Jens’ Nth soapbox Can’t be a PMA without a Soapbox Jens Jensen, RAL EU GridPMA, Switch, Zürich, 11-13 May 2009.


1 Jens’ Nth soapbox Can’t be a PMA without a Soapbox Jens Jensen, RAL EU GridPMA, Switch, Zürich, 11-13 May 2009

2 PART I WHAT IS A CA?

3 What is an IGTF CA? Is it the institution running the issuing authority Is it the trust anchor, a certificate Is it a cert and a (sub-)namespace Is it a collection of certs and namespace Is it a person (le roi, c’est moi)

4 What is a CA? All of the above (ish) Plus the following…

5 What is a CA – Services
1. Support infrastructure (e.g. helpdesk)
2. Contact emails (e.g., .info)
3. Front end – certificate request/download
   – Renewal and RA interface (if different)
4. Back end – signing service
5. CRL
   – And OCSP, if available

6 What is a CA – Services Notification service –Subscriber Issuance, renewal, rekey Revocation –RA Same, mostly –Unusual events

7 What is a CA – Services Repository –Satisfying repository obligations Publications according to local (usu country) law –Personal data

8 What is a CA – IGTF RPDNC… (see later) CA manager’s GPG key –TACAR registration paperwork Attendance record –PMA most recent presentation record –PMA most recent audit record

9 What is a CA – IGTF PMA reviewer records –Initial, re-review: mails, spreadsheets Minreq and AP implementation

10 What is a CA – Infrastructure
1. Networks – (internet/web needed for at least CRL)
2. DNS, internal
3. DNS, external
4. Machines, hardware
5. Physical protection

11 What is a CA – internals
1. (Front) database
   – Logging and archiving (if different) (WORM?)
2. CA operator interface
3. Signing infrastructure
   – HSM, if used
4. RA database
   – Paper and/or online

12 What is a CA – people/roles
1. CA Manager
   – Policy, admin
2. RA manager manager
   – RA managers, RA operators (variations)
3. Support
4. (Self)auditor

13 What is a CA – “Manual” Trust Photocopies (or equiv) of ids Appointment letters PINs, if used Private keys throughout PKI Passphrases

14 What is a CA – Internals High availability services –Redundancy, monitoring High integrity services –Backup, integrity checks High confidentiality services –Encryption, physical protection, release procedures DISASTER RECOVERY

15 What is a CA – W&F Audit results –Internal audits –Self audits –External audits

16 What is a CA – W&F Level of Assurance – LoA Level of Effort – LoF Level of Expertise – LoE –Level of Contribution? – LoC Making change – inertia – LoI –Dinghy vs supertanker Level of Reputation(?) – LoR

17 What is a CA – W&F Age –Catching up with changing requirements –General rule of decay and obsolescence Components, documents Procedures Age: Rule of that curvy thing

18 What is CA – exceptional Coping with special cases and errors –Usually on a case by case basis –See humans vs comps later in pres.

19 PARTS II & III POLICY AND SOFTWARE

20 Guiding Principles Redde Caesari quae sunt Caesaris –Policy To orthogonise or not –Software Jens’ Law of Humans vs Computers Jens’ Law of Complexity

21 PART II POLICY

22 Implementation Implement! in CP/CPS Template Implement! in “1”SCP Implement! in software – see next Part

23 Examples (non-exhaustive) Either describe separate dimensions –E.g. private key protection –E.g. identity vetting W&F Describe with OIDs OIDs are not ordered I.e., .1 > .2 > .3

24 Ponder Instead of “how is it implemented” –“What is the goal” How LoA is achieved How APs relate to each other in this respect –Policy mapping

25 Or not Orthogonal Usually a good thing Clean Separates things that are separate Modular Non-orthogonal Easier to interpret Single mapping to other levels (maybe) Maybe it makes sense to do both

26 Example Private key in file –Password protected –User generated Certificate personal –F2F id vetting –IGTF-rekey … “I am a Classic…” Maybe it makes sense to do both

27 PART III SOFTWARE

28 Law of Humans vs Computers Computers are good at computer things –Make computers do them! Humans are good at human things –Give human things back to humans

29 Operating Manuals Documenting existing practice Documenting special cases –Discourage too much creativity –Guidelines – good

30 Law of Complexity “Make simple things simple, complex things possible” “Make things as simple as possible, but not simpler” Complexity has to go somewhere

31 The Software Triangle Pain Simple convenience Does the right (complex) thing

32 Example – web CA FF can no longer import certs from file? Backwards DNs, IE on Vista Conversion from PKCS#12 to PEM Import/export for non-personal certs Trust web sites flag not set on cert imp?

33 Renewal Import into browser –.pem of course is OK Retaining use of private key

34 Signing Policies Implementation of RPDNC Good(ish) certs outside RPDNC

35 More software STFC will release Java clients software –Open Source licence –As soon as I get round to doing it Other Java clients STFC-licensed –Free (beer) for non-commercial

36 Concluding Remarks Soapbox

