
ARCS SLCS CA

Sam Morrison, Australian Research Collaboration Service (ARCS), formerly APAC. ARCS SLCS CA. What is SLCS? Short Lived Credential Service; lifetime < 1 million sec; online CA; authenticate using an Identity Management system. Why SLCS?


Presentation Transcript


  1. ARCS SLCS CA. Sam Morrison, Australian Research Collaboration Service (ARCS), formerly APAC.

  2. What is SLCS?
     • Short Lived Credential Service
     • Lifetime < 1 million sec
     • Online CA
     • Authenticate using an Identity Management system

  3. Why SLCS?
     • Allow users to access HPC/Data/other services via the existing PKI infrastructure.
     • Users need to know nothing about certificates, CRLs, private keys etc.

  4. Identity Management
     • Shibboleth
     • Australian Access Federation (AAF)
     • Will include all universities in Australia (and NZ)
     • IdP = Identity Provider
     • SP = Service Provider

  5. ARCS SLCS system
     • Semi production
     • Two VMs
     • SWITCH SLCS server with Shibboleth SP
     • Online CA (EJBCA)

  6. DN Uniqueness
     • Generate the DN from values sent from the IdP
     • /DC=au/DC=org/DC=arcs/DC=slcs/O=<Organisation>
     • /CN=<commonName> <auEduPersonSharedToken>
     • auEduPersonSharedToken is unique and persistent

  7. Future
     • Write CP/CPS
     • Purchase a dedicated server and HSM for the online CA
     • Get accredited

  8. Proposed Network Structure (diagram)

  9. Policy
     • Each IdP has an agreement with the SLCS server (as well as the federation agreement)
     • Need to make sure IdPs are well managed; ensured by AAF policy
     • CP/CPS under development

  10. Level of Assurance (LoA)
     • All identities have a LoA
     • Some services don't require a high LoA
     • Have 2 online CAs
     • One for high LoA – IGTF (planned)
     • One for other services – non-IGTF

  11. Delegating credential retrieval
     • Allow another SP to get an SLCS cert on behalf of a user
     • Key/cert stored on the web server, not on the client
     • Security concerns?

  12. Questions?
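The DN derivation from slide 6 and the lifetime bound from slide 2, as an added example that is not part of the presentation or the ARCS code base. The attribute key names (`organisation`, `commonName`, `auEduPersonSharedToken`) and the escaping scheme for `/`-separated DNs are assumptions; the sample attributes are constructed.

```python
# Slide 2: an SLCS credential lives for less than 1 million seconds (~11.5 days).
MAX_LIFETIME_SEC = 1_000_000
# Slide 6: fixed part of every ARCS SLCS subject DN.
DN_PREFIX = "/DC=au/DC=org/DC=arcs/DC=slcs"

def _escape(value: str) -> str:
    """Escape characters that would alter an OpenSSL-style '/'-separated DN.
    The escaping scheme is an assumption; the slides only give the layout."""
    return "".join("\\" + c if c in "/+=\\" else c for c in value)

def build_slcs_dn(attrs: dict) -> str:
    """Derive the subject DN from attributes released by the IdP (slide 6).
    The attribute key names used here are assumed, not taken from the slides."""
    org, cn = attrs.get("organisation"), attrs.get("commonName")
    token = attrs.get("auEduPersonSharedToken")
    if not (org and cn and token):
        raise ValueError("IdP must release organisation, commonName and auEduPersonSharedToken")
    # The token follows the name after a single space, so a token containing
    # whitespace could make the CN ambiguous to a relying party: reject it.
    if any(ch.isspace() for ch in token):
        raise ValueError("auEduPersonSharedToken must not contain whitespace")
    return f"{DN_PREFIX}/O={_escape(org)}/CN={_escape(cn)} {_escape(token)}"

def lifetime_seconds_ok(seconds: float) -> bool:
    """True if a validity period of `seconds` satisfies the SLCS bound."""
    return 0 < seconds < MAX_LIFETIME_SEC

def all_subjects_distinct(users) -> bool:
    """True if every user maps to a different DN even when names collide."""
    dns = [build_slcs_dn(u) for u in users]
    return len(set(dns)) == len(dns)

# Constructed sample attributes: two people who share a name but, because the
# shared token is unique and persistent, must still receive distinct DNs.
SAMPLE_USERS = [
    {"organisation": "Example University", "commonName": "Alex Example",
     "auEduPersonSharedToken": "constructed-token-A"},
    {"organisation": "Example University", "commonName": "Alex Example",
     "auEduPersonSharedToken": "constructed-token-B"},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(build_slcs_dn(user))
    print(all_subjects_distinct(SAMPLE_USERS))   # True
    print(lifetime_seconds_ok(11 * 86400))        # True  (950400 s)
    print(lifetime_seconds_ok(12 * 86400))        # False (1036800 s)
```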
