march 27, 2006tagpma - rio de janeiro1 short lived credential services profile tony j. genovese the...
TRANSCRIPT
March 27, 2006 TAGPMA - Rio de Janeiro 1
Short Lived Short Lived Credential Services Credential Services
ProfileProfile
Tony J. GenoveseTony J. GenoveseThe Americas Grid PMAThe Americas Grid PMA
DOEGridsDOEGridsATF/ESnet/LBNLATF/ESnet/LBNL
March 27, 2006 TAGPMA - Rio de Janeiro 2
SLCS ProfileSLCS Profile
The Authentication Profile is The Authentication Profile is managed by the TAGPMAmanaged by the TAGPMA
Derived from EUGridPMA GuidelinesDerived from EUGridPMA Guidelines Minimum Requirements version 4.0Minimum Requirements version 4.0
Reviewed and approved by TAGPMA:Reviewed and approved by TAGPMA: 15 November 200515 November 2005
March 27, 2006 TAGPMA - Rio de Janeiro 3
What is SLCSWhat is SLCS Short-Term certificate has a life cycle less then 1 million Short-Term certificate has a life cycle less then 1 million
seconds (~11 days)seconds (~11 days) A translation of a local site’s native Identity to a Grid A translation of a local site’s native Identity to a Grid
Identity.Identity. A KCA can translate a local Kerberos Identity to A KCA can translate a local Kerberos Identity to
a Grid Identity. a Grid Identity. MyProxy can be integrated to some sitesMyProxy can be integrated to some sites
Active credential repositories – different AuthN Active credential repositories – different AuthN profile.profile.
Identity is validated by site security officeIdentity is validated by site security office Leverages Site help desk and customer supportLeverages Site help desk and customer support Possible local site service candidates:Possible local site service candidates:
Kerberos, Windows Domain, LDAP, One Time Kerberos, Windows Domain, LDAP, One Time Password and Long term Certs.Password and Long term Certs.
March 27, 2006 TAGPMA - Rio de Janeiro 4
Document IdentificationDocument Identification
Document title: Profile for Short Lived Credential Services X.509 Public Key Certification Authorities with secured infrastructure
Document vers: 1.1
Document date: November 15, 2005.
OID: 1.2.840.113612.5 = IGTF
OID: IGTF.Policies.Authentication Profiles.SLCS.version
Document OID: 1.2.840.113612.5.2.3.1.1
Location: http://www.tagpma.org/files/IGTF-AP-SLCS-20051115-1-1.pdf
March 27, 2006 TAGPMA - Rio de Janeiro 5
SLIC General ArchitectureSLIC General Architecture
LDAPAuthN
KerberosAuthN
RADIUS AuthN
SecureIDAuthN(RADIUS)
slic
slicslic
slic
slic slic
Certificate Authority
Sources of Identity Grid Identity Mint
Local Site AuthN infrastructure
Short lived Grid Identity/Proxy/Attribute Certificates
March 27, 2006 TAGPMA - Rio de Janeiro 6
IdentityIdentity
Every DN in a SLCS cert must be Every DN in a SLCS cert must be linked to one and only one End Entity.linked to one and only one End Entity.
The DN owner is the human The DN owner is the human individual or organizational group individual or organizational group that has valid rights to exclusive use that has valid rights to exclusive use of a subject name in a certificate. of a subject name in a certificate.
March 27, 2006 TAGPMA - Rio de Janeiro 7
Identity Translation rulesIdentity Translation rules All identities used to create a Short Lived All identities used to create a Short Lived
Certificate will be based on the local Certificate will be based on the local Site/Organization identity system. Site/Organization identity system.
A SLCS must identify the Site/Organization A SLCS must identify the Site/Organization identity management service that will be used to identity management service that will be used to provide the authenticated identity to the SLCS. provide the authenticated identity to the SLCS.
