CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

Slides:



Advertisements
Similar presentations
GridWorld 2006 Use of MyProxy for the FusionGrid Mary Thompson Monte Goode GridWorld 2006.
Advertisements

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Contrail and Federated Identity Management
MyProxy: A Multi-Purpose Grid Authentication Service
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Technology on the NGS Pete Oliver NGS Operations Manager.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
WebFTS as a first WLCG/HEP FIM pilot
CA Key 1 Created OCSP Cert 1 Client Cert 1 Client Cert 2 OCSP Cert 2 CA Key 2 Created CA Key 1 Expiration OCSP Cert 3 Client Cert.
1 11 th Fed/Ed PKI Meeting Some quick updates from recent HEPKI-TAG and SURA work Jim Jokl
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Federated A(A(A))I Jens Jensen hepsysman, RAL,
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.
Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.
Grid Security in a production environment: 4 years of running Andrew McNab University of Manchester.
NGS Portal.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu.
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011.
Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.
A community-based CA: The (slow) rise of the house of Usher (The CA former known as CREN)
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Security Solutions Rachana Ananthakrishnan University of Chicago.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.
Community PKIs Initiatives Updates TF-EMC2 Meeting Loughborough, UK 6-7 May, 2009 Licia Florio, TERENA
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
A New UK CA Portal David Meredith Jens Jensen John Kewley.
OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.
PKI for improved cybersecurity in NATO Partner countries Software Arsen Hayrapetyan, ArmeSFo CA.
OSG PKI Transition Mine Altunay OSG Security Officer
A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
UK e-Science Certification Authority Self Audit Jens Jensen EUGridPMA meeting, Berlin.
Jens' obligatory soap box Can't be a PMA without a SoapBox A random collection of Soapy things Nicosia, Jan 2009.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
UK eScience CA and JANET Certificate Service David Kelsey & Jens Jensen STFC-RAL EUGridPMA Poznan, 9 Sep 2014.
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC.
Jens Jensen EU Grid PMA, Berlin Jan 2015
P-p-pick up a Pathfinder
Shibboleth Roadmap
J Jensen, STFC hepsysman, June 2017
UK e-Science CA Update J Jensen, STFC 31 Jan 2017.
AAAI Pathfinder J Jensen, STFC 031 Oct,
Jens Jensen, STFC Sep EUGridPMA Manchester
NAREGI-CA Development of NAREGI-CA NAREGI-CA Software CP/CPS Audit
Tweaking the Certificate Lifecycle for the UK eScience CA
Jens Jensen, STFC 15 Sep GridPP39, Lancaster
Update on EDG Security (VOMS)
UK e-Science CA and JCS Migration Status
The Case for HLCA Revisited
Use of MyProxy for the FusionGrid
Presentation transcript:

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013

Current Stuff Rather more shoestring without NGS –Implications for DR/BC and innovations Still pretty large, still alive, still running

People Jens Jensen – CA manager Dave Kelsey – ambassador extraordinary John Kewley – Support Suleman Tariq – admin Dave Meredith – CW code people doing day-to-day signing + the TAG

CertWizard Stuff Dave Meredith (code) Aims to replace browsers –Browsers are fickle in their X.509 support –Latest HTML5 might help, eventually –Needs Java. Macs not good at Java? Implementing bulk requests, RA ops

2013 so far Retired the old (2007) CA Certificate –Surprisingly complicated process… Perl scripts to CW –update by Robert Frank - full release soon –Imperial (Adam) Shib-2 compatible release of SARoNGS 12/04/2013GridPP 31 Imperial College5

2013 so far (ctd) New CA website: 12/04/2013GridPP 31 Imperial College6

12/04/2013GridPP 31 Imperial College7 New CA Portal with new RA interface, currently in use by many of our RAs so far (ctd)

2013/14 TODO Update client tools for SHA-2 (jglobus2) –MyProxyUploader part of CertWizard –GSI-SSHTERM Bulk requests (perl CLI script / CA REST server) Sign all certificates (user and host) with SHA2 from 1 Dec New CA Portal updates: certificate requests and renewals from browser 12/04/2013GridPP 31 Imperial College8

Roadmap Stuff Finalise “new” policy (unified) Multi-LoA: IOTA profile (< Classic) for SARoNGS and InCommon SHA2 Moonshot integration (pos via MyProxy) –Initially non-prod Redo DR/BC, cheaper

Roadmap Stuff – LoA Federated identities and other ext’l Background is JSPG portal policy Federation policies and VO agreements “strengthen” user’s credential –Towards a “cloud” login (on-demand)

Roadmap Stuff (potential) Key management service (a la MyProxy) Online signing? Moonshot: production service (expected) –More credential-with-LoA+AuZ than X.509+VOMS –Offer X.509 via conversion –Vision: may not need User CA –And at least not RAs, and paperwork Still need to support host certs (gateway?)

Roadmap Stuff (potential) Renewal of recently expired certificates –Protocol goes to great lengths to allow this If intermediate CA certs need SHA2: –Re-sign intermediate CA certificates (2A and 2B) – same DNs, same keys, different serials –No changes to EE certs –No change to Root cert

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.