
Secure Distribution of Accredited CA Trust Anchors

The PMA distributes trust anchors for accredited CAs through simple, common mechanisms such as tar-based installs and RPM/yum/apt. The distribution structure is meant to make installation and updates easy.


Presentation Transcript


  1. http://www.eugridpma.org/ Distribution Repository Structure, David Groep, 2005.03.15

  2. Distribution of trust anchors
     • The PMA distributes a set of trust anchors for the community of all accredited CAs
     • Although published via a secure web site, RPs are invited to cross-check the trust anchors against TACAR &c.
     • When using common auth profiles, RPs are likely to install all accredited authorities from all PMAs
     • Need simple, common mechanisms
     • Support both simple tar-based installs and RPM/yum/apt (and debian?)

  3. Distribution items
     • RPMs
       • one per CA
       • including meta-data like CRL URL
       • “policy” meta-RPMS for accredited authorities
     • tar balls
       • per CA
       • a combined tarball with configure/install script

  4. Current layout (one profile only)
       /distribution/current -> 0.27
       /distribution/0.27/...
       .../accredited/RPMS/ca_NAME1-0.27-1.noarch
       .../accredited/RPMS/ca_NAME2-0.27-1.noarch
       .../accredited/tgz/ca_NAME.tar.gz
       .../accredited/ /cabundle-eugridpma-accredited.tar.gz
       .../ca_policy_eugridpma-0.27-1.noarch.rpm
       /distribution/0.27/headers/...

  5. Proposed structure (multiple profiles)
       /distribution/current -> eugridpma/1.0
       /distribution/eugridpma/1.0/accredited/RPMS/...
       .../accredited/RPMS/ca_NAME-1.0-1.noarch.rpm
       .../accredited/RPMS/ca_policy_eugridpma-classic-1.0-1.noarch.rpm
       .../accredited/RPMS/ca_policy_eugridpma-acs-1.0-1.noarch.rpm
       .../accredited/tgz/ca_NAME.tar.gz
       .../accredited/tgz/cabundle-eugridpma-accredited.tar.gz*
       /distribution/eugridpma/1.0/headers/...
       /distribution/mirror/current/apgridpma/...
       .../apgridpma/current/accredited/ca_policy_apgridpma-classic-0.3-..
       /distribution/mirror/current/tagpma/...
       .../tagpma/current/accredited/ca_policy_tagpma-sips-1.2-1.noarch...
       /distribution/mirror/current/eugridpma/current/...
       /distribution/mirror/current/igf/...
       .../igf/current/accredited/RPMS/ca_policy_igf-classic-1.0-1.noarch
           requires: ca_policy_eugridpma-classic
           requires: ca_policy_apgridpma-classic
       /distribution/mirror/current/headers/...

     *) ./configure --prefix=/etc/security/grid --with-profile=acs
        make install

  6. Using the RPM repository
     • Having all PMA current repositories mirrored under one root allows YUM/APT updates from a single source
     • If the “current” is mirrored and old files removed, manual installation is also unambiguous
     • Mirroring ensures always getting the latest from every PMA
     • Install all “classic” CAs with a single
         yum -y install ca_policy_igf-classic
     • Have an “overall” policy file that includes all profiles:
         yum -y install ca_policy_igf

  7. RPM dependencies
       ca_policy_pma-classic-2.3 requires
           ca_authname = 2.3
       ca_policy_pma-3.4 requires
           ca_policy_pma-classic = 3.4
           ca_policy_pma-sips = 3.4
           ca_policy_pma-acs = 3.4
       ca_policy_igf-classic-1.0 requires
           ca_policy_eugridpma-classic [no version!]
           ca_policy_apgridpma-classic [no version!]
           ca_policy_tagpma-classic [no version!]
       ca_policy_igf-1.0 requires
           ca_policy_igf-classic = 1.0
           ca_policy_igf-sips = 1.0
           ca_policy_igf-acs = 1.0

  8. CA package contents
     • Required content
       • trust anchor: c_hash.0
       • CRL location: c_hash.crl_url
       • Namespace definition: c_hash.signing_policy
     • Optional content
       • CERT location: c_hash.ca_url
       • CA web page: c_hash.url
     • Package dependencies (RPM only)
       • for a hierarchical PKI the RPM name of the parent CA
     • Proposed content
       • metadata c_hash.doc with: alias, full name, AuthProfile, email addresses, PDS, CP/CPS link, all as “attribute=value” pairs

  9. Tar/Configure based installation
     • RP will download three tarballs
     • Runs ./configure three times
     • but same format for all:
       • --prefix=path [default: /etc/grid-security/certificates]
       • --with-profile=authprofilename [default: all profiles]

  10. Naming conventions
     • Each Authority will have an alias of 4-16 chars
     • Each PMA will have a shortname: “eugridpma”, “apgridpma”, “tagpma”
     • Each profile will have a shortname for use in RPM specialisation and for the --with-profile= configure option
       • “classic”: traditional, secured PKI CAs
       • “sips”: Site Integrated Proxy Servers, kCAs
       • “acs”: secured Active Certs Stores, NERSC-style
       • “experimental”: testing and experimental authorities of any kind that need distribution
       • “test”: internal testing only

  11. Mirroring requirements
     • Each PMA will mirror all others & the IGF
     • web site / directory naming: http://www.pmaname.org/distribution/mirror/
     • Mirror frequency: once daily
     • also mirror yourself for consistency, so “/distribution/mirror” will be the same everywhere

  12. Implementation plan • …
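
A check a relying party could run over an installed certificates directory, based on the required package contents on slide 8 and the naming conventions on slide 10. This is an added example, not part of the original presentation or of the PMA's tooling; the `.doc` key spellings `alias` and `AuthProfile`, the 8-hex-digit hash file names, and all sample file contents are assumptions.

```python
import os
import re
import tempfile

REQUIRED = ("0", "crl_url", "signing_policy")  # required content per slide 8
PROFILES = {"classic", "sips", "acs", "experimental", "test"}  # shortnames, slide 10
FILE_RE = re.compile(r"^([0-9a-f]{8})\.(0|crl_url|signing_policy|doc)$")

def parse_doc(text):
    """Parse "attribute=value" lines; key spellings are assumed, matched case-insensitively."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def audit(cert_dir):
    """Return {hash: [problems]} for every CA with at least one file in cert_dir."""
    present = {}
    for match in filter(None, map(FILE_RE.match, os.listdir(cert_dir))):
        present.setdefault(match.group(1), set()).add(match.group(2))
    report = {}
    for ca_hash, exts in sorted(present.items()):
        problems = [f"missing {ca_hash}.{ext}" for ext in REQUIRED if ext not in exts]
        if "doc" in exts:
            with open(os.path.join(cert_dir, ca_hash + ".doc"), encoding="utf-8") as fh:
                meta = parse_doc(fh.read())
            alias = meta.get("alias", "")
            if not 4 <= len(alias) <= 16:
                problems.append(f"alias {alias!r} is not 4-16 characters")
            if meta.get("authprofile") not in PROFILES:
                problems.append(f"unknown AuthProfile {meta.get('authprofile')!r}")
        report[ca_hash] = problems
    return report

def demo():
    sample = {  # constructed directory: one complete CA, one incomplete; no real CA data
        "1a2b3c4d.0": "placeholder certificate\n",
        "1a2b3c4d.crl_url": "http://ca.example.org/crl.der\n",
        "1a2b3c4d.signing_policy": "# placeholder namespace policy\n",
        "1a2b3c4d.doc": "alias=ExampleCA\nAuthProfile=classic\n",
        "5e6f7a8b.0": "placeholder certificate\n",
        "5e6f7a8b.doc": "alias=XY\nAuthProfile=gold\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in sample.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

A trust anchor installed without its `crl_url` or `signing_policy` file shows up with a non-empty problem list, so the check can gate a mirror sync or a tar-based install.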
