Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Case for HLCA Revisited

Published byPeter Clausen Modified over 6 years ago

Similar presentations

Presentation on theme: "The Case for HLCA Revisited"— Presentation transcript:

1 The Case for HLCA Revisited
Jens Jensen EUPMA May 2015 København

2 Reminder: why HLCA HLCA IGTF CA EE What is a HLCA?
CAs that issue certificates to EE-issuing CAs Include self signed IGTF requirements on HLCA Policy requirements Practical requirements Why is this interesting? Commercial CA issuing CA certificates to IGTF E.g. DigiCert, QuoVadis, Comodo, GlobalSign Make it easier to add new IGTF CA Predefine policies Why is this interesting Commercial hosting of CA Make it easier to run a CA HLCA IGTF CA EE Talk Title Goes Here 29/12/2018

3 Reminder: Why HLCA Can run online CA 2x membership profile
(Bad practice to have CA cert of online CA self signed) 2x membership profile Accredited: member, shows up at meetings, can vote Trusted: is in distribution, but doesn’t show up at meetings, no vote Standard support model EE issuing CA is Accredited Its issuer is Trusted (e.g. a commercial CA) Not a rigid model A HLCA can be Accredited Or could attend meetings, have limited voting rights, etc. HLCA 29/12/2018

4 Background: Why HLCA? Implicit vs Explicit: And of course the basics
Strong policy: All issued CA certificates are “IGTF ready” (subject to IdM) Open namespaces file Weaker policy: Only some issued CA certificates are “IGTF ready” Restrictive namespaces file And of course the basics Must have CP/CPS (which are published) Must issue CRLs consistent with GFD.225, RFC 5280 HLCA 29/12/2018

5 Policy “Inheritance” example
IGTF MICS CA1 CA2 IOTA CAn Other HLCA 29/12/2018

6 Hierarchy Discussion Lots of CA certificates get introduced
Which is bad, software tends to break More stuff to introduce, more stuff can go wrong Probably better to do it by “paper” Trust vs control Trust = paper, control = certificates HLCA 29/12/2018

7 Original UK eScience Certificate Hierarchy
Dev CA* Training CA Root 2007 CA CA 2A (online) CA 2B (offline) SLCS Toplevel SARoNGS Climate CAs RIGroup Meeting 29/12/2018

8 In Practice JCS joining (to be joining) EUPMA Signed by QuoVadis
QV had already been reviewed for SWITCH HLCA 29/12/2018

9 What’s in HLCA? Started waaaay back in 2006
Birth of IGTF SHOULD ? Last version 0.11 as of May 2012 Talk Title Goes Here 29/12/2018

10 Conclusion HLCA: make sure that “intermediate” (and self signed) comply with basic IGTF friendly requirements Most of it is motherhood and apple pie Make it easier to get new EE CAs into IGTF HLCA 29/12/2018

Download ppt "The Case for HLCA Revisited"

Similar presentations

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.

A Profile for Trust Anchor Material for the Resource Certificate PKI Geoff Huston SIDR WG IETF 74.
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer

Usage of PGP in TACAR 19th OGF Meeting Chapel Hill, USA February 1, 2007 Licia Florio Project Development Officer
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp://www.apgridpma.org/meetings/index.html Call for note takers!

4 th APGrid PMA F2F Meeting Academia Sinica, Taipei, Taiwan April 8, 2008 Agendahttp:// Call for note takers!
Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3 rd, 2011 Internet2 Fall Member Meeting.

Using InCommon Client Certs for eduroam Jeff Hagley and Ryan Martin October 3 rd, 2011 Internet2 Fall Member Meeting.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.
CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept. 2013.

CA Stuff Jens Jensen Dave Meredith John Kewley GridPP31, Imperial, London Sept
CAOPS-IGTF Session An Update from the TAGPMA Vinod Rebello given by Scott Rea OGF 25, Catania, Italy March 2, 2009 The Americas Grid Policy Management.

CAOPS-IGTF Session An Update from the TAGPMA Vinod Rebello given by Scott Rea OGF 25, Catania, Italy March 2, 2009 The Americas Grid Policy Management.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.

EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.

Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.
CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.

CertWizard: a New Certificate Tool for the UK NGI User Community John Kewley ( ), Jens Jensen, David Meredith and Akay Okcun 16/11/20151EGI.
Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.

Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.
International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May 9 2007 CAOPS-WG session #2.

International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May CAOPS-WG session #2.

Similar presentations

Ads by Google