

Number of slides: 19

TERENA Server Certificate Service
Towards the large-scale use of affordable popup-free server certificates for the European NRENs
Licia Florio, TERENA
EuroCAMP, 3-5 April, Ljubljana

Topics
- PKI and X.509 certificates
- Motivation for the TERENA Server Certificate Project
- What is the project
- Service characteristics
- Why join

PKI in short
- Public key cryptography
  - public key (encryption, signature verification)
  - private key (decryption, signing)
[Diagram: Licia encrypts the message "Dear ... I've arrived in Slovenia.." with Diego's public key; Diego decrypts it with Diego's private key.]
EuroCAMP, 3-5 April Ljubljana, [email protected] nl

Problems
- Public key distribution
- Building trust
- Scalability
Solution: create a hierarchical trust fabric: X.509 PKI

X.509 PKI Infrastructure
- What are the elements
  - Certification Authority (CA): certificate issuer (trusted third party)
  - X.509 certificates: bind the public key to the holder
  - Registration Authority (RA): identity verification
  - End entity: private key holder (machine, end-user)
  - Relying parties: users

Real X.509 certificate usage today
- Grid (closed community)
  - Uses both server and user certs
- Web servers
  - Only server certificates
  - In many cases with the pop-up problem
Large-scale user certificate use: nowhere!

The famous pop-up: PKI problem #1
- Due to the fact that the issuer of the certificate is not trusted by the browsers

TERENA Server Certificate Service
- What is it about?
  - Service... of course ;-) in short SCS
- To issue server certificates
  - popup free
  - unlimited number
  - very low price (price is not per certificate)
- For whom?
  - For the National Research and Education Network community in Europe

When SCS started
- Project started in June 2004
- European NREN PKIs around for ~7 years
  - But still not really deployed
- Anticipated growth in need:
  - AAI middleware services
  - Web-based 'stuff' (mail, e-learning, web services etc.)
  - VPN, email
  - eduroam
- Community needs more server certificates

PKI growth problems
- Pop-up: problem #1
  - Typical for NREN CAs
  - Defeats the security purpose of the certificate
- Costs: problem #2
  - For a large number of server certificates, costs can become a problem

Solution 1
- Fixing the pop-up problem
  - Get the root certificate into the root repositories
  - Requires a WebTrust audit
  - Expensive for an individual NREN PKI (~25.000 first time, annually ~25.000 for the audits, plus all the costs of following the guidelines) --> a CA hierarchy adds to the cost!
- Running a CA: is that so interesting?

Solution 2
- Fixing the costs
  - Try to contract a CA already in the browser
  - Flexibility in the certificate profile definitions
  - Tailored RA procedures
  - No per-certificate costs
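Added example, not part of the slides: the pop-up described above is a chain-validation failure, and both solutions change what the relying party trusts. The script (CA names, the hostname www.example.org and the work directory are constructed) builds an NREN-style root and a stand-in for a root that browsers ship, issues a server certificate under each, and checks each certificate against both trust stores with openssl verify.

```shell
# Added demonstration (not from the slides): the "pop-up" is a chain-validation
# failure. CA names, hostname www.example.org and work dir are constructed.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extension profiles for a CA root and for a server (end entity) certificate.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_root "CN" base: self-signed root CA, written to base.key / base.crt
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config ext.cnf \
        -extensions ca_ext -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" 2>/dev/null
}
# issue_server cabase base host: the CA acts as issuer and signs the server's CSR
issue_server() {
    openssl req -newkey rsa:2048 -nodes -sha256 -config ext.cnf -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 30 -sha256 -extfile ext.cnf -extensions server_ext -out "$2.crt" 2>/dev/null
}
# verify_chain store cert: a relying party (browser) whose trust store is exactly
# `store`. Prints trusted/untrusted and always returns 0 (usable under set -e).
verify_chain() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

make_root "Example NREN CA" nren               # an NREN root: browsers do not ship it
make_root "Example Browser-Trusted CA" browser # stands in for a root browsers do ship
issue_server nren nren-server www.example.org
issue_server browser scs-server www.example.org

echo "NREN cert, browser store only:  $(verify_chain browser.crt nren-server.crt)"
echo "NREN cert, NREN root installed: $(verify_chain nren.crt nren-server.crt)"
echo "cert from a CA in the browser:  $(verify_chain browser.crt scs-server.crt)"
```

The first line is the pop-up case (issuer unknown to the store), the second is Solution 1 (the NREN root added to the store), the third is Solution 2 (a certificate from a CA the browser already trusts).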

Solution 2: the way forward
- 8 NRENs + TERENA combined forces (proposal launched Feb. 2005)
- Investigated the market
- Investigated EU tender guidelines
- Ran a light-weight tender (start Sep 2005)
- Signed a contract (Jan 2006)
- First certificate issued on 16 March 2006!

Who is involved
- ACOnet (.at)
- CARnet (.hr)
- CESnet (.cz)
- RedIRIS (.es)
- RENATER (.fr)
- SURFnet (.nl)
- SWITCH (.ch)
- UNI-C (.dk)
- TERENA: signing party

Service structure
- TERENA contracts with the supplier
  - For an initial one year
  - Possibility to extend the contract
- NRENs contract with TERENA (liability!)
- NRENs are 'delegated RA' for the supplier
- TERENA appoints delegated RAs
- NRENs are responsible for delivering RA services and technical support

Service features
- Re-use of the existing RA organisation
- Certificate profile flexibility (Grids!)
- Electronic RA procedures (under implementation)
- Easy server certificate delivery
- NREN-specific branding!

Benefits for the universities
- Need server certificates to enable SSL/TLS channels
- Very low costs upon agreement with your NRENs

How to join
- Your NREN has to join
- After June 06 we can open the service to new NRENs
  - Some NRENs are already waiting
- There is a fee to pay to join

Conclusion
- To make security tools a normal habit, they need to be easy to use
  - SCS is easy
- SCS proves how a 'federated' approach has solved a big problem
- We got a cool service
- http://www.terena.nl/activities/tf-emc2/scs.html