IGTF / EUGridPMA status update: SHA-2, OCSP, and more. David Groep, EGI (IGTF Liaison Function), EGI-InSPIRE RI-261323, www.egi.eu

Presentation transcript:

IGTF EUGridPMA status update: SHA-2, OCSP, and more
David Groep, Nikhef and NL-NGI, for EGI global task O-E-15 (EGI IGTF Liaison Function)
This work is supported by EGI-InSPIRE under NA2 and SA1.2. orcid.org/

IGTF ongoing work
From recent IGTF meetings (AP: March; TAG and EU: May):
– Slightly revised SHA-2 time line
– Update to OCSP deployment planning and review of IPv6 deployment
– IGTF ‘Test Suite’ for software providers
– Guidelines on operating trusted credential stores (draft)
– Progress on the move towards differentiated ID assurance
IGTF Summary, OMB May 2013

SHA-2 time line agreed
Now
– CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1
– CAs should issue SHA-1 end entity certificates by default
– CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request; CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs
1st October 2013
– CAs should begin to phase out issuance of SHA-1 end entity certificates
– CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default
1st April 2014
– New CA certificates should use SHA-2 (SHA-512)
– Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512)
– Existing root CA certificates may continue to use SHA-1
1st October 2014
– CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points
1st December 2014 (‘sunset date’)
– All issued SHA-1 end entity certificates should be expired or revoked
In case of new SHA-1 vulnerabilities, the above schedule may be revised.

SHA-2 readiness
For SHA-2 there are still a few CAs not ready:
– a few can do either SHA-2 or SHA-1 but not both, so they need to wait for software to be SHA-2-ready and then change everything at once
A select few can do SHA-2 but their time line is not driven solely by us (i.e. some commercial CAs):
– their time line is driven by their largest customer base
– all of them can do SHA-2 already; some do so on request (since non-grid customers do request SHA-2-only PKIs)
– it is because of these that RPs have to be ready: when directives come from the CA/Browser Forum (CABF) they will change, and do so quite irrespective of our time table!
Keep in mind issues for HSMs (robot tokens)

A forward look: sudden end of MD5?
Some software stacks (Mozilla NSS, distributed as part of e.g. RHEL6U4) are now disabling the MD5 hash for crypto
This may create a nice mess, with several large CA roots still MD5 (even in EL6U4)
We don’t want that to happen prematurely with SHA-1 while it is still in active use…
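As an added illustration of the agreed time line and the MD5 lesson above (example code, not part of the presentation): a dependency-free Python check that reads the outer signatureAlgorithm OID of a DER certificate and classifies an end-entity certificate against the milestone dates. The `toy_cert` builder, the verdict labels and the RSA-only OID table are my own constructions; a real DER file read from disk can be passed to `signature_hash` in the same way.

```python
from datetime import date
# signatureAlgorithm OIDs (RFC 3279 / RFC 4055) -> hash name; RSA variants only here
SIG_HASH = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
            "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.13": "sha512"}
def _tlv(buf, pos):  # DER TLV at pos -> (tag, value_start, value_end); definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):  # OID content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Hash named in the outer signatureAlgorithm of a DER-encoded Certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, pos)          # tbsCertificate: skipped as a whole
    _, pos, _ = _tlv(der, tbs_end)          # signatureAlgorithm ::= SEQUENCE
    tag, start, end = _tlv(der, pos)        # AlgorithmIdentifier.algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return SIG_HASH.get(_decode_oid(der[start:end]), "unknown")

def ee_verdict(hash_name, on):  # end-entity cert against the agreed time line, on ISO date `on`
    day = date.fromisoformat(on)
    if hash_name in ("sha256", "sha512"):
        return "ok"
    if hash_name == "sha1":
        if day >= date(2014, 12, 1):        # sunset: SHA-1 EE certs expired or revoked
            return "non-compliant"
        return "phase-out" if day >= date(2013, 10, 1) else "ok"
    return "non-compliant"                  # md5 (see the NSS lesson) or unknown

# Constructed sample input: a structurally valid Certificate SEQUENCE, not a real signed cert.
def _der(tag, body):                        # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
def toy_cert(sig_oid):                      # sig_oid: DER content bytes of the algorithm OID
    tbs = _der(0x30, _der(0x02, b"\x01"))   # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa\xaa"))
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
```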

OCSP, IPv6, test suite, new guideline (profile) docs

OCSP status
Some CAs provide OCSP services:
– RFC 5019 lightweight: public trust CAs, CESNET
– RFC 2560 full: MSCA, a few OpenCA ones
Most don’t advertise it yet, since the operational impact is uncertain:
– Which software components will use OCSP?
– What is the expected load?
– Have RPs installed their HTTP caching services correctly?
– Has software implemented caching correctly?

OCSP time line (contd)
Planning: given the current pressure and focus on SHA-2, it is decided not to actively push for OCSP as long as the SHA-2 campaign is running
Questions:
– Will inclusion of the relevant AIA extensions automatically result in the use of OCSP? Is this software-configurable? Does it cache?
– Are RP (EGI: RC) setups expecting this? Have caches been deployed?
– Should we wait for TLS OCSP stapling (RFC 6066) to be configured and used widely?

Other work items
IPv6 deployment
– expect RPs with v6-only systems to set up a 6-to-4 NAT/proxy
IGTF ‘Test Suite’ for software providers
Guidelines on operating trusted credential stores (draft)
– matches the Private Key Protection guidelines
– guidance for MyProxy setups, portals, credential management systems
– intended as ‘good advice’ for RPs: things to consider
Progress on the move towards differentiated ID assurance
– provides only a unique opaque identifier: no identity, no traceability
– needs tuning of the LoA with our RPs; the current version may be too much for XSEDE and does not even work yet for PRACE-T1s…

Summary
Review detailed summary at
Questions?