Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.

I&A

Identification - The process of establishing the identity of an individual or organization, i.e., to show that an individual or organization is a specific individual or organization. In the context of a PKI, identification refers to two processes: (1) establishing that a given name of an individual or organization corresponds to a real-world identity of an individual or organization, and (2) establishing that an individual or organization applying for or seeking access to something under that name is, in fact, the named individual or organization. A person seeking identification may be a certificate applicant, an applicant for employment in a trusted position within a PKI participant, or a person seeking access to a network or software application, such as a CA administrator seeking access to CA systems.

Dramatis Personae

- Subscriber: responsible for certificate
  – Creation, handover to Subject, renewal/rekey
- Subject: using the certificate
  – according to permitted purposes
- RA (operator): verifying Subject info
- E.g. personal: Subject == Subscriber; host or robot: Subject != Subscriber
- RFC 3647 is wrong:
  – "Subscriber - A subject of a certificate who is issued a certificate."

Managed Keys Policy

- Subscriber (= key repository)
  – Generates and protects keys
  – Ensures that only Subject can use key
- Who generates the CSR?
  – Repository signs stuff, e.g. proxy certs
  – A CSR needs signing, too
  – Option 1: Generate CSR with key, ignore the name in the CSR? User01, User02, ...
  – Option 2: Let users create their own CSRs

Managed Keys Policy

- Use of repository for:
  – Key generation, hand over to Subject
  – Key generation and key archiving
  – Archiving and signing service (e.g. proxies)
  – Signing, and escrow?
- A repository can be many things
  – Will it not be best to assume: generation, storage, signing-at-user's-request

Certificate Validation

- Name of Subject represented in DN
  – (using printableString encoding)
- Subscriber is in possession of private key
- Request originates from Subscriber
- Subject is entitled to a certificate (of given type)
- Certificate profile reflects the purpose
- Lifetime is right
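As an added example (not from the slides), a hypothetical RA-side check in Go for the first three items above: the CSR self-signature proves possession of the private key, every subject DN value must be encoded as PrintableString, and the CN must match the identity the RA verified. ValidateCSR and MakeCSR are assumed names; the sample request is constructed with a fresh Ed25519 key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// attrSET is one RDN (the "SET" suffix makes encoding/asn1 parse a SET OF); RawValue keeps each value's tag.
type attrSET []struct{ Type asn1.ObjectIdentifier; Value asn1.RawValue }

// ValidateCSR is a hypothetical RA check: the CSR self-signature proves possession of the private
// key, every DN value must be PrintableString (tag 19), and the CN must be the identity the RA verified.
func ValidateCSR(der []byte, verifiedCN string) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	var dn []attrSET
	if _, err := asn1.Unmarshal(csr.RawSubject, &dn); err != nil {
		return err
	}
	for _, rdn := range dn {
		for _, atv := range rdn {
			if atv.Value.Class != asn1.ClassUniversal || atv.Value.Tag != asn1.TagPrintableString {
				return fmt.Errorf("DN attribute %v uses tag %d, want PrintableString", atv.Type, atv.Value.Tag)
			}
		}
	}
	if csr.Subject.CommonName != verifiedCN {
		return fmt.Errorf("CN %q is not the verified identity %q", csr.Subject.CommonName, verifiedCN)
	}
	return nil
}

// MakeCSR builds a constructed sample request: fresh Ed25519 key, C=UK/CN=<cn> DN.
func MakeCSR(cn string) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{Country: []string{"UK"}, CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

A CN containing a non-printable character (an umlaut, say) is marshalled by Go as UTF8String and is therefore rejected, as is a request whose signed DN was altered after signing.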

OID in Cert

- CA must know how key was generated and protected
- Key is subject to CA policies... how does it know?
- An RA must assert it...

Look at RA processes...

- Bearing in mind:
  – Users, hosts, and users-with-managed-keys
  – The differences between MICS, SLCS, and Classic
  – Subject, Subscriber, RA are already different roles

RA Process

Multistage process:
- Identification of Subject
- Recording audit trail of identification (maybe)
- Recording association of identification with request
- Checking Subject entitlement
- Authentication of Subscriber
- Association of Subscriber with request
- Subscriber possessing private key
- Checking protection of private key (maybe)
- Collecting "private questions" (MICS)

And:
- Revoking key (cert) when necessary
- Authorising renewals and rekeys

RA Processes

- Some processes already delegated
  – E.g. MICS
  – Delegation: loss of auditability
- Some processes can be automated

Kirkhoff’s Law

RA Process Features

- Throughput
- Redundancy/availability
- Skills
- Data Protection compliance
- Integrity
- Compare DutchGrid's "dumb" RAs and UK's split RAs

What is this about...

- To make progress, we need to
  – Understand the processes of Subscriber
  – Understand the processes of RA
- Enable splitting roles, e.g.
  – Multiperson processes on validation: either split roles, or two-person validation
- Record the steps... in an auditable form (for some steps)
- Enable automating roles? Delegating?
- Understanding the consequences of linking steps

Issuance

- Can continue: look at all the services of the CA
- E.g. "outsourcing" the certificate issuance
  – TCS, SWITCH
  – National CAs still carry on with hosts
- Outsourcing the identity management...
  – MICS, SLCS
- Where is the CA...?
  – The CA is a PMA
  – Note about responsibility, e.g. for data protection

IdM

- If we link IdM to identity processes...
  – What are the implications of linking IdM to repository?
  – Federated identity management: home id generates (or at least activates) credential; MICS
  – "Entities possess and control their key data"