NECTEC-GOC CA
The 3rd APGrid PMA face-to-face meeting, June 4, 2007
Suriya U-ruekolan, National Electronics and Computer Technology Center, Thailand
2 NECTEC-GOC CA Organization
(Organization chart: GRID CA PMA, CA Manager, RA Operator, CA Operator)
» GRID CA PMA: Policy Management Authority
» CA Manager: administers all tasks on the CA system
» RA Operator:
  » Accepts and verifies the user application form
  » Checks the Certificate Signing Request form
  » Informs the CA to issue the certificate
» CA Operator:
  » Issues certificates
  » Manages the CA and RA servers
  » Maintains the CA system
  » Manages the CA private key
3 Update on NECTEC GOC CA Status
» Accredited at Production Level by the APGrid PMA in October 2006.
» Bundled with the IGTF CA distribution.
» Started operation in January 2007.
» Web repository: moved from ThaiSarn to the NECTEC local network for better stability.
4 Issued Certificate Status
» No certificates have been issued yet.
» NECTEC GOC CA issues certificates to collaborators in NECTEC Grid Computing research:
  » Computational Fluid Dynamics Grid projects
  » Information Grid project
5 Plan
» NECTEC GOC CA plans to:
  » Draft the CP/CPS according to RFC 3647 in October 2007.
  » Conduct an internal audit once the CP/CPS has been drafted.
6 Detailed report on compliance with the latest Classic Authentication Profile
7 Identity and End-Entity Certificate Expiration
» User and Grid host certificates:
  » The subscriber meets the RA Operator in person.
  » The RA Operator reviews and approves the application and certificate request against the user's documents [CPS 1.3.2 and 3.1.x].
  » The RA communicates with the CA by signed email.
» NECTEC GOC CA renews certificates by re-keying (each renewal uses a new key pair).
8 Operation Requirements
» CA server:
  » Stored in a safe deposit box protected by a six-digit code.
  » Not connected to a network of any sort.
  » Located in a room that is restricted to the CA Operator during CA operations.
» CA private key:
  » Key length 2048 bits, lifetime 10 years.
  » Protected by a 15-character passphrase.
  » Backed up to a USB drive that the CA Operator keeps in the safe box.
9 CP/CPS Identification
» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527 (a draft according to RFC 3647 is planned for October 2007)
» Managed by the NECTEC GRID PMA
» Changes to its contents must be approved by the NECTEC GRID PMA
10 Certificate and CRL Profile (1)
» CA certificate:
  » DN: C=TH,O=NECTEC,OU=GOC,CN=NECTEC GOC CA
  » Signature algorithm: sha1WithRSAEncryption
  » Extensions:
    – basicConstraints (critical): CA:TRUE
    – keyUsage (critical): digitalSignature, crlSign, keyCertSign
11 Certificate and CRL Profile (2)
» End-entity certificate:
  » Key length 1024 bits, lifetime 13 months.
  » Extensions:
    – basicConstraints (critical): CA:false
    – keyUsage (critical): nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment (user certificate); digitalSignature, keyEncipherment, dataEncipherment (host certificate)
    – certificatePolicies: policyIdentifier OID (refer to CPS 1.2)
    – cRLDistributionPoints: URI of the CRL
    – subjectAltName: email address of the user (user certificate); FQDN (host certificate)
12 Certificate and CRL Profile (3)
» Complies with RFC 3280.
» CRL profile:
  » Basic fields:
    – Version: 2
    – algorithmIdentifier: SHA1
  » Extensions:
    – cRLNumber: integer
    – distributionPointName: URI of the CRL
13 CRL
» CRL validity is 30 days.
» A new CRL is issued:
  » 7 days before the previous one expires.
  » Immediately after a certificate revocation.
» Published in the web repository.
14 Publication and Repository
» The NECTEC GOC CA repository consists of:
  » CP/CPS
  » CA certificate (DER, CRT and PEM formats)
  » CRL (DER, PEM and r0 formats)
  » Application form, user guide and contact information
» http://gridca.hpcc.nectec.or.th
15 END
Any comments or suggestions?