IRAN-GRID Certificate Authority
13th EUgridPMA Meeting, Copenhagen, May 2008
Majid Arabgol, Hessamdding Arfaei, Shahin Rouhani
Institute for Studies in Theoretical Physics and Mathematics (IPM), Niavaran Square, Niavaran Bldg., Tehran, Iran
IRAN-GRID CA: Current Status
- Historical status of IRAN-GRID CA
- Comments from reviewers (Asli, Arsen)
- CP/CPS and repository changes
- Summary
CP/CPS and online repository update history
- May 2007: request for membership; CP/CPS-0.0 (old)
- 6 Jan 2008: CP/CPS-1.0 (draft); repository updated
- 16 Jan 2008: presented at the 12th EUgridPMA meeting
- 18 Feb 2008 (Arsen) and 20 Feb 2008 (Asli): first review
- April 2008: revised CP/CPS; repository updated
- 29 April 2008: second review by Arsen
- May 2008: revised CP/CPS; repository updated
- 23 May 2008 (Arsen) and 26 May 2008 (Asli): current version confirmed
- 28 May 2008: presented at the 13th EUgridPMA meeting
Comments from reviewers
Columns: Reviewer | Major | Minor | CP/CPS (total) | Operational | Total
- Asli: 200
- Arsen: 2306
- Mike: short comment
Comments from reviewers, categorized by:
- Technical: incompleteness, discrepancy, vagueness
- Operational
- Grammatical: wording, fonts, etc.
CP/CPS changes
The CP/CPS and the repository were changed based on:
- comments by Asli and Arsen
- RFC 2527
- RFC 3280
- Grid-Cert-Profile-v-19.pdf (from OGF)
- IGTF-AP-Classic-4-1.pdf
Complete historical changes can be found here:
CP/CPS changes: Policy Identification (1.2)
Document OID: assigned under the IGTF arc, with the components labelled on the slide as IRAN-GRID CA, Institute for Studies in Theoretical Physics and Mathematics (IPM) .7, CP/CPS .1, major version .1, minor version .2.
CP/CPS changes: Frequency of Entity Compliance Audit (2.7.1)
Old: no stipulation.
New: IRAN-GRID CA performs operational audits of the CA and RA staff at least once per year. A list of CA and RA personnel is maintained and verified at least once per year.
CP/CPS changes: Physical Security and Access Controls (5.1)
- Physical access: physical access to the IRAN-GRID CA repository and to the CA/RA computers is restricted to authorized personnel.
- Fire prevention and protection: the on-line computers are in a room equipped with fire protection systems, and the off-line computer is kept in a fire-safe box.
- Media storage: the IRAN-GRID CA key and back-up copies of IRAN-GRID CA related information are kept on several removable storage media.
CP/CPS changes: Name Forms (7.1.4)
Distinguished Names:
- Issuer: C=IR, O=IPM, O=IRAN-GRID, OU=IPM-GRID, CN=IRAN-GRID CA
- Subject (persons): C=IR, O=IRAN-GRID, O=<institution>, OU=<department>, CN=<full name>
- Subject (hosts): C=IR, O=IRAN-GRID, O=<institution>, OU=<department>, CN=<FQDN>
- Subject (services): C=IR, O=IRAN-GRID, O=<institution>, OU=<department>, CN=<service>/<FQDN>
CP/CPS changes: Name Meanings (3.1.2)
Each entity has a clear and unique Distinguished Name (DN) in the certificate subject field. Every DN issued under this CP/CPS begins with "C=IR, O=IRAN-GRID". For a user certificate the common name (CN) must be the full name of the subscriber. For a host certificate the CN must be the FQDN of the server.
- Illustration of a full subject DN for a user: C=IR, O=IRAN-GRID, O=Sharif University of Technology, OU=Physics Dept., CN=Shahin Rouhani (full name)
- Illustration of a full subject DN for a host: C=IR, O=IRAN-GRID, O=Sharif University of Technology, OU=Physics Dept., CN=grid02.sharif.ac.ir
- Illustration of a full subject DN for a service: C=IR, O=IRAN-GRID, O=Sharif University of Technology, OU=Physics Dept., CN=ldap/grid02.sharif.ac.ir
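The naming rules above can be enforced mechanically by the RA or CA operator before a request is signed. The following is an added example, not the CA's own tooling and not code from the slides: it parses a subject DN in either the CP/CPS order (C first) or OpenSSL's one-line order (CN first, as in the certificate dumps later in this deck), requires the mandatory C=IR, O=IRAN-GRID prefix, and classifies the CN as a full name (user), an FQDN (host) or service/FQDN (service). The regular expressions standing in for "full name" and "FQDN", and the function names, are this example's assumptions rather than definitions taken from the CP/CPS.

```python
# Added example (not the CA's tooling): check a subject DN against the IRAN-GRID
# naming rules of CP/CPS 3.1.2 and 7.1.4. NAME_RE and FQDN_RE are this example's
# own reading of "full name" and "FQDN", not text from the CP/CPS.
import re

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
NAME_RE = re.compile(r"^[A-Z][A-Za-z'.-]+(?: [A-Z][A-Za-z'.-]+)+$")  # at least two capitalised words
SERVICE_RE = re.compile(r"^[a-z][a-z0-9-]*$", re.I)                  # e.g. ldap, host, rls


class NamePolicyError(ValueError):
    """Raised when a DN violates the CP/CPS naming rules."""


def parse_dn(dn):
    """Split a comma-separated DN into an ordered list of (type, value).
    Accepts the CP/CPS order (C first) and OpenSSL's one-line order (CN first);
    the result is always returned C-first. Escaped commas ('\\,') in values are kept."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise NamePolicyError(f"malformed RDN {part.strip()!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip().replace("\\,", ",")))
    if rdns[0][0] == "CN":
        rdns.reverse()
    return rdns


def classify_subject(dn):
    """Return 'user', 'host' or 'service' for a conforming DN, else raise NamePolicyError."""
    rdns = parse_dn(dn)
    if rdns[:2] != [("C", "IR"), ("O", "IRAN-GRID")]:
        raise NamePolicyError("every DN must start with C=IR, O=IRAN-GRID")
    if rdns[-1][0] != "CN" or sum(t == "CN" for t, _ in rdns) != 1 or not rdns[-1][1]:
        raise NamePolicyError("exactly one non-empty CN is required, as the last RDN")
    cn = rdns[-1][1]
    if "/" in cn:                                   # service certificate: <service>/<FQDN>
        svc, _, host = cn.partition("/")
        if SERVICE_RE.match(svc) and FQDN_RE.match(host):
            return "service"
        raise NamePolicyError(f"service CN must be <service>/<FQDN>, got {cn!r}")
    if FQDN_RE.match(cn):                           # host certificate: CN is the server FQDN
        return "host"
    if NAME_RE.match(cn):                           # user certificate: CN is the full name
        return "user"
    raise NamePolicyError(f"CN is neither a full name nor an FQDN: {cn!r}")


def conforms(dn):
    """Boolean form of classify_subject, for scripts that only need accept/reject."""
    try:
        classify_subject(dn)
        return True
    except NamePolicyError:
        return False
```

The check deliberately refuses a DN whose most specific RDN is not the CN, or that carries two CNs, because relying parties (and the CA's own uniqueness rule) key on a single CN; a CN that is neither a two-word name nor a dotted hostname is rejected rather than guessed at.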
Certificate issuance workflow (applicant, RA, CA)
1. The applicant reads the CP/CPS on the website.
2. The applicant completes the application form and faxes it to the local RA.
3. The RA operator examines the application. Not eligible: contact the applicant and explain. Eligible: the RA operator makes an appointment for an interview.
4. Interview with the RA operator; the applicant provides all necessary documents. Not approved: contact the applicant and explain. Approved: inform the applicant and ask them to submit a CSR.
5. The RA operator informs IRAN-GRID CA and sends it the approved documents.
6. IRAN-GRID CA checks whether the applicant has already submitted the CSR via the website; if not, the applicant is reminded.
7. The CA manager issues the approved certificate request (issued by IRAN-GRID CA to the user/host).
8. The certificate is published on the website and the user is informed by an e-mail from IRAN-GRID CA.
9. The applicant imports the certificate and exports it to a file.
CP/CPS changes: Life-cycle and certificate issuance (4.2)
- Certificate lifetime: one year.
- An expiration warning is sent before expiry so that the subscriber can rekey or renew; authentication for expiration and revocation cases as in 3.1.6.
- The maximum validity period for a certificate is one year plus one month (30 days).
- IRAN-GRID CA does not rekey after revocation or expiration.
CP/CPS changes: Procedure of Revocation Request (4.2)
The revocation of a user, host or service certificate issued by IRAN-GRID CA proceeds as follows.
The subscriber of a user certificate can request revocation either by:
- sending IRAN-GRID CA an e-mail signed with the private key corresponding to her/his valid personal certificate issued by IRAN-GRID CA; upon successful verification of the digital signature on the e-mail, the certificate is revoked immediately and the subscriber is informed of the revocation by a signed e-mail from IRAN-GRID CA staff; or
- contacting IRAN-GRID CA staff personally; the subscriber must be authenticated as described in the initial authentication section of this policy, and if authentication succeeds the certificate is revoked immediately.
The subscriber of a host or service certificate can request revocation of the host or service certificate by sending IRAN-GRID CA an e-mail signed with the private key corresponding to her/his valid personal certificate issued by IRAN-GRID CA. If at the time of the revocation request she/he holds no valid personal certificate issued by IRAN-GRID CA, she/he must follow the initial authentication procedure described in this policy.
The RA can request revocation of a certificate by sending an e-mail signed with the private key of an RA staff member, corresponding to her/his valid personal certificate issued by IRAN-GRID CA. Upon successful verification of the digital signature and of the fact that the sender is indeed a member of the RA staff, the certificate is revoked immediately and the certificate subject is informed of the revocation by a signed e-mail from IRAN-GRID CA staff.
IRAN-GRID CA staff can revoke any issued certificate if any of the conditions listed in the revocation-circumstances section is satisfied. The certificate subject is informed of the revocation by a signed e-mail from IRAN-GRID CA staff.
Any person other than the subscriber, RA or CA staff who possesses proof of private-key compromise, or of modification of data in a certificate issued by IRAN-GRID CA, can request revocation by contacting IRAN-GRID CA staff personally and presenting that proof. The initial authentication procedure described in this document applies. Upon checking the correctness of the proof presented and successful authentication of the requester, the certificate is revoked and the subject of the certificate is informed of the revocation by a signed e-mail from IRAN-GRID CA staff.
IRAN-GRID CA reacts as soon as possible, and within one day, to any revocation request received.
CP/CPS changes: Types of Records Archived (4.6.1)
- Boots, re-boots and shutdowns of the CA signing machine
- Log-ins to and log-outs from the CA signing machine
- Certificate signing requests
- Certificate revocation requests
- Issued certificates
- Issued CRLs
- E-mail messages sent and received by IRAN-GRID CA
CP/CPS changes: Certificate Extensions (7.1.2)
For natural person certificates:
- Basic Constraints: critical, CA:FALSE
- Subject Key Identifier: hash
- Authority Key Identifier: keyid, issuer:always
- Key Usage: critical, digitalSignature, keyEncipherment, dataEncipherment
- Extended Key Usage: clientAuth, emailProtection
- Netscape Comment: string
- CRL Distribution Points: URI
- Subject Alternative Name: subscriber's e-mail address
- Certificate Policies: OID
For host/service certificates:
- Basic Constraints: critical, CA:FALSE
- Subject Key Identifier: hash
- Authority Key Identifier: keyid, issuer:always
- Key Usage: critical, digitalSignature, keyEncipherment, dataEncipherment
- Extended Key Usage: serverAuth, clientAuth
- Netscape Cert Type: server, objsign
- Netscape Comment: string
- Netscape CA Revocation Url: URL
- CRL Distribution Points: URI
- Subject Alternative Name: DNS:FQDN
- Certificate Policies: OID
For the CA certificate:
- Basic Constraints: critical, CA:TRUE
- Subject Key Identifier: hash
- Authority Key Identifier: keyid
- Key Usage: critical, keyCertSign, cRLSign
- Subject Alternative Name
CP/CPS changes: CRL and CRL Entry Extensions (7.2.2)
Old: no stipulation.
New: the following CRL extensions are used:
- Authority Key Identifier
- CRL Number
PKI structure changes: CA certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Validity
            Not Before: May 15 18:23 GMT
            Not After : May 14 18:23 GMT
        Subject: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c0:f0:d1:da:72:e6:39:a5:94:59:52:35:89:56:
                    aa:01:bf:3f:4a:5c:f1:3a:c7:b5:da:7d:b9:8f:fa:
                    ...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
    Signature Algorithm: sha1WithRSAEncryption
        4a:fb:55:00:b3:95:8f:69:bc:fa:f2:c4:4b:78:15:eb:6c:8f:
        ba:1a:c5:a1:06:8b:a0:1e:0e:7f:5a:51:77:96:d2:75:6e:98:
        b2:d0:eb:9e:4c:af:db:ed:c8:00:4f:29:ae:17:8a:47:52:fa:
        ...
PKI structure changes: host certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Validity
            Not Before: May 15 18:30 GMT
            Not After : Jun 14 18:30 GMT
        Subject: CN=cagrid.ipm.ac.ir,OU=GCG,O=IPM,O=IRAN-GRID,C=IR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cb:58:b5:e9:99:f3:f6:e1:34:9e:d3:8e:16:62:
                    88:3f:70:bf:60:99:68:a7:57:40:92:b7:7a:1f:73:
                    ...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                37:11:39:2F:8E:18:7E:88:EC:79:38:57:A2:17:EE:FE:9C:5B:A3:53
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Subject Alternative Name:
                DNS:cagrid.ipm.ac.ir
            X509v3 Certificate Policies:
                Policy:
            X509v3 CRL Distribution Points:
                URI:
PKI structure changes: user certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=IRAN-GRID CA,O=IRAN-GRID,O=IPM,C=IR
        Validity
            Not Before: May 15 18:26 GMT
            Not After : Jun 14 18:26 GMT
        Subject: CN=Majid Arabgol,OU=GCG,O=IPM,O=IRAN-GRID,C=IR
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ec:07:5d:97:38:dc:e9:dd:0b:af:00:68:73:1a:
                    ...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Key Identifier:
                58:2B:22:71:71:A7:7C:10:6C:97:4B:57:A0:38:96:63:EA:36:DF:65
            X509v3 Authority Key Identifier:
                keyid:CC:C2:87:06:9D:19:EF:B5:B7:76:83:D6:DF:1D:16:68:B9:28:73:70
            X509v3 Subject Alternative Name:
            X509v3 Certificate Policies:
                Policy:
            X509v3 CRL Distribution Points:
                URI:
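The extension profile of 7.1.2 and the validity limit of 4.2 can be verified against exactly this kind of `openssl x509 -noout -text` output before a certificate is published. The block below is an added example, not the CA's tooling and not code from the slides. Its sample dump is constructed after the host certificate shown above; the year, seconds, policy OID (2.999 is the ITU-T example arc) and CRL URL are placeholders because those values are not on the slides. The key-size and signature-algorithm thresholds are this example's present-day assumptions: the 2008 certificates above use 1024-bit RSA and sha1WithRSAEncryption, which was accepted grid practice at the time but fails a current check; passing min_key_bits=1024 and allow_sha1=True reproduces the 2008 view.

```python
import re
from datetime import datetime

# Constructed after the host certificate on the slides; year, seconds, policy OID
# (2.999 is the ITU-T example arc) and CRL URL are placeholders, not the CA's values.
HOST_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: May 15 18:30:00 2008 GMT
            Not After : Jun 14 18:30:00 2008 GMT
        Subject: CN=cagrid.ipm.ac.ir,OU=GCG,O=IPM,O=IRAN-GRID,C=IR
        RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:cagrid.ipm.ac.ir
            X509v3 Certificate Policies:
                Policy: 2.999.1
            X509v3 CRL Distribution Points:
                URI:http://ca.example.invalid/crl.pem
"""

EXT_RE = re.compile(r"^X509v3 (?!extensions:)(.+?):\s*(critical)?$")
FIELD_RES = {"sig_alg": r"^Signature Algorithm: (.+)$", "subject": r"^Subject: (.+)$",
             "not_before": r"^Not Before: (.+)$", "not_after": r"^Not After : (.+)$",
             "key_bits": r"\((\d+) bit\)"}

def parse_text_dump(text):
    """Collect the header fields and X509v3 extension blocks the check needs."""
    info, cur = {"ext": {}}, None
    for raw in text.splitlines():
        s = raw.strip()
        m = EXT_RE.match(s)
        if m:                                   # header line of an extension
            cur = m.group(1)
            info["ext"][cur] = {"critical": bool(m.group(2)), "value": []}
        elif cur and raw.startswith(" " * 16):  # value line(s) of that extension
            info["ext"][cur]["value"].append(s)
        else:
            cur = None
            for key, pat in FIELD_RES.items():
                m = re.search(pat, s)
                if m and key not in info:       # first occurrence wins
                    info[key] = int(m.group(1)) if key == "key_bits" else m.group(1)
    return info

EE_KU = {"Digital Signature", "Key Encipherment", "Data Encipherment"}
PROFILE = {  # CP/CPS 7.1.2, in the spelling openssl -text prints
    "user": {"ca": False, "ku": EE_KU, "san": "email:",
             "eku": {"TLS Web Client Authentication", "E-mail Protection"}},
    "host": {"ca": False, "ku": EE_KU, "san": "DNS:",
             "eku": {"TLS Web Client Authentication", "TLS Web Server Authentication"}},
    "ca": {"ca": True, "ku": {"Certificate Sign", "CRL Sign"}, "san": None, "eku": None},
}

def _items(ext, name):
    """Comma-separated values of one extension as a set (empty if absent)."""
    return {v.strip() for line in ext.get(name, {"value": []})["value"]
            for v in line.split(",") if v.strip()}

def check_profile(info, kind, min_key_bits=2048, max_days=395, allow_sha1=False):
    """Return findings (empty list = conforms). min_key_bits/allow_sha1 are this example's
    present-day defaults; max_days=395 encodes 'one year plus one month' from CP/CPS 4.2."""
    p, ext, out = PROFILE[kind], info["ext"], []
    want = "CA:TRUE" if p["ca"] else "CA:FALSE"
    bc, ku = ext.get("Basic Constraints"), ext.get("Key Usage")
    if not (bc and bc["critical"] and _items(ext, "Basic Constraints") == {want}):
        out.append(f"basicConstraints must be critical {want}")
    if not (ku and ku["critical"] and _items(ext, "Key Usage") == p["ku"]):
        out.append(f"keyUsage must be critical {sorted(p['ku'])}")
    if p["eku"] is not None and _items(ext, "Extended Key Usage") != p["eku"]:
        out.append(f"extendedKeyUsage must be {sorted(p['eku'])}")
    if kind != "ca":
        if not any(v.startswith("URI:") for v in _items(ext, "CRL Distribution Points")):
            out.append("CRL Distribution Points must carry a URI")
        if not _items(ext, "Certificate Policies"):
            out.append("Certificate Policies (CP/CPS OID) missing")
        san = _items(ext, "Subject Alternative Name")
        if not san or not all(v.startswith(p["san"]) for v in san):
            out.append(f"subjectAltName must be {p['san']}<value>")
        if kind == "host" and "DNS:" + re.search(r"CN=([^,]+)", info["subject"]).group(1) not in san:
            out.append("SAN must list the CN FQDN")
    if info["key_bits"] < min_key_bits:
        out.append(f"RSA key is {info['key_bits']} bits, below {min_key_bits}")
    if not allow_sha1 and info["sig_alg"].lower().startswith(("sha1", "md5")):
        out.append(f"weak signature algorithm {info['sig_alg']}")
    fmt = "%b %d %H:%M:%S %Y GMT"
    days = (datetime.strptime(re.sub(r"\s+", " ", info["not_after"]), fmt)
            - datetime.strptime(re.sub(r"\s+", " ", info["not_before"]), fmt)).days
    if days > max_days:
        out.append(f"validity of {days} days exceeds {max_days}")
    return out
```

Use it as `check_profile(parse_text_dump(open(path).read()), "host")` on a real dump. The "user" profile expects an email: SAN and the E-mail Protection EKU, the "ca" profile expects critical CA:TRUE with Certificate Sign and CRL Sign, and a host certificate whose SAN does not repeat the CN FQDN is reported, since TLS clients match the SAN rather than the CN.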
IRAN-GRID CA Status: Summary
1. IRAN-GRID CA has been assigned an OID arc by IGTF (thanks to David).
2. We followed up the comments of the reviewers (Asli and Arsen); many thanks for their sharp eye and their comments.
3. The IRAN-GRID CP/CPS is based on RFC 2527; we will upgrade to RFC 3647 as soon as possible.
4. All reviewer comments have been implemented, and Asli and Arsen confirmed that the current status complies with the EUgridPMA requirements.
IRAN-GRID CA Status: Appreciation
I should thank:
1) Ian Neilson, CERN CA
2) David Groep, Head of EUgridPMA
3) Asli Zengin, TK-Grid CA
4) Arsen Hayrapetyan, ArmeSFo CA
5) Usman Ahmad Malik, PK-Grid-CA
6) Sajjad Asghar, PK-Grid-CA
7) Nuno Dias, LIPCA
8) the OpenCA group
Thanks for your attention. Questions?