Presentation is loading. Please wait.

Presentation is loading. Please wait.

Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Similar presentations


Presentation on theme: "Large-scale issuing of host certs in a member-integrated or institutional CA environment."— Presentation transcript:

1 Large-scale issuing of host certs in a member-integrated or institutional CA environment

2 21 st EUGridPMA Utrecht meeting – Jan 2011 - 2 David Groep – davidg@eugridpma.org Initial use case  Centrally managed Large data centres  Example: CERN >> 10 000 systems  Institutional properties  operating (as an EIRO) an institutionally-embedded CA but could also be an automated RA for an external CA...  managed hosts in physically controlled environment  fully centralised configuration management Aim: provision host certs in a scalable and secure way

3 21 st EUGridPMA Utrecht meeting – Jan 2011 - 3 David Groep – davidg@eugridpma.org Simplified request flow

4 21 st EUGridPMA Utrecht meeting – Jan 2011 - 4 David Groep – davidg@eugridpma.org Workflow 1.New servers that are put into production in the CERN Computer Center will communicate with the Configuration Manager Servers and will signal that they require a host certificate. 2.After the validation of the requester Configuration Manager Servers will be able to request host certificates of the new template on behalf of the servers from step 1. Only those Configuration Manager Server possessing a valid Robot certificate will be able to do that. Robot certificates will be installed on them manually and following the standard through- the-website procedure. 3.The requests from step 2 will be securely sent to CERN CA using a special web service (not a website) 4.The reply from CERN CA will be sent to the Server from step 1.

5 21 st EUGridPMA Utrecht meeting – Jan 2011 - 5 David Groep – davidg@eugridpma.org Obvious pros and cons  With O(1000) requests, humans cannot accurately check them all for correctness: automated process reduces number of errors  Close integration with CA request process reduces number of points between admin  RA  CA  Automated processes can make errors as well, and very fast indeed  Identification of ‘new’ computer hardware is non-trivial  Humans are good at identifying oddities, making some attack modes harder to exploit

6 21 st EUGridPMA Utrecht meeting – Jan 2011 - 6 David Groep – davidg@eugridpma.org Proposal  Full discussion in January (Ljubljana)  extended description will be given by Alexey (CERN)  assess risks and opportunities  Needs description in CP/CPS  address attacks on CM servers (referring to the attacks on automated CAs recently, like Comodo, DigiNotar,...)  heuristics to mitigate risk (correlation with installments, domain checks, time-of-day, etc.)  identification of requesting machines? How can that be done? TPM, MAC, network,...  Case should be supported – scaling really needed!


Download ppt "Large-scale issuing of host certs in a member-integrated or institutional CA environment."

Similar presentations


Ads by Google