Download
uk e science certification authority n.
Skip this Video
Loading SlideShow in 5 Seconds..
UK e-Science Certification Authority PowerPoint Presentation
Download Presentation
UK e-Science Certification Authority

UK e-Science Certification Authority

9 Vues Download Presentation
Télécharger la présentation

UK e-Science Certification Authority

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. UK e-Science Certification Authority Status and Deployment Jens G Jensen, CLRC/RAL

  2. Structure of CA User Request Approved Request RA RA = Registration Authority Certificate CA = Certification Authority CA Jens G Jensen, CLRC/RAL

  3. Certificate A certificate ties together a string, a public key, some other stuff and extensions • The string is the Distinguished Name, which can be used to uniquely identify the user (i.e., the owner of the corresponding private key) • The public key correspond to the users private key (RSA) • Other stuff specifies lifetime of certificate, issuer, etc. • Extensions specify e.g. which things the certificate can be used for. Jens G Jensen, CLRC/RAL

  4. The Distinguished Name • Contains the user’s name (verified by RA) • Also identifies the RA that approved the original request • No project information in the DN • Must not authorise based on DN alone • BUT: The name establishes only reasonable identity of the user (more than one Joe Smith?) • BUT: (ideally) the name should be used for authentication only, not identification • Should be seen as a string tied to the key • Every time someone connects with this string, you can be assured it’s the same user Jens G Jensen, CLRC/RAL

  5. The Registration Authority • RAs are trusted to approve (or reject) requests from users • Therefore it was felt that RAs should be formally appointed • RAs are local to users More about RAs and appointment later. Jens G Jensen, CLRC/RAL

  6. Identification of users • Users must show photo ID to RA. • The reason for this is: • We promise to verify the name in the DN • We aim to be (are) a medium assurance CA as defined by the latest GridForum policy draft (v6) • We aim to be (are) a medium level CA according to the DFN (Deutsche Forschungsnetz) Jens G Jensen, CLRC/RAL

  7. Strong policy Harder to get certificate But easier to have certificates accepted by Relying Parties Weak policy Easy to get certificate Harder to persuade admins to accept certificate for authentication purposes External Policies and Recommendations Jens G Jensen, CLRC/RAL

  8. Status • New e-Science CA being deployed • UKHEP CA will be terminated • UKHEP certificates will be allowed to expire • UKHEP still issues certificates for users not yet covered by new CA Jens G Jensen, CLRC/RAL

  9. 25 November 2002 • 170 certificates • 10 RA managers + 15 operators • Issuing 50 certs /month • Adding 3 RAs / month • Adding 6 RA operators /month Jens G Jensen, CLRC/RAL

  10. What’s done • Software (OpenCA based) installed • Keys generated • Some RAs appointed, certificates issued • CA staff trained • Close-to-final CP/CPS issued • Physical security implemented Jens G Jensen, CLRC/RAL

  11. What’s currently being done • New RAs being appointed and trained • CP/CPS being updated to reflect proposed change in extensions • RA and CA procedures being reviewed - must ensure that they conform to CPS Jens G Jensen, CLRC/RAL

  12. What else must be done • Must issue final CP/CPS • Approval as DataGrid CA (December) • Take over RAs from UKHEP • Then - announce deployment! Jens G Jensen, CLRC/RAL

  13. Renewal • Should send email reminder to user 30 days before expiry (with instructions) • Procedure doesn’t exist yet • Easy with OpenSSL but how to do it with the web interface? • Must issue certificate with same DN as an existing certificate... Jens G Jensen, CLRC/RAL

  14. (Proposed) extensions • basicConstraints (critical): not CA • keyUsage (critical) [interpretation sometimes woolly!]: • nonRepudiation - used to verify digital signatures in repudiation services • digitalSignature - private key is used for signatures (not certificates or CRLs!!), e.g. SSL client, entity authentication • keyEncipherment - public key is used for key transport, e.g. email encryption, SSL server • keyAgreement - used to agree e.g. a symmetric key between client and server Jens G Jensen, CLRC/RAL

  15. More (proposed) extensions • certificatePolicies: policyIdentifier (OID) Jens G Jensen, CLRC/RAL

  16. RA structure = Appointment Head of Department Manager Operator Operator Department Operators verify users’ requests Jens G Jensen, CLRC/RAL

  17. RA Appointment 1 • Agree Name with CA (manager) • OU and L identify the RA, not the project OU=Institution, L=Department in which the RA is appointed Jens G Jensen, CLRC/RAL

  18. RA Appointment 2 RA Manager is appointed by Head of Department The Manager is responsible for the operations of the RA Jens G Jensen, CLRC/RAL

  19. RA Appointment 3 RA Manager appoint RA Operators. Operators approve requests for Users Operators must have certificates Jens G Jensen, CLRC/RAL

  20. RA Appointment 4 Grid Support Centre offers training courses for RA Operators RA Operators are expected to know the system and to be able to advise Users Next training course: 18th December 2002 Jens G Jensen, CLRC/RAL

  21. RA Appointment 5 RA Operators then approve requests from Users Jens G Jensen, CLRC/RAL

  22. Contacts • Web site: http://www.grid-support.ac.uk/ca/ • Training courses • Alistair Mills a.b.mills@rl.ac.uk • Setting up RAs • Alistair Mills a.b.mills@rl.ac.uk • Jens G Jensen j.jensen@rl.ac.uk • David Boyd d.r.s.boyd@rl.ac.uk • Anything else • Jens G Jensen j.jensen@rl.ac.uk • ca-manager@grid-support.ac.uk Jens G Jensen, CLRC/RAL