
Status of the Validation and Authentication service for TACAR and Grids.


hburks


Presentation Transcript


  1. Status of the Validation and Authentication service for TACAR and Grids.

  2. Summary
     • OCSP Requirements for Grids
     • CertiVeR’s features
     • OCSP Client
     • OCSP Service
     • Future
     • Questions

  3. OCSP Requirements for TACAR
     • Centralized OCSP service for all the hierarchies
     • Centralized root certificate management
     • The service should be able to sign the response for each CA with an authorized certificate (Authorized responder mode)

  4. OCSP Validation for Grids
     • Grids have special requirements for OCSP services: discoverable, fault tolerant, low latency, CA interoperability, etc.
     • GGF's CAOPS-WG has been working on the document “OCSP Requirements for Grids”.
     • This document provides information on:
       • OCSP Client Requirements,
       • OCSP Responder Requirements,
       • CA/Certificate Issuer Requirements and
       • OCSP Service Architecture.

  5. Client current status

  6. OCSP Client requirements for Grids
     • Revocation source requirements:
       • Several sources (OCSP, CRL, AIA) and query order.
     • Fault-tolerant requirements:
       • Multiple service invocation.
       • Caching of OCSP Responses.
     • Security requirements:
       • Nonce usage.
       • OCSP Request signing.
       • Adoption of http and https.
     • Error handling (i.e. Try Later, Respond with final status, etc.)
     • OCSP Extension handling.
     • “Unknown” status code handling for Proxy and Non-Proxy Certificates.

  7. GridOCSP Client API - features
     • Open source code for Globus TK 4 about to be released.
     • Implements an XML-based OCSP Policy that supports:
     • The policy file used by our client allows for the definition of per-Issuer rules or a default behavior for each feature.
     • Each VO could place this file at a specific URI for all its clients.

  8. GridOCSP Client – policy definition e.g. (I)

     ```xml
     <?xml version="1.0" ?>
     <ocsppolicy>
       <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR" hash="o6MjoB5y4b2cNvILPcBxWafHs7k=">
         <!-- Revocation sources, queried in "order" -->
         <revsources>
           <source order="1" type="ocsp" location="http://aai.certiver.com" trust="trusted" timeout="3600" />
           <source order="2" type="crl" location="c://config//myrevlist.crl" signingcert="c://config//ACcertiver.crt" />
         </revsources>
         <!-- Handling of an "unknown" status: non-proxy certificates, then proxy certificates -->
         <unknownstatus action="revoked" />
         <proxycert>
           <unknownstatus action="good" />
         </proxycert>
     ```

  9. GridOCSP Client – policy definition e.g. (II)

     ```xml
         <request>
           <signrequest value="true" />
           <usenonce value="true" />
           <protocol value="https" />
         </request>
         <response>
           <cache>
             <status value="true" />
             <size value="1000" />
             <lifetime value="36000" />
           </cache>
         </response>
         <errorhandler>
           <action order="1" type="trylater" maxretries="1" />
           <action order="2" type="setfinalresponse" value="revoked" />
         </errorhandler>
       </issuerdn>
     </ocsppolicy>
     ```
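
How a client could resolve a final certificate status from the per-issuer policy on slides 8 and 9. This is an added example, not the GridOCSP client's code: the function names, the `lookup` callback that stands in for real OCSP/CRL queries, the reading of `trylater`/`maxretries` as extra query rounds, and the fail-closed defaults are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: slides 8 and 9 joined into one well-formed document
# (request/response settings omitted, CRL path shortened).
POLICY = """<ocsppolicy>
 <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR">
  <revsources>
   <source order="1" type="ocsp" location="http://aai.certiver.com" timeout="3600" />
   <source order="2" type="crl" location="myrevlist.crl" />
  </revsources>
  <unknownstatus action="revoked" />
  <proxycert><unknownstatus action="good" /></proxycert>
  <errorhandler>
   <action order="1" type="trylater" maxretries="1" />
   <action order="2" type="setfinalresponse" value="revoked" />
  </errorhandler>
 </issuerdn>
</ocsppolicy>"""

def load_rules(xml_text, issuer_dn):
    """Return the <issuerdn> element whose dn attribute matches, else None."""
    for node in ET.fromstring(xml_text).iter("issuerdn"):
        if node.get("dn") == issuer_dn:
            return node
    return None

def ordered(parent, tag):
    """Direct children named `tag`, sorted by their numeric order attribute."""
    return sorted(parent.findall(tag), key=lambda e: int(e.get("order")))

def evaluate(rules, lookup, is_proxy=False):
    """lookup(source_type, attempt) -> good | revoked | unknown | error."""
    if rules is None:
        return "revoked"  # assumption: no rule for this issuer fails closed
    actions = ordered(rules.find("errorhandler"), "action")
    rounds = 1 + sum(int(a.get("maxretries", 0))
                     for a in actions if a.get("type") == "trylater")
    for attempt in range(rounds):
        for src in ordered(rules.find("revsources"), "source"):
            status = lookup(src.get("type"), attempt)
            if status in ("good", "revoked"):
                return status
            if status == "unknown":  # mapped by policy, never passed through
                path = "proxycert/unknownstatus" if is_proxy else "unknownstatus"
                return rules.find(path).get("action")
    for act in actions:  # every source failed in every round
        if act.get("type") == "setfinalresponse":
            return act.get("value")
    return "revoked"  # assumption: no final action configured fails closed
```

With this policy an unreachable responder and CRL end in "revoked" after one retry round, and "unknown" maps to "revoked" for end-entity certificates but "good" for proxy certificates.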

  10. Server Current Status

  11. OCSP Responder requirements for Grids
      • Performance:
        • Scalability: To cover for growth in terms of
          • Client requests.
          • Revocation sources.
        • Use of cryptographic hardware.
      • Flexibility:
        • Revocation source requirements.
        • Support different operation modes:
          • Transponder mode.
          • Trusted Responder mode.
          • Authorized Responder mode.
        • Coverage of proxy certificates revocation is a recommended feature.
      • Reliability
        • Fault-tolerance is a recommended feature.

  12. OCSP Service – client scalability and reliability
      • Intrasite
        • Using balanced NAT
      • Extrasite
        • Using balanced DNS with very low persistence

  13. OCSP Service – revocation source scalability
      • CertiVeR v4 can set N Updater processes in order to push DeltaCRLs from the CAs
      [Figure labels: CA/RA, LDAP, CAs, ∆CRL, CRL, Updater, Cert Status Database, Cert Status, OCSP Responder]

  14. OCSP Service – Flexibility [Figure: courtesy of CAOPS-WG]

  15. New CertiVeR service available!
      • A new service, CertiVeR v4, has been implemented covering the required features for Grids. It has just passed the Beta tests and is available at:
        • http://globus-grid.certiver.com
        • http://tacar.certiver.com
      • Current features of the new service:

  16. The next steps...
      • Release of client open source code
      • Dissemination and Validation of the service
      • Provision of pilots for Grid and TACAR CAs
      • Technical improvements
        • Addition of servers in order to improve scalability and fault-tolerance
        • Use of cryptographic hardware
        • Setting up of Transponder connections
        • DeltaCRL push mechanism to be directly provided to each CA

  17. For information about revocation services, try our demo at: http://www.certiver.com
