Community PKIs Initiatives Updates
TF-EMC2 Meeting, Loughborough, UK, 6-7 May 2009
Licia Florio, [email protected]
Slide 2
Aim of the work item
› Overseeing the patterns of usage and emerging technologies that might be relevant to support NREN services;
› Proposing enhancements for the current PKI services;
› Promoting the current PKI services to other communities.
PKI Initiatives
› SCS service:
  › Soon to be known as TCS;
› TERENA MICS/SLCS Pilot Service Project
› TACAR
Slide 3
TERENA Certificates Service
Slide 4
SCS -> TCS
› Current SCS:
  › Provided by GlobalSign BV;
  › Only SSL server certs;
  › More than 20,000 certs issued;
  › Operating till March 2010;
› New SCS service:
  › Comodo CA;
  › Expected to start in May 2009;
› Model:
  › Yearly flat fee per NREN;
  › TERENA is the contractual party;
  › A dedicated TERENA sub-CA;
› Participating NRENs can also buy client certificates and code-signing certificates:
  › Upon an extra flat fee;
› TCS: TERENA Certificate Services
Slide 5
Who is in SCS
› Participants:
  › Switzerland out;
  › Greece and Finland will now participate.
Slide 6
What has been done
› Lots of work spent on certificate profiles:
  › Finally ready since last Friday;
  › Profiles also for eScience server and client certs;
› Test CA expected in 10 days:
  › To test certificates and interfaces;
› Writing the CPS for the TERENA sub-CA:
  › The first version of the CPS will only cover SSL server certs;
  › Client and code-signing cert procedures will be addressed later.
Slide 7
What's next
› Test phase:
  › Two-week test period;
› Launching the SSL server certs:
  › Available for all participating NRENs;
› More work on the API:
  › The current prototype does not cover client and code-signing certs;
› Accreditation with the EuGridPMA
Slide 8
A new PKI Service
Slide 9
TERENA MICS/SLCS Pilot Service Project
› Aim:
  › Establish a shared SLCS/MICS pilot service for the (European) eScience Grid community, under the TERENA umbrella.
  › SLCS/MICS CA serving all participating countries;
  › EuGridPMA accreditation;
  › Allow for scalability;
› The service will issue X.509 certs to persons, not to hosts.
Slide 10
Grid CA Management
› Grid uses X.509 certs as authN credentials;
› Three types of certs are possible:
  › Classic
  › Short Lived Credential Service (SLCS)
  › Member Integrated Credential Service (MICS)
› Grid CAs have to be accredited by the IGTF:
  › EuGridPMA (Europe)
  › TAGPMA (Americas)
  › APGridPMA (Asia-Pacific)
Slide 11
What are SLCS/MICS certs?
› The vetting process and the cert lifetime differ:
› Classic:
  › Face-to-face verification of end-entities needed;
  › Manual process at RA level;
  › Cert validity: 13 months, but renewal of certs is possible without a new face-to-face validation.
› SLCS/MICS:
  › The vetting process relies on an existing AAI framework;
  › The user authenticates to the CA using an existing electronic identity;
  › This identity is mapped into a Grid cert;
  › SLCS certs are valid for 10 days;
  › MICS certs are valid for 13 months.
Slide 12
Benefit of an EU SLCS/MICS Service
› How many SLCS CAs does Europe need? ;)
› Share operational cost and effort (!)
  › Continued operational PKI skills only needed in one place;
  › Very attractive for countries with limited resources.
Slide 13
More about the service
› Use a specific federation attribute to decide on SLCS or MICS eligibility;
  › According to the rules defined by the EuGridPMA SLCS/MICS profiles.
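Slides 11 and 13 together describe a policy: the CA decides from a federation attribute whether the authenticated person is eligible for an SLCS or a MICS certificate, and the profile then fixes the validity period (10 days vs. 13 months) and the vetting basis (AAI login vs. face-to-face at an RA for classic certs). The example below is added here and is not the pilot's or Confusa's code; the attribute name `x-grid-ca-eligibility` and the sample identities are constructed placeholders, since the slides do not name the attribute. It also enforces the slide 9 rule that the service issues certificates to persons only.

```python
"""Profile selection and validity computation for a federation-backed Grid CA.

Added example (not the TERENA pilot's code). The federation attribute name and the
sample identities below are constructed for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed attribute name: the slides say eligibility is decided by "a specific
# federation attribute" but do not name it.
ELIGIBILITY_ATTR = "x-grid-ca-eligibility"


@dataclass(frozen=True)
class Profile:
    name: str
    days: Optional[int]      # fixed-length validity (SLCS)
    months: Optional[int]    # calendar-month validity (MICS, classic)
    vetting: str             # how the end entity is identified


# The three certificate types from the slides.
CLASSIC = Profile("classic", days=None, months=13, vetting="face-to-face at RA")
SLCS = Profile("SLCS", days=10, months=None, vetting="federation (AAI) login")
MICS = Profile("MICS", days=None, months=13, vetting="federation (AAI) login")

_BY_ATTRIBUTE_VALUE = {"slcs": SLCS, "mics": MICS}


def add_months(when: datetime, months: int) -> datetime:
    """Calendar-month addition; the day is clamped so 31 Jan + 1 month stays valid."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def not_after(profile: Profile, not_before: datetime) -> datetime:
    """End of validity for a cert of this profile issued at not_before."""
    if profile.days is not None:
        return not_before + timedelta(days=profile.days)
    return add_months(not_before, profile.months)


def classify(attributes: dict) -> Optional[Profile]:
    """Pick SLCS or MICS from the federation attributes, or None if not eligible.

    Hosts are refused outright: the pilot issues person certificates only.
    """
    if attributes.get("subject_type") != "person":
        return None
    value = str(attributes.get(ELIGIBILITY_ATTR, "")).lower()
    return _BY_ATTRIBUTE_VALUE.get(value)


# Constructed sample: the meeting date, used as the issuance time.
ISSUED_AT = datetime(2009, 5, 6, tzinfo=timezone.utc)

# Constructed sample identities as a federation IdP might release them.
SAMPLE_IDENTITIES = [
    {"name": "alice", "subject_type": "person", ELIGIBILITY_ATTR: "slcs"},
    {"name": "bob", "subject_type": "person", ELIGIBILITY_ATTR: "mics"},
    {"name": "carol", "subject_type": "person"},              # attribute missing
    {"name": "grid01.example", "subject_type": "host", ELIGIBILITY_ATTR: "mics"},
]


def decide_all(identities=SAMPLE_IDENTITIES, issued_at: datetime = ISSUED_AT):
    """Map each identity to (profile name or None, notAfter ISO string or None)."""
    out = {}
    for ident in identities:
        profile = classify(ident)
        if profile is None:
            out[ident["name"]] = (None, None)
        else:
            out[ident["name"]] = (profile.name, not_after(profile, issued_at).isoformat())
    return out


if __name__ == "__main__":
    for name, (profile, expiry) in decide_all().items():
        print(f"{name:16} -> {profile or 'refused':8} notAfter={expiry}")
```

Note that the 13-month lifetime is computed in calendar months rather than as a day count, which is how a CPS normally states it; the SLCS 10-day window is a plain day count. Renewal of a classic cert without a new face-to-face check (slide 11) is a separate RA procedure and is not modelled here.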
Slide 14
Who is involved?
› UNINETT
  › Jan Meijer, project management: project description, CPS
  › Henrik Austad: Confusa development
› SURFnet
  › Teun Nijssen, Tilburg University
  › CA + SLCS/MICS server ops, CPS, EuGridPMA accreditation maintenance
› SUNET
  › Leif Johansson: federation issues
› TERENA
  › Licia Florio: contractual party
› Denmark, Finland, the Netherlands, Norway and Sweden:
  › Until Dec 2009
› From Jan 2010 other countries/NRENs may join
Slide 15
Status
› Project description almost ready:
  › Financial model not fully defined yet;
› Work on the CPS:
  › Presentation at the next EuGridPMA in May;
› Start operations in June:
  › Quite optimistic ;-)
Slide 16
TACAR
Slide 17
New Developments
› TACAR will also be used to host GN3 root CAs:
  › So far only a couple;
  › But more are expected in the future;
› TACAR is still being used as the IGTF official repository;
› Working with Massimiliano Pala:
  › To use TACAR for the PKI Resources Query Protocol (PRQP):
    › to provide a standardised way to query PKI repositories to gather info on CAs;
› New UI:
  › Different way to update info;
  › Different policy;