
EU NREN PKI. Jan Meijer, AARnet PKI / Access Federations Strategy Workshop, 10 February 2010, Sydney.


1 EU NREN PKI. Jan Meijer, AARnet PKI / Access Federations Strategy Workshop, 10 February 2010, Sydney

2 me
1998-2007: SURFnet – CERT, security, PKI, systems engineering, e-voting
2007-now: UNINETT – service development, storage, PKI

3 beautiful morning.... 22 NRENs, 6 months, 12573 server certs, starting personal

4 PKI purpose. Guarantee: authenticity, confidentiality, integrity, non-repudiation

5 ehr, no, we want:
– others not to read our mail
– to know the sender is the sender
– that, for documents, thanks
– no reading of my credit card number
– no reading of my health information
– no reading of my passwords
– log on to my internal web site

6 if it doesn’t work it doesn’t work

7 the issue ?

8 direct trust

9 hierarchical trust

10 web of trust

11 Feb 1993, RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management (obsoletes RFC 1114, Mail Privacy: Key Management, 1989)

12 Feb 1993, RFC 1422: "The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA). The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy. Beneath the IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations. Each PCA is certified by the IPRA."

13 USA crypto exports
<1996: International Traffic in Arms Regulations
1996: Export Administration Regulations (EAR) of the Department of Commerce
31 Dec 1998: 56 bit without license
12 January 2000: freedom to export
source: Bert-Jaap Koops' Crypto Law Survey, http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us

14 Pretty Good Privacy
Jun 5, 1991: PGP 1.0
Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.6.3i... with help:
Aug 1996: RFC 1991, PGP Message Exchange Formats (Informational)
Nov 1998: RFC 2440, OpenPGP Message Format (standards track)

15 1994: Netscape Navigator 1.0
1995: Internet Explorer 2.0

16 (1994) 1996: .nl electronic purse: Chipknip, Chipper

17 13 December 1999: Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures

18 1995: Student Chip Card

19 qualified digital signatures!

20 1998: SURFnet PKI
– PGP PKI: PGP keyserver pgp.surfnet.nl
– x.509 PKI

21 use
PGP
– email signing and encryption
– document signing and encryption
x.509
– email signing and encryption
– document signing and encryption
– authentication
– smartcard deployments

22 requirements
– scalable identity vetting at the university
– affordable server and client certificates

23 SURFnet x.509 PKI: 1998 setup, 1999 production

24 more levels

25 europe

26 down in the trenches

27 soon

28 ~2000: Netherlands qualified digital signature accreditation framework ready; SURFnet PKI: test audit

29 ~2001: "SURFdiensten" GlobalSign discount deal for .nl higher ed

30 1998-2004: PKI evolves
– focus on policy
– focus on CA operations
– plans to interlink European PKIs
– separate eScience Grid PKI: TACAR
– experience, but not large-scale deployment

31 SURFnet PKI numbers (per year: new CAs, personal, server)
2000: 1114
2001: 14838
2002: 34347
2003: 1691201
2004: 252125
course

32 popular? SSL server certificates, personal certificates, code signing certificates

33 biggest problem?

34 get root in browsers
2000: $250.000 x 2
2004: IE: WebTrust

35 puzzling pieces
– in browser root, $$
– flat rate
– unpunished success
why do I want to run my own CA?

36 TERENA


38 idea
– join forces
– contract a commercial CA, flat-rate for the TERENA community, unlimited
– NREN becomes RA
– re-use existing contractual relations
– make it stupid to not secure your server with SSL

39 use existing relations

40 SCS timeline
Jan 2005: idea written up (TF-CSIRT!)
Feb 2005: presented at TF-EMC2, "the list", 20 kEUR
Summer 2005: reality + procedure check
September 2005: CfP
January 2006: GlobalSign contract

41 16 March 2006: SCS is born

42 SCS numbers 12/2007
NREN            # issued   # organisations
ACONet               979         26
ARNES*                23        n/a
BELNET               673         57
CARNet               166        n/a
CESNET               452         20
CRU/RENATER         1446        134
GARR**               100         20
JANET (UK)          2300        212
RedIRIS             1077         86
SUNET***             487         17
SURFnet             1934         91
SWITCH              1200        n/a
UNI-C****           1366        n/a
UNINETT              348         24
14 NRENs, 12551 certificates

43 SCS numbers per 1 Aug 2008 (12/2007 figures in brackets)
# participating NRENs: 18 (14)
# certificates issued: 19.400 (12551)
# participating orgs: 2.225
# proxies: 3.800

44 2007: mission accomplished! no SSL = lame, and behavioural change...

45 SCS: lessons learned
– vested interests, existing services, strong opinions, policy devil....
– the browser popup was the problem
– a certain level of control is good
– do what matters
– good enough = good enough!

46 2007: contract renewal with GlobalSign; start preliminary work on a new CfP

47 new CfP, lessons learned
1. root coverage: browsers *and* other platforms
2. validity on contract end
3. ensuring future root coverage
4. end user interfaces
5. interface response times
6. describe certificate request processing
7. profiles
8. subjectAltName
9. multiple valid certificates
10. internationalisation
11. support
12. auditing
13. training
14. certificate lifetime

48 more lessons... optional requirements
1. alternative lifetimes
2. end user interface for renewal
3. per-NREN branding
4. additional profiles
5. eScience Grid certificate support
6. API
7. wildcard certificates
8. OCSP
9. extensive reporting

49 interesting CfP

50 TERENA Certificate Service

51 crucial lesson: GlobalSign SCS certificates revoked 3 months after contract expiry
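The CfP items above (root coverage, validity on contract end, subjectAltName) and this revocation lesson translate into a mechanical acceptance check an NREN RA can run on every certificate before handing it out. The Go program below is an added example written for this page, not code from TERENA, SURFnet, GlobalSign or Comodo: it uses Go's standard crypto/x509 to build a throwaway root and server certificate in place of the commercial CA backend, and the root name, hostname and the one-year contract end date are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Report is the outcome of checking one issued server certificate against three
// of the CfP requirements: root coverage, validity vs. contract end, subjectAltName.
type Report struct {
	RootOK, LifetimeOK, SANOK bool
	Problems                  []string
}

// must panics on error so the certificate construction below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueChain builds a throwaway root CA and a server certificate signed by it. It stands
// in for the commercial CA backend; the names are made up and no real CA data is used.
func issueChain(notAfter time.Time, dnsNames []string) (leaf, root *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example NREN Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.edu"}, // CN alone is not enough for browsers
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // nil reproduces the CN-only profile the CfP rules out
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return leaf, root
}

// checkIssued is the acceptance check an RA could run on every issued certificate.
// contractEnd is the date the CA contract expires; the SCS lesson is that certificates
// outliving it were revoked, so they should not be handed out in the first place.
func checkIssued(leaf, root *x509.Certificate, contractEnd time.Time, host string) Report {
	r := Report{RootOK: true, LifetimeOK: true, SANOK: true}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// Chain building only; the hostname is checked separately so the findings stay distinct.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		r.RootOK, r.Problems = false, append(r.Problems, "root coverage: "+err.Error())
	}
	if leaf.NotAfter.After(contractEnd) {
		r.LifetimeOK, r.Problems = false, append(r.Problems, fmt.Sprintf("lifetime: NotAfter %s is %d days past contract end",
			leaf.NotAfter.Format("2006-01-02"), int(leaf.NotAfter.Sub(contractEnd).Hours()/24)))
	}
	if len(leaf.DNSNames) == 0 {
		r.SANOK, r.Problems = false, append(r.Problems, "subjectAltName: no dNSName entries (CN-only certificate)")
	} else if err := leaf.VerifyHostname(host); err != nil {
		r.SANOK, r.Problems = false, append(r.Problems, "subjectAltName: "+err.Error())
	}
	return r
}

func main() {
	host := "www.example.edu"
	contractEnd := time.Now().AddDate(1, 0, 0) // assumption: the CA contract runs one more year
	good, root := issueChain(contractEnd.AddDate(0, 0, -1), []string{host})
	bad, _ := issueChain(contractEnd.AddDate(0, 3, 0), nil) // CN only, outlives the contract by 3 months
	// bad is checked against good's root, so all three findings show up for it.
	for i, leaf := range []*x509.Certificate{good, bad} {
		rep := checkIssued(leaf, root, contractEnd, host)
		fmt.Printf("cert %d: root=%v lifetime=%v san=%v %q\n", i, rep.RootOK, rep.LifetimeOK, rep.SANOK, rep.Problems)
	}
}
```

Running it prints one clean report for the compliant certificate and three findings for the second one: unknown authority, a NotAfter roughly 90 days past the contract end, and no subjectAltName. In practice the root pool would hold the contracted CA's roots and contractEnd would come from the NREN's own contract records; the check itself stays the same.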

52 CfP failure Plan B?

53 New TCS!
5 TERENA CAs:
– Server
– Code signing
– Personal
– eScience Server
– eScience Personal
own CPS, own front-ends, Comodo backend + roots

54 TCS numbers Jan. 2010 (certificates issued per NREN)
RENATER     2758
SURFnet     2499
UNI-C       1643
JANET(UK)   1289
SUNET       1088
CESNET      1069
ACOnet       733
UNINETT      599
BELNET       383
PSNC         140
GRNET        116
FCCN          61
CARNet        56
HUNGARNET     35
GARR          22
LITNET        21
RedIRIS       21
HEAnet        11
ARNES          7
CSC            6
AMRES          2
UoM            0
# issued: 12573
# NRENs: 22

55 TCS is

56 TCS organisation
TERENA – contractual party, financial clearing house, contact conduit to Comodo
TCS PMA, club of 5 – CPS responsibility
TCS Representatives – 1 per NREN, formal decisions
TCS RAs – day-to-day operations

57 TCS Members
Country         NREN       Server  Code  Personal
Austria         ACOnet       X      X      X
Belgium         BELNET       X      X      X
Croatia         CARnet       X
Czech Republic  CESNET       X             X
Denmark         UNI-C        X
Finland         CSC          X             X
France          RENATER      X             X
Greece          GRNET        X             X
Hungary         HUNGARNET    X
Ireland         HEAnet       X             X
Italy           GARR         X
Lithuania       LITNET       X             X
Malta           UoM          X
Netherlands     SURFnet      X      X      X
Norway          UNINETT      X      X      X
Poland          PSNC         X      X      X
Portugal        FCCN         X
Serbia          AMRES        X             X
Slovenia        ARNES        X
Spain           RedIRIS      X      X      X
Sweden          SUNET        X      X      X
UK              JANET        X
Total                        22     7     14

58 how?
SCS: Guido Aben, Jan Meijer, Teun Nijssen (SURFnet), Kaspar Brandt (SWITCH), Licia Florio, Karel Vietsch (TERENA), Milan Sova (CESNET), and more...
TCS: Kent Engstrøm (SUNET), Licia Florio, Jan Meijer, Kevin Meynell, Teun Nijssen, Milan Sova, Karel Vietsch, Henrik Austad, and more...
TCS Tender Committee: Kurt Bøge (UNI-C), Daniel Garcia (RedIRIS), Licia Florio, Dominique Launay (RENATER), Jan Meijer, Damien Shaw (JANET), Milan Sova, Karel Vietsch

59 PKI landscape Europe 2010: TCS, DFN-PKI, SWITCH-PKI, Grid PKI, Geant3 PKI activity

60 obituaries
chipknip: dead
chipper: dead
studenten chipkaart: dead
SURFnet PGP PKI: dead
SURFnet x.509 PKI: dead

61 alive and kicking
TERENA Certificate Service
PGP: FIRST, 209 teams, 47 countries
Grid PKI
Personal certificates?

62 purpose

