170 likes | 186 Views
Comprehensive overview of OCSP requirements for TACAR and Grids, featuring CertiVeR's capabilities, GGF's CAOPS-WG efforts, and new CertiVeR v4 service with scalability enhancements and transponder connections.
E N D
Status of the Validation and Authentication service for TACAR and Grids.
Summary • OCSP Requirements for Grids • CertiVeR’s features • OCSP Client • OCSP Service • Future • Questions
OCSP Requirements for TACAR • Centralized OCSP service for all the hierarchies • Centralized root certificate management • The service should be able to sign the response for each CA with an authorized certificate (Authorized responder mode)
OCSP Validation for Grids • Grids special requirements for OCSP services: discoverable, fault tolerant, low latency, CA interoperability, etc. • GGF´s CAOPS-WG has been working in the document “OCSP Requirements for Grids”. • Such document provides information on: • OCSP Client Requirements, • OCSP Responder Requirements, • CA/Certificate Issuer Requirements and • OCSP Service Architecture.
OCSP Client requirements for Grids • Revocation source requirements: • Several sources (OCSP, CRL, AIA) and query order. • Fault-tolerant requirements: • Multiple service invocation. • Caching of OCSP Responses. • Security requirements: • Nonce usage. • OCSP Request signing. • Adoption of http and https. • Error handling (i.e. Try Later, Respond with final status, etc.) • OCSP Extension handling. • “Unknown” status code handling for Proxy and Non-Proxy Certificates.
GridOCSP Client API - features • Open source code for Globus TK 4 about to be released. • Implements a XML-based OCSP Policy that supports: • The policy file used by our client allows for the definition of per-Issuer rules or a default behavior for each feature. • Each VO could place such file on a specific URI for all its clients
GridOCSP Client – policy definition e.g. (I) <?xml version="1.0" ?> <ocsppolicy> <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR" hash="o6MjoB5y4b2cNvILPcBxWafHs7k="> <revsources> <source order=“1" type="ocsp" location="http://aai.certiver.com" trust=“trusted" timeout="3600" /> <source order=“2" type="crl" location="c://config//myrevlist.crl" signingcert="c://config//ACcertiver.crt" /> </revsources> <unknownstatus action="revoked" /> <proxycert> <unknownstatus action="good" /> </proxycert>
GridOCSP Client – policy definition e.g. (II) <request> <signrequest value="true" /> <usenonce value="true" /> <protocol value="https" /> </request> <response> <cache> <status value="true" /> <size value="1000" /> <lifetime value="36000" /> </cache> </response> <errorhandler> <action order="1" type="trylater" maxretries="1" /> <action order="2" type="setfinalresponse" value="revoked" /> </errorhandler> </issuerdn> </ocsppolicy>
OCSP Responder requirements for Grids • Performance: • Scalability: To cover for growth in terms of • Client requests. • Revocation sources. • Use of cryptographic hardware. • Flexibility: • Revocation source requirements. • Support different operation modes: • Transponder mode. • Trusted Responder mode. • Authorized Responder mode. • Coverage of proxy certificates revocation is a recommended feature. • Reliability • Fault-tolerance is a recommended feature.
OCSP Serviceclient scalability and reliability • Intrasite • Using balanced NAT • Extrasite • Using balanced DNS with very low persistence
CA/RA LDAP OCSP Service – revocation source scalability • CertiVeR v4 can set N Updater processes in order to push DeltaCRLs from the CAs CAs ∆CRL CRL Updater Cert Status Database CRL Cert Status OCSP Responder
OCSP Service – Flexibility Courtesy of CAOPS-WG
New CertiVeR service available ! • A new service - CertiVeR v4 - has been implemented covering the required features for Grids. Such service has just passed the Beta tests and it is available at: • http://globus-grid.certiver.com • http://tacar.certiver.com • Current features of the new service:
The next steps... • Release of client open source code • Dissemination and Validation of the service • Provision of pilots for Grid and Tacar CAs • Technical improvements • Addition of servers in order to improve scalability and fault-tolerance • Use of cryptographic hardware • Setting up of Transponder connections • DeltaCRL push mechanism to be directly provided to each CA
For information about revocation services, try our demo at: http://www.certiver.com