NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

Slides:

Advertisements

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

APGrid PMA Face-to-Face Meeting NCHC CA Weicheng Huang National Center for High-performance Computing April 8, 2008.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Jinny Chien.

CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA National Institute of Informatics, JAPAN Toshiyuki Kataoka,

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

National Institute of Advanced Industrial Science and Technology Auditing, auditing template and experiences on being audited Yoshio Tanaka

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Computing Research Center, High Energy Accelerator Organization (KEK) KEK Grid CA Go Iwai The 2 nd APGrid PMA Meeting at Osaka Univ.

UNAMgrid CA Juan Carlos Guel UNAM, México. Alejandro Núñez UNAM, México. Israel Becerril UNAM, México. DGSCA UNAM 31/08/06.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

DataGrid WP6 CA meeting, CERN, 12 December 2002 IISAS Certification Authority Jan Astalos Department of Parallel and Distributed Computing Institute of.

SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.

NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.

IHEP Grid CA Status Report Gongxing Sun F2F Meeting 20 Apr Computing Centre, IHEP,CAS,China.

IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.

KFKI CA József Kadlecsik KFKI RMKI

User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

UNAMgrid Alejandro Núñez Sandoval Rio de Janeiro, Brazil, 03/27/06 F2F meeting, TAGPMA.

KISTI Grid CA Status Report Korea Institute of Science and Technology Information Sangwan Kim Jae-Hyuck Kwan

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Academia Sinica Grid Computing Certification Authority (ASGCCA)

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

KISTI Grid CA Operation KISTI Supercomputing Center Sangwan Kim, Soonwook Hwang CA Operators Contact: Jan. 8, 2007.

IST E-infrastructure shared between Europe and Latin America ULAGrid Certification Authority Vanessa Hamar Universidad de Los.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

Grid Canada Certificate Authority Darcy Quesnel

Creating and Managing Digital Certificates Chapter Eleven.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Academia Sinica Computing Centre.

KEK GRID CA updates Takashi Sasaki Computing Research Center KEK.

NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.

APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly

8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK

MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.

PKI Services for CYPRUS STOCK EXCHANGE Kostas Nousias.

Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.

TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM

HKU Computer Centre Grid Certificate Authority Status Update Lilian Chan IT Services, The University of Hong Kong APGrid.

FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,

18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.

GRID-FR French CA Alice de Bignicourt.

Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )

NECTEC-GOC CA A Brief Status Report 13 th APGrid PMA Face-to-Face meeting March 24 th, 2014 Large-Scale Simulation Research Laboratory Information Communications.

UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.

HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.

Armenian e-Science Foundation Certification Authority Ara A. Grigoryan 1,2, Artem Harutyunyan 1,2,3, Arsen Hayrapetyan 1,2,4 1 Armenian e-Science Foundation;

TNGrid CA 24 th EUGridPMA meeting Ljubljana, Slovenia, January, 2012 Heithem ABBES Mohamed JEMNI

IRAN-GRID CA Self Audit IRAN-GRID CA Self Audit Report Shahin Rouhani IRAN-GRID Tehran Iran Shahin Rouhani Grid Computation Group IPM, Tehran, Iran May.

UGRID CA Sergii Stirenko, Oleg Alienin

Guidelines for auditing Grid CAs

جايگاه گواهی ديجيتالی در ايران

MaGrid CA Self audit and update

NATIONAL CENTRE FOR PHYSICS PK-Grid-CA

Emir Imamagić University Computing Centre (Srce)

Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau

MyIFAM CA Self-Audit Report APGridPMA F2F Meeting 1/4/2019

National Trust Platform

Presentation transcript:

NECTEC-GOC CA APGrid PMA face-to-face meeting. October, Sornthep Vannarat National Electronics and Computer Technology Center, Thailand

