NECTEC-GOC CA
APGrid PMA face-to-face meeting, October 15, 2006
Sornthep Vannarat, National Electronics and Computer Technology Center, Thailand
Introduction
• NECTEC: National Electronics and Computer Technology Center
• Government research institute under the Ministry of Science
• For electronics, telecommunication, computer and information technologies, including Grid Computing
• NECTEC GOC CA: NECTEC GRID Operation Center Certificate Authority
• NECTEC GRID PMA
  • Large Scale Simulation Research Laboratory
  • Network Technology Laboratory
  • Thai Computer Emergency Response Team
CP/CPS
• Current version: 1.0 (October 2006)
• Object ID: 1.3.6.1.4.1.25149.1.1.1.0
• Conforms to RFC 2527
• Managed by the NECTEC GRID PMA
• Changes to its contents must be approved by the NECTEC GRID PMA
NECTEC-GOC CA Organization
[Organization chart (Table 1-2 Organization): GRID CA PMA, CA Manager, CA Operator, RA Operator]
• GRID CA PMA: Policy Management Authority
• CA Manager: Administers all tasks on the CA system
• RA Operator:
  • Accepts and verifies the User Application form
  • Checks the Certificate Signing Request form
  • Informs the CA to issue the certificate
• CA Operator:
  • Issues certificates
  • Manages CA and RA servers
  • Maintains the CA system
  • Manages the CA private key
Remove CP/CPS 2.2.5
End Entity
• NECTEC-GOC CA issues certificates for the following subjects:
  • Users of NECTEC
  • Users of domestic Grid-based applications or projects
  • Collaborators related to NECTEC Grid Computing research
Certificate Type
• User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/emailAddress=sornthep@nectec.or.th
• Grid Host Certificate: C=TH,O=NECTEC,OU=GOC,CN=host/grid64.hpcc.nectec.or.th
Identification and Authentication
• User and Grid Host Certificate:
  • The subscriber meets in person with the RA Operator
  • The RA Operator reviews and approves the Application and Certificate Request against the user's identity documents [CPS 1.3.2 and 3.1.x]
Certificate Restrictions
• Certificate Lifetime:
  • 13 months for End Entity certificates
  • 10 years for the CA certificate
Issuing Certificates
• End entities request certificates
  • Each end entity generates its own key pair
  • Submits the Application and Certificate Signing Request forms
• The RA Operator checks the Requests
• The RA Operator uses a secure communication method, e.g. signed and encrypted email
Issuing Certificates (cont'd)
• The RA Operator transfers the Request to the CA Operator
  • The RA Operator puts the CSRs in a tarball and copies it to a USB drive
  • The CA Operator copies the tarball from the USB drive to the CA machine
Issuing Certificates (cont'd)
• The CA Operator checks the CSRs and issues certificates
• The CA Operator transfers the certificates to the RA Operator
  • The CA Operator puts the certificates in a tarball on the USB drive
  • The RA Operator copies the tarball onto the RA server
• The RA Operator publishes the certificates on the website and informs users by email
Certificate Revocation
• Certificates are revoked when:
  • The user's private key is compromised
  • Inaccurate user information is suspected
  • A user obligation is violated (CPS 2.1.4)
  • The CA private key is compromised
  • The user leaves his/her organization
Revocation Request Procedure
• Revocation Requests can be submitted through the web interface
• or sent to the CA Manager
CRL
• CRL validity is 30 days
• A new CRL is issued:
  • 7 days before expiration of the previous one
  • immediately after a certificate revocation
Physical Security
• CA Server:
  • Stored in a safe deposit box protected by a six-digit code
  • Not connected to a network of any sort
  • Located in a room that is restricted to the CA Operator during its operation
• CA private key:
  • Protected by a 15-character passphrase
  • Backed up on a USB drive and stored in the safe box by the CA Operator
CA Room & Equipment (1)
[Photo: CA Room]
CA Room & Equipment (2)
[Photos: RA Server, CA Machine, UPS]
CA Room & Equipment (3)
[Photo: Safe box]
Records Archival
• Types of archived data:
  • All issued certificates and CRLs
  • All enrollment requests and notifications between the NECTEC-GOC CA and users
  • Operation history of the CA key
  • Events of interest, as described in CP/CPS section 4.7.1
• The retention period is 3 years
• Archived files are stored on CD or DVD in the safe box in the NECTEC server room
Key Pair
• The CA private key is generated by the CA Operator using OpenCA
• User and Grid Host key pairs are generated by the user, e.g. with grid-cert-req
• Key Length:
  • CA Certificate: 2048 bits
  • End Entity Certificate: 1024 bits
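The subject naming, lifetime, key-length and CRL rules from the Certificate Type, Certificate Restrictions, CRL and Key Pair slides can be encoded as pre-issuance and scheduling checks an RA or CA Operator could run. The following is an added example, not code from NECTEC or OpenCA; function names and the sample dates are constructed for illustration.

```python
import calendar
from datetime import datetime, timedelta

# Constraints taken from the CP/CPS v1.0 slides; constant names are assumptions.
DN_PREFIX = ("C=TH", "O=NECTEC", "OU=GOC")
EE_MAX_MONTHS, CA_MAX_YEARS = 13, 10
EE_MIN_BITS, CA_MIN_BITS = 1024, 2048
CRL_VALIDITY = timedelta(days=30)      # CRL validity is 30 days
CRL_REISSUE_LEAD = timedelta(days=7)   # new CRL 7 days before expiry

def add_months(when, months):
    """Calendar-month arithmetic, clamping the day to the target month."""
    month = when.month - 1 + months
    year, month = when.year + month // 12, month % 12 + 1
    return when.replace(year=year, month=month,
                        day=min(when.day, calendar.monthrange(year, month)[1]))

def check_subject(dn, kind):
    """Return policy violations for a subject DN; kind is 'user' or 'host'."""
    parts = [p.strip() for p in dn.split(",")]
    problems = []
    if tuple(parts[:3]) != DN_PREFIX:
        problems.append("subject must begin with C=TH,O=NECTEC,OU=GOC")
    cn = next((p[3:] for p in parts if p.startswith("CN=")), "")
    if kind == "host" and not (cn.startswith("host/") and "." in cn):
        problems.append("host CN must be host/<fqdn>")
    if kind == "user" and (not cn or cn.startswith("host/")):
        problems.append("user CN must be a person name, not host/")
    return problems

def check_cert(not_before, not_after, key_bits, is_ca):
    """Lifetime and key-length checks for one certificate."""
    problems = []
    limit = (not_before.replace(year=not_before.year + CA_MAX_YEARS)
             if is_ca else add_months(not_before, EE_MAX_MONTHS))
    if not_after > limit:
        problems.append("lifetime exceeds policy maximum")
    if key_bits < (CA_MIN_BITS if is_ca else EE_MIN_BITS):
        problems.append("key shorter than policy minimum")
    return problems

def crl_schedule(this_update, revocation_at=None):
    """(nextUpdate, latest reissue time) under the 30-day / 7-day rule;
    a revocation pulls the reissue forward to the revocation time."""
    next_update = this_update + CRL_VALIDITY
    reissue_by = next_update - CRL_REISSUE_LEAD
    if revocation_at is not None:
        reissue_by = min(reissue_by, revocation_at)
    return next_update, reissue_by
```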
Contact Information
Sornthep Vannarat and Suriya U-ruekolan
National Electronics and Computer Technology Center, Grid Operation Center
112 Paholyotin Road, Klong 1, Klong Luang, Pathumthani 12120, Thailand
Tel: (662) 564-6900 ext 2278
Fax: (662) 564-6772
Email: camanager@hpcc.nectec.or.th