26-28 January 2009 – Nicosia, EUGridPMA

CALG CP/CPS updates
Dana Ludviga, LatGrid CA, SigmaNet, IMCS UL
Outline
- Accreditation process;
- CP/CPS changes (last review):
  – Minor;
  – Medium;
  – Major (discussion topics).
Accreditation process
When did it all start?
- Latvian Grid project (August 2006)
- Discussions started
- Introduction presentation (2008)
- CP/CPS review (Hardi and Jens)
- CP/CPS presentation (2008)
- CP/CPS review
CP/CPS updates after the last review (20.01.2009)
CP/CPS version 6.0 – review comments by severity
- Major: 4
- Medium: 8
- Minor: 8
- Nitpick: 15
Minor (1)
- The document follows RFC 2527, not RFC 3647;
- Different repository;
- Public certificate;
- "servicename/" should probably not be interpreted literally.
  – Common Name MUST include the "servicename/" prefix, followed by the server DNS name (FQDN).
  – Organisational Unit MUST include the organization domain name.
Minor (2)
- 3.1.8 – "CALG does not issue certificates to organisations." -> "The relation between the subscriber and the organization or organizational unit mentioned in the subject name must be proved during the authentication process (face-to-face meeting), see section 3.1.9.";
- CA root cert. doesn't mention the issuer's domain name;
- Are service names authenticated by the RA? Can anyone have any service?
  – Requests MUST be signed by the personal certificate of the corresponding system administrator issued by CALG.
Medium (1)
- Document date;
- 2.7.1-6. "No stipulation.";
- 3.1.1 – permit server certificates to have CN=fqdn.
  – Common Name MUST have one of the two following forms: include the "host/" prefix, followed by the server DNS name (FQDN), or the plain FQDN without any additional prefixes or postfixes.
  – Organizational Unit MUST include the organization domain name.
Medium (3)
- 3.1.1 – the services which the CA can sign should be restricted in some way;
- 3.1.7 – relies entirely on humans, too error prone?
  – CALG verifies the possession of the private key relating to certificate requests at the time of identity verification by the RA, who compares the requestor's printed certificate request with the electronically received request.
- 3.4 – "accepting" a request is not the same as "accepting it for revocation".
  – CALG MUST accept as a revocation request a message digitally signed with a not expired and not previously revoked user certificate issued under this policy.
Medium (4)
- The CA certificate can generate digital signatures.
Major (1)
- Check the possession of the private key (3.1.7).
- 3.1.9 – post office certificate?
  – Certification service provider accredited according to the Electronic Document Law of Latvia.
- The CA's DN does not correspond to the CP/CPS.
  – DC=LV, DC=latgrid, CN=Certification Authority for Latvian Grid
Major (2)
In certificates the first two components are encoded as IA5String:

  167:d=5 hl=2 l= 10 prim: OBJECT :DomainComponent
  179:d=5 hl=2 l= 2 prim: IA5STRING :LV
  187:d=5 hl=2 l= 10 prim: OBJECT :DomainComponent
  199:d=5 hl=2 l= 7 prim: IA5STRING :latgrid
  212:d=5 hl=2 l= 3 prim: OBJECT :OrganizationalUnitName
  217:d=5 hl=2 l= 8 prim: PRINTABLESTRING :lumii.lv
  231:d=5 hl=2 l= 3 prim: OBJECT :commonName
  236:d=5 hl=2 l= 12 prim: PRINTABLESTRING :Edgars Znots
RFC 2247 and RFC 3280 (http://www.ietf.org/rfc/rfc2247.txt)

4. Attribute Type Definition

The DC (short for domainComponent) attribute type is defined as follows:

  ( 0.9.2342.19200300.100.1.25 NAME 'dc' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

The value of this attribute is a string holding one component of a domain name. The encoding of IA5String for use in LDAP is simply the characters of the string itself. The equality matching rule is case insensitive, as is today's DNS.
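An added example, not code from the slides or from CALG: a minimal DER walker for an X.501 Name that reports the ASN.1 string type of every subject attribute and flags any domainComponent not encoded as IA5String, the syntax RFC 2247 and RFC 3280 prescribe for DC. The two sample DNs are constructed here to mirror the asn1parse dump above (one correct, one with a PrintableString DC); the helper names are this example's own.

```python
# Added example (not from the slides): DER walker for an X.501 Name.
DC_OID = bytes.fromhex("0992268993f22c640119")  # 0.9.2342.19200300.100.1.25
OU_OID = bytes.fromhex("55040b")                # 2.5.4.11
CN_OID = bytes.fromhex("550403")                # 2.5.4.3
IA5STRING, PRINTABLESTRING = 0x16, 0x13         # ASN.1 universal string tags

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length

def parse_name(der):
    """Return [(oid, string_tag, text)] for each single-valued RDN of a DER Name."""
    _, seq, _ = _tlv(der, 0)                    # outer SEQUENCE of RDNs
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)            # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(rdn, 0)                # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = _tlv(atv, 0)                # AttributeType (OBJECT IDENTIFIER)
        stag, val, _ = _tlv(atv, p)             # AttributeValue (some string type)
        out.append((oid, stag, val.decode("ascii")))
    return out

def dc_encoding_violations(der):
    """Values of domainComponent attributes not encoded as IA5String (RFC 2247 / 3280)."""
    return [v for oid, stag, v in parse_name(der) if oid == DC_OID and stag != IA5STRING]

def _atv(oid, stag, text):
    """Encode one single-valued RDN: SET { SEQUENCE { OID, string } }."""
    v = text.encode("ascii")
    inner = b"\x06" + bytes([len(oid)]) + oid + bytes([stag, len(v)]) + v
    seq = b"\x30" + bytes([len(inner)]) + inner
    return b"\x31" + bytes([len(seq)]) + seq

def build_name(attrs):
    """Encode a Name from [(oid, string_tag, text)]; short-form lengths suffice here."""
    body = b"".join(_atv(*a) for a in attrs)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample DNs modelled on the asn1parse dump on the earlier slide.
GOOD_DN = build_name([(DC_OID, IA5STRING, "LV"), (DC_OID, IA5STRING, "latgrid"),
                      (OU_OID, PRINTABLESTRING, "lumii.lv"), (CN_OID, PRINTABLESTRING, "Edgars Znots")])
BAD_DN = build_name([(DC_OID, PRINTABLESTRING, "LV"), (DC_OID, IA5STRING, "latgrid"),
                     (CN_OID, PRINTABLESTRING, "Certification Authority for Latvian Grid")])
```

To check a real certificate, feed it the DER bytes of the subject Name (for example the value of the `subject` field extracted from a DER-encoded certificate).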
Thank you! Questions?