Presentation is loading. Please wait.

Presentation is loading. Please wait.

Soapbox of Random Stuff

Published byJasmin Spencer Modified over 6 years ago

Similar presentations

Presentation on theme: "Soapbox of Random Stuff"— Presentation transcript:

1 Soapbox of Random Stuff
UK e-Science CA Sept. 2016

2 Overview Adventures in RCauth land By extension, extensions
Probably relevant since we covered RCauth at previous PMAs By extension, extensions SHA2 migration Renewals and video

3 RCauth

4 Example of using RCauth
EUDAT is investigating whether it can use RCauth instead of its own in-house CA The remainder of this section is with EUDAT-as-a-RP-hat Need to satisfy both RCauth policy and IOTA/DOGWOOD E.g. RCauth does not require traceability, but IOTA does

5 EUDAT use of RCauth RCauth policy IOTA requirement
Is the lifetime 400 days or 11 days (6.3.2) IOTA requirement “documented and verifiable relationship” B2ACCESS is only a proxy (cf. AARC MJRA1.4) External IdM External IdP B2ACCESS proxy RCauth No DaVR here except eduGAIN at best The DaVR is between B2ACCESS and RCauth as IdP and SP, resp.

6 EUDAT use of RCauth Need to check quite a few things (SIRTFI, R&S)
EUDAT claims to be SIRTFI compliant but best to check whether it is actually happening  All portals must be PKPG compliant Of course a central MyProxy service might help here but this is not in the EUDAT AARChitecture Revocations EUDAT has a doc’d account deprovisioning process but otherwise no way of detecting “loss of traceability”

7 EUDAT use of RCauth Namespace: Namespace
Can RPs disambiguate B2ACCESS-issued credentials from other-IdP-issued credentials? Accepting other credentials useful in some cases (B2STAGE), less so in others (GOCDB) Namespace Where’s the stuff required by DOGWOOD? Must be {O,CN}, but …?

8 EUDAT use of IOTA/DOGWOOD
“Traceability of the credential is provided only in a cooperative way […]” So is traceability a requirement on the proxy? Proxy can (only) say “go ask over there” Authority must be told the originator IdP? Authority must have information to trace id with originator IdP (DW3.1, DW3.2)? “the identity management system via which the identity of this person was vetted” so must be originator IdP, not the proxy (DW3.2) “name [..] must contain sufficient information s.t. utilizing only this data, an enquiry via the issuer [RCauth] to the IdM”

9 EUDAT use of Rcauth – Constructing the CSR?
Inconsistent use of O in EUDAT (user filled field… ), or does it come from FIMS? (i.e. O=B2ACCESS) Cf. Dogwood requirement (previous slide) Single CN (EUDAT has two, unique id and name/principal(?)) Risk of using non-ASCII UTF8? Originating IdP and identifier with originating IdP And the authorisation extensions, of course 

10 Interfacing and Performance
EUDAT uses its own CA (née Contrail CA but much code has been replaced ) API is OAuth controlled Authorised portals have OAuth client ids DN is issued by token, DN in CSR is ignored  CA queries authorisation attrs. Proposed use of RCauth Heavily relying on MyProxy caches?! Needs GSI delegation also to add extns. Currently EUDAT (=Shiraz) is trying to set up a test Rcauth

11 Interfacing and Performance
Options (Shiraz & Mischa) B2ACCESS as an IdP Preferred option as less work is required  However, RCauth performance not good enough  B2ACCESS as a master portal Shiraz says it requires changes in B2ACCESS  B2ACCESS as a VO

12 Extensions EUDAT needs extensions in short-lived EE certs
Authorisation attributes Unfortunately a non-standard (Globus) (But then so was VOMS, initially)

13 Extensions

14 Useful PKCS#10 extensions
subjectAltName Accept requests for xple SANs User addresses Hosts - increasingly required with Globus compliance with RFC2818 Would allow useful ext’ns in user SLCs Shorter proxy chains, too

15 Using OpenSSL … for requests And the section contains (e.g.)
(e.g.) –reqexts req_section And the section contains (e.g.) 1.3.6…1.1.12=ASN1:UTF8String:${ENV::SAML} subjectAltName=DNS:xxx,DNS:yyy … for signing copy_extensions = copyall (in CA config section) Obviously all extensions should be filtered (allowed) and verified (by RA) NB! With copyall request extensions overrule configured extensions!

16 SHA2 migration

17 Document sent to IGTF Friday (and again Monday)
Unsigned: With signature:

18 SHA2 migration for subordinate CAs
Several approaches are effective Resigning the CA certificate with SHA2 is not one of them Bad options: Resign the CA certificate with SHA2 Rekey (rollover) the CA certificate with SHA2 So-so options: Withdraw support for SHA1 signatures in mw. Better options: Rekey the root, and re-sign the subordinate

19 SHA2 signatures Suggestions
Drop 2A (online) – no certificates on it any more Rekey root, and re-sign 2B with SHA2 under new root – best way to deal with issue (see doc) A compromise to mitigate against a compromise

20 Renewals and Video verification

21 Video verification of Id (JK+JJ)
Can we have a demonstrator?!! Ideally before we approve the process  Both a genuine id and if possible a fake id (and independently, not by someone who does it for a living) Is the process recorded? Use of passport Too much information on passport (GDPR) processed Non-passport ids wouldn’t have verifiable features Giving away enough information for passport to be faked? Can people be trained in examining passports from all countries? Can the training be kept up to date? Are there so few that they have to process requests from several countries (= Chinese applying for UK cert and verified by authority in China)? … or just make it a lower LoA 

22 Video verifications (JK)
Suggest it is OK for the following: User who has previously held certificate, but all the user’s certificates are expired or revoked User applies for same DN User still holds the same id that was in the original record RA still holds the original records and can compare (Obviously the id was originally checked in-person by RA or notary public as req’d by CEDAR)

23 Host Rekey (JK) Approval of host certificate rekey is normally routine
In UK eSc CA, host certs rekey themselves “Need” for certificate usu. a given Similar risks to the 3 yr lifetime for hosts, only with slightly less risk Risks are not so much at issuance (processes deal OK with issuance), more down the road Proposal to auto-approve and notify RA instead of waiting for approval

24 View from a hard working CA 
One CA operator’s card (used frequently) CA manager’s card (used less frq.)

Download ppt "Soapbox of Random Stuff"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/

Robots Jens Jensen, STFC RAL GridNet2/ UK e-Science CA /NGS/GridPP/
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Report on Attribute Certificates By Ganesh Godavari.

Report on Attribute Certificates By Ganesh Godavari.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.

1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.

On Robots J Jensen STFC Rutherford Appleton Lab OGF 20, Manchester, May 2007.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park 20-21 October 2015

AAI Developments AAI for e-infrastructures UK T0 workshop, Milton Hill Park October 2015

Similar presentations

Ads by Google