Status of the Validation and Authentication service for TACAR and Grids (CertiVeR, www.certiver.com, "Assuring e-Trust always")


Slide 1: Status of the Validation and Authentication service for TACAR and Grids.

Slide 2: Summary
- OCSP Requirements for Grids
- CertiVeR's features
  - OCSP Client
  - OCSP Service
- Future
- Questions

Slide 3: OCSP Requirements for TACAR
- Centralized OCSP service for all the hierarchies
- Centralized root certificate management
- The service should be able to sign the response for each CA with an authorized certificate (Authorized Responder mode)

Slide 4: OCSP Validation for Grids
- Grids have special requirements for OCSP services: discoverable, fault tolerant, low latency, CA interoperability, etc.
- GGF's CAOPS-WG has been working on the document "OCSP Requirements for Grids".
- That document provides information on:
  - OCSP Client Requirements,
  - OCSP Responder Requirements,
  - CA/Certificate Issuer Requirements and
  - OCSP Service Architecture.

Slide 5: Client current status

Slide 6: OCSP Client requirements for Grids
A. Revocation source requirements:
  1. Several sources (OCSP, CRL, AIA) and query order.
B. Fault-tolerant requirements:
  1. Multiple service invocation.
  2. Caching of OCSP responses.
C. Security requirements:
  1. Nonce usage.
  2. OCSP request signing.
  3. Adoption of http and https.
D. Error handling (e.g. Try Later, respond with final status, etc.)
E. OCSP extension handling.
F. "Unknown" status code handling for proxy and non-proxy certificates.

Slide 7: GridOCSP Client API - features
- Open source code for Globus TK 4 about to be released.
- Implements an XML-based OCSP policy that supports the features listed below.
- The policy file used by our client allows for the definition of per-issuer rules or a default behaviour for each feature.
- Each VO could place such a file on a specific URI for all its clients.

Feature support status:
A.1 Several revocation sources: OCSP only, others 4Q 05
A.2 Adoption of http and https: Yes
B.1 Multiple service invocation: Yes
B.2 Caching of OCSP responses: 4Q 05
C.1 Nonce usage: Yes
C.2 OCSP request signing: Yes
D Error handling: Yes
E Extension handling: Yes
F User proxy certificate handling: Yes

Slide 8: GridOCSP Client - policy definition, e.g. (I)

Slide 9: GridOCSP Client - policy definition, e.g. (II)

Slide 10: Server current status

Slide 11: OCSP Responder requirements for Grids
A. Performance:
  1. Scalability: to cover for growth in terms of client requests and revocation sources.
  2. Use of cryptographic hardware.
B. Flexibility:
  1. Revocation source requirements.
  2. Support for different operation modes:
    1. Transponder mode.
    2. Trusted Responder mode.
    3. Authorized Responder mode.
  3. Coverage of proxy certificate revocation is a recommended feature.
C. Reliability:
  1. Fault tolerance is a recommended feature.

Slide 12: OCSP Service client scalability and reliability
- Intrasite: using balanced NAT
- Extrasite: using balanced DNS with very low persistence

Slide 13: OCSP Service - revocation source scalability
[Diagram labels: OCSP Responder, Cert Status Database, CAs, CA/RA, CRL Updater, LDAP, CRL, ∆CRL, Cert Status]
- CertiVeR v4 can set N Updater processes in order to push DeltaCRLs from the CAs.
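The CRL Updater / Cert Status Database relationship of slide 13, as an added example (not CertiVeR's code): an in-memory status database that is loaded from a complete CRL and then kept current by applying DeltaCRLs, including the RFC 5280 checks on BaseCRLNumber and CRL number and the removeFromCRL reason. The CRL dicts are constructed stand-ins for parsed X.509 CRLs, and the serial numbers are made up.

```python
"""Added example (not CertiVeR's code): a CRL Updater that refreshes the
Cert Status Database of slide 13 from a complete CRL and then from DeltaCRLs.
CRLs are constructed dicts standing in for parsed X.509 CRLs."""

class CertStatusDB:
    """In-memory stand-in for the responder's Cert Status Database."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.crl_number = None   # CRL number of the last CRL applied
        self.revoked = {}        # serial -> revocation reason

    def load_complete_crl(self, crl):
        """Replace the whole revocation set from a complete (base) CRL."""
        if crl["issuer"] != self.issuer or crl.get("base_crl_number") is not None:
            raise ValueError("not a complete CRL for this issuer")
        self.revoked = dict(crl["entries"])
        self.crl_number = crl["crl_number"]

    def apply_delta_crl(self, delta):
        """Apply a DeltaCRL following the RFC 5280 combination rules: its
        BaseCRLNumber must not exceed the CRL we hold, and its own CRL number
        must be newer than ours. Returns True if the database changed."""
        base = delta.get("base_crl_number")
        if delta["issuer"] != self.issuer or base is None:
            raise ValueError("not a delta CRL for this issuer")
        if self.crl_number is None or base > self.crl_number:
            raise ValueError("base CRL %r not loaded; fetch a complete CRL" % base)
        if delta["crl_number"] <= self.crl_number:
            return False  # stale or duplicate delta: nothing to do
        for serial, reason in delta["entries"].items():
            if reason == "removeFromCRL":   # certificateHold lifted
                self.revoked.pop(serial, None)
            else:
                self.revoked[serial] = reason
        self.crl_number = delta["crl_number"]
        return True

    def status(self, serial):
        """The status the OCSP Responder reports for this serial."""
        if self.crl_number is None:
            return "unknown"  # no revocation data for this issuer yet
        return "revoked" if serial in self.revoked else "good"

# Constructed sample CRLs for one CA (serial numbers are made up).
BASE_CRL = {"issuer": "CN=Grid CA", "crl_number": 10, "base_crl_number": None,
            "entries": {1001: "keyCompromise", 1002: "certificateHold"}}
DELTA_CRL = {"issuer": "CN=Grid CA", "crl_number": 12, "base_crl_number": 10,
             "entries": {1002: "removeFromCRL", 1003: "cessationOfOperation"}}
```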

Slide 14: OCSP Service - Flexibility (courtesy of CAOPS-WG)

Slide 15: New CertiVeR service available!
- A new service, CertiVeR v4, has been implemented covering the required features for Grids. The service has just passed the beta tests and it is available at: (URLs not captured in the transcript)
- Current features of the new service:
A.1 Scalability: Limited during pilot
A.2 Use of cryptographic hardware: Not during pilot
B.1 Revocation source requirements: Yes
B.2 Operation mode (Trusted, Authorized and Transponder): All except Transponder mode during pilot
B.3 Coverage of proxy certificates: Yes
B.4 Extension handling: Yes
C.1 Fault tolerance: Not during pilot

Slide 16: The next steps...
- Release of client open source code
- Dissemination and validation of the service
  - Provision of pilots for Grid and TACAR CAs
- Technical improvements
  - Addition of servers in order to improve scalability and fault tolerance
  - Use of cryptographic hardware
  - Setting up of Transponder connections
  - DeltaCRL push mechanism to be directly provided to each CA

Slide 17: For information about revocation services, try our demo at: