Explore the NAREGI Certification Service for secure grid operations and management in academia. Enhance the CA system for efficient certificate issuance and revocation. Contribute to global cyber science infrastructure.
Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA
Toshiyuki Kataoka, Kento Aida, Shinichi Mineo
National Institute of Informatics, JAPAN
Aug. 28, 2007, APAN 24 Middleware Session, Xi'An
OUTLINE
• NAREGI Certification Service
• UPKI Common Specifications
• UPKI Enhancement of CA System
• Grid Operation Center Plan
• Issues
1-1 CyberScience Infrastructure for Advanced Science (by NII)
[Figure: NII's Cyber Science Infrastructure, "To Innovate Academia and Industry". Components: Scientific Repository (publication of scientific results from academia), Virtual Organization for science, Industry Liaison and Social Benefit, NAREGI Middleware, UPKI, Global Contribution, Human Resource Development and strong organization. Super-sinet: a next generation network infrastructure supported by NII and 7 National Computer Centers (Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University; also Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization, etc.).]
1-2 NAREGI Certification Authority
• NAREGI (National Research Grid Initiative) PJ develops grid middleware.
• NAREGI CA is operated by NAREGI PJ, and it issues certificates for development and for doing research using NAREGI grid middleware.
• NAREGI CA is a member of APGrid.
  - NAREGI CA is authorized by the APGrid PMA as a Production Level CA.
  - NAREGI PMA is a member of APGrid PMA.
• NAREGI CA issues certificates to NAREGI project members (National Institute of Informatics, Institute for Molecular Science).
1-3 NAREGI CA operation
[Figure: operation flow between the user site (certificate users, host administrators) and NAREGI CA (RA administrator, CA operator).]
① Preparation: account registration request and account registration; application for bulk license ID and issuance of bulk license ID.
② License ID request: the user site sends a license ID request; NAREGI CA receives the request and inspects it.
③ Issuance request / ④ Revoke request / ⑤ Reissuance request: the user site sends a certificate request; NAREGI CA receives the request and issues or revokes the certificate.
⑥ Retrieve data for creating map file: NAREGI CA makes the data for creating the map file; the user site retrieves it.
2-1 UPKI Architecture
[Figure: three PKI layers. Open Domain PKI: NII Pub CA and other public CAs issue certificates to Web servers and for S/MIME (sign, encrypt). Campus PKI: A Univ. CA and B Univ. CA issue end-entity (EE) certificates for campus use to students and faculty (auth, sign, encrypt). Grid Computing / NAREGI PKI: A Univ. NAREGI CA and B Univ. NAREGI CA issue EE and proxy certificates for servers and supercomputers.]
2-2 UPKI Activities
[Same figure, annotated with the UPKI activities: Server Certificates, S/MIME Certificates, UPKI Common Specification, Eduroam, NAREGI-CA Pack, NAREGI-CA Enhancement.]
2-3 UPKI Common Specifications
[Same figure, highlighting the UPKI Common Specifications.]
2-4 UPKI Common Specifications
• UPKI Common Specifications
  • Campus PKI procurement guidelines
  • Campus PKI CP/CPS templates
• Campus PKI model
  • Two outsource models and one insource model
  • Developed and published for the outsource model
  • https://upki-portal.nii.ac.jp/upkispecific/specific (only available in JAPANESE!)
• Goals: to promote Campus PKI deployment, to reduce cost, to keep multi-university cooperativity.
[Roadmap 2006-2009: the Campus PKI Spec. and the Campus CP/CPS templates progress from the outsource model to the insource model to the multi-university cooperative model; in parallel, deployment of campus PKI at each university, connecting universities, and federation of applications.]
2-5 Operation Models of CA
[Figure: the three operation models and the scope of the CP/CPS.]
• Full outsource: the provider operates both IA and RA for the university.
• IA outsource: the provider operates the IA; the university operates the RA.
• Insource: the university operates both IA and RA.
3-1 Enhancement in UPKI
Enhancements for actual operation of CA/RA at universities:
• To split and delegate RA.
• To provide staff/students means to apply by themselves.
• To issue grid certificates by identification with campus certificates.
3-2 Enhancement in UPKI (1), (2)
• To split and delegate RA.
  • Created RA/LRA operator authorities split from RA administrator authorities.
  • Secure delegation by using IC card.
  • Delegation to hierarchized institutions in universities for actual operation.
• To provide staff/students means to apply by themselves.
  • Easy application of registration, issuance, and revocation from the web.
  • Secure application by using challenge PIN.
  • Reduced burden of RA operation.
3-3 Enhanced Procedure To Issue Certificate
[Figure: before and after. Before: the user applies to the RA for a license ID; the RA administrator identifies the user and the CA administrator issues the license ID; the user presents the license ID and the CA issues the certificate. After: the RA administrator delegates to an RA operator of a Local RA using an IC card (RA management server, web); the user applies through the RA application server (web) and receives a challenge PIN; the RA operator identifies and approves the user; the CA issues the certificate against the challenge PIN.]
3-4 Enhancement in UPKI (3)
• To issue grid certificates by identification with campus certificates.
  • Cooperation of Grid CA and Campus CA.
  • Reduced burden of RA operation.
  • Any certificate can be issued for other AP.
3-5 Campus-Grid PKI Federation
[Figure: Campus PKI and Grid PKI. The Campus CA issues a certificate to the user on an IC card. The user requests a grid certificate from the NAREGI RA, using the IC card as credential; the NAREGI RA is linked to the campus side via LDAP, and the NAREGI CA issues the certificate for the grid system. With that certificate the user accesses the grid system (supercomputers).]
4-1 Grid Operation Center Plan
• GOC CA issues certificates to authorized members of CSI using grid.
• Operation will be compliant with APGrid policies.
• Cooperate with many universities and research institutes.
4-2 Operation models of GOC
• GOC will operate three models.
(1) LRA in GOC operates registration; GOC will inspect user documents and do face-to-face identification.
(2) LRA in university operates registration; the university will inspect user documents and do face-to-face identification.
(3) Use the campus certificate as identification to issue the grid certificate; the university will inspect user documents but skip face-to-face identification.
5-1. Issue 1
• User Identification
  - APGrid PMA minimum CA requirements: "In order for an RA to validate the identity of a person, the subject must contact the RA personally and present photo-id and/or valid official documents showing that the subject is an acceptable end entity as defined in the CP/CPS document of the CA."
  - Campus PKI CPS template: "The information of students or faculties will be collected on admission and stored in database in universities. Campus PKI CA will issue campus certificate by using and trusting the collected information in the database"
-> Is it proper and feasible to use the campus certificate as identification for issuing a grid certificate?
-> Add the following term to the Campus PKI CPS template? "photo-id and/or valid official documents in the case of using campus certificate as an identification for grid certificate."
5-2. Issue 2
• On revocation of the campus certificate:
  • For a grid certificate that was issued by identifying with the campus certificate
  -> Keep the grid certificate valid?
  -> Revoke the grid certificate? How? Check the CRL of the campus certificate?
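One way a GOC could act on the question above, shown as an added example that is not from the presentation: the NAREGI RA records which campus certificate (issuer and serial) was presented when each grid certificate was issued, parses the campus CA's CRL, and suspends or revokes the dependent grid certificates. The registry format, the sample CRL text (in the style of `openssl crl -text` output) and the hold-versus-revoke policy are assumptions made for this illustration.

```python
import re

# Constructed sample CRL of a campus CA, in the text form `openssl crl -text` prints
# (issuer, serials, dates and reasons are made up for this illustration).
CAMPUS_CRL_TEXT = """\
        Issuer: C=JP, O=A Univ, CN=A Univ CA
Revoked Certificates:
    Serial Number: 1A2B
        Revocation Date: Aug 10 09:00:00 2007 GMT
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 3C4D
        Revocation Date: Aug 18 09:00:00 2007 GMT
            X509v3 CRL Reason Code:
                Certificate Hold
"""

# Constructed registry (hypothetical format) kept by the NAREGI RA: which campus
# certificate (issuer, serial) was presented when each grid certificate was issued.
A_UNIV_CA = "C=JP, O=A Univ, CN=A Univ CA"
GRID_ISSUANCE_REGISTRY = [
    {"grid_serial": "0101", "campus_issuer": A_UNIV_CA, "campus_serial": "1A2B"},
    {"grid_serial": "0102", "campus_issuer": A_UNIV_CA, "campus_serial": "3C4D"},
    {"grid_serial": "0103", "campus_issuer": A_UNIV_CA, "campus_serial": "5E6F"},
    {"grid_serial": "0104", "campus_issuer": "C=JP, O=B Univ, CN=B Univ CA", "campus_serial": "1A2B"},
]

def parse_crl_text(text):
    """Return (issuer, {serial: reason}); entries without a reason code get 'Unspecified'."""
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip()
    revoked = {}
    for block in re.split(r"^\s*Serial Number:\s*", text, flags=re.M)[1:]:
        serial = block.split("\n", 1)[0].strip().upper()
        m = re.search(r"CRL Reason Code:\s*(\S.*)", block)
        revoked[serial] = m.group(1).strip() if m else "Unspecified"
    return issuer, revoked

def grid_certs_to_act_on(registry, crl_text):
    """Map affected grid serials to 'hold' or 'revoke'. Assumed policy: a campus cert
    on hold suspends the dependent grid cert, any other reason revokes it."""
    issuer, revoked = parse_crl_text(crl_text)
    actions = {}
    for rec in registry:
        if rec["campus_issuer"] != issuer:
            continue  # serials are only meaningful under the issuing campus CA
        reason = revoked.get(rec["campus_serial"].upper())
        if reason is None:
            continue  # campus certificate still valid, grid certificate stays valid
        actions[rec["grid_serial"]] = "hold" if reason == "Certificate Hold" else "revoke"
    return actions
```

Running this against the sample data flags grid certificate 0101 for revocation and 0102 for hold, while 0103 (campus certificate not on the CRL) and 0104 (issued under a different campus CA) are left alone.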
5-3. Issue 3
• Audit
  • GOC: APGrid PMA will do mutual audit
  • LRA in universities: GOC will audit?
  • CA for campus PKI in universities: Need audit? And who?