2 Introduction » NECTEC:National Electronics and Computer Technology Center » Government research institute under Ministry of Science » For electronics, telecommunication, computer and information technologies including Grid Computing » NECTEC GOC CA:NECTEC GRID Operation Center Certificate Authority » NECTEC GRID PMA » Large Scale Simulation Research Laboratory, » Network Technology Laboratory » Thai Computer Emergency Response Team

3 CP/CPS » Current version:1.0 (October, 2006) » Object ID: » Conform to RFC 2527 » Managed by the NECTEC GRID PMA » Changes in contents need to be approved by the NECTEC GRID PMA

4 NECTEC-GOC CA Organization GRID CA PMA CA Manager RA Operator CA Operator Remove CP/CPS Table 1-2 Organization... » GRID CA PMA: Policy Management Authority » CA Manager: Administrates all tasks on the CA system » RA Operator: » Accepts and verifies User Application form » Checks Certificate Signing Request form » Informs CA to issue certificate » CA Operator: » Issues certificates » Manages CA and RA servers » Maintains the CA system » Manages CA private key

5 End Entity » NECTEC-GOC CA issues certificates for the following subjects: » Users of NECTEC. » Users of domestic Grid-based applications or projects. » Collaborators related to NECTEC Grid Computing research.

6 Certificate Type » User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/ » Grid Host Certificate: C=TH,O=NECTEC,OU=GOC, CN=host/grid64.hpcc.nectec.or.th

7 Identification and Authentication » User and Grid Host Certificate: » Subscriber meet in-person with RA Operator » RA Operator review and approve Application and Certificate Request according to user’s documents [CPS and 3.1.x]

8 Certificate Restrictions » Certificate Lifetime: » 13 months for End Entity certificate. » 10 years for CA certificate.

9 Issuing Certificates » End entities request certificates » Each generate keypair by itself » Submit Applications and Certificate Signing Request forms » RA Operator checks the Requests » RA Operator uses secure communication method e.g. signed and encrypted

10 » RA Operator transfers the Request to CA Operator » RA Operator tar ball the CSRs and copy to USB drive » CA Operator copy tar ball from USB drive to CA machine Issuing Certificates (cont’d)

11 » CA Operator checks CSRs and issues certificates » CA Operator transfers certificates to RA Operator » CA Operator tar ball certificates to USB drive » RA Operator copy tar ball into RA server » RA Operator publishes certificates to website and informs users by s Issuing Certificates (cont’d)

12 Certificate Revocation » Certificates are revoked when » User private key compromised » Inaccurate user information suspected » User Obligation violated (CPS 2.1.4) » CA private key compromised » User leaves his/her organization

13 Revocation Request Procedure » Revocation Requests can be submitted through web interface » OR to CA Manager

14 CRL » CRL validity is 30 days. » New CRL issued » 7 days before expiration of previous one » immediately after certificate revocation

15 Physical Security » CA Server: » Stored in a safe deposit box, which is protected by six-digit code » Not connected to network of any sort » Located in a room, which is restricted to CA Operator during its operations » CA private key: » Protected by passpharse 15 characters. » Backup in USB drive and stored in the safe box by CA Operator.

16 CA Room & Equipments (1) » CA Room

17 CA Room & Equipments (2) » CA Machine » UPS » RA Server

18 CA Room & Equipments (3) » Safe box

19 Records Archival » Types of archive data: » All issued certificates and CRLs » All enrollment requests and notifications between the NECTEC-GOC CA and users. » Operation history of the CA key » Events of interest, as described in CP/CPS section » The retention period is 3 years. » Archived files are stored in CD or DVD located at NECTEC server room’s safe box.

20 Key Pair » CA private key generated by CA operator using OpenCA » User and Grid Host key pair generated by User using e.g. grid-cert-req » Key Length: » CA Certificate 2048 bits » End Entity Certificate: 1024 bits

21 Contact Information Sornthep Vannarat and Suriya U-ruekolan National Electronics and Computer Technology Center Grid Operation Center 112 Paholyotin Road, Klong 1, Klong Luang, Pathumthani Thailand Tel: (662) ext 2278 Fax: (662)