1 / 62

EU NREN PKI

EU NREN PKI. Jan Meijer. AARnet PKI / Access Federations Strategy Workshop 10 February 2010 Sydney. me. 1998-2007: SURFnet CERT, security, PKI, systems engineering, e-voting 2007-now: UNINETT service development, storage, PKI. beautiful morning. 22 NRENs 6 months

rodd
Download Presentation

EU NREN PKI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EU NREN PKI Jan Meijer AARnet PKI / Access Federations Strategy Workshop 10 February 2010 Sydney

  2. me • 1998-2007: SURFnet • CERT, security, PKI, systems engineering, e-voting • 2007-now: UNINETT • service development, storage, PKI

  3. beautiful morning.... • 22 NRENs • 6 months • 12573 server certs • starting personal

  4. PKI purpose Guarantee: • Authenticity • Confidentiality • Integrity • Non repudiation

  5. ehr, no, we want • others not to read our mail • to know the sender is the sender • that, for documents, thanks • no reading of my credit card number • no reading of my health information • no reading of my passwords • log on to my internal web site

  6. if it doesn’t work it doesn’t work

  7. the issue ?

  8. direct trust

  9. hierarchical trust

  10. web of trust

  11. Feb 1993, RFC 1422 Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management obsoletes RFC 1114 Mail Privacy: Key Management (1989)

  12. Feb 1993, RFC 1422 The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA). The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy. Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations. Each PCA is certified by the IPRA.

  13. USA crypto exports <1996: International Traffic in Arms Regulation 1996: Export Administration Regulations (EAR) of the Department Commerce 31 Dec 1998: 56 bit without license 12 January 2000: Freedom to export source: Bert-Jaap Koops’ Crypto Law Survey http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us

  14. Pretty Good Privacy Jun 5, 1991: PGP 1.0 Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.63i…with help: Aug 1996: RFC1991, PGP Message Exchange Formats (FYI) Nov 1998: RFC2440, OpenPGP Message Format (STD)

  15. 1994: Netscape Navigator 1.0 1995: Internet Explorer 2.0

  16. (1994) 1996: .nl electronic purse chipper chipknip

  17. 13 December 1999: DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

  18. 1995: Student Chip Card

  19. qualified digital signatures!

  20. 1998: SURFnet PKI • PGP PKI • PGP keyserver pgp.surfnet.nl • x.509 PKI

  21. use PGP • email signing and encryption • document signing and encryption x.509 • email signing and encryption • document signing and encryption • authentication • smartcard deployments

  22. requirements • scalable • identity vetting at university • affordable server and client certificates

  23. SURFnet x.509 PKI 1998: setup 1999: production

  24. more levels

  25. europe

  26. down in the trenches

  27. soon

  28. ~2000 • Netherlands qualified Digital Signature accreditation framework ready • SURFnet PKI: test audit

  29. ~2001 “SURFdiensten” GlobalSign discount deal for .nl higher ed

  30. 1998-2004: PKI evolves • Focus on policy • Focus on CA operations • Plans to interlink European PKIs • Separate eScience Grid PKI • TACAR • Experience but not large scale deployment

  31. SURFnet PKI numbers

  32. popular? • SSL server certificates • Personal certificates • Code Signing certificates

  33. biggest problem?

  34. get root in browsers 2000: $250.000 x 2 2004: IE: WebTrust

  35. puzzling pieces • in browser root,$$ • flat rate • unpunished success • why do I want to run my own CA?

  36. TERENA

  37. idea • join forces • contract commercial CA • flat-rate for the TERENA community • unlimited • NREN becomes RA • re-use existing contractual relations make it stupid to not secure your server with SSL

  38. use existing relations

  39. SCS timeline • Jan 2005: idea written up (TF-CSIRT!) • Feb 2005: presented at TF-EMC2 “the list” 20 kEUR • Summer 2005: reality + procedure check • September 2005: CfP • January 2006: GlobalSign contract

  40. 16 March 2006: SCS is born

  41. SCS numbers 12/2007 NRENs # issued # organisations ACONet 979 26 ARNES* 23 n/a BELNET 673 57 CARNet 166 n/a CESNET 452 20 CRU/RENATER 1446 134 GARR** 100 20 JANET (UK) 2300 212 RedIRIS 1077 86 SUNET*** 487 17 SURFnet 1934 91 SWITCH 1200 n/a UNI-C **** 1366 n/a UNINETT 348 24 14 NRENs 12551 certificates

  42. SCS numbers per 1 Aug 2008 # participating NRENs 18 (14) # certificates issued 19.400 (12551) # participating orgs 2.225 # proxies 3.800

  43. 2007: mission accomplished!no ssl = lameand behavioural change...

  44. SCS: lessons learned • vested interests, existing services, strong opinions, policy devil.... • browser popup was the problem • certain level of control good • do what matters • good enough = good enough!

  45. 2007 • contract renewal with GlobalSign • start preliminary work with new CfP

  46. new CfP, lessons learned • root coverage: browsers *and* other platforms • validity on contract end • ensuring future root coverage • end user interfaces • interface response times • describe certificate request processing • profiles • subjectAltName • multiple valid certificates • internationalisation • support • auditing • training • certificate lifetime

  47. more lessons...optional reqs • alternative lifetimes • end user interface for renewal • per NREN branding • additional profiles • eScience Grid certificate support • API • wildcard certificates • OCSP • extensive reporting

  48. interesting CfP

  49. TERENA Certificate Service

More Related