

  • Number of slides: 15

NECTEC-GOC CA
The 3rd APGrid PMA face-to-face meeting, June 4, 2007
Suriya U-ruekolan, National Electronics and Computer Technology Center, Thailand

NECTEC-GOC CA Organization (slide 2)
» GRID CA PMA: Policy Management Authority
» CA Manager: administrates all tasks on the CA system
» RA Operator:
  § Accepts and verifies the User Application form
  § Checks the Certificate Signing Request form
  § Informs the CA to issue the certificate
» CA Operator:
  § Issues certificates
  § Manages the CA and RA servers
  § Maintains the CA system
  § Manages the CA private key

Update: NECTEC GOC CA Status (slide 3)
» Accredited at Production Level by APGrid PMA in October 2006.
» Bundled with the IGTF CA distribution.
» Started operation in January 2007.
» Web repository moved from ThaiSarn to the NECTEC local network for better stability.

Issued Certificate Status (slide 4)
» No certificates have been issued yet.
» NECTEC GOC CA issues certificates to collaborators related to NECTEC Grid Computing research:
  § Computational Fluid Dynamics Grid projects.
  § Information Grid project.

Plan (slide 5)
» NECTEC GOC CA plans to:
  § Draft the CP/CPS according to RFC 3647 in October 2007.
  § Perform an internal audit after the CP/CPS has been drafted.

Detailed report on compliance with the latest Classic Authentication Profile (slide 6)

Identity and End-Entity Certificate Expiration (slide 7)
» User and Grid Host Certificate:
  § The subscriber meets in person with the RA Operator.
  § The RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x].
  § The RA communicates with the CA by signed e-mails.
» NECTEC GOC CA uses the re-key certificate method.

Operation Requirements (slide 8)
» CA Server:
  § Stored in a safe deposit box protected by a six-digit code.
  § Not connected to a network of any sort.
  § Located in a room restricted to the CA Operator during its operations.
» CA private key:
  § Key length 2048 bits and lifetime 10 years.
  § Protected by a 15-character passphrase.
  § Backed up on a USB drive and stored in the safe box by the CA Operator.

CP/CPS Identification (slide 9)
» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527 (planned redraft according to RFC 3647 in October 2007)
» Managed by the NECTEC GRID PMA
» Changes in content need to be approved by the NECTEC GRID PMA

Certificate and CRL Profile (1) (slide 10)
» CA's Certificate:
  § DN: C=TH, O=NECTEC, OU=GOC, CN=NECTEC GOC CA
  § Signature Algorithm: sha1WithRSAEncryption
» Extensions field:
  § basicConstraints (critical): CA:TRUE
  § keyUsage (critical): digitalSignature, cRLSign, keyCertSign

Certificate and CRL Profile (2) (slide 11)
» End-Entity Certificate:
  § Key length 1024 bits and lifetime 13 months.
» Extensions field:
  § basicConstraints (critical): CA:false
  § keyUsage (critical): nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment (User Certificate); digitalSignature, keyEncipherment, dataEncipherment (Host Certificate)
  § policyIdentifier: OID (refer to CPS 1.2)
  § cRLDistributionPoints: URI of the CRL
  § subjectAltName: e-mail address of the user (User Certificate)
  § subjectAltName: FQDN (Host Certificate)
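To make the end-entity profile above checkable, the following Go example (added here, not NECTEC's code) tests a parsed certificate against it and self-signs a sample user certificate to exercise the check. CheckEndEntity and IssueSample are hypothetical names; the e-mail address, CRL URL, serial number, empty subject DN and self-signed issuer are constructed stand-ins, and the policyIdentifier OID is not checked.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// CheckEndEntity lists deviations from the slide-11 end-entity profile: CA:false, the stated keyUsage
// bits, a 1024-bit RSA key, at most 13 months of validity, a CRL distribution point and the right SAN.
func CheckEndEntity(c *x509.Certificate, host bool) (bad []string) {
	check := func(ok bool, msg string) {
		if !ok {
			bad = append(bad, msg)
		}
	}
	hostBits := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment
	userBits := hostBits | x509.KeyUsageContentCommitment // ContentCommitment is Go's name for nonRepudiation
	check(c.BasicConstraintsValid && !c.IsCA, "basicConstraints CA:false missing")
	check(host && c.KeyUsage == hostBits || !host && c.KeyUsage == userBits, "keyUsage bits differ from profile")
	check(c.PublicKeyAlgorithm == x509.RSA && c.PublicKey.(*rsa.PublicKey).N.BitLen() == 1024, "key must be 1024-bit RSA")
	check(!c.NotAfter.After(c.NotBefore.AddDate(0, 13, 0)), "lifetime exceeds 13 months")
	check(host && len(c.DNSNames) > 0 || !host && len(c.EmailAddresses) > 0, "subjectAltName lacks FQDN (host) or email (user)")
	check(len(c.CRLDistributionPoints) > 0, "CRLDistributionPoints missing")
	return bad
}

// IssueSample self-signs a user certificate from constructed sample values (not a NECTEC-issued cert).
func IssueSample(bits, months int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now, NotAfter: now.AddDate(0, months, 0),
		KeyUsage:     x509.KeyUsageContentCommitment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		BasicConstraintsValid: true, // IsCA stays false, so CA:false; Go marks the extension critical
		EmailAddresses:        []string{"user@example.org"},
		CRLDistributionPoints: []string{"http://gridca.example.org/crl.pem"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running the same sample through the host profile reports the user-only nonRepudiation bit and the missing FQDN, which is the distinction the slide draws between the two certificate types.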

Certificate and CRL Profile (3) (slide 12)
» Complies with RFC 3280.
» CRL profile:
  § Basic fields: Version 2; algorithmIdentifier: SHA1
  § Extensions field: cRLNumber (integer); distributionPointName: URI of the CRL

CRL (slide 13)
» CRL validity is 30 days.
» A new CRL is issued:
  § 7 days before expiration of the previous one.
  § Immediately after a certificate revocation.
» Published in the web repository.
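The CRL schedule above and the CA profile of slide 10, as an added Go example (not NECTEC's code): IssueCRL signs a 30-day CRL carrying a cRLNumber with a constructed CA shaped like the slide-10 DN and keyUsage, and CRLDue applies the 7-days-before-expiry and revocation rules. IssueCRL and CRLDue are hypothetical names, the CA key is freshly generated rather than the NECTEC key, and signatures use Go's default sha256WithRSAEncryption rather than the sha1WithRSAEncryption named on slide 10.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Slide 13: a CRL is valid for 30 days and a new one is issued 7 days before the old one expires.
const crlValidity, reissueLead = 30 * 24 * time.Hour, 7 * 24 * time.Hour

// CRLDue reports whether to publish a fresh CRL now: within 7 days of nextUpdate, or after a revocation.
func CRLDue(current *x509.RevocationList, now time.Time, revokedSinceIssue bool) bool {
	return revokedSinceIssue || !now.Before(current.NextUpdate.Add(-reissueLead))
}

// IssueCRL signs a 30-day CRL over the given serials with a constructed CA (sample key, slide-10 DN and keyUsage).
func IssueCRL(now time.Time, number int64, revoked []int64) (*x509.RevocationList, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"TH"}, Organization: []string{"NECTEC"}, OrganizationalUnit: []string{"GOC"}, CommonName: "NECTEC GOC CA"},
		NotBefore:    now, NotAfter: now.AddDate(10, 0, 0), // slide 8: ten-year CA lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true, // critical basicConstraints, CA:TRUE
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER) // parsed form carries the SubjectKeyId CreateRevocationList needs
	if err != nil {
		return nil, err
	}
	crl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(crlValidity)}
	for _, s := range revoked {
		crl.RevokedCertificateEntries = append(crl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}
```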

Publication and Repository (slide 14)
» The NECTEC GOC CA repository consists of:
  § CP/CPS.
  § CA's certificate (DER, CRT and PEM formats).
  § CRL (DER, PEM and r0 formats).
  § Application form, user guide and contact information.
» http://gridca.hpcc.nectec.or.th

END (slide 15)
Any comments or suggestions?