Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay

Published byBasil Tucker Modified over 8 years ago

Similar presentations

Presentation on theme: "A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay"— Presentation transcript:

1 A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay {gghinita,maltunay}@fnal.gov

2 Goals  Understand CA similarities/differences  Request, renewal, re-key, revocation, vetting  Policy and technical factors  Improve usability  Identify features that should be part of a desktop certificate management tool  Assess the feasibility and attempt to define guidelines for development of such a tool 2

3 Methodology  Sample of 10 CAs  Counted CAs with 100+ users (grid-mapfile)  Also included additional US-based CAs (NCSA)  All but one (Fermilab) issue long-lived certs  Process data collected from CPS  Disclaimer: did not go through actual process of request, vetting, etc 3

4 CAs Surveyed  Fermilab KCA  DoEGrids  CERN  GridKA  INFN  UK e-Science  Grid2-FR  GridCanada  IrisGrid  NCSA 4

5 Identity Vetting  Vast majority of CAs employ RAs  RAs are separate entities  Typical requirement: physical presence at RA  Details vary with RA (type of documents, proof of token used at cert request time)  Organization-level CA  Badged users already vetted  Organization account (plus some second “factor”)  Fermilab (SLCS), CERN, NCSA 5

6 Certificate Request  Case 1: partial client support  web interface or GUI/command-line tool available  organizational vetting: immediate issuance  RA-based  users need to figure out RA and the correct DN  certificate retrieved later, using same machine and browser  Case 2: almost no client support  Users have to master openssl/grid-cert-request  Even less support for getting the DN right  Once users get the cert, plenty of work to import it into browsers, etc. 6

7 Certificate Re-key  Most CAs accept re-key  Almost none accept renewal or modification  Some (e.g., organization-level CAs) just do a re-request  Process:  New CSR is issued, signed with both the new key as well as the old key (if existing cert still valid)  Web interface to upload CSR, otherwise e-mail  RAs only need to approve request (eligibility) 7

8 Certificate Revocation  Most CAs accept on-line revocation  Revocation request is authenticated (signed) with the key of the certificate to be revoked  The revocation request is uploaded through a secure web interface (e.g., DoEGrids) or by e-mail 8

9 Shortcomings  Need for technical expertise  PKI is not a straightforward technology  Difficulty in understanding/handling public/private key pair  Need to import CA certificate to browser, etc  Administrative details cumbersome  How to set up the DN?  Wrong DN setting delays application  Certificate Usage: basic functionality not provided  Import into/export from web browsers, e-mail clients, etc  Ensure that key is stored encrypted 9

10 Objective: Improve Usability  Tool to support multiple/most/all(!) CAs  CA-related operations  Request, rekey, revoke certificates  Client-side operations  Proxy generation  Certificate store operations (MyProxy)  Integration with client-side software  Web browsers  E-mail readers  Grid tools 10

11 Existing Tools  jGridstart (NIKHEF)  Request, renewal, assists in vetting (generates forms)  Import into web browser  Export to file (PKCS#12)  NGS Certificate Management Wizard  Proxy generation (including voms-proxy)  Upload proxy to credential store (MyProxy)  Requires certificate in the filesystem (PKCS#12) 11

12 Recommendations  CA-related Processes  Technical process identical (X509)  Parameters may differ, use config files (openssl. cnf already does this)  Config files may be shipped with middleware (e.g., VDT)  Identity attributes included in CSR very similar  Name, Organization, e-mail  Customize required input for vetting  Use configuration files for form generation – not technically challenging  Most difficult task: client-CA protocol  Currently interactive web forms  Extend to web services: hopefully re-use existing server-side code 12

13 Recommendations (2)  Client Software Integration  Web browsers: Mozilla already solved (e.g., Fermilab get-cert)  Some difficulties with more exotic browsers – but CA-independent  Proxy generation/proxy upload  NGS tool already provides this  Merging jGridstart and NGS Cert wizard represents a good start to comprehensive functionality  Supporting organization-level vetting  Some code already exists (kx509 at Fermi, NCSA scripts)  This can represent an independent branch of the code  Possibly interface with existing tools, without having to integrate within single application 13

14 Q&A 14

Download ppt "A Survey of Certificate Management Processes and Procedures in OSG Gabriel Ghinita and Mine Altunay"

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.

Lecture 2: Security Rachana Ananthakrishnan Argonne National Lab.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
PKI Implementation in the Real World

PKI Implementation in the Real World
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
INFORMATION SYSTEMS SERVICES UNIVERSITY OF LEEDS Presentation to the UK e-Science Grid Workshop ‘Managing Access to Resources on the Grid’ e-Science Institute,

INFORMATION SYSTEMS SERVICES UNIVERSITY OF LEEDS Presentation to the UK e-Science Grid Workshop ‘Managing Access to Resources on the Grid’ e-Science Institute,
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Similar presentations

Ads by Google