

Number of slides: 23

EUGridPMA status and updates
David Groep, TAGPMA Ottawa Summit 2006

Items
· EUGridPMA latest overview
· New CAs and issues emanating from them
· Classic AP Update proposals
· Certificate Profile
· Miscellaneous ‘stuff’
David Groep – davidg@eugridpma.org, EUGridPMA Status Update, TAGPMA Ottawa 2006

Coverage of the EUGridPMA
Green: countries with an accredited CA
· 23 of 25 EU member states (all except LU, MT)
· + AM, CH, HR, IL, IS, NO, PK, RU, TR, “SEE-catch-all”
Other accredited CAs:
· DOEGrids (.us)
· GridCanada (.ca)
· CERN
Find-your-CA clickable map at http://www.eugridpma.org/members/worldmap/

New applicants and updates
New CAs:
· CERN-IS
  · a bit special …
· SRCE Croatia
  · traditional classic CA
Upcoming:
· Romania (ROSA)
CA modifications:
· General trend: move to an on-line CA with an off-line root
· UK eScience CA
· HellasGrid CA
· AustrianGrid CA

CERN-IS CA Application
· CERN-IS
  · successor to the current CERN CA
  · to issue long-lived certificates, but based on identity vetting that is ‘time-shifted’ with respect to the certificate issuance
· certificate issuance based on authenticating to the HR database (the CERN identity management system), using two independent credentials
  · username/password stored in Active Directory; plus
  · the date of birth stored in the HR database
· identity vetting for this HRDB based on periodic (2-yearly) personal appearance in front of the RA office with a passport
· same IdM (but just the username/password auth) used to authenticate for financial transactions and salary payments; so the CA issuance is marginally stronger than that by requiring a second item, the DoB

CERN-IS Architecture
· on-line CA architecture
· Windows Server 2003 CA as web front-end (IIS)
· HSM on a different machine (also 2003 Server), connected to the front-end via a private, monitored network
Viewgraph: Emmanuel Ormancey, Alberto Pace, CERN-IT/IS

CERN-IS CA Accreditation discussion
· The CERN-IS CA is a stretch for the Classic Profile, but with appropriate interpretation of the “should”s it still ‘kind of’ fits
  · issues long-term certs & host certs, so does not match SLCS either
  · the new MICS profile seems a good fit
· discussion on both IdM and technical protection has resulted in (many) proposals for profile changes
· technical changes have been implemented to make the process secure and auditable
  · a highly protected on-line CA architecture was a hard requirement:
    · either a dedicated link between the web front-end and the HSM hosting system
    · or on the same machine, but behind a two-layered firewall with a (monitored!) IDS on the segment
  · the aim was to make sure that, in case of compromise, at least a list of ‘bad’ certs can be made in a reasonably tamper-proof way
  · specifics proposed in the new draft of the Classic Profile
· the EUGridPMA agreed at its F2F not to stall the accreditation of this particular CA while we are discussing new profiles

Proposed Changes to the Classic AP
· clarify the process needed for violating a ‘SHOULD’
· FQDN ownership
· add the need to describe how subscriber status changes are communicated to the CA/RA
· time-separated identity-vetting info protection/use **
· list approved on-line CA architectures
  · the ‘tamper-proof log’ may still be impossible to implement, but a near-tamper-proof log may be possible
· refer to the cert profile guidelines
· clarify due diligence for end-entities
  · take a strong password
  · initiate revocation in a timely fashion
See http://www.eugridpma.org/temporary/ for the drafts

Classic AP Update: SHOULD
· Latest proposed text (1 Introduction)

Classic AP Update: FQDN ownership
· Latest proposed text (3.1 Identity Vetting)
· Move the burden of description to the CP/CPS
· The per-CA implementation should be reviewed for adequacy by the PMA at accreditation time

Classic AP Update: subscriber status changes
· Latest proposed text (3.1 Identity Vetting)
· Intended to address periodic (yearly) checking by the RA whether the subscriber data are still correct. In the case of SLCS or MICS this is likely done anyway, but in the classic case, contact between subscriber and CA/RA may be scarce
· Leave the precise definition out, but require a description of the process in the CP/CPS
  · e.g. asking the RA at the yearly re-keying time whether he/she still knows the subscriber …

Classic AP Update: identity management systems for time-shifted vetting operation **
· Latest proposed text (3.1 Identity Vetting)
· text may be (more!) relevant to the proposed MICS profile
· key element: the IdM should be a highly trusted one at the organisation, and appropriately managed and kept up-to-date
· the face-to-face requirement is there, and for a reason!

Classic AP Update: CSR linkage
· Latest proposed text (3.1 Identity Vetting)
· this text might have prevented the repeated discussion regarding ‘weakly-linked’ CSRs, where no shared data links the electronic CSR to the actual identity vetting

Classic AP Update: CA Architectures
· Latest proposed text (4 Operational Requirements)
· distinguish clearly between on-line and off-line CAs, and make clear that both are allowed; definition of terms
· needed in order to then describe pre-validated on-line architectures …

Classic AP Update: on-line CAs
· Latest proposed text (4 Operational Requirements)
· HSM FIPS 140-2 level 3 operation (but the certification statement accompanying the HSM may be level 2)
· make clear that the highly-monitored environment must be reviewed and approved by the PMA
· two pre-selected environments mentioned explicitly

Classic AP Update: on-line CA architectures
· Latest proposed text (4 Operational Requirements)
· Model A: HSM on a separate machine, not the (web) front-end, linked via a dedicated monitored network that only carries the signing requests (NIIF, CERN-IS)
· Model B: HSM on the front-end, but the front-end isolated from the non-exclusive network by two firewalls, and the intermediate network link actively monitored with IDS capability (DOEGrids)
· or come up with a new architecture, but then you have some convincing of a PMA to do for the coming time …

Classic AP Update: tamper-proof log?
· Latest proposed text (4 Operational Requirements)
· intent of this proposal
  · there may be (and likely will be) a compromise
  · if you log directly from the HSM to paper or WORM, at least you know which of the issued EE certs were involved in the compromise
· this is also the reason for the complicated on-line architectures
  · (invisible) monitoring of the link between the web front-end and the signing system with the HSM, capturing all signing requests sent across, accomplishes the same thing (i.e. using a fibre splitter at layer 1 and capturing all traffic)
  · that’s why the signing box should not be directly on a user-accessible network
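The intent described above, as an added example that is not from the presentation or from any CA's own tooling: signing requests captured on the monitored front-end/HSM link are kept as a hash-chained (near-tamper-proof) log, and the CA's issued-certificate database is reconciled against it, so certificates that never passed over the monitored path stand out as the ‘bad’ list. All request and certificate records below are constructed, and field names such as `spki_sha256` are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first log entry

# Constructed sample data: requests seen on the monitored link, and the
# CA database of issued EE certificates. Serial 0x1003 was never seen on
# the link, i.e. it was produced without passing the monitored path.
REQUESTS = [
    {"ts": "2006-09-01T10:00:00Z", "subject": "/DC=ch/DC=cern/CN=Alice", "spki_sha256": "aa" * 32},
    {"ts": "2006-09-01T10:05:00Z", "subject": "/DC=ch/DC=cern/CN=Bob", "spki_sha256": "bb" * 32},
]
ISSUED = [
    {"serial": "0x1001", "subject": "/DC=ch/DC=cern/CN=Alice", "spki_sha256": "aa" * 32},
    {"serial": "0x1002", "subject": "/DC=ch/DC=cern/CN=Bob", "spki_sha256": "bb" * 32},
    {"serial": "0x1003", "subject": "/DC=ch/DC=cern/CN=Mallory", "spki_sha256": "cc" * 32},
]

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def chain_log(requests):
    """Append-only log: each entry carries the hash of its predecessor, so
    editing or deleting an earlier entry breaks every later hash."""
    log, prev = [], GENESIS
    for req in requests:
        record = {**req, "prev": prev}
        entry = {**record, "hash": _digest(record)}
        log.append(entry)
        prev = entry["hash"]
    return log

def verify_chain(log):
    """Return the index of the first entry whose link is broken, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if record.get("prev") != prev or _digest(record) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def reconcile(issued, log):
    """Serials of issued certs with no matching logged signing request:
    the 'bad' list to publish/revoke after a front-end compromise."""
    seen = {(e["subject"], e["spki_sha256"]) for e in log}
    return [c["serial"] for c in issued if (c["subject"], c["spki_sha256"]) not in seen]

if __name__ == "__main__":
    log = chain_log(REQUESTS)
    print("chain intact:", verify_chain(log) == -1)
    print("certs with no logged request:", reconcile(ISSUED, log))
```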

Classic AP Update: Certificate Profile
· Latest proposed text (4.3 Certificate and CRL Profile)
· as we learned more about certs and our middleware, we now know better what to do and what to avoid
· making ‘useless’ EE certs
  · does nobody any good
  · causes problems in the CA distribution
  · overloads the support channels for both (grid) projects and the PMAs
· guidance document draft available (target audience: IGTF and CAOPS-WG)

Classic AP Update: Subscribers
· Latest proposed text (9.1 Due diligence for EE)
· incorporates some text moved from 4.4 (Revocation)
· is not enforceable, but it’s also a pity to lose this guidance text

Certificate Profile
· See separate presentation

Miscellaneous Services
· OID Registry for the IGTF on the web: http://www.eugridpma.org/objectid/
· Find-Your-CA clickable map: http://www.eugridpma.org/members/worldmap/
· Subject Locator: http://www.eugridpma.org/showca
· Member status: http://www.eugridpma.org/membersfull
· CA status: http://signet-ca.ijs.si/nagios/ (user guest: guest)
· Wiki: https://grid.ie/eugridpma/wiki/ (register with David OC)

Other Items
· CA monitoring
  · still a large number of ‘almost expiring’ CRLs
  · Reminders get sent, but I still have to send too many …
· eduroam™ interoperation
  · use EAP-TLS 802.1X authentication using your IGTF certificate
  · eduroam test domain “hellasgrid.gr”
  · as matching is on CN only (a FreeRADIUS limitation that is already being addressed), registration is necessary
  · pilot service only
  · the Windows XP built-in 802.1X client violates policy
· OIDs
  · prepare to add additional policy OIDs to EE certificates, indicating e.g. IGTF profiles or 1SCPs

Q?