UK e-Science Certification Authority Self Audit Jens Jensen EUGridPMA meeting, Berlin.

UK e-Science
Operated by the National Grid Service
For UK e-Science activities

Status
>= certificates issued over lifetime of CA
  – Not counting robots and other exceptions distinct
4820 currently valid, 3752 distinct
  – 2328 distinct hosts, 1424 distinct users
  – Does not include robot certs which are signed separately
By 94% .ac.uk, 1% .co.uk, 5% .com

Status
75 RAs
  – Each RA has one manager and one or more operators
  – A few “Roaming”
197 RA staff in database;
  – Not including CA staff
  – 19 “inactive” CA operators
  – More than one complete turnover
  – Some extremely good sysadmins

Self Audit Results
Using doc of
  – There is a later one but only a few days

Bs
(6) RFC 3647: using 2527
(16) Tamper protected log: could be improved
  – Does it mean tamper proof or tamper evident?
(31) CRL issuance
  – Fairly frequent but no code to ensure weekly issuance
  – Relies on users requesting revocation
  – Which they do

Bs cont’d
(46) Rekey, not renew, software keys
  – In exceptional cases, software keys can be renewed
  – Not routine though – requires CA manager intervention
  – Doesn’t even work for key tokens atm
(51) Destruction of personal data doesn’t work
  – Needs support in software

Bs cont’d
(53) RA audit
  – RAs are being audited but we cannot guarantee to audit every RA every year
  – Logistical problem: expensive, needs staff trained to audit, time consuming (travel)
(54) List of CA/RA personnel
  – Exists but could be improved
(58) Redistribution of CP/CPS
  – Is certainly OK, but is it explicitly mentioned?

Bs cont’d
(62) Disaster recovery
  – Processes exist but can be improved
(6) Name linked to single entity
  – Actually OK but operator documentation needs improving for oddball cases
  – Again software problems: code is there to list prior certs with same DN but has a few bugs

Cs
(4) Host/svc authorised by owner of DNS or resp. admin
  – Local processes inadequate? (soapbox?)
  – IT support, delegated,
(44) Cert profile
  – EE using nsCertType instead of EKU
  – Hysterical raisins
  – Has been tested by training CAs in the wild

Ds
(34)-(35) CRL is v1
  – Easy-ish to fix so made it D
  – Requires change to CP/CPS though
(36) CRL uses MD5
  – Should be fixed
(48) Max 5 rekey
  – Code to support this doesn’t work: needs support in software AND updated RA procedures
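
A check for the CRL findings above, (31) no code enforcing weekly issuance, (34)-(35) v1 CRL and (36) MD5 signature, as an added example that is not part of the original slides or the CA's own software. It scans the text printed by `openssl crl -noout -text`; the sample dump, issuer name, dates and finding labels are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout printed by `openssl crl -noout -text`;
# issuer name and dates are made up for illustration.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XX, O=Example Grid, CN=Example CA
        Last Update: Aug  3 09:00:00 2009 GMT
        Next Update: Sep  2 09:00:00 2009 GMT
No Revoked Certificates.
"""

WEAK_DIGEST_PREFIXES = ("md2", "md4", "md5")
MAX_AGE = timedelta(days=7)  # weekly issuance, finding (31)


def _field(text, label):
    """Value of the first 'label: value' line in the dump, or None."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def _when(text, label):
    """Parse an openssl-style timestamp field as naive UTC, or None."""
    value = _field(text, label)
    try:
        # Single-digit days are space padded; collapse the padding first.
        return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    except (AttributeError, ValueError):  # field missing or printed as NONE
        return None


def audit_crl_text(text, now):
    """Return finding labels for one CRL dump; `now` is naive UTC."""
    findings = []
    version = re.search(r"^\s*Version (\d+)", text, re.M)
    if version is None or int(version.group(1)) < 2:  # findings (34)-(35)
        findings.append("crl-not-v2")
    sigalg = (_field(text, "Signature Algorithm") or "").lower()
    if sigalg.startswith(WEAK_DIGEST_PREFIXES):  # finding (36)
        findings.append("weak-signature-digest")
    last, nxt = _when(text, "Last Update"), _when(text, "Next Update")
    if last is None or now - last > MAX_AGE:  # finding (31)
        findings.append("not-reissued-within-7-days")
    if nxt is None or nxt <= now:
        findings.append("next-update-passed")
    return findings
```

Run from a scheduler against the published CRL, a non-empty result is the alert that the slides say is missing for weekly issuance.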

Limiting rekey
Database doesn’t know about key protection
  – (But robots are signed outside main DB)
Database gets confused about
  – Scheduled vs unscheduled rekey
  – Following the renewal trail
  – All the data is there but is cumbersome to extract
  – Database schema not optimal for how we use it
What to do about Roaming RAs

As (interesting ones)
(39) “No shared certificates”
  – Users sharing private keys
  – Long lived proxies
(61) Data protection regulation
  – Six pages (Appendix B) of legalese
“Ownership” of host certs and how it’s checked

But
All of this is not really the point
  – Well, it is, but it isn’t
CA is showing signs of age, creaking, trying to cope with growth
Software support MUST improve
  – Signing software is unforgiving of CA operator error
  – And operator staff have turned over completely
  – Software must support IGTF req’d processes
  – Better automated checks of requests
Procedure documents need updating

CRL D/L failure
Since you asked…
Tier1/NGS main machine room cooling failed
  – Twice in three days, during August
Temperature rose to 45 deg
  – Service emergency shutdown
  – Not supposed to be single point of failure
Temporary CDP brought up
  – Not sure how well it worked

Overall Plan
1. Stay with current version of hacked OpenCA
  – Make even more changes
2. Update to latest version of OpenCA
  – Make even more than even more changes
3. Start from scratch but import old stuff
4. Replace browser support with Java clients and simpler online interface
Outcome depends partly on available staff effort

The TAG
Introduced a TAG
  – Technical Advisory Group
  – Being made part of NGS 3
  – Stakeholder representation (mostly RPs): WLCG, OSG (/TG), GridPP, NGS, OMII-UK, …
  – Advisory, no direct policy remit
  – (overdue for a meeting early Sep)
  – Closed, confidential by default
  – Met twice already
  – No adequate infrastructure for secure comms

Current TODO list
Tracking CA-side actions of revoked certs
Better logging, notifications
Support “new” certs (digsig?, objsign, robots)
Separation of roles and duties
Maybe making some things less specific
  – Avoid changing CP/CPS when stuff changes
  – More process into RA and CA op docs

Current TODO list
Other security/usability improvements
Take signing key wholly online?
  – Provided it fits into current env…?
Move CDP
Improve disaster recovery processes
Shorten EE passphrase to 12? Better?
Fix CP/CPS, corporate identity, modernise?
  – How to minimise duplications? More Xrefs?

Current TODO list
Fully integrate other CAs into hierarchy
  – E.g. training CA, Shib CA, SSO CAs
  – Update Root CP/CPS, now out of date in some respects

Timescales
Easy Ds: one month
Harder fixes: one year
  – Require following plan, step 1, 2, 3, or 4.
  – Interim hacks delay proper solution