APGrid PMA face-to-face meeting, 4/8/2008
PRAGMA-UCSD CA
Cindy Zheng, PRAGMA Grid Coordinator
Pacific Rim Application and Grid Middleware Assembly
Overview
PRAGMA
PRAGMA Grid
Purpose of PRAGMA-UCSD CA
PRAGMA-UCSD CA setup
– (x.y.z) references the relevant CP/CPS section number
PRAGMA
PRAGMA: A Practical Collaborative Framework (pragma-grid.net)
Strengthen existing and establish new collaborations
Work with science teams to advance grid technologies and improve the underlying infrastructure
In the Pacific Rim and globally
35 institutions, 14 countries
PRAGMA's Collaborative Framework (source: Philip Papadopoulos, Global Engagement)
Layers: Education, Grid Software, Science
GLEON (and CREON), from Telescience WG
– Global Lake Ecological Observatory Network (and Coral Reef)
– Grassroots effort to understand lake dynamics
Avian Flu Grid, from Biosciences WG
– Integrates technologies for shared infrastructure
PRIME: Pacific Rim Experiences for Undergraduates
– Prepares globally-enabled workforce
– Immersive: research apprenticeship; cultural experience
PRIUS: Pacific Rim International UniverSity, Osaka University
– Prepares global workforce
– Within context of curriculum and research experience
PRAGMA: Pacific Rim Application and Grid Middleware Assembly
– Catalyzes collaborations
– Applications drive technology developments
Grid software: OptIPuter: SAGE; Ninf-G, Gfarm, Nimrod, SCMSWeb, CSF4, Naregi CA, Opal, MOGAS, Mgrid, Rocks, GAMA, Condor, Access Grid; GEO, GEON, DataTurbine, Inca
PRAGMA Grid: 32 institutions in 16 countries/regions, 27 compute sites (+ 9 in preparation)
Sites shown on the map:
– Australia: MU, APAC, QUT
– Chile: UChile
– China: JLU, CNIC, GUCAS, LZU
– Costa Rica: CeNAT-ITCR
– Hong Kong: CUHK
– India: UoHyd
– Indonesia: SKU, UI
– Japan: AIST, OsakaU, UTsukuba, TITech
– Korea: KISTI
– Malaysia: MIMOS, USM
– Mexico: CICESE, UNAM
– New Zealand: BESTGrid
– Philippines: ASTI
– Puerto Rico: UPRM
– Singapore: BII, IHPC, NGO, NTU
– Switzerland: UZH
– Taiwan: ASGC, NCHC
– Thailand: NECTEC, ThaiGrid
– USA: SDSC, UUtah, NCSA, BU
– Vietnam: HCMUT, HUT, IOIT-HCM
PRAGMA Grid Members and Team
Sites
– 23 sites from PRAGMA member institutions
– 15 sites from non-PRAGMA member institutions
– 27 sites contributed compute clusters
Team members
– 170 and growing
– one management contact per site
– 1~3 technical support contacts per site
– 1~4 application drivers per application
– 1~5 per middleware development team
Why PRAGMA-UCSD CA?
PRAGMA experimental CA
– Only used within PRAGMA Grid
Grid interoperation and future
– Need an IGTF-compliant catch-all production CA
Near term
– Only issue certificates from the production CA when needed
PRAGMA-UCSD CA Team
CA: Cindy Zheng, Mason Katz (UCSD)
RA: Mason Katz, Anoop Rajendra (UCSD)
PMA: Yoshio Tanaka (AIST)
Security Officer: Phil Papadopoulos (UCSD)
The team is exactly these 5 people, no more and no less.
CP/CPS
Structured as defined in RFC
OID
– Set for CP/CPS (1.2)
– Set for certificate policy ID v3 extension
– Registered with IANA
– Change procedure described in 9.12
CA Systems
CA server is dedicated and offline
RA server is dedicated and online
CA software is naregi-wp5-nas
Physical Security
CA and RA servers are in a lockable office
– 2 keys (Cindy Zheng, Karan Bhatia)
CA server is in a locked cabinet in the office
– Only Cindy (CA) has the key
Access log
– Logged by email
– Archive is included in the monthly backup
CA Key and Passphrase
CA key length 2048 bits (6.1.5)
CP/CPS 6.4 describes CA key protection
– Passphrase >= 15 characters
– Known only to the CA and RA
– Kept in 2 sealed envelopes in 2 separate locked drawers in Cindy's (CA) and Mason's (RA) offices; only Cindy and Mason have the keys to the drawers
– The sealed envelopes are kept separate from the backed-up private key
Encrypted Private Key Backup
On offline media (USB drives)
Kept in a locked cabinet
Only Anoop (RA) has the key
CA Certificate
Lifetime 10 years (6.3.2)
End entity lifetime 1 year
BasicConstraints (7.1.2)
– Marked as critical
– Set as CA:TRUE
KeyUsage (7.1.2)
– Marked as critical
– Values include keyCertSign, cRLSign
Certificate Revocation
Can be requested by
– Subscribers
– CA, RA
– Others who can prove compromise or exposure of a private key (4.9.2)
An end entity must request revocation as soon as possible, but within one working day after detecting that
– he/she lost or compromised the private key pertaining to the certificate, or
– the data in the certificate are no longer valid (4.9.1)
Authenticate the request (4.9.3)
– Verify requestor identity by phone, VTC or face-to-face
– Verify reason and evidence
CA must react as soon as possible, but within one working day, to any revocation request received (4.9.5)
CRL
Lifetime is 30 days
Issued
– Every 3 weeks
– Or immediately after a revocation (4.9.7)
http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0
Version: X.509 v2 CRL
Message digest algorithm: SHA-1
User or Host/Service Certificates
Key >= 1024 bits (6.1.5)
Lifetime 1 year (6.3.2)
User certificate
– Should not be shared (4.5.1)
End entity passphrase (6.2.8)
– 12 characters or more (enforced by Naregi-CA client software)
Issuing Certificates
Described in 4.1, 4.2:
– User fills in an application form
– RA replies: asks for photo ID (fax or in person) and arranges an interview (in person or VTC)
– RA interviews the user with a copy of the application and a copy of the photo ID, and fills in an RA checklist
– Upon approval, RA signs the checklist and hands everything to the CA
– RA emails the user an encrypted license ID and the user guide URL
– RA delivers the password to the user (fax or in person)
– User installs the Naregi-CA client software, creates a certificate request and emails the acceptID to the pragma-ucsd-ca list
– CA generates the new certificate and emails the user for retrieval
– CA/RA file all documents
Names
Meaningful names (3.1.2)
– Reasonable association to the end entity
– CN is the FQDN (host certificates)
Name uniqueness (3.1.5)
– List of issued certificates
– Prefix and suffix
Verify host owner/administrator (3.2.2, 3.2.3)
– Known organization in the PRAGMA community
– Verify with a known contact of the host organization
End Entity Certificates
X.509 format
Extensions (7.1)
– Policy Identifier contains an OID only
– CRLDistributionPoints: URI://goc.pragma-grid.net/secure/certificates/baec778c.r0
– keyUsage marked as critical
– basicConstraints set to 'CA:false' and marked as critical
– Host certificate: the FQDN is included as a dnsName in the SubjectAlternativeName
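The CA profile, the CRL profile and the end-entity profile on the three preceding slides can be turned into a mechanical check that a relying party or an auditor runs against the published CA certificate, an issued host certificate and the current CRL. The Go program below is an added example written for this page using only the standard library; it is not code from the PRAGMA-UCSD CA, which was operated with Naregi-CA. It generates a throwaway CA certificate, a host certificate and a CRL shaped like the slide profile and then checks them against the stated rules. The CA subject name, the host FQDN, the serial numbers and the use of 2048-bit host keys (the profile minimum is 1024) are assumptions; the CRL URL is the one on the CRL slide.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Profile values quoted from the slides (CP/CPS 6.1.5, 6.3.2, 7.1, 7.1.2, 4.9.7).
const (
	caKeyBits, eeMinBits = 2048, 1024
	caLifetime           = 10 * 365 * 24 * time.Hour
	eeLifetime           = 365 * 24 * time.Hour
	crlLifetime          = 30 * 24 * time.Hour
	crlURL               = "http://goc.pragma-grid.net/ca/ca-certs/baec778c.r0"
)

// extCritical reports whether the extension with the given OID is present and marked critical.
func extCritical(c *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			return e.Critical
		}
	}
	return false
}

// CheckProfile lists every way c misses the slide profile; wantCA selects the CA (7.1.2) or end-entity (7.1) rules.
func CheckProfile(c *x509.Certificate, wantCA bool) (v []string) {
	minBits, maxLife := eeMinBits, eeLifetime
	if wantCA {
		minBits, maxLife = caKeyBits, caLifetime
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < minBits {
		v = append(v, fmt.Sprintf("key must be RSA of at least %d bits (6.1.5)", minBits))
	}
	if c.NotAfter.Sub(c.NotBefore) > maxLife {
		v = append(v, fmt.Sprintf("validity longer than %v (6.3.2)", maxLife))
	}
	if !c.BasicConstraintsValid || c.IsCA != wantCA || !extCritical(c, asn1.ObjectIdentifier{2, 5, 29, 19}) {
		v = append(v, fmt.Sprintf("basicConstraints must be critical with CA:%v", wantCA))
	}
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if !extCritical(c, asn1.ObjectIdentifier{2, 5, 29, 15}) || wantCA && c.KeyUsage&caUsage != caUsage {
		v = append(v, "keyUsage must be critical (and include keyCertSign, cRLSign for a CA)")
	}
	if !wantCA && (c.VerifyHostname(c.Subject.CommonName) != nil || len(c.CRLDistributionPoints) != 1 || c.CRLDistributionPoints[0] != crlURL) {
		v = append(v, "host cert needs the CN FQDN as a SAN dNSName and the published CRL as its distribution point")
	}
	return v
}

// CheckCRL verifies the CRL against the CA certificate and rejects one covering more than 30 days (4.9.7) or stale at now.
func CheckCRL(crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) (v []string) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		v = append(v, "CRL signature does not verify against the CA certificate: "+err.Error())
	}
	if crl.NextUpdate.Sub(crl.ThisUpdate) > crlLifetime || now.After(crl.NextUpdate) {
		v = append(v, "CRL window longer than 30 days or already past nextUpdate; fetch a fresh CRL")
	}
	return v
}

// must panics on error: in this demo a failing key generation or signature means a broken environment.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI generates a CA certificate, a host certificate and a CRL shaped like the slide profile (names and serials are constructed).
func BuildDemoPKI() (ca, host *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(rsa.GenerateKey(rand.Reader, caKeyBits))
	hostKey := must(rsa.GenerateKey(rand.Reader, 2048)) // profile minimum is 1024; assumed 2048 here
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "PRAGMA-UCSD CA (demo)"}, // constructed DN
		NotBefore: now, NotAfter: now.Add(caLifetime), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // Go emits basicConstraints and keyUsage as critical
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	hostTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "node-1.example.pragma-grid.net"}, // constructed FQDN
		DNSNames: []string{"node-1.example.pragma-grid.net"}, CRLDistributionPoints: []string{crlURL},
		NotBefore: now, NotAfter: now.Add(eeLifetime), BasicConstraintsValid: true, // CA:FALSE, critical
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	host = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, hostTmpl, ca, &hostKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(crlLifetime),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: now}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return ca, host, crl
}
```

To check the real artifacts, replace BuildDemoPKI with x509.ParseCertificate on the published CA and host certificates and x509.ParseRevocationList on the downloaded .r0 file, then call CheckProfile and CheckCRL the same way. Two caveats the slides do not spell out: a relying party must treat a CRL past its nextUpdate as a failure rather than falling back to the last copy, which is what the CheckCRL time argument is for; and Go signs with SHA-256 by default, whereas the 2008 CRL was SHA-1 signed, which a relying party today should no longer accept.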
Rekey, Renewal and Modification
Certificate rekey is described in 4.7:
– Reasons for rekey: certificate revoked or expired
Revoked: re-enroll
Expired: re-apply 1 month before expiry, requesting a new public key
– Process is the same as initial enrollment, except that within 5 years of initial enrollment a face-to-face interview is not required
No certificate renewal (4.6)
No certificate modification (4.8)
Records Archive
Records archived (5.5.1)
– Forms, emails etc. from the enrollment process
– Private keys, passwords
– Monthly backup includes CA and RA server backup
– Mailing list archive
Retention period (5.5.2)
– General: minimum 3 years
– Certificates, CRLs: at least 2 years
– User identity info: 5 years
Audit
Described in section 8:
– Accept external audit
– By APGrid PMA
– Self-audit of CA/RA and operation once a year
Verify CA contact list once a year
Web Repository
Publicly accessible
– CA root certificates
– Certificates issued
– CRL
– CP/CPS
– Contact info
Grant APGrid PMA and IGTF unlimited re-distribution
Internal only
– Operation manuals
– Canned emails
– Forms
– Checklist
– CA profiles
Only CA staff and auditors are allowed access
Privacy and Confidentiality
Defined in 9.3 and 9.4
– No confidential info collected
– Do not provide personal info to other organizations
CA-RA communication
– Secure methods (4.1, 4.2): face to face, signed email, Skype
– Changes are announced and logged by email
Disaster Recovery
Described in 5.7
– Hardware, software, data corruption: recover from backup ASAP
– CA key compromise:
Notify subscribers, RAs, relying parties
Revoke all issued certificates
Stop certificate/CRL distribution service
Create new key pair and rebuild the CA system
Special Thanks
To Yoshio Tanaka and the AIST CA team, and Naregi-CA developer Takuto Okuno, for helping set up PRAGMA-UCSD CA
To APGrid PMA reviewers Sangwan Kim, Alex Wu and Suriya U-ruekolan for helping review the PRAGMA-UCSD CA CP/CPS