1 NECTEC-GOC CA
APGrid PMA face-to-face meeting, October 15, 2006
Sornthep Vannarat, National Electronics and Computer Technology Center, Thailand
2 Introduction
» NECTEC: National Electronics and Computer Technology Center
» Government research institute under the Ministry of Science
» For electronics, telecommunication, computer and information technologies, including Grid Computing
» NECTEC GOC CA: NECTEC GRID Operation Center Certificate Authority
» NECTEC GRID PMA:
  » Large Scale Simulation Research Laboratory
  » Network Technology Laboratory
  » Thai Computer Emergency Response Team
3 CP/CPS
» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527
» Managed by the NECTEC GRID PMA
» Changes in content need to be approved by the NECTEC GRID PMA
4 NECTEC-GOC CA Organization
[Organization chart: GRID CA PMA, CA Manager, RA Operator, CA Operator]
(Note on slide: Remove CP/CPS 2.2.5 Table 1-2 Organization...)
» GRID CA PMA: Policy Management Authority
» CA Manager: administers all tasks on the CA system
» RA Operator:
  » Accepts and verifies the User Application form
  » Checks the Certificate Signing Request form
  » Informs the CA to issue the certificate
» CA Operator:
  » Issues certificates
  » Manages the CA and RA servers
  » Maintains the CA system
  » Manages the CA private key
5 End Entity
» NECTEC-GOC CA issues certificates for the following subjects:
  » Users of NECTEC
  » Users of domestic Grid-based applications or projects
  » Collaborators related to NECTEC Grid Computing research
6 Certificate Type
» User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/emailAddress=sornthep@nectec.or.th
» Grid Host Certificate: C=TH,O=NECTEC,OU=GOC,CN=host/grid64.hpcc.nectec.or.th
7 Identification and Authentication
» User and Grid Host Certificate:
  » The subscriber meets in person with the RA Operator
  » The RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]
8 Certificate Restrictions
» Certificate Lifetime:
  » 13 months for End Entity certificates
  » 10 years for the CA certificate
9 Issuing Certificates
» End entities request certificates
  » Each generates its own key pair
  » Submits the Application and Certificate Signing Request forms
» The RA Operator checks the Requests
» The RA Operator uses a secure communication method, e.g. signed and encrypted email
10 Issuing Certificates (cont'd)
» The RA Operator transfers the Request to the CA Operator
  » The RA Operator tars the CSRs and copies the tarball to a USB drive
  » The CA Operator copies the tarball from the USB drive to the CA machine
11 Issuing Certificates (cont'd)
» The CA Operator checks the CSRs and issues certificates
» The CA Operator transfers the certificates to the RA Operator
  » The CA Operator tars the certificates to a USB drive
  » The RA Operator copies the tarball onto the RA server
» The RA Operator publishes the certificates on the website and informs users by email
12 Certificate Revocation
» Certificates are revoked when:
  » The user's private key is compromised
  » Inaccurate user information is suspected
  » A User Obligation is violated (CPS 2.1.4)
  » The CA private key is compromised
  » The user leaves his/her organization
13 Revocation Request Procedure
» Revocation requests can be submitted through the web interface or to the CA Manager
14 CRL
» CRL validity is 30 days
» A new CRL is issued:
  » 7 days before expiration of the previous one
  » immediately after a certificate revocation
15 Physical Security
» CA Server:
  » Stored in a safe deposit box, which is protected by a six-digit code
  » Not connected to a network of any sort
  » Located in a room which is restricted to the CA Operator during its operations
» CA private key:
  » Protected by a passphrase of 15 characters
  » Backed up on a USB drive and stored in the safe box by the CA Operator
16 CA Room & Equipment (1)
[Photo: CA Room]
17 CA Room & Equipment (2)
[Photos: CA Machine, UPS, RA Server]
18 CA Room & Equipment (3)
[Photo: Safe box]
19 Records Archival
» Types of archived data:
  » All issued certificates and CRLs
  » All enrollment requests and notifications between the NECTEC-GOC CA and users
  » Operation history of the CA key
  » Events of interest, as described in CP/CPS section 4.7.1
» The retention period is 3 years
» Archived files are stored on CD or DVD in the safe box of the NECTEC server room
20 Key Pair
» The CA private key is generated by the CA Operator using OpenCA
» User and Grid Host key pairs are generated by the user, e.g. with grid-cert-req
» Key Length:
  » CA Certificate: 2048 bits
  » End Entity Certificate: 1024 bits
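The naming, lifetime, CRL and key-length rules from the slides above (Certificate Type, Certificate Restrictions, CRL, Key Pair), combined into a small policy-conformance check as an added example; this is not NECTEC's or the CA's own software, and the subject-name regexes, function names and the reading of "immediately" as "the same day" are assumptions.

```python
import calendar
import re
from datetime import date, timedelta

# Policy values as stated on the NECTEC-GOC CA slides.
LIFETIME_MONTHS = {"end_entity": 13, "ca": 10 * 12}
MIN_KEY_BITS = {"end_entity": 1024, "ca": 2048}
CRL_VALIDITY = timedelta(days=30)
CRL_REISSUE_BEFORE_EXPIRY = timedelta(days=7)

# Subject forms from the "Certificate Type" slide in one-line OpenSSL style.
# Assumed: the slide shows one example of each, not a formal grammar.
USER_DN_RE = re.compile(r"^C=TH,O=NECTEC,OU=GOC,CN=(?!host/)[^/,=]+/emailAddress=[^@,/]+@[^,/]+$")
HOST_DN_RE = re.compile(r"^C=TH,O=NECTEC,OU=GOC,CN=host/[A-Za-z0-9.-]+$")


def add_months(d, n):
    """d shifted forward by n calendar months, day clamped to the month length."""
    m = d.month - 1 + n
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def check_certificate(subject, not_before, not_after, key_bits, kind="end_entity"):
    """List the CP/CPS rules a certificate breaks (empty list = conforms).
    Dates are ISO strings (YYYY-MM-DD); kind is "end_entity" or "ca"."""
    nb, na = date.fromisoformat(not_before), date.fromisoformat(not_after)
    problems = []
    # Subject naming is only specified for end-entity (user / host) certificates.
    if kind == "end_entity" and not (USER_DN_RE.match(subject) or HOST_DN_RE.match(subject)):
        problems.append("subject not in NECTEC-GOC user or host form")
    if na > add_months(nb, LIFETIME_MONTHS[kind]):
        problems.append("lifetime exceeds %d months" % LIFETIME_MONTHS[kind])
    if key_bits < MIN_KEY_BITS[kind]:
        problems.append("key shorter than %d bits" % MIN_KEY_BITS[kind])
    return problems


def next_crl_issue(last_issued, revocations=()):
    """ISO date on which the next CRL is due: 7 days before the current one
    expires, or the day of the first revocation after last_issued, if earlier."""
    issued = date.fromisoformat(last_issued)
    scheduled = issued + CRL_VALIDITY - CRL_REISSUE_BEFORE_EXPIRY
    pending = [date.fromisoformat(r) for r in revocations if date.fromisoformat(r) > issued]
    return min([scheduled] + pending).isoformat()
```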
21 Contact Information
Sornthep Vannarat and Suriya U-ruekolan
National Electronics and Computer Technology Center, Grid Operation Center
112 Paholyotin Road, Klong 1, Klong Luang, Pathumthani 12120, Thailand
Tel: (662) 564-6900 ext 2278
Fax: (662) 564-6772
Email: camanager@hpcc.nectec.or.th