620 likes | 635 Views
EU NREN PKI. Jan Meijer. AARnet PKI / Access Federations Strategy Workshop 10 February 2010 Sydney. me. 1998-2007: SURFnet CERT, security, PKI, systems engineering, e-voting 2007-now: UNINETT service development, storage, PKI. beautiful morning. 22 NRENs 6 months
E N D
EU NREN PKI Jan Meijer AARnet PKI / Access Federations Strategy Workshop 10 February 2010 Sydney
me • 1998-2007: SURFnet • CERT, security, PKI, systems engineering, e-voting • 2007-now: UNINETT • service development, storage, PKI
beautiful morning.... • 22 NRENs • 6 months • 12573 server certs • starting personal
PKI purpose Guarantee: • Authenticity • Confidentiality • Integrity • Non repudiation
ehr, no, we want • others not to read our mail • to know the sender is the sender • that, for documents, thanks • no reading of my credit card number • no reading of my health information • no reading of my passwords • log on to my internal web site
if it doesn’t work it doesn’t work
Feb 1993, RFC 1422 Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management obsoletes RFC 1114 Mail Privacy: Key Management (1989)
Feb 1993, RFC 1422 The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA). The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy. Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations. Each PCA is certified by the IPRA.
USA crypto exports <1996: International Traffic in Arms Regulation 1996: Export Administration Regulations (EAR) of the Department Commerce 31 Dec 1998: 56 bit without license 12 January 2000: Freedom to export source: Bert-Jaap Koops’ Crypto Law Survey http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us
Pretty Good Privacy Jun 5, 1991: PGP 1.0 Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.63i…with help: Aug 1996: RFC1991, PGP Message Exchange Formats (FYI) Nov 1998: RFC2440, OpenPGP Message Format (STD)
1994: Netscape Navigator 1.0 1995: Internet Explorer 2.0
(1994) 1996: .nl electronic purse chipper chipknip
13 December 1999: DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
1998: SURFnet PKI • PGP PKI • PGP keyserver pgp.surfnet.nl • x.509 PKI
use PGP • email signing and encryption • document signing and encryption x.509 • email signing and encryption • document signing and encryption • authentication • smartcard deployments
requirements • scalable • identity vetting at university • affordable server and client certificates
SURFnet x.509 PKI 1998: setup 1999: production
~2000 • Netherlands qualified Digital Signature accreditation framework ready • SURFnet PKI: test audit
~2001 “SURFdiensten” GlobalSign discount deal for .nl higher ed
1998-2004: PKI evolves • Focus on policy • Focus on CA operations • Plans to interlink European PKIs • Separate eScience Grid PKI • TACAR • Experience but not large scale deployment
popular? • SSL server certificates • Personal certificates • Code Signing certificates
get root in browsers 2000: $250.000 x 2 2004: IE: WebTrust
puzzling pieces • in browser root,$$ • flat rate • unpunished success • why do I want to run my own CA?
idea • join forces • contract commercial CA • flat-rate for the TERENA community • unlimited • NREN becomes RA • re-use existing contractual relations make it stupid to not secure your server with SSL
SCS timeline • Jan 2005: idea written up (TF-CSIRT!) • Feb 2005: presented at TF-EMC2 “the list” 20 kEUR • Summer 2005: reality + procedure check • September 2005: CfP • January 2006: GlobalSign contract
SCS numbers 12/2007 NRENs # issued # organisations ACONet 979 26 ARNES* 23 n/a BELNET 673 57 CARNet 166 n/a CESNET 452 20 CRU/RENATER 1446 134 GARR** 100 20 JANET (UK) 2300 212 RedIRIS 1077 86 SUNET*** 487 17 SURFnet 1934 91 SWITCH 1200 n/a UNI-C **** 1366 n/a UNINETT 348 24 14 NRENs 12551 certificates
SCS numbers per 1 Aug 2008 # participating NRENs 18 (14) # certificates issued 19.400 (12551) # participating orgs 2.225 # proxies 3.800
2007: mission accomplished!no ssl = lameand behavioural change...
SCS: lessons learned • vested interests, existing services, strong opinions, policy devil.... • browser popup was the problem • certain level of control good • do what matters • good enough = good enough!
2007 • contract renewal with GlobalSign • start preliminary work with new CfP
new CfP, lessons learned • root coverage: browsers *and* other platforms • validity on contract end • ensuring future root coverage • end user interfaces • interface response times • describe certificate request processing • profiles • subjectAltName • multiple valid certificates • internationalisation • support • auditing • training • certificate lifetime
more lessons...optional reqs • alternative lifetimes • end user interface for renewal • per NREN branding • additional profiles • eScience Grid certificate support • API • wildcard certificates • OCSP • extensive reporting