
  • Number of slides: 17

Status of the Validation and Authentication service for TACAR and Grids. www.certiver.com Assuring e-Trust always 1

Summary
• OCSP Requirements for Grids
• CertiVeR's features
  – OCSP Client
  – OCSP Service
• Future
• Questions

OCSP Requirements for TACAR
• Centralized OCSP service for all the hierarchies
• Centralized root certificate management
• The service should be able to sign the response for each CA with an authorized certificate (Authorized responder mode)

OCSP Validation for Grids
• Grids' special requirements for OCSP services: discoverable, fault tolerant, low latency, CA interoperability, etc.
• GGF's CAOPS-WG has been working on the document "OCSP Requirements for Grids".
• Such document provides information on:
  – OCSP Client Requirements,
  – OCSP Responder Requirements,
  – CA/Certificate Issuer Requirements and
  – OCSP Service Architecture.

Client current status

OCSP Client requirements for Grids
A. Revocation source requirements:
  1. Several sources (OCSP, CRL, AIA) and query order.
  2. Adoption of http and https.
B. Fault-tolerant requirements:
  1. Multiple service invocation.
  2. Caching of OCSP Responses.
C. Security requirements:
  1. Nonce usage.
  2. OCSP Request signing.
D. Error handling (i.e. Try Later, Respond with final status, etc.)
E. OCSP Extension handling.
F. "Unknown" status code handling for Proxy and Non-Proxy Certificates.

GridOCSP Client API - features
• Open source code for Globus TK 4 about to be released.
• Implements an XML-based OCSP Policy that supports:
  A.1 Several revocation sources: OCSP only, others 4Q05
  A.2 Adoption of http and https: Yes
  B.1 Multiple service invocation: Yes
  B.2 Caching of OCSP Responses: 4Q05
  C.1 Nonce usage: Yes
  C.2 OCSP Request signing: Yes
  D Error handling: Yes
  E Extension handling: Yes
  F User proxy certificate handling: Yes
• The policy file used by our client allows for the definition of per-Issuer rules or a default behavior for each feature. Each VO could place such file on a specific URI for all its clients.
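As an added example (not CertiVeR's GridOCSP client code), a policy-driven validation loop in Python covering the client requirements of the previous slide that this slide marks as implemented: per-Issuer rules over a default, ordered revocation sources, nonce checking, Try Later handling and "unknown" handling for proxy versus non-proxy certificates. The XML layout, attribute names and the source callables are assumptions, since the page does not reproduce the client's real policy file.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed policy file: the page does not reproduce the client's real XML
# schema, so these element and attribute names are assumptions of this example.
POLICY_XML = """<ocspPolicy>
  <default sources="ocsp,crl" nonce="true" onTryLater="nextSource"
           unknownProxy="revoked" unknownNonProxy="unknown"/>
  <issuer dn="CN=Grid CA" sources="ocsp" onTryLater="respondFinal"/>
</ocspPolicy>"""

class TryLater(Exception):
    """Raised by a source when the responder answers with OCSP tryLater."""

def load_policy(xml_text):
    """Return (default rules, {issuer DN: overriding rules})."""
    root = ET.fromstring(xml_text)
    default = dict(root.find("default").attrib)
    per_issuer = {e.get("dn"): {k: v for k, v in e.attrib.items() if k != "dn"}
                  for e in root.findall("issuer")}
    return default, per_issuer

def effective_policy(policy, issuer_dn):
    """Per-Issuer attributes override the default ones, feature by feature."""
    default, per_issuer = policy
    merged = {**default, **per_issuer.get(issuer_dn, {})}
    merged["sources"] = [s.strip() for s in merged["sources"].split(",")]
    merged["nonce"] = merged["nonce"] == "true"
    return merged

def validate(policy, issuer_dn, serial, is_proxy, sources):
    """Query the sources in policy order; each is f(serial, nonce) -> (status,
    nonce_echo) with status good/revoked/unknown, or it raises TryLater."""
    p = effective_policy(policy, issuer_dn)
    for name in p["sources"]:
        # A nonce only makes sense on a live OCSP request (C.1), not a CRL lookup.
        nonce = secrets.token_hex(8) if p["nonce"] and name == "ocsp" else None
        try:
            status, echo = sources[name](serial, nonce)
        except TryLater:                 # D: error handling as the policy dictates
            if p["onTryLater"] == "nextSource":
                continue
            return "error:tryLater"      # respond to the caller with a final status
        if nonce is not None and echo != nonce:
            return "error:nonce"         # replayed or unrelated response; distrust it
        if status == "unknown":          # F: proxy and non-proxy certs differ
            return p["unknownProxy"] if is_proxy else p["unknownNonProxy"]
        return status
    return "error:noSource"              # every configured source was exhausted
```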

GridOCSP Client – policy definition e.g. (I)
<?xml version=

GridOCSP Client – policy definition e.g. (II)

Server Current Status

OCSP Responder requirements for Grids
A. Performance:
  1. Scalability: To cover for growth in terms of
    • Client requests.
    • Revocation sources.
  2. Use of cryptographic hardware.
B. Flexibility:
  1. Revocation source requirements.
  2. Support different operation modes:
    1. Transponder mode.
    2. Trusted Responder mode.
    3. Authorized Responder mode.
  3. Coverage of proxy certificates revocation is a recommended feature.
C. Reliability
  1. Fault-tolerance is a recommended feature.

OCSP Service client scalability and reliability
• Intrasite – Using balanced NAT
• Extrasite – Using balanced DNS with very low persistence

OCSP Service – revocation source scalability
• CertiVeR v4 can set N Updater processes in order to push DeltaCRLs from the CAs
[Diagram: CA/RA → ΔCRL / CRL → CRL Updater → Cert Status Database → Cert Status LDAP → OCSP Responder]
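As an added example, not CertiVeR's CRL Updater code: the merge step an Updater process would perform when pushing a DeltaCRL from a CA into the Cert Status Database, written in Python with RFC 5280's base-number and removeFromCRL rules for delta CRLs. The StatusDB class, the serial numbers and the CRL numbers are constructed for this example.

```python
# Added example, not CertiVeR's CRL Updater. Serial numbers, CRL numbers and
# timestamps used with this class are constructed.
class StatusDB:
    """Per-CA certificate status store keyed by certificate serial number.

    Fed only from CRLs, it can answer good or revoked; it never sees the list
    of issued serials that an "unknown" answer would need.
    """
    def __init__(self):
        self.crl_number = None   # CRL number the current state is equivalent to
        self.revoked = {}        # serial -> (revocation time, reason)

    def apply_full_crl(self, crl_number, entries):
        """entries: iterable of (serial, time, reason); replaces the whole state."""
        self.revoked = {s: (t, r) for s, t, r in entries}
        self.crl_number = crl_number

    def apply_delta_crl(self, base_number, delta_number, entries):
        """Merge a DeltaCRL issued against base CRL number `base_number`.

        Follows the RFC 5280 rules: the delta fits only if our state is at
        least as new as its base and older than the delta itself; an entry
        with reason removeFromCRL releases a certificate that was on hold.
        Returns False, changing nothing, when the delta cannot be applied.
        """
        if self.crl_number is None or base_number > self.crl_number:
            return False   # we lack the base CRL: fetch a full CRL first
        if delta_number <= self.crl_number:
            return False   # already covered by what we hold
        for serial, when, reason in entries:
            if reason == "removeFromCRL":
                self.revoked.pop(serial, None)
            else:
                self.revoked[serial] = (when, reason)
        self.crl_number = delta_number
        return True

    def status(self, serial):
        """The answer the OCSP Responder serves from this store."""
        return "revoked" if serial in self.revoked else "good"
```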

OCSP Service – Flexibility
[Diagram, courtesy of CAOPS-WG]

New CertiVeR service available!
• A new service - CertiVeR v4 - has been implemented covering the required features for Grids. Such service has just passed the Beta tests and it is available at:
  – http://globus-grid.certiver.com
  – http://tacar.certiver.com
• Current features of the new service:
  A.1 Scalability: Limited during pilot
  A.2 Use of cryptographic hardware: Not during pilot
  B.1 Revocation source requirements: Yes
  B.2 Operation mode (Trusted, Authorized and Transponder): All except Transponder mode during pilot
  B.3 Coverage of proxy certificates: Yes
  B.4 Extension handling: Yes
  C.1 Fault-tolerance: Not during pilot

The next steps...
• Release of client open source code
• Dissemination and Validation of the service
  – Provision of pilots for Grid and Tacar CAs
• Technical improvements
  – Addition of servers in order to improve scalability and fault-tolerance
  – Use of cryptographic hardware
  – Setting up of Transponder connections
  – DeltaCRL push mechanism to be directly provided to each CA

For information about revocation services, try our demo at: http://www.certiver.com