
EUGridPMA Status and Current Trends and some IGTF topics March 2015 Taipei, TW David Groep, Nikhef & EUGridPMA.


1 EUGridPMA Status and Current Trends and some IGTF topics March 2015 Taipei, TW David Groep, Nikhef & EUGridPMA

2 IGTF AHM Taipei 2015 meeting – 2 David Groep – davidg@eugridpma.org
Geographical coverage of the EUGridPMA
 26 of 28 EU member states (all except LU, MT)
 + AM, CH, DZ, EG, GE, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RS, RU, SY, TR, UA, CERN (int) + TCS (EU)
Pending or in progress
 ZA, KE, TZ, AE

3 EUGridPMA Topics
 EUGridPMA (membership) status
 New and updated CAs
 IPv6 readiness and fetch-crl
 Private Key Protection Guidelines v2.0
 On-line CA Architectures Guideline document
 Wildcard naming
Also see the Berlin summary at https://www.eugridpma.org/meetings/2015-01/

4 Membership and other changes
 Responsiveness challenges for some members
   JUNET CA – suspended
   HIAST CA – temporarily withdrawn for operational reasons
 Identity providers: reduction and growth
   New CA in Georgia (Tbilisi) accredited
   New “G3” Trusted Certificate Service by the GÉANT Ass., operated by DigiCert of Lehi, Utah
 Self-audit review
   Cosmin Nistor replaced Kaspars as review process coordinator
   Self-audits progressing on schedule for most CAs

5 New CAs in the 1.62 release I: NIIF
Graphic: Tamas Maray, NIIF, Hungary

6 Gemalto token: FIPS 140 Level 3
But even if you have a Level 3 token, doing a documented key generation ceremony outside the token is still good practice, to prevent vendor lock-in.
Graphic: Tamas Maray, NIIF, Hungary

7 Now we also have documented guidance
 The on-line CA guidelines document is available at https://wiki.eugridpma.org/Main/GuidelinesForOnLineCAs
 Codifies current requirements from the Classic AP and current best practice, and permits the key generation ceremony more explicitly
 Follows the AP structure: Operational requirements; Network controls; Key generation; Key storage; Key activation; Key deactivation; Key end of life; Procedural controls; Site security; Publication and repository responsibilities; Audits; Compromise and disaster recovery

8 Which one to pick if you want it ‘just done’
On-line CA architectures must ensure that only legitimate traffic related to certificate issuing operations will ever reach the on-line CA issuing system. This can be ensured in various ways:
 (A) an authentication/request server, suitably protected and connected to the public network, and a separate signing system, connected to the front-end via a private link, that only processes approved signing requests and logs all certificate issuance;
 (B) an authentication/request server that also contains the HSM hardware, connected to a dedicated network that only carries traffic destined for the CA, is actively monitored for intrusions, and is protected by a packet-inspecting stateful firewall;
where it is noted that model A designs are more readily secured, usually need fewer components and less effort to maintain and operate, and are therefore preferred.

9 Best practice now documented
 “To further protect the issuing CA and permit revocation thereof, it is strongly advised that all on-line issuing CAs be a subordinate of an off-line root or higher-level CA, where the off-line root may have a long-lived (one year or longer) CRL.”
 “Any on-line CA shall have a disaster recovery and business continuity plan. For CAs where the key material has been generated inside the HSM, this plan should include regular tests of the capability to recover the key in the HSM from archival material.”
 And a bit more, just read the doc …

10 NEW GEANT TCS TRUSTED CERTIFICATE SERVICE

11 A long (but rather successful) road
Milestones, in order, as shown on the slide timeline:
 Idea
 CfP
 Contract signed with GlobalSign
 Start of SCS
 Contract renewed
 2nd CfP
 Contract signed with Comodo
 Start of TCS
 Start TCS eScience
 End of SCS
 Contract renewed
 3rd CfP
 DigiCert selected as TCS partner
 Start of new TCS
 End of Comodo TCS service

12 The TCS structure
 GEANT Ass. (TERENA) is the ‘owner’ of the certificate services, which it procures on behalf of the participating NRENs (members)
 It sources the issuing service from a commercial CA service provider and sets the requirements
   via the tender/RfP requirements
   via updates to the CP/CPS
 NRENs then act as the user-facing end of the service
   they may co-brand the service
   they can (or could) define some of the processes
   all have to agree to the same CP/CPS and contract(s)
 The TCS PMA controlling the CP/CPS is comprised of experts from across the community

13 Interesting elements
 By its intention, the TCS CAs should
   be publicly trusted in all major (mobile) systems
   use mechanisms that scale to the European R&E community
   not burden the subscribers (institutions) too much, in particular for auditing
   preserve under GEANT’s control the key elements that ensure continuity (no vendor lock-in); for eScience this means e.g. the subject namespace
 But of course not everything is under our control
   changes to the baseline requirements affect us
   the way the CA interprets those changes affects us even more, which is how we ‘lost’ usable OV certs
   server certs are more tightly controlled than personal ones

14 TCS G3 – 10 years of TCS
 Selected DigiCert, Inc. of Lehi, Utah, USA in August 2014
 Signed contract in November 2014
 Already TAGPMA accredited with ‘general-purpose’ grid CAs
 GEANT TCS service uses (6) dedicated ICAs
   of which 2 are IGTF accredited
   others: regular OV SSL, regular Client, EV, and CS

15 (Slide graphic; recovered text)
 Built using contracts: scales well to large numbers of organisations and users
 Assurance requirements on subscribers ensure quality
 ID bound through legal contracts, listed in a specific document and in the CPS

16 Document set
 Leverage as much existing accreditation as possible
 Instead of a single CPS, we have
   DigiCert CP
   DigiCert CPS
   GEANT TCS CPS
   Subscriber Agreement (“Terms of Use”)
   Consolidated Required Contractual Terms (CRCT)
 Only the GEANT TCS CPS and the CRCT are TCS specific
   they describe authentication, vetting, uniqueness, etc.
   they refer back to the upstream CPS and CP for everything else

17 Linking federations to Grid AuthN
Use your federation ID ... to authenticate to a service ... that issues a certificate ... recognised by the Grid today
Graphic from: Jan Meijer, UNINETT

18 Introduction of the TCS G3 in IGTF
 New CP/CPS
   Attempted to leverage the existing TAGPMA accreditation
   Mixed result: it seemed easier to write the CPS, but then the reviewer still read all documents, and cross-dependencies were complex to track
 Self-audit as per GFD.169
   Had been overdue for some time
   The new CPS implementing any recommendations was ready at the same time
 Review of the new CPS and the self-audit combined; reviewers: Reimer Karlsen-Masur (DFN-CERT), Dave Kelsey (RAL & wLCG), Jules Wolfrat (SURFsara & PRACE), and Urpo Kaila (CSC, EUDAT)

19 The new ‘G3’ TCS
 Roll-out via staged pilots
   Phase I: expert testing and debugging (almost done)
   Phase II: NREN-level testing and customization options
   Phase III: Customer (Subscriber) testing and roll-out
 Deployed in IGTF 1.62 on Feb 23
 Federation integration pending (so now mostly server-only)
 Full production everywhere before June 2015

20 The RPS model (as first introduced by Scott in TAGPMA)
 The RPS outlines the procedures that the community members follow to comply with the CA Profile. It allows communities with a defined set of registration practices to move between issuing CAs.
 Worked on by both TAGPMA and EUGridPMA, and evolved and refined in Berlin, with particular attention to sections 1, 3, and 9
 The latest version can be found at https://wiki.eugridpma.org/Main/RPS
The concept of the RPS aligns closely with the new TCS G3 CPS, although in that specific case the precedence is reversed: TCS maintains its own CPS, detailing the same elements an RPS would, but then incorporates the CA operator’s CPS by reference, whereas the RPS model would do it the other way round.

21 MISCELLANEOUS TOPICS
 IPv6
 Private Key Protection Guidelines v2.0
 On-line CA Architectures Guideline document

22 IPv6 status
 FZU runs a continuous v6 CRL monitor: http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/
 23 CAs offer a working v6 CRL
   but there are also 4 CAs that give an AAAA record but where the GET fails …
 Still 71 endpoints to go (but they go in bulk)
 dist.eugridpma.info can act as v6 source-of-last-resort
 fetch-crl v3.0.10+ has an explicit mode to force-enable IPv6 also for older perl versions
   Added option "--inet6glue" and "inet6glue" config setting to load the Net::INET6Glue perl module (if it is available) to use IPv6 connections in LWP to download CRLs
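The slide sorts CRL endpoints into three buckets: no AAAA record, an AAAA record but a failing GET, and a working v6 CRL. The following is an added example of a small monitor that does that classification; it is not part of the EUGridPMA slides, the FZU checker, or fetch-crl. The resolver and fetcher are injectable so the logic runs offline against constructed DNS and HTTP results; the hostnames, addresses and responses below are constructed documentation values, not real CA endpoints. It assumes plain http:// CRL distribution points, which is what the slide's "GET" refers to.

```python
"""Classify CRL distribution points by IPv6 reachability (added example)."""
import http.client
import socket
from urllib.parse import urlsplit

NO_AAAA = "no-aaaa"
GET_FAILS = "aaaa-but-get-fails"
OK = "v6-ok"


def resolve_aaaa(host):
    """Return the IPv6 addresses published for host (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_over_ipv6(url, addr, timeout=10.0):
    """GET the CRL from one specific IPv6 address; return (status, body_length).

    Assumption: CRL distribution points are plain http:// URLs (the CRL itself
    is signed, so transport integrity is not required for the download).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http:// CRL URLs are handled here")
    conn = http.client.HTTPConnection(addr, parts.port or 80, timeout=timeout)
    try:
        # Connect to the literal v6 address but keep the Host header correct.
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def classify(url, resolver=resolve_aaaa, fetcher=fetch_over_ipv6):
    """Return NO_AAAA, GET_FAILS or OK for a single CRL URL."""
    addrs = resolver(urlsplit(url).hostname)
    if not addrs:
        return NO_AAAA
    for addr in addrs:
        try:
            status, size = fetcher(url, addr)
        except (OSError, http.client.HTTPException, ValueError):
            continue  # this address failed; try the next one
        if status == 200 and size > 0:
            return OK
    return GET_FAILS  # AAAA published, but no address served the CRL


def summarize(urls, resolver=resolve_aaaa, fetcher=fetch_over_ipv6):
    """Count URLs per bucket, the shape of the slide's 'working / failing / to go' figures."""
    counts = {NO_AAAA: 0, GET_FAILS: 0, OK: 0}
    for url in urls:
        counts[classify(url, resolver, fetcher)] += 1
    return counts


# Constructed, offline stand-ins for DNS and HTTP (documentation addresses only).
FAKE_AAAA = {
    "crl.v6ok.example": ["2001:db8::10"],
    "crl.broken.example": ["2001:db8::20"],
    "crl.v4only.example": [],
}
FAKE_RESPONSES = {
    "2001:db8::10": (200, 1234),                        # CRL served over v6
    "2001:db8::20": OSError("connection timed out"),    # AAAA exists, GET fails
}


def fake_resolver(host):
    return FAKE_AAAA.get(host, [])


def fake_fetcher(url, addr):
    result = FAKE_RESPONSES[addr]
    if isinstance(result, Exception):
        raise result
    return result


SAMPLE_URLS = [
    "http://crl.v6ok.example/ca.crl",
    "http://crl.broken.example/ca.crl",
    "http://crl.v4only.example/ca.crl",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_URLS, fake_resolver, fake_fetcher))
```

Run against real endpoints by calling `summarize(urls)` with the default resolver and fetcher; the "AAAA but GET fails" bucket is the one worth alerting on, since a v6-only client will see a published address and then time out rather than fall back.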

23 http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/

24 Private Key Protection Life Cycle
 The (last) final changes were made to the private key protection guidelines document: http://wiki.eugridpma.org/Main/PrivateKeyProtectionLifeCycle
 It supports all the use cases currently permitted under the PKP guidelines version 1.1, but better reflects the key life cycles and clarifies the roles of the participants.

25 Wildcard naming
 Although some TLS RFCs have defined a syntax for including wildcards in the subject (and subject alternative) names, only a few syntaxes actually work
 CABforum guidance also limits what clients should consider acceptable
EUGridPMA guidance on wildcard naming
 a single "*" wildcard character is allowed, only in the left-most subdomain element of an FQDN
 each node (system) must have its own key pair, although the same (wildcard) name may be associated with multiple certs based on those distinct key pairs
 it is recommended to have a specific subdomain to which a responsible person is assigned

26 Naming and authority
There are also conceptual issues in validation (determining ‘ownership’ of the names)
 This means that for e.g. a set of web load balancers, a subdomain "web.example.org" is created and a responsible person is assigned to it
 Wildcard certificates "*.web.example.org" are then controlled by said responsible person
 Guidance on the permissible location of the "*" character should be added to GFD.225 (in progress)
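The two wildcard slides above state the naming rule (a single "*", only as the left-most label of the FQDN) and illustrate it with "*.web.example.org" for a set of load balancers. As an added example, not code from the EUGridPMA guidance or from GFD.225, here is a checker that applies that rule to a candidate certificate name and then matches presented hostnames against it, with the wildcard matching exactly one label. The minimum-three-labels rule (rejecting e.g. "*.org") is an assumption added here as a simple stand-in for the CABforum restriction the slide mentions; the example names are constructed.

```python
"""Validate and match wildcard names per the EUGridPMA rule (added example)."""
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _labels(name):
    return name.lower().rstrip(".").split(".")


def validate_wildcard_name(name):
    """Return (ok, reason) for a certificate name that may contain a wildcard.

    Rule from the slides: at most one '*', and only as the entire left-most label.
    Assumption added here: at least two labels must follow the '*', as a
    simple approximation of the CABforum limit on wildcards next to a TLD.
    """
    if name.count("*") > 1:
        return False, "more than one wildcard character"
    labels = _labels(name)
    for i, label in enumerate(labels):
        if "*" in label:
            if i != 0:
                return False, "wildcard is not in the left-most label"
            if label != "*":
                return False, "wildcard must be the whole label, not a partial label"
        elif not LABEL_RE.match(label):
            return False, "invalid DNS label: %r" % label
    if labels[0] == "*" and len(labels) < 3:
        return False, "wildcard needs at least two labels to its right (assumed rule)"
    return True, "ok"


def name_matches(pattern, hostname):
    """True if hostname is covered by pattern; '*' matches exactly one label.

    Neither partial-label matching (w*.example.org) nor multi-label matching
    (a.b.web.example.org against *.web.example.org) is accepted.
    """
    ok, _ = validate_wildcard_name(pattern)
    if not ok:
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


# Constructed candidate names, following the slide's load-balancer scenario.
CANDIDATES = [
    "*.web.example.org",    # allowed: single '*', left-most label, subdomain delegated
    "www.*.example.org",    # rejected: wildcard not left-most
    "*.*.example.org",      # rejected: two wildcards
    "w*.example.org",       # rejected: partial-label wildcard
    "*.org",                # rejected under the assumed CABforum-style rule
]

if __name__ == "__main__":
    for cand in CANDIDATES:
        print("%-20s %s" % (cand, validate_wildcard_name(cand)))
    print(name_matches("*.web.example.org", "lb1.web.example.org"))    # True
    print(name_matches("*.web.example.org", "a.b.web.example.org"))    # False
```

Because each load balancer node gets its own key pair, a fleet would hold several certificates for the same "*.web.example.org" name; the matcher above is indifferent to which key backs the name, so it can be reused unchanged when checking each node's certificate.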

27 UPCOMING MEETINGS

28 EUGridPMA Agenda
 34th PMA meeting: 11-13 May 2015 in Copenhagen, DK
 EGI Engage conference: May 18-22, Lisbon, PT
 REFEDS + TNC2015: June 14-18, Porto, PT
 35th PMA meeting: open to co-hosting with AARC; otherwise likely 7-9 September 2015, place tbd

