1 REUNA Certificate Authority. Juan Carlos Martínez, REUNA Chile. Rio de Janeiro, 27/03/2006, F2F meeting, TAGPMA.

2 REUNA Certificate Authority
CP/CPS reviewers: Bob Cowles, Scott Rea

3 REUNA Certificate Authority
REUNA, Red Universitaria Nacional
REUNA (Red Universitaria Nacional) is a non-profit private corporation initially formed by 14 Chilean universities and the National Commission for Scientific and Technological Research (CONICYT). It is a university collaboration that operates the only academic advanced-network infrastructure in Chile dedicated to research and development.
Goal: provide PKI services to the whole Chilean research and education community (members and non-members; conditions: network requirements, agreements).

4 REUNA Certificate Authority
CA structure
1. CA: manager, operators
2. RAs: RAs will be set up as needed and deployed in the institutions. The RA is the department chief or the host administrator.
Diagram: the CA with one RA per institution (Inst. 1, Inst. 2, Inst. 3, Inst. 4).

5 REUNA Certificate Authority
Certificate Authority
REUNA CA provides PKI services for the users of the Chilean research and education community.
- Issue certificates to all correctly authenticated EEs.
- Audit the RA and CA personnel.
- Revoke properly authenticated certificates (CRL).
- Archive all the information: requests and certificates issued, revocation requests, CRLs issued, logs of the signing machine.

6 REUNA Certificate Authority
Registration authority
The RA must be the department chief or the host administrator, with a declaration signed by the Dean of the faculty that he can do the job of the RA and has the Dean's support.
The RA is in charge of authenticating the EE and collecting all the information about the EE and the organization (photo ID, address, phone numbers, etc.).
The RA archives all the data of the EE and also the CSR, confirmation and revocation requests.
The RA must use signed or other secure means to communicate with the CA and the EE.

7 REUNA Certificate Authority
Publication and repository
Repository (pending):
- The REUNA CA's certificate.
- All publicly accessible certificates issued by this CA.
- The CRL (Certificate Revocation List).
- All past and current official versions of the CP/CPS.
- Information about the existing RAs.
- Other relevant information about the REUNA CA service.
- A link to the TAGPMA trust anchor repository where the CA root of trust has been previously published.
The CRL shall have a lifetime of 30 days at most; the REUNA CA must issue a new CRL at least 7 days before the expiration date or immediately after a revocation. A new CRL must be published immediately after its issuance.
The repository will be available in a month from now (testing).

8 REUNA Certificate Authority
Naming
Distinguished Name:
For a person: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=Full username
For a server: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=host/FQDN
For a service: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=service/FQDN
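The naming scheme above is the kind of rule an RA or CA operator wants checked mechanically before a CSR is accepted. The following validator is an added example, not code from the REUNA CA; it parses a subject DN string, enforces the fixed C=CL, O=REUNACA prefix and RDN order, and classifies the request as person, host or service from the CN form (the FQDN regex is a simplification assumed here).

```python
import re

# Naming scheme from the REUNA CA slides: every DN starts with C=CL, O=REUNACA,
# then the subscriber's organisation, its department unit, and a CN whose form
# decides the certificate type: a full name, host/FQDN, or service/FQDN.
# Simplified FQDN check (assumption of this example): at least two labels,
# letters, digits and hyphens only, 253 characters at most.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

def parse_dn(dn):
    """Split 'C=CL, O=REUNACA, ...' into an ordered list of (attribute, value) pairs."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def classify_dn(dn):
    """Return 'person', 'host' or 'service' for a DN that follows the scheme, else raise."""
    pairs = parse_dn(dn)
    attrs = [attr for attr, _ in pairs]
    if attrs != ["C", "O", "O", "OU", "CN"]:
        raise ValueError("expected RDN sequence C, O, O, OU, CN; got %s" % attrs)
    if pairs[0][1] != "CL" or pairs[1][1] != "REUNACA":
        raise ValueError("DN must start with C=CL, O=REUNACA")
    org, unit, cn = pairs[2][1], pairs[3][1], pairs[4][1]
    if not org or not unit or not cn:
        raise ValueError("organisation, department unit and CN must not be empty")
    prefix, sep, fqdn = cn.partition("/")
    if not sep:
        return "person"            # CN is the subscriber's full name
    if prefix not in ("host", "service") or not FQDN_RE.match(fqdn.lower()):
        raise ValueError("CN must be host/FQDN or service/FQDN, got %r" % cn)
    return prefix
```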

9 REUNA Certificate Authority
Certificate operational requirements
Certificate application processing:
- Users must present an application form to the appropriate RA (form available in the repository).
- The RA must meet the user in person and authenticate the EE identity by checking the Chilean national identity card or passport.
- If the application is approved, the RA informs the REUNA CA that the request has been approved using signed or another secure way; the CSR must also be transmitted in a secure way.
- In the case of a server or service, the request can only be submitted by the administrator responsible for the particular host.
Diagram (EE, department chief acting as RA at Institution 1, REUNA CA): 1 Generate key pair, 2 Send CSR, 3 Issue certificate, 4 Get certificate.

10 REUNA Certificate Authority
Certificate operational requirements
Subscribers must:
- Read and adhere to the procedures described in this document.
- Provide true and accurate information to the REUNA CA and RA.
- Generate a key pair (at least 1024 bits) using a trustworthy method.
- Select a strong pass phrase of a recommended minimum of 12 characters.
- Protect the pass phrase from others.
- Never share the private key with other users.
- Notify the REUNA CA "immediately" in case of private key loss or compromise.
- Use the certificates for the permitted uses only.

11 REUNA Certificate Authority
Certificate operational requirements
Certificate issuance:
- An offline computer that holds the private key of the CA is used to sign the certificates.
- The subscriber is notified with the URL (repository) from which to download the issued certificate, and an acknowledgement of the issuance is sent to the appropriate RA.
- The subscriber must notify the REUNA CA and the appropriate RA of the acceptance of the issued certificate.

12 REUNA Certificate Authority
Certificate operational requirements
Certificate renewal:
- Uses the same key pair.
- The renewal process must be completed before the certificate expires, so the new and old certificates have an overlap period.
- The information contained in the certificate must be unchanged.
- The process to get a renewal is the same as for a new certificate, but a face-to-face meeting is not necessary.
Certificate rekey:
- Uses a new key pair.

13 REUNA Certificate Authority
Certificate operational requirements
Certificate revocation:
A certificate revocation can be requested by:
- The subscriber who owns the certificate.
- The REUNA CA or any RA that has proof of a private key compromise.
- The RA which authenticated the subscriber who owns the certificate.
- Any person presenting proof of knowledge that the subscriber's private key has been compromised or that the subscriber's data have changed.
After authenticating the revocation request, the certificate must be revoked as soon as possible (new CRL).

14 REUNA Certificate Authority
Certificate operational requirements
Certificate lifetime:
- Root certificate: 10 years (2048 bits)
- EE certificate: 1 year and 1 month (1024 bits)
- CRL: 30 days
The CRL shall have a lifetime of 30 days at most; the REUNA CA must issue a new CRL at least 7 days before the expiration date or immediately after a revocation. A new CRL must be published immediately after its issuance.
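The lifetime figures above, together with the CRL rule stated here and on the repository slide, translate directly into operator checks. The following is an added example (not REUNA CA code) that computes a CRL's nextUpdate, decides when the operator must reissue the CRL, and flags a certificate whose validity or key size falls outside the stated policy; the function names and the calendar-month arithmetic are assumptions of this example.

```python
import calendar
from datetime import datetime, timedelta

# Policy from the slides: a CRL lives at most 30 days, a new one must be issued
# at least 7 days before the current one expires or immediately after a
# revocation; the root lives 10 years with a 2048-bit key, an EE certificate
# 1 year and 1 month with a key of at least 1024 bits.
CRL_LIFETIME = timedelta(days=30)
REISSUE_MARGIN = timedelta(days=7)

def add_months(d, months):
    """Calendar-month arithmetic, clamping the day (e.g. Jan 31 + 1 month = Feb 28/29)."""
    years, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)

# kind -> (function giving the latest allowed notAfter, minimum key size)
LIFETIME_POLICY = {
    "root": (lambda not_before: add_months(not_before, 120), 2048),
    "ee":   (lambda not_before: add_months(not_before, 13), 1024),
}

def next_update(this_update):
    """nextUpdate of a CRL issued at this_update: the 30-day maximum lifetime."""
    return this_update + CRL_LIFETIME

def crl_action(this_update, now, revoked_since_issue):
    """'reissue-now' when a revocation happened after issuance or the 7-day margin
    before expiry has been reached, 'ok' otherwise; an expired CRL is a policy
    breach and raises."""
    expiry = next_update(this_update)
    if now >= expiry:
        raise RuntimeError("CRL expired at %s, policy violated" % expiry.isoformat())
    if revoked_since_issue or now >= expiry - REISSUE_MARGIN:
        return "reissue-now"
    return "ok"

def check_certificate(kind, not_before, not_after, key_bits):
    """Return the list of policy problems (empty when the certificate complies)."""
    latest_not_after, min_bits = LIFETIME_POLICY[kind]
    problems = []
    if not_after > latest_not_after(not_before):
        problems.append("lifetime exceeds policy maximum")
    if key_bits < min_bits:
        problems.append("key shorter than %d bits" % min_bits)
    return problems
```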

15 REUNA Certificate Authority
Security
- Two different safes are used to back up the private key and the pass phrase.
- The private key and the pass phrase shall never be stored on online media.
- The machines are kept in the REUNA computer center, managed by the network operator, where access is controlled.

16 REUNA Certificate Authority
Incomplete topics
- Time issues: "as soon as possible", 10 minutes, next working day?
- Minimal extensions for the CA
- Specify better the duties of the RA
- OID: IANA or IGTF