FP6−2004−Infrastructures−6-SSA-026409 www.eu-eela.org E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification.

Presentation transcript:

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification Authority Vinod Rebello Universidade Federal Fluminense TAGPMA Face-to-Face Meeting Rio de Janeiro, Brazil,

Presentation Outline
Introduction
Repository
Name Spaces
Certificate and CRL profiles
LA Catch-all CA Structure
End Entity Identification and Verification Process
Certificate Issuance
Security controls
Audit/Archive procedures
Compromise procedures
Disaster recovery
What’s next and future plans


LACa CA Overview
Traditional X.509 Public Key Certification Authority which issues long-term credentials.
CP/CPS follows the IETF’s RFC 3647
  – Based on the CP/CPS of the Brazilian Grid (BrGrid) CA.
  – Version 0.3, OID
Fully compliant with the IGTF Classic CA Profile, maintained by EUGridPMA.
  – The purpose is to issue certificates to support EGEE e-Science activities in the Latin American countries that have yet to establish IGTF accredited Grid CAs of their own.
The LACa CA is not envisioned to be a long-term commitment, rather a temporary solution for end users in countries without appropriately accredited CAs.

Why Two Separate CAs
Flexibility
Expect the LACa CA to be a comparatively short-term endeavour.
Facilitate the transfer of one or other of the CAs to another location if seen to be appropriate.
Separate LACa and BrGrid policy issues
  – Differing legal questions
  – Vetting procedures
  – Operational procedures

LACa CA Operations
Universidade Federal Fluminense (UFF), Niterói, Brazil
  – Instituto de Computação
      Smart Grid Computing Laboratory
Vinod Rebello (CA Manager)
Daniela Vianna
Jacques da Silva
Carlos Cunha (Technical support)
Rafael Pereira (Technical support)
Web repository:

Name Space
The certificate subject names obey the X.501 standard.
Subject names start with the fixed component to which a variable component is appended to make it unique.
  – /O=LACaCA/C=country/O=organization/OU=organizational-unit/CN=subject-name
      /O=LACaCA/C=BR/O=UFF/OU=IC/CN=John Smith
  – /O=LACaCA/C=country/O=organization/OU=organizational-unit/CN=host/host-dns-name
      /O=LACaCA/C=BR/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br
  – /O=LACaCA/C=country/O=organization/OU=organizational-unit/CN=service/host-dns-name
      /O=LACaCA/C=BR/O=UFF/OU=IC/CN=ldap/ca.ic.uff.br
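A validator for the name space above, as an added example that is not part of the original slides or of the LACa CA's own software. It assumes the OpenSSL-style one-line subject form shown on the slide, treats `host` as a literal prefix and any other `name/` prefix as a service name; the function name `classify_subject` and the two-letter country-code check are assumptions.

```python
import re

# Attribute order fixed by the slide: /O=LACaCA/C=../O=../OU=../CN=..
EXPECTED_TYPES = ["O", "C", "O", "OU", "CN"]
# Split only on a "/" that starts a new attribute, so the "/" inside
# CN=host/ce.if.ufrj.br stays part of the CN value.
RDN_BOUNDARY = re.compile(r"/(?=(?:O|C|OU|CN)=)")
DNS_NAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}$"
)
SERVICE_CN = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)/(.+)$")


def classify_subject(dn):
    """Return ("person"|"host"|"service", fields) or raise ValueError."""
    if not dn.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = [p.partition("=")[::2] for p in RDN_BOUNDARY.split(dn[1:])]
    if [t for t, _ in rdns] != EXPECTED_TYPES:
        raise ValueError("attribute order is not O/C/O/OU/CN")
    (_, root), (_, country), (_, org), (_, unit), (_, cn) = rdns
    if root != "LACaCA":
        raise ValueError("fixed component must be /O=LACaCA")
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("C must be a two-letter country code")
    if not org or not unit or not cn:
        raise ValueError("empty attribute value")
    fields = {"C": country, "O": org, "OU": unit, "CN": cn}
    m = SERVICE_CN.match(cn)
    if m:
        if not DNS_NAME.match(m.group(2)):
            raise ValueError("host/service CN needs a valid DNS name")
        kind = "host" if m.group(1) == "host" else "service"
        fields["service"], fields["dns"] = m.group(1), m.group(2)
        return kind, fields
    if "/" in cn:
        raise ValueError("'/' in a personal CN is ambiguous")
    return "person", fields


if __name__ == "__main__":
    # Example subjects taken from the slide
    for s in (
        "/O=LACaCA/C=BR/O=UFF/OU=IC/CN=John Smith",
        "/O=LACaCA/C=BR/O=UFRJ/OU=IF/CN=host/ce.if.ufrj.br",
    ):
        print(classify_subject(s)[0], s)
```

Because the boundary split also fires on an attribute smuggled into the CN (for example a trailing `/O=...`), such a subject ends up with six components and is rejected by the order check.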

Organization Identification
If an organization or unit intends to request a number of certificates, it is encouraged to set up a LACa CA RA.
For first-time requests, the CA (when the request is to become an RA) or the RA (in the case of a certificate request from an end entity) must ascertain:
  – whether or not the organization or organizational unit exists;
  – is entitled to request BrGrid certificates; and
  – obtain competent information on who is entitled to sign documents on behalf of that institution.

Verification of Affiliation
The current relationship between the subscriber and the organization or unit mentioned in the subject name must be proved through:
  – a legally acceptable document;
  – an organization identity card; or
  – an official organization document stamped and signed by an official representative of that organization.
The request may optionally be authorized through the digital signature of an official representative of the organization in possession of a valid LACa CA issued certificate.
In special cases, an organization can provide the RA with access to official databases to verify the relationship.

Identity Validation (1)
Individuals are authenticated through the presentation of a valid identity document officially recognized under the law of the country where the subscriber resides.
The individual should present himself in person to a LACa CA RA for their identity to be verified. At that moment, the individual must present:
  – Proof of their current relationship with the organization(s) to be specified in the DN;
  – Identity document with photograph; and
  – A photocopy of this documentation to be archived by the RA.

Identity Validation (2)
If, for example due to a subscriber’s geographically remote location, physical presence is not possible, this presentation may be held by video conference.
Exceptionally, the subscriber’s identity may be confirmed by a digitally signed from another subscriber in possession of a valid LACa CA issued certificate.
In either case, an authenticated photocopy of all identity documentation together with the subscriber’s notarized signature must be sent by mail/courier to the RA manager (or the CA Manager in the case of setting up an RA) prior to the meeting.

Current Status
The LACa CA is not operational, nor is the repository online.
The same CA management software and resources will be used to support both the BrGrid CA and LACa CA simultaneously.
Given the similarities, aim to focus on the development of the BrGrid CA and implement the differences.
Objective: fully operational and ready for “complete” accreditation by the next F2F TAGPMA meeting in July