Presentation is loading. Please wait.

Presentation is loading. Please wait.

Communications IGTF RAT Comms Challenge 3 Fall 2015

Published bySamuel Hausler Modified over 6 years ago

Similar presentations

Presentation on theme: "Communications IGTF RAT Comms Challenge 3 Fall 2015"— Presentation transcript:

1 Communications IGTF RAT Comms Challenge 3 Fall 2015
All work by Ursula Epting, SCC-KIT Work by: Ursula Epting, SCC-KIT Karlsruhe, DE

2 Interacting with the IGTF ID providers
Today Every 1-6 hours: CRL retrieval Every 24 hours: CRL Availability/Reliability check Every ~2 years: RAT Communications challenge Did we progress between 2013 and 2015 in response? Can we answer some basic status questions as well? 29 November November 2018 Interoperable Global Trust Federation

3 RAT challenge results from 2013
In a strict interpretation we can say that ~30 % missed out on the requirement to react within one business day – only 70% were compliant .. and 13% did not reply at all – and the rechallenge only marginally improved it  Results communication test 2013: 76 % fullfilled the requirement % failed. 29 November November 2018 Interoperable Global Trust Federation Data: Ursula Epting, KIT

4 Suspension guidance IGTF 2015 All Hands meeting (Taipei) consensus:
"Sustained engagement of accredited authorities and timely response to policy and operational issues is essential to maintain the trust fabric. Consistent and long-term lack of communications, or persistent long-term operational issues, may lead to automatic or reviewed suspension and subsequent withdrawal of the trust anchor(s) of the authority from the IGTF trust anchor distribution. An authority may be suspended without further review for operational reasons if after 30 days of commencement of an operational failure condition the issue cannot be resolved, and no remediation has been communicated to the PMA within this period. An authority may be suspended without further review when failing to respond to a designated Communications Challenge for more than 30 days. An authority may be suspended subject to peer review in case of policy compliance issues. At any time an authority suffering compliance issues may communicate with the PMA, provide a remediation plan addressing the issues, and request the suspension to be reviewed, deferred, or annulled. Such communication shall in itself cause automatic suspension to be deferred.“

5 Interoperable Global Trust Federation 2005 - 2015
Results of the communications challenge 3 Results on the SHA-1 to SHA-2 migration questionnaire RATCC3 – Fall 2013 29 November November 2018 Interoperable Global Trust Federation

6 Interoperable Global Trust Federation 2005 - 2015
The intention of the test was to check whether the registered addresses of accredited IGTF-CA's are correct and how good communication works. correct addresses are the basis for all communication effective communication is essential in an infrastructure providing elementary security, like the IGTF PKI Why should we care? In case of a security incident or compromised certificate it is very important that a CA quickly processes revocation requests, i.e. revoke a certificate and issue a new CRL – which uses the registered address of the CA in the distribution Interoperable Global Trust Federation

7 Comms Challenge 3 description
The test started with the announcement that a communication test will be executed within the next 3 weeks. This information went to all accredited CA's, included in the IGTF-Release These CA's then received an and have been requested to answer within one business day. If no replies arrived reminders were sent to that CA's. Additionally they were asked two questions which could be answered within one week. (Part two of this talk) The number of CA's in the IGTF-release at the time of testing: 96 Notice: 'A CA' refers again to one CA-certificate. If there is a hierarchical structure with e.g. root-, server-, user-CA this will count as three CA's while in fact it is only one CA-structure. 29 November November 2018 Interoperable Global Trust Federation

8 Interoperable Global Trust Federation 2005 - 2015
Time line 6th November, Announcement of the test 25th November, h, Start of the test 26th November, h, Reminder for non-replying CAs 27th November, h, 2nd Reminder 28th November, End of the test Notice 1: The specified test times refer to UTC/GMT +2, CEST +1 Notice 2: no reminders were sent for the two additional questions 29 November November 2018 Interoperable Global Trust Federation

9 Interoperable Global Trust Federation 2005 - 2015
Time measurement As the test victims are spread all over the world and therefore live in different time zones, the target response time 'within one business day' was interpreted as 24 h referring to the location of the test sender. Response times were also measured in this sense. All s received by the test sender within 1 hour after the start of the test, count for 'CA replied within 1 hour' regardless of the timezone of the CA. 29 November November 2018 Interoperable Global Trust Federation

10 Interoperable Global Trust Federation 2005 - 2015
Detailed time view 42 % of the CA's have replied within the first hour (last time 30%), which shows that there was again a very high motivation to contribute to a successful test result! IGTF communication challenge Nov 2015 number of responses received → hours after challenge start → 29 November November 2018 Interoperable Global Trust Federation

11 Results cumulative view
So answers from 100 % of all CA's has not been reached, but 88 % (hard) or 92 % (soft) or 95 % (very soft) have been responsive. 29 November November 2018 Interoperable Global Trust Federation

12 Results complete view (2015 & 2013)
The big majority of 88 % replied within 24 hours/one business day. Additionally 4% replied within 48 hours and 3 % replied later 5 % did not reply at all. Notice: automatic replies of e.g. ticket systems were not counted 29 November November 2018 Interoperable Global Trust Federation

13 Interoperable Global Trust Federation 2005 - 2015
Interpretation In a strict interpretation we can say that 88 % (76 % in 2013) fullfilled the requirement to react within one business day - while 12 % (24 % in 2013) failed. So we did better this time! But is it good enough? In a softer interpretation we can say that 95 % (83 % in 2013) are responsive while 5 % (17 % in 2013) are not. So we have won 12 % ;) How to deal with the last 5 %? 29 November November 2018 Interoperable Global Trust Federation

14 Interoperable Global Trust Federation 2005 - 2015
Specific cases Challenge identified mail configuration issues (as usual) Really troublesome ones will be contacted again via Chairs 29 November November 2018 Interoperable Global Trust Federation

15 Interoperable Global Trust Federation 2005 - 2015
Part 2: on SHA-1, -2, and so on Do you issue sha2 signed certificates by default? When is the last sha1 signed certificate going to expire? 29 November November 2018 Interoperable Global Trust Federation

16 Interoperable Global Trust Federation 2005 - 2015
73 CA's did kindly answer the questions (76 %) 5 of them still issue sha1-signed certificates, the other 68 issue sha2 (sha256/sha512) by default 23 CA's did not sent answers (24 %) 29 November November 2018 Interoperable Global Trust Federation

17 The SHA-1 CAs response summary
29 November November 2018 Interoperable Global Trust Federation

18 Interoperable Global Trust Federation 2005 - 2015
Why to stick to SHA-1? Several CA's have some sha1-signed certs which will all expire within 2016 In Germany we have a special community for climate research which is not able to use sha2 and whishes to ‘use sha1 forever’… 29 November November 2018 Interoperable Global Trust Federation

19 Building a global trust fabric
Questions? Building a global trust fabric Interoperable Global Trust Federation

Download ppt "Communications IGTF RAT Comms Challenge 3 Fall 2015"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
CVE-2008-0166, lessons learned and actions David Groep, Nov 7 nd, 2008.

CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.

Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Distribution Lists Management 13 March 2012, ICT Service.

Distribution Lists Management 13 March 2012, ICT Service.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.

Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Configuring Directory Certificate Services Lesson 13.

Configuring Directory Certificate Services Lesson 13.
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.

SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.

March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.

Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 8/15/2012.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 8/15/2012.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.

Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

Similar presentations

Ads by Google