Jens’ N th soapbox Can’t be a PMA without a Soapbox Jens Jensen, RAL EU GridPMA, Switch, Zürich, 11-13 May 2009.

Slides:

Advertisements

Similar presentations

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

David L. Wasley Office of the President University of California A PKI Certificate Policy for Higher Education A Work in Progress Draft David L.

Report on Attribute Certificates By Ganesh Godavari.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

Security Awareness Norfolk State University Policies.

Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam

David L. Wasley Office of the President University of California Higher Ed PKI Certificate Policy David L. Wasley University of California I2 Middleware.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

+1 (801) Standards for Registration Practices Statements IGTF Considerations.

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.

NAREGI CA Updates Kento Aida NAREGI CA/NII Kento Aida, National Institute of Informatics APGrid PMA meeting 04/20/2008.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

HEPKI-PAG Policy Activities Group David L. Wasley University of California.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

Security Overview  System protection requirements areas  Types of information protection  Information Architecture dimensions  Public Key Infrastructure.

Module 9: Designing Public Key Infrastructure in Windows Server 2008.

PKI Activities at Virginia September 2000 Jim Jokl

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.

Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

On Robots J Jensen STFC Rutherford Appleton Lab Banff, July 2007.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification.

Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.

Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.

PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA.

TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,

BG.ACAD CA HTTP :// CA. ACAD. BG S ELF - AUDIT REPORT 2014 Vladimir Dimitrov IICT-BAS ( 32 nd EUGridPMA Meeting Poznan, 8-10.

18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

UK e-Science Certification Authority Self Audit Jens Jensen EUGridPMA meeting, Berlin.

Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.

Soapbox (S Series) Who, what, where, why, how Rome Soapbox, Jan 2013 Jens Jensen, Chief Soapbox Officer.

29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.

Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.

IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May.

Key management issues in PGP

J Jensen, STFC Chief Soapbox Officer 23 May 2017

AEGIS Certification Authority

UGRID CA Sergii Stirenko, Oleg Alienin

MaGrid CA Self audit and update

Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau

MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019

KISTI CA Report Status & Self-Audit

BG.ACAD CA Self-audit report 2018

Presentation transcript:

Jens’ N th soapbox Can’t be a PMA without a Soapbox Jens Jensen, RAL EU GridPMA, Switch, Zürich, May 2009

PART I WHAT IS A CA?

What is an IGTF CA? Is it the institution running the issuing authority Is it the trust anchor, a certificate Is it a cert and a (sub-)namespace Is it a collection of certs and namespace Is it a person (le roi, c’est moi)

What is a CA? All of the above (ish) Plus the following…

What is a CA – Services 1.Support infrastructure (eg helpdesk) 2.Contact s (e.g.,.info) 3.Front end – certificate request/download –Renewal and RA interface (if different) 4.Back end – signing service 5.CRL –And OCSP, if available

What is a CA – Services Notification service –Subscriber Issuance, renewal, rekey Revocation –RA Same, mostly –Unusual events

What is a CA – Services Repository –Satisfying repository obligations Publications according to local (usu country) law –Personal data

What is a CA – IGTF RPDNC… (see later) CA manager’s GPG key –TACAR registration paperwork Attendance record –PMA most recent presentation record –PMA most recent audit record

What is a CA – IGTF PMA reviewer records –Initial, re-review: mails, spreadsheets Minreq and AP implementation

What is a CA – Infrastructure 1.Networks – (internet/web needed for at least CRL) 2.DNS, internal 3.DNS, external 4.Machines, hardware 5.Physical protection

What is a CA – internals 1.(Front) database –Logging and archiving (if different) (WORM?) 2.CA operator interface 3.Signing infrastructure –HSM, if used 4.RA database –Paper and/or online

What is a CA – people/roles 1.CA Manager –Policy, admin 2.RA manager manager –RA managers, RA operators (variations) 3.Support 4.(Self)auditor

What is a CA – “Manual” Trust Photocopies (or equiv) of ids Appointment letters PINs, if used Private keys throughout PKI Passphrases

What is a CA – Internals High availability services –Redundancy, monitoring High integrity services –Backup, integrity checks High confidentiality services –Encryption, physical protection, release procedures DISASTER RECOVERY

What is a CA – W&F Audit results –Internal audits –Self audits –External audits

What is a CA – W&F Level of Assurance – LoA Level of Effort – LoF Level of Expertise – LoE –Level of Contribution? – LoC Making change – inertia – LoI –Dinghy vs supertanker Level of Reputation(?) – LoR

What is a CA – W&F Age –Catching up with changing requirements –General rule of decay and obsolescence Components, documents Procedures Age: Rule of that curvy thing

What is CA – exceptional Coping with special cases and errors –Usually on a case by case basis –See humans vs comps later in pres.

PARTS II & III POLICY AND SOFTWARE

Guiding Principles Redde Caesari quae sunt Caesaris –Policy To orthogonise or not –Software Jens’ Law of Humans vs Computers Jens’ Law of Complexity

PART II POLICY

Implementation Implement! in CP/CPS Template Implement! in “1”SCP Implement! in software – see next Part

Examples (non-exhaustive) Either describe separate dimensions –E.g. private key protection –E.g. identity vetting W&F Describe with OIDs OIDs are not ordered I.e,..1 >.2 >.3

Ponder Instead of “how is it implemented” –“What is the goal” How LoA is achieved How APs relate to each other in this respect –Policy mapping

Or not Orthogonal Usually a good thing Clean Separates things that are separate Modular Non-orthogonal Easier to interpret Single mapping to other levels (maybe) Maybe it makes sense to do both

Example Private key in file –Password protected –User generated Certificate personal –F2F id vetting –IGTF-rekey … “I am a Classic…” Maybe it makes sense to do both

PART III SOFTWARE

Law of Humans vs Computers Computers are good at computer things –Make computers do them! Humans are good at human things –Give human things back to humans

Operating Manuals Documenting existing practice Documenting special cases –Discourage too much creativity –Guidelines – good

Law of Complexity “Make simple things simple, complex things possible” “Make things as simple as possible, but not simpler” Complexity has to go somewhere

The Software Triangle Pain Simple convenience Does the right (complex) thing

Example – web CA FF can no longer import certs from file? Backwards DNs, IE on Vista Conversion from PKCS#12 to PEM Import/export for non-personal certs Trust web sites flag not set on cert imp?

Renewal Import into browser –.pem of course is OK Retaining use of private key

Signing Policies Implementation of RPDNC Good(ish) certs outside RPDNC

More software STFC will release Java clients software –Open Source licence –As soon as I get round to doing it Other Java clients STFC-licensed –Free (beer) for non-commercial

Concluding Remarks Soapbox