8bac4880827558d25fa5396450caa449.ppt
- Number of slides: 18
Community PKIs Initiatives Updates
TF-EMC2 Meeting, Loughborough, UK, 6-7 May 2009
Licia Florio, TERENA, florio@terena.org
Aim of the work item
› Overseeing the patterns of usage and emerging technologies that might be relevant to support NREN services;
› Proposing enhancements for the current PKI services;
› Promoting the current PKI services to other communities.
PKI Initiatives
› SCS service:
  › Soon to be known as TCS;
› TERENA MICS/SLCS Pilot Service Project
› TACAR
TERENA Certificates Service
SCS / TCS
› Current SCS:
  › Provided by GlobalSign BV;
  › Only SSL server certs;
  › More than 20,000 certs issued;
  › Operating till March 2010;
› New SCS service:
  › Comodo CA;
  › Expected to start in May 2009;
  › Model:
    › Yearly flat fee per NREN;
    › TERENA is the contractual party;
    › A dedicated TERENA sub-CA;
  › Participating NRENs can also buy client certificates and code-signing certificates:
    › Upon an extra flat fee;
› TCS: TERENA Certificate Services
Who is in SCS
› Participants:
  › Switzerland out;
  › Greece and Finland will now participate.
What has been done
› Lots of work spent on certificate profiles:
  › Finally ready since last Friday;
  › Profiles also for e-Science server and client certs;
› Test CA expected in 10 days:
  › To test certificates and interfaces;
› Writing the CPS for the TERENA sub-CA:
  › The first version of the CPS will only cover SSL server certs;
  › Client and code-signing cert procedures will be addressed later.
What's next
› Test phase:
  › Two-week test period;
› Launching the SSL server certs:
  › Available to all participating NRENs;
› More work on the API:
  › The current prototype does not cover client and code-signing certs;
› Accreditation with the EUGridPMA
A new PKI Service
TERENA MICS/SLCS Pilot Service Project
› Aim:
  › Establish a shared SLCS/MICS pilot service for the (European) e-Science Grid community, under the TERENA umbrella.
› SLCS/MICS CA serving all participating countries;
› EUGridPMA accreditation;
› Allow for scalability;
› The service will issue X.509 certs to persons:
  › No hosts
Grid CA Management
› Grid uses X.509 certs as authN credentials;
› Three types of certs are possible:
  › Classic
  › Short Lived Credential Service (SLCS)
  › Member Integrated Credential Service (MICS)
› Grid CAs have to be accredited by the IGTF:
  › EUGridPMA (Europe)
  › TAGPMA (Americas)
  › APGridPMA (Asia-Pacific)
What are SLCS/MICS certs?
› Vetting process and cert lifetime differ:
› Classic:
  › Face-to-face verification of end-entities needed;
  › Manual process at RA level;
  › Cert validity: 13 months, but renewal of certs possible without new face-to-face validation.
› SLCS/MICS:
  › Vetting process relies on the existing AAI framework;
  › User authenticates to the CA using an existing electronic identity;
  › This identity is mapped into a Grid cert;
  › SLCS certs are valid for 10 days;
  › MICS certs are valid for 13 months.
Benefits of an EU SLCS/MICS Service
› How many SLCS CAs does Europe need? ;)
› Share operational cost and effort (!)
› Continued operational PKI skills only needed in one place;
› Very attractive for countries with limited resources.
More about the service
› Use a specific federation attribute to decide on SLCS or MICS eligibility:
  › According to the rules defined by the EUGridPMA SLCS/MICS profiles
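The issuance decision sketched on the two slides above (federation attribute selects the profile, profile bounds the lifetime: 10 days for SLCS, 13 months for MICS), as an added example that is not code from the slides or from the pilot project. The attribute name, the entitlement URNs and the precedence of MICS over SLCS are assumptions of this example, not EUGridPMA rules.

```python
import calendar
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed: eligibility arrives as eduPersonEntitlement values from the federation.
# The URNs are constructed placeholders, not real EUGridPMA identifiers.
ENTITLEMENT_ATTR = "eduPersonEntitlement"
PROFILE_BY_ENTITLEMENT = {            # listed MICS first: it wins when both are asserted
    "urn:example:grid:mics": "MICS",
    "urn:example:grid:slcs": "SLCS",
}

def utc(year: int, month: int, day: int) -> datetime:
    """Aware UTC timestamp at midnight; certificate times are always UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month_index = when.month - 1 + months
    year, month = when.year + month_index // 12, month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)

def max_not_after(profile: str, not_before: datetime) -> datetime:
    """Latest notAfter the profile allows for a cert whose validity starts at not_before."""
    if profile == "SLCS":
        return not_before + timedelta(days=10)       # slide: SLCS certs valid 10 days
    if profile == "MICS":
        return add_months(not_before, 13)            # slide: MICS certs valid 13 months
    raise ValueError(f"unknown profile {profile!r}")

def select_profile(attributes: dict) -> Optional[str]:
    """Map the asserted federation attribute to a profile; None means not eligible."""
    asserted = set(attributes.get(ENTITLEMENT_ATTR, ()))
    for urn, profile in PROFILE_BY_ENTITLEMENT.items():
        if urn in asserted:
            return profile
    return None

def conforms(profile: str, not_before: datetime, not_after: datetime) -> bool:
    """True if a requested validity window stays within the profile maximum."""
    return not_before < not_after <= max_not_after(profile, not_before)

def issue_window(attributes: dict, now: datetime) -> Optional[Tuple[str, datetime, datetime]]:
    """Full decision: the profile plus the (notBefore, notAfter) the CA would write."""
    profile = select_profile(attributes)
    if profile is None:
        return None
    return profile, now, max_not_after(profile, now)
```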
Who is involved?
› UNINETT
  › Jan Meijer, project management: project description, CPS
  › Henrik Austad: Confusa development
› SURFnet
  › Teun Nijssen, Tilburg University
    › CA + SLCS/MICS server operations, CPS, EUGridPMA accreditation maintenance
› Sunet
  › Leif Johanssen: federation issues
› TERENA
  › Licia Florio: contractual party
› Denmark, Finland, the Netherlands, Norway and Sweden:
  › Until Dec 2009
  › From Jan 2010 other countries/NRENs may join
Status
› Project description almost ready:
  › Financial model not fully defined yet;
› Work on the CPS:
  › Presentation at the next EUGridPMA meeting in May
› Start operations in June:
  › Quite optimistic ;-)
TACAR
New Developments
› TACAR will also be used to host GN3 root CAs:
  › So far only a couple;
  › But more are expected in the future;
› TACAR is still being used as the official IGTF repository;
› Working with Massimiliano Pala:
  › To use TACAR for the PKI Resource Query Protocol (PRQP):
    › To provide a standardised way to query PKI repositories and gather info on CAs;
› New UI:
  › Different way to update info;
  › Different policy.