Published by Shanna McCarthy. Modified over 8 years ago.
1
Soapbox (S-Series) Certificate Validation Jens Jensen, STFC
2
I&A
Identification - The process of establishing the identity of an individual or organization, i.e., to show that an individual or organization is a specific individual or organization. In the context of a PKI, identification refers to two processes: (1) establishing that a given name of an individual or organization corresponds to a real-world identity of an individual or organization, and (2) establishing that an individual or organization applying for or seeking access to something under that name is, in fact, the named individual or organization. A person seeking identification may be a certificate applicant, an applicant for employment in a trusted position within a PKI participant, or a person seeking access to a network or software application, such as a CA administrator seeking access to CA systems.
3
Dramatis Personae
Subscriber: responsible for certificate
– Creation, handover to Subject, renewal/rekey
Subject: using the certificate
– according to permitted purposes
RA (operator): verifying Subject info
E.g. personal: Subject == Subscriber; Host or robot: Subject != Subscriber.
RFC3647 is wrong:
– Subscriber - A subject of a certificate who is issued a certificate.
4
Managed Keys Policy
Subscriber (= key repository)
– Generates and protects keys
– Ensures that only Subject can use key
Who generates the CSR?
– Repository signs stuff, e.g. proxy certs
– A CSR needs signing, too
– 1: Generate CSR with key, ignore the name in the CSR? User01, User02,...
– 2: Let users create their own CSRs
5
Managed Keys Policy
Use of repository for:
– Key generation – hand over to Subject
– Key generation and key archiving
– Archiving and signing service (e.g. proxies)
– Signing, and escrow?
A repository can be many things
– Will it not be best to assume:
– Generation, storage, signing-at-user’s-req.
6
Certificate Validation
Name of Subject represented in DN
– (Using printableString encoding)
Subscriber is in possession of private key
Request originates from Subscriber
Subject is entitled to a certificate (of given type)
Certificate profile reflects the purpose
Lifetime is right
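The first check on this slide (Subject name in the DN, using printableString encoding) can be automated before an RA operator sees a request. The sketch below is an added example, not part of the presentation: it walks a DER-encoded X.501 Name and reports attribute values that are not tagged PrintableString or that use characters outside its alphabet. The helper names and the sample names are constructed for illustration.

```python
import string

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
SEQ, SET, OID, PRINTABLE_TAG, UTF8_TAG = 0x30, 0x31, 0x06, 0x13, 0x0C

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_name(der_name):
    """Return [(attribute OID hex, problem)] for values breaking the PrintableString rule."""
    tag, rdns, end = read_tlv(der_name, 0)
    if tag != SEQ or end != len(der_name):
        raise ValueError("expected exactly one DER SEQUENCE (X.501 Name)")
    problems = []
    for _, rdn_set in children(rdns):          # each RDN is a SET
        for _, atv in children(rdn_set):       # of AttributeTypeAndValue SEQUENCEs
            (_, oid), (val_tag, val) = list(children(atv))
            if val_tag != PRINTABLE_TAG:
                problems.append((oid.hex(), "tag 0x%02x is not PrintableString" % val_tag))
                continue
            bad = sorted({chr(b) for b in val} - PRINTABLE)
            if bad:
                problems.append((oid.hex(), "illegal characters: " + "".join(bad)))
    return problems

# Constructed sample names (short-form lengths only), not taken from any real CA.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def make_rdn(oid_hex, tag, text):
    return tlv(SET, tlv(SEQ, tlv(OID, bytes.fromhex(oid_hex)) + tlv(tag, text)))

GOOD = tlv(SEQ, make_rdn("55040a", PRINTABLE_TAG, b"Example Grid")
           + make_rdn("550403", PRINTABLE_TAG, b"host/node01.example.org"))
BAD = tlv(SEQ, make_rdn("55040a", UTF8_TAG, "Ex\u00e4mple".encode())
          + make_rdn("550403", PRINTABLE_TAG, b"user_01@example.org"))
```

`check_name(GOOD)` returns an empty list; `check_name(BAD)` flags the UTF8String organisation (OID 2.5.4.10) and the `@` and `_` in the common name (OID 2.5.4.3).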
7
OID in Cert
CA must know how key was generated and protected
Key is subject to CA policies... how does it know?
An RA must assert it...
8
Look at RA processes...
Bearing in mind:
– Users, hosts, and users-with-managed-keys
Bearing in mind:
– The differences between MICS, SLCS, and Classic
Bearing in mind:
– Subject, Subscriber, RA are already different roles
9
RA Process
Multistage process:
– Identification of Subject
– Recording audit trail of identification (maybe)
– Recording association of identification with request
– Checking Subject entitlement
– Authentication of Subscriber
– Association of Subscriber with request
– Subscriber possessing private key
– Checking protection of private key (maybe)
– Collecting “private questions” (MICS)
And
– Revoking key (cert) when necessary
– Authorising renewals and rekeys
10
RA Processes
Some processes already delegated
– E.g. MICS
– Delegation: loss of auditability
Some processes can be automated
11
Kirkhoff’s Law
12
RA Process Features
Throughput
Redundancy/availability
Skills
Data Protection compliance
Integrity
Compare DutchGrid’s “dumb” RAs
And UK’s split RAs
13
What is this about...
To make progress, we need to
– Understand the processes of Subscriber
– Understand the processes of RA
Enable splitting roles, e.g.,
– Multiperson processes on validation
Either split roles, or two-person validation
– Record the steps...
In an auditable form (for some steps)
– Enable automating roles? Delegating?
Understanding the consequences of linking steps
14
Issuance
Can continue: look at all the services of the CA
E.g. “outsourcing” the certificate issuance
– TCS, SWITCH
– National CAs still carry on with hosts
Outsourcing the identity management...
– MICS, SLCS
Where is the CA...?
– The CA is a PMA
– Note about responsibility, e.g. for data protection
15
IdM
If we link IdM to identity processes...
– What are the implications of linking IdM to repository?
– Federated identity management – home id generates (or at least activates) credential; MICS
– “Entities possess and control their key data”