovenia.. Dear I’ve arrived in Slovenia.. Dear I’ve arrived in Slovenia.. Decryption Encryption Diego Licia PKI in short • Public key cryptography - public key (encryption, signature verification) - private key (decryption, signing) licia@terena.nl

  4. Problems • Public Key distribution • Building trust • Scalability • Solution: create a hierarchical trust fabric: X.509 PKI licia@terena.nl

  5. X.509 PKI Infrastructure • What are the elements - Certification Authority (CA) * Certificates issuer (trusted 3d party) - X.509 Certificates * Bind the pub key to the holder - Registration Authority (RA) *Identity verification - End Entity * Private key holder (machine, end-user) - Relying parties *Users licia@terena.nl

  6. Real X.509 Certificate Usage Today • Grid (closed community) - Use both server and user certs • Web servers - Only server certificates - In many case with pop-up problem Large scale user certificate use: nowhere ! licia@terena.nl

  7. The Famous Pop-up:PKI Problem#1 • Due to the fact that the issuer of the certificate is not trusted by the browsers licia@terena.nl

  8. TERENA Server Certificate Service • What is it about? • - Service…of course ;-) in short SCS • To issue server certificates - popup free - unlimitednumber - Very low price (price is not per certificate) • For whom? • For the National Research and Education Network community in Europe licia@terena.nl

  9. When SCS started • Project started in june 2004 • European NREN PKIs around for ~7 years - But still not really deployed • Anticipated growth in need: - AAI middleware services - Web-based ‘stuff’ (mail, e-learning, webservices etc.) - VPN, email - eduroam • Community needs more server certificates licia@terena.nl

  10. PKI Growth Problems • Pop-up Problem#1 - Typically for NRENs CA - Defeats the security purpose of the certificate • Costs Problem#2 - For a large number of server certificates costs can become a problem licia@terena.nl

  11. Solution 1 • Fixing the pop-up problem - Get root certificate in root repositories - Requires webtrust audit - Expensive for an individual NREN PKI (~25.000 first time, annual ~25.000 for the audits, plus all the costs to follow guidelines) --> CA hierarchy adds to cost! • Running a CA • Is that so interesting? licia@terena.nl

  12. Solution 2 • Fixing the costs - Try to contract a CA already in the browser - Flexibility in the certificates profiles definitions - Tailored RA procedures - Not per certificate costs licia@terena.nl

  13. Solution 2: the way forward • 8 NRENs + TERENA combined forces (proposal launched feb. 2005) • Investigated market • Investigated EU tender guidelines • Ran a light-weight tender (start Sep 2005) • Signed a contract (Jan 2006) • First certificate issued on 16 March 2006 ! licia@terena.nl

  14. Who is involved • ACOnet (.at), • CARnet (.hr), • CESnet (.cz), • RedIRIS (.es), • RENATER (.fr), • SURFnet (.nl), • SWITCH (.ch) • UNI-C (.dk), • TERENA signing party licia@terena.nl

  15. Service Structure • TERENA contracts with supplier - For an initial one year - Possibility to extend the contract • NRENs contract with TERENA (liability!) • NRENs are ‘delegated RA’ for the supplier • TERENA appoints delegated RAs • NRENs are responsible for delivering RA services and technical support licia@terena.nl

  16. Service Features • Re-use existing RA organisation • Certificate profile flexibility (Grids!) • Electronic RA procedures (under implementation) • Easy server certificate delivery • NREN-specific branding! licia@terena.nl

  17. Benefits for the Universities • Need server certificates to enable SSL/TLS channels • Very low costs upon agreement with your NRENs licia@terena.nl

  18. How to join • Your NREN has to join • After June 06 we can open to service to new NRENs • Some NRENs are already waiting • There is fee to pay to join licia@terena.nl

  19. Conclusion • To make security tools a normal habit, they need to be easy to use • Scs is easy • SCS proves how a ‘federated’ approach has solved a big problem • We got a cool service  • http://www.terena.nl/activities/tf-emc2/scs.html licia@terena.nl

More Related