1 / 18

Community PKIs Initiatives Updates

Community PKIs Initiatives Updates. TF-EMC2 Meeting Loughborough, UK 6-7 May, 2009 Licia Florio, TERENA florio@terena.org. Aim of the work item. Overseeing the patterns of usage and emerging technologies that might be relevant to support NRENs services;

wilmet
Download Presentation

Community PKIs Initiatives Updates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Community PKIs Initiatives Updates TF-EMC2 MeetingLoughborough, UK6-7 May, 2009 Licia Florio, TERENA florio@terena.org

  2. Aim of the work item • Overseeing the patterns of usage and emerging technologies that might be relevant to support NRENs services; • Proposing enhancements for the current PKI services; • Promoting the current PKI services to other communities <lastname@terena.org>

  3. PKI Initiatives • SCS service: • Soon to be knows as TCS; • TERENA MICS/SLCS Pilot Service Project • TACAR

  4. TERENA Certificates Service

  5. SCS  TCS • Current SCS: • Provided by GlobalSign BV; • Only SSL server certs; • More than 20.000 certs issued; • Operating till March 2010; • New SCS service: • Comodo CA; • Expected to start in May 2009; • Model: • Yearly flat fee per NREN; • TERENA contractual party; • A dedicated TERENA sub-CA; • NRENs participating can also buy client certificates and code-sign certificates: • Upon an extra flat fee; • TCS: TERENA Certificate Services

  6. Who is in SCS • Participants: • Switzerland out; • Greece and Finland will now participate.

  7. What has been done • Lots of working spend on certificate profiles: • Finally ready since last Friday; • Profiles also for eScience server and client certs; • Test CA to be expected in 10 days; • To testing certificates and interfaces; • Writing CPS for the TERENA sub-CA: • First version of the CPS will only cover SSL server certs; • Later client and code signing cert procedures will be addressed.

  8. What’s next • Test phase: • Two weeks period for the test; • Launching the SSL server certs: • Available for all NRENs participating; • More work on the API: • The current prototype does not cover client and code signing certs; • Accreditation with the EuGridPMA

  9. A new PKI Service

  10. TERENA MICS/SLCS Pilot Service Project • Aim: • Establish a shared SLCS/MICS pilot service for the (European) eScience Grid community, under the TERENA umbrella. • SLCS/MICS CA serving all countries participating; • EuGridPMA Accreditation; • Allow for scalability; • The service will issue x.509 cert to persons • No hosts

  11. Grid CAs Managements • Grid uses x.509 certs as authN credential; • Three types of certs are possible: • Classic • Short Lived Credential Service (SLCS) • Member Integrated Credential Service (MICS) • Grid CAs have to accredited by the IGTF: • EuGriPMA (Europe) • TAGPMA (Americas) • APGridPMA (Asia-Pacific)

  12. What are SLCS/MICS certs? • Vetting process and cert lifetime different: • Classic: • Face to Face verification of end-entities needed • Manual process @ RA level • Cert validity: 13 months, but renewal of certs possible without new face-to-face validation. • SLCS/MICS: • Vetting process relays on existing AAI framework; • User authenticates to the CA using an existing electronic identity • This identity is mapped into a Grid cert • SLCS certs are 10 days valid; • MICS certs are 13 months valid;

  13. Benefit of EU SLCS/MICS Service • How many SLCS-CAs does Europe need ;) • Share operational cost and effort (!) • Continued operational PKI skills only needed at one place; • For countries with limited resources very attractive;

  14. More about the service • Use specific federation attribute to decide on SLCS or MICS eligibility • According to the rules defined by the EuGridPMA SLCS/MICS profiles

  15. Who is involved? • UNINETT • Jan Meijer, project management: Project Description, CPS • Henrik Austad: Confusa development • SURFnet • Teun Nijssen, Tilburg University • CA + SLCS/MICS server ops, CPS, euGridPMA accreditation maintenance • Sunet • Leif Johanssen: Federation issues • TERENA • Licia Florio: Contractual party • Denmark, Finland, the Netherlands, Norway and Sweden: • Until Dec 2009 • From Jan 2010 other countries/NRENs may join

  16. Status • Project description almost ready: • Financial model not fully defined yet; • Work on the CPS: • Presentation at the next EuGridPMA in May • Start operations in June: • Quite optimistic ;-)

  17. TACAR

  18. New Developments • TACAR will be also used to host GN3 root Cas: • So far only a couple; • But more is expected in the future; • TACAR still being used as IGTF official repository; • Working with Massimiliano Pala: • To use TACAR for the PKI Resources Query Protocol (PRQP): • to provide standardised way to query PKI repositories to gather info on CAs; • New UI: • Different way to update info; • Different policy;

More Related