

• Number of slides: 22

UK e-Science Certification Authority Status and Deployment

Structure of CA
User -> Request -> RA -> Approved Request -> CA -> Certificate
RA = Registration Authority
CA = Certification Authority
HEPSYSMAN UCL, 26 Nov 2002. Jens G Jensen, CLRC/RAL

Certificate
A certificate ties together a string, a public key, some other stuff and extensions
• The string is the Distinguished Name, which can be used to uniquely identify the user (i.e., the owner of the corresponding private key)
• The public key corresponds to the user's private key (RSA)
• Other stuff specifies lifetime of certificate, issuer, etc.
• Extensions specify e.g. which things the certificate can be used for.

The Distinguished Name
• Contains the user's name (verified by RA)
• Also identifies the RA that approved the original request
• No project information in the DN
  – Must not authorise based on DN alone
• BUT: the name establishes only reasonable identity of the user (more than one Joe Smith?)
• BUT: (ideally) the name should be used for authentication only, not identification
  – Should be seen as a string tied to the key
  – Every time someone connects with this string, you can be assured it's the same user

The Registration Authority
• RAs are trusted to approve (or reject) requests from users
• Therefore it was felt that RAs should be formally appointed
• RAs are local to users
More about RAs and appointment later.

Identification of users
• Users must show photo ID to RA.
• The reason for this is:
  – We promise to verify the name in the DN
  – We aim to be (are) a medium assurance CA as defined by the latest GridForum policy draft (v6)
  – We aim to be (are) a medium level CA according to the DFN (Deutsches Forschungsnetz)

External Policies and Recommendations
Strong policy
• Harder to get certificate
• But easier to have certificates accepted by Relying Parties
Weak policy
• Easy to get certificate
• Harder to persuade admins to accept certificate for authentication purposes

Status
• New e-Science CA being deployed
• UKHEP CA will be terminated
• UKHEP certificates will be allowed to expire
• UKHEP still issues certificates for users not yet covered by new CA

25 November 2002
• 170 certificates
• 10 RA managers + 15 operators
• Issuing 50 certs / month
• Adding 3 RAs / month
• Adding 6 RA operators / month

What's done
• Software (OpenCA based) installed
• Keys generated
• Some RAs appointed, certificates issued
• CA staff trained
• Close-to-final CP/CPS issued
• Physical security implemented

What's currently being done
• New RAs being appointed and trained
• CP/CPS being updated to reflect proposed change in extensions
• RA and CA procedures being reviewed: must ensure that they conform to the CPS

What else must be done
• Must issue final CP/CPS
• Approval as DataGrid CA (December)
• Take over RAs from UKHEP
• Then: announce deployment!

Renewal
• Should send email reminder to user 30 days before expiry (with instructions)
• Procedure doesn't exist yet
• Easy with OpenSSL, but how to do it with the web interface?
• Must issue certificate with same DN as an existing certificate...

(Proposed) extensions
• basicConstraints (critical): not CA
• keyUsage (critical) [interpretation sometimes woolly!]:
  – nonRepudiation: used to verify digital signatures in repudiation services
  – digitalSignature: private key is used for signatures (not certificates or CRLs!!), e.g. SSL client, entity authentication
  – keyEncipherment: public key is used for key transport, e.g. email encryption, SSL server
  – keyAgreement: used to agree e.g. a symmetric key between client and server

More (proposed) extensions
• certificatePolicies: policyIdentifier (OID)
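As an added example (not from the slides or the CA's own tooling), this mints an end-entity certificate carrying the proposed basicConstraints, keyUsage and certificatePolicies extensions with the openssl command line, then performs the checks a relying party should make: the extension checks from these two slides, and the "authenticate on the DN string, authorise from a local mapping, never from DN fields" rule from the Distinguished Name slide. The DN values, the policy OID and the DN-to-account mapping are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: mint an end-entity certificate carrying the (proposed) extensions
# from the slides, then run the checks a relying party should make before trusting it.
# DN layout follows "RA Appointment 1" (OU=Institution, L=Department); all names,
# the policy OID and the DN-to-account mapping are placeholders, not the real CA's values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/user.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C  = UK
O  = eScience
OU = ExampleInstitution
L  = ExampleDepartment
CN = joe smith
[ user_ext ]
# placeholder policy OID; a CA publishes its real one in the CP/CPS
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyAgreement
certificatePolicies = 1.3.6.1.4.1.99999.1
EOF
# Self-signed stands in for the CA's signature; the extension checks are the same either way.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/user.cnf" \
  -extensions user_ext -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
CERT="$WORK/cert.pem"

# basicConstraints must be critical and say CA:FALSE: a user certificate may not issue certificates.
check_not_ca() { openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints: critical' | grep -q 'CA:FALSE'; }
# keyUsage must be critical and carry the bit the relying party needs ($2 spelled as openssl prints it).
check_key_usage() { openssl x509 -in "$1" -noout -text | grep -A1 'Key Usage: critical' | grep -q "$2"; }
# The DN is a string tied to the key: treat the whole string as the authenticated identity.
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
# Authorisation comes from a local mapping of DN string -> account (constructed, one line here);
# OU and L name the RA, not a project, so no DN field is ever used to grant access.
authorise() {
  printf '%s\n' "CN=joe smith,L=ExampleDepartment,OU=ExampleInstitution,O=eScience,C=UK jsmith" \
    | awk -v dn="$1" '{ k = $0; sub(/ [^ ]*$/, "", k); if (k == dn) { print $NF; found = 1 } } END { exit !found }'
}

check_not_ca "$CERT" && check_key_usage "$CERT" 'Digital Signature' || exit 1
DN=$(subject_dn "$CERT")
echo "authenticated as: $DN"
echo "local account: $(authorise "$DN")"
```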

RA structure (within a Department)
Head of Department -> Manager -> Operator (arrows denote appointment)
Operators verify users' requests

RA Appointment 1
• Agree Name with CA (manager)
• OU and L identify the RA, not the project: OU=Institution, L=Department in which the RA is appointed

RA Appointment 2
RA Manager is appointed by Head of Department
The Manager is responsible for the operations of the RA

RA Appointment 3
RA Manager appoints RA Operators
RA Operators approve requests for Users
Operators must have certificates

RA Appointment 4
Grid Support Centre offers training courses for RA Operators
RA Operators are expected to know the system and to be able to advise Users
Next training course: 18th December 2002

RA Appointment 5
RA Operators then approve requests from Users

Contacts
• Web site: http://www.grid-support.ac.uk/ca/
• Training courses
  – Alistair Mills, a.b.[email protected] ac.uk
• Setting up RAs
  – Alistair Mills, a.b.[email protected] ac.uk
  – Jens G Jensen, j.[email protected] ac.uk
  – David Boyd, d.r.s.[email protected] ac.uk
• Anything else
  – Jens G Jensen, j.[email protected] ac.uk
  – [email protected] ac.uk