26-28 January 2009 – Nicosia, EUGridPMA CALG CP/CPS updates Dana Ludviga LatGrid CA, SigmaNet, IMCS UL.

Presentation transcript:

26-28 January 2009 – Nicosia, EUGridPMA
CALG CP/CPS updates
Dana Ludviga, LatGrid CA, SigmaNet, IMCS UL

Outline
– Accreditation process;
– CP/CPS changes (last review);
  – Minor;
  – Medium;
  – Major (discussion topics).

Accreditation process

When did it all start?
– Latvian Grid project (August 2006)
– Discussions started
– Introduction presentation (2008)
– CP/CPS review (Hardi and Jens)
– CP/CPS presentation (2008)
– CP/CPS review

CP/CPS updates after the last review ( )

CP/CPS version 6.0
– Major: 4
– Medium: 8
– Minor: 8
– Nitpick: 15

Minor(1)
– follows RFC 2527, not RFC 3647;
– different repository;
– public certificate;
– “servicename/” should probably not be interpreted literally.
  – Common Name MUST include the "servicename/" prefix, followed by the server DNS name (FQDN).
  – Organisational Unit MUST include the organization domain name.

Minor(2)
– “CALG does not issue certificates to organisations.” -> “The relation between the subscriber and the organization or organizational unit mentioned in the subject name must be proved during the authentication process (face-to-face meeting), see section ”;
– CA root cert. doesn’t mention the issuer's domain name;
– Are service names authenticated by the RA? Can anyone have any service?
  – Requests MUST be signed by the personal certificate of the corresponding system administrator issued by CALG.

Medium(1)
– Document date;
– "No stipulation.";
– permit server certificates to have CN=fqdn.
  – Common Name MUST have one of the two following forms: the "host/" prefix followed by the server DNS name (FQDN), or the plain FQDN without any additional prefixes or postfixes.
  – Organizational Unit MUST include the organization domain name.

Medium(3)
– services which the CA can sign should be restricted in some way;
– relies entirely on humans, too error prone?
  – CALG verifies the possession of the private key relating to certificate requests at the time of identity verification by the RA, who compares the requestor's printed certificate request with the electronically received request.
– "accepting" a request is not the same as "accepting it for revocation".
  – CALG MUST accept as a revocation request a message digitally signed with a not expired and not previously revoked user certificate issued under this policy.

Medium(4)
– The CA certificate can generate digital signatures.

Major(1)
– Check the possession of the private key. (3.1.7)
– post office certificate?
  – certification service provider accredited according to the Electronic Document Law of Latvia
– The CA's DN does not correspond to the CP/CPS.
  – DC=LV, DC=latgrid, CN=Certification Authority for Latvian Grid

Major(2)
In certificates the first two components are encoded as IA5String:
  167:d=5 hl=2 l= 10 prim: OBJECT :DomainComponent
  179:d=5 hl=2 l= 2 prim: IA5STRING :LV
  187:d=5 hl=2 l= 10 prim: OBJECT :DomainComponent
  199:d=5 hl=2 l= 7 prim: IA5STRING :latgrid
  212:d=5 hl=2 l= 3 prim: OBJECT :OrganizationalUnitName
  217:d=5 hl=2 l= 8 prim: PRINTABLESTRING :lumii.lv
  231:d=5 hl=2 l= 3 prim: OBJECT :commonName
  236:d=5 hl=2 l= 12 prim: PRINTABLESTRING :Edgars Znots

RFC 2247 and 3280 ( 4. Attribute Type Definition
The DC (short for domainComponent) attribute type is defined as follows:
( NAME 'dc' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX SINGLE-VALUE )
The value of this attribute is a string holding one component of a domain name. The encoding of IA5String for use in LDAP is simply the characters of the string itself. The equality matching rule is case insensitive, as is today's DNS.
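As an added example (not CALG's or the EUGridPMA's own tooling), the Python below reads subject attributes from `openssl asn1parse` output like that on the Major(2) slide and checks the two review points: DomainComponent values encoded as IA5String, as RFC 2247 requires for dc, and server CNs in the host/FQDN or plain-FQDN form set by Medium(1). The sample output is constructed from the slide; the function names and the check that the OU value looks like a domain name are assumptions.

```python
import re

# Constructed sample in `openssl asn1parse` style, reproducing the subject DN
# of the personal certificate shown on the Major(2) slide.
SUBJECT_ASN1 = """\
  167:d=5  hl=2 l=  10 prim: OBJECT            :DomainComponent
  179:d=5  hl=2 l=   2 prim: IA5STRING         :LV
  187:d=5  hl=2 l=  10 prim: OBJECT            :DomainComponent
  199:d=5  hl=2 l=   7 prim: IA5STRING         :latgrid
  212:d=5  hl=2 l=   3 prim: OBJECT            :OrganizationalUnitName
  217:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :lumii.lv
  231:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  236:d=5  hl=2 l=  12 prim: PRINTABLESTRING   :Edgars Znots
"""

# One asn1parse primitive line: capture the ASN.1 type and the printed value.
LINE_RE = re.compile(r"^\s*\d+:d=\d+\s+hl=\d+\s+l=\s*\d+\s+prim:\s+(\S+)\s+:(.*)$")
# Plain DNS name: dot-separated labels and an alphabetic TLD, no slash or other prefix.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_name(asn1_text: str) -> list[tuple[str, str, str]]:
    """Pair each OBJECT line with the value line that follows it; returns
    (attribute, asn1_string_type, value) triples in DN order."""
    attrs, pending = [], None
    for m in filter(None, map(LINE_RE.match, asn1_text.splitlines())):
        kind, value = m.group(1), m.group(2).strip()
        if kind == "OBJECT":
            pending = value                      # attribute type, e.g. DomainComponent
        elif pending is not None:
            attrs.append((pending, kind, value))
            pending = None
    return attrs


def check_dc_encoding(attrs) -> list[str]:
    """RFC 2247 gives dc IA5String syntax, so every DomainComponent must be IA5STRING."""
    return [f"DomainComponent {v!r} encoded as {t}, expected IA5STRING"
            for a, t, v in attrs if a == "DomainComponent" and t != "IA5STRING"]


def check_host_cn(cn: str, ou: str) -> list[str]:
    """Medium(1) rule for server certificates: CN is 'host/<FQDN>' or a plain
    FQDN with no other prefix or postfix; OU carries the organisation's domain (assumed check)."""
    findings = []
    fqdn = cn[len("host/"):] if cn.startswith("host/") else cn
    if not FQDN_RE.match(fqdn):
        findings.append(f"CN {cn!r} is neither host/<FQDN> nor a plain FQDN")
    if not FQDN_RE.match(ou):
        findings.append(f"OU {ou!r} does not look like a domain name")
    return findings
```

Run against the slide's own DN, `check_dc_encoding(parse_name(SUBJECT_ASN1))` returns no findings, matching the slide's point that the two DC components are already IA5String.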

Thank you! Questions?