
Utrecht, 6 October 2006

SURFnet PKI activities per October 2006. Jan Meijer. Utrecht, 6 October 2006. Reasons for our PKI activities: the Internet always has been, is and is likely to stay an unsafe place; trust code, trust machines & services, trust people.





Presentation Transcript


  1. SURFnet PKI activities per October 2006 Jan Meijer Utrecht, 6 October 2006

  2. Reasons for our PKI activities
     The Internet always has been, is and is likely to stay an unsafe place.
     • trust code
     • trust machines & services
     • trust people
     • protect information from prying eyes and manipulative fingers

  3. PKI demand
     • Do SSL with websites
     • Deploy AA middleware
     • ‘Do grid’
     • e-Learning
     • webservices
     • VPN
     • sign & encrypt email
     • PKI as enabler for other services
     • PKI delivers service
     • no-one does ‘PKI’

  4. SURFnet PKI roots
     • Open standards: OpenPGP and X.509
     • Public PGP keyserver for > 11 years
     • PGP PKI, *1998, †2004, decentralized PCA-CA model
     • X.509 PKI, *1999, decentralized PCA-CA model
     • GlobalSign SSL server certificates with discount through SURFdiensten
     • PKI smartcard pilots in 2001/2002
     • PKI token research in 2004/2005
     • PKI linking research in 2004/2005
     • Student smartcard (1994/2002)
     • …

  5. Reshaping our PKI portfolio
     Started in 2005
     • Server certificates 4all: SURFnet SCS
     • Personal certificates 4all@Grid: SLCS project in 2007 with the Dutch Grid community, cooperating with the Czechs (and others?)
     • Personal certificates 4others: revisit issue in 2007
     • Code-signing certificates: revisit issue in 2007

  6. Server certificates 4all
     • Popup-free, affordable server certificates
     • Technical flexibility: certificate profiles
     • Leverage existing contractual relations to provide a streamlined service *and* to push down cost
     • Joined forces with other NRENs through TERENA to get what we could not get alone: a shared European service

  7. SCS Deployment
     • Premise: MUST be available for constituency ASAP after launch of TERENA SCS
     • Not yet fully featured but effective for current need
     • Launched in March 2006 for small pilot group
     • Open for all constituents in April 2006

  8. Using SURFnet SCS: Initial formalities
     • Organisation appoints min. two proxies (!!!!) authorized to request SCS certificates on behalf of that organisation
     • SURFnet verifies organisation exists (formal document!)
     • SURFnet verifies organisation is customer
     • Paper trail!!

  9. Using SURFnet SCS: per certificate
     • check admin contact = tech contact (!!!!!)
     • check admin contact is authorized
     • authenticate admin contact (signed fax)
     • check institute is participant
     • check domain is owned by institute
     • paper trail!
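As an added illustration of the registration-authority procedure in slides 8 and 9 (this is not SURFnet's own tooling, and the check names, the organisation registry, the contact addresses and the domains are all constructed for the example), the script below encodes the organisation-level precondition (at least two appointed proxies) and the five per-certificate checks, and returns every failed check rather than stopping at the first, so the record that goes into the paper trail is complete:

```python
"""Hypothetical RA pre-checks for an SCS server-certificate request.

Added example modelled on slides 8 and 9; not SURFnet code. The registry
below is constructed data, and the check names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Organisation:
    name: str
    participant: bool          # slide 9: institute is a participant (and slide 8: is a customer)
    proxies: frozenset         # slide 8: appointed proxies, min. two, allowed to request certs
    domains: frozenset         # domains the RA has verified the institute owns


@dataclass(frozen=True)
class CertRequest:
    org: str
    admin_contact: str
    tech_contact: str
    fqdn: str                  # subject name the certificate is requested for
    admin_authenticated: bool  # RA verified the signed fax / signed e-mail from the admin contact


# Constructed registry: one fully set-up participant, one organisation that is not.
REGISTRY = {
    "example-university.example": Organisation(
        name="Example University",
        participant=True,
        proxies=frozenset({"alice@example-university.example", "bob@example-university.example"}),
        domains=frozenset({"example-university.example"}),
    ),
    "pilot-college.example": Organisation(
        name="Pilot College",
        participant=False,
        proxies=frozenset({"carol@pilot-college.example"}),   # only one proxy appointed
        domains=frozenset({"pilot-college.example"}),
    ),
}


def domain_owned(fqdn: str, domains: frozenset) -> bool:
    """True if fqdn equals, or is a subdomain of, a verified domain.

    The dot is required before the suffix, so a look-alike such as
    'example-university.example.attacker.example' does not match.
    """
    host = fqdn.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))


def ra_checks(req: CertRequest, registry: dict) -> list:
    """Return the names of all failed checks, in slide order; an empty list means approve."""
    failures = []
    org = registry.get(req.org)
    if org is None:
        return ["unknown-organisation"]
    admin = req.admin_contact.lower()
    if len(org.proxies) < 2:
        failures.append("fewer-than-two-proxies")
    if admin != req.tech_contact.lower():
        failures.append("admin-not-tech-contact")
    if admin not in {p.lower() for p in org.proxies}:
        failures.append("admin-not-authorized")
    if not req.admin_authenticated:
        failures.append("admin-not-authenticated")
    if not org.participant:
        failures.append("institute-not-participant")
    if not domain_owned(req.fqdn, org.domains):
        failures.append("domain-not-owned")
    return failures


def decide(req: CertRequest, registry: dict = REGISTRY) -> dict:
    """Produce the paper-trail record: the decision plus every check that failed."""
    failures = ra_checks(req, registry)
    return {"fqdn": req.fqdn, "org": req.org,
            "decision": "approved" if not failures else "denied",
            "failed_checks": failures}


# Constructed sample requests.
GOOD = CertRequest("example-university.example", "alice@example-university.example",
                   "alice@example-university.example", "WWW.example-university.example.", True)
BAD = CertRequest("pilot-college.example", "carol@pilot-college.example",
                  "dave@pilot-college.example", "mail.other.example", False)

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(decide(r))
```

The request for Example University passes every check (the trailing dot and upper case in the FQDN are normalised before the ownership test); the Pilot College request is denied on five grounds at once, which is the kind of record the slides' "paper trail!" asks for and what a denied-request count such as the one on slide 13 is built from.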

  10. SURFnet SCS after 2006
     • Now: ~5 minutes/certificate
     • Move away from fax to digitally signed email
     • Further streamline verification process to bring down time
     • dedicated printer
     • let script pre-print request documents to trusted printer
     • script signature verification
     • paper trail!!

  11. SCS participation of constituency Note: all but a few of the big institutions are participating

  12. SCS participation growth

  13. SCS usage
     #certs issued (30 Sep 2006): 424
     #certs denied (30 Sep 2006): 89

  14. Personal certificates 4all@Grid
     • Short Lived Certificate Service project in 2007
     • Issue personal certificates using the SURFnet Federation for authentication of the Grid user
     • Attribute in SURFnet Federation indicates strong identity verification took place
     • Use (student) administration for strong identity verification
     • Use telcos, banks as external identity providers doing strong identity verification
     • Offer service to other NRENs through EduGain?

  15. A little musing
     • With SCS we finally have synchronised RA procedures
     • With EduGain we will have a European AAI
     • With USB we finally have a unified physical interface
     • With grid we have cross-organisation storage
     • email/document signing and encryption should be within our grasp