A SLCS must describe in their CP/CPS: A SLCS must describe in their CP/CPS: How the identity (DN) assigned in the certificate is How the identity (DN) assigned in the certificate is
unique within the namespace of the issuer.unique within the namespace of the issuer. How it attests to the validity of the identity. How it attests to the validity of the identity. How it provides accountability, show that they have How it provides accountability, show that they have
verified enough identity information to get back to the verified enough identity information to get back to the physical person any time now and in the futurephysical person any time now and in the future
March 27, 2006 TAGPMA - Rio de Janeiro 8
Operational RequirementsOperational Requirements
SLCS CA must be a dedicated machineSLCS CA must be a dedicated machine The CA must be located in a secure The CA must be located in a secure
access controlled environment.access controlled environment. CA’s private key must be protected:CA’s private key must be protected:
FIPS 140-2 Level 3 HSMFIPS 140-2 Level 3 HSM Non-FIPS: Must describe the security Non-FIPS: Must describe the security
precautions. precautions. CA Key >= 2048, lifetime <= 20 yearsCA Key >= 2048, lifetime <= 20 years
March 27, 2006 TAGPMA - Rio de Janeiro 9
Certificates and CRL profileCertificates and CRL profile The accredited SLCS authority must publish a X.509 certificate as a root The accredited SLCS authority must publish a X.509 certificate as a root
of trust. of trust. SLCS CAs are not expected to issue CRLs. SLCS CAs are not expected to issue CRLs. The short lived certificates must be in X.509v3 format and compliant The short lived certificates must be in X.509v3 format and compliant
with RFC3280 unless explicitly stated otherwise. In the certificate with RFC3280 unless explicitly stated otherwise. In the certificate extensions:extensions: a a Policy IdentifierPolicy Identifier must be included and must contain an OID and must be included and must contain an OID and
an OID onlyan OID only keyUsagekeyUsage must be included and marked as critical must be included and marked as critical basicConstraintsbasicConstraints may be included, and when included it must be may be included, and when included it must be
set to ‘CA: false’ and marked as critical so it conforms to general CA set to ‘CA: false’ and marked as critical so it conforms to general CA and ASN.1 practice.and ASN.1 practice.
if an OCSP responder, operated as a production service by the if an OCSP responder, operated as a production service by the issuing CA, is available, issuing CA, is available, AuthorityInfoAccessAuthorityInfoAccess must be included must be included and contain at least one URIand contain at least one URI
If a If a commonNamecommonName component is used as part of the subject DN, it component is used as part of the subject DN, it should contain an appropriate presentation of the actual name of the should contain an appropriate presentation of the actual name of the end-entity.end-entity.
The message digests of the certificates must be generated by a The message digests of the certificates must be generated by a trustworthy mechanism, like SHA1 (in particular, MD5 must not be trustworthy mechanism, like SHA1 (in particular, MD5 must not be used). used).
March 27, 2006 TAGPMA - Rio de Janeiro 10
RevocationRevocation It is assumed that the Short Lived Certificates will It is assumed that the Short Lived Certificates will
not need to be revoked because their life time is not need to be revoked because their life time is shorter than the update cycle of most CRLs. shorter than the update cycle of most CRLs.
If revocation is supported, then revocation If revocation is supported, then revocation requests can be made by:requests can be made by: certificate holders, Site identity managers and the SLCS certificate holders, Site identity managers and the SLCS
CA. CA. Others…Others… Individual holders of a SLCS certificate must Individual holders of a SLCS certificate must
request revocation if the private key pertaining to request revocation if the private key pertaining to the certificate is lost or has been compromised, or the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.if the data in the certificate are no longer valid.
March 27, 2006 TAGPMA - Rio de Janeiro 11
Publication and Repository Publication and Repository responsibilities responsibilities
Each SLCS authority must publish:Each SLCS authority must publish: a SLCS CA root certificate or set of CA root certificates a SLCS CA root certificate or set of CA root certificates
up to a self-signed root;up to a self-signed root; a http or https URL of the PEM-formatted CA certificate;a http or https URL of the PEM-formatted CA certificate; a http or https URL of the web page of the CA for general a http or https URL of the web page of the CA for general
information;information; the CP and CPS documents;the CP and CPS documents; an official contact email address for inquiries and fault an official contact email address for inquiries and fault
reportingreporting a physical postal contact addressa physical postal contact address
The SLCS CA shall provide their trust anchor to a The SLCS CA shall provide their trust anchor to a trust anchor repository, specified by the trust anchor repository, specified by the accrediting PMA, via the method specified in the accrediting PMA, via the method specified in the policy of the trust anchor repository. policy of the trust anchor repository.
March 27, 2006 TAGPMA - Rio de Janeiro 12
AuditsAudits The SLCS CA must record and archive all requests for The SLCS CA must record and archive all requests for
certificates, along with all the issued certificates, all the certificates, along with all the issued certificates, all the requests for revocation and the login/logout/reboot of the requests for revocation and the login/logout/reboot of the issuing machine.issuing machine.
The SLCS CA must keep these records for at least three The SLCS CA must keep these records for at least three years. These records must be made available to external years. These records must be made available to external auditors in the course of their work as auditor.auditors in the course of their work as auditor.
Each SLCS CA must accept being audited by other Each SLCS CA must accept being audited by other accredited CAs to verify its compliance with the rules and accredited CAs to verify its compliance with the rules and procedures specified in its CP/CPS document. procedures specified in its CP/CPS document.
The SLCS CA should perform operational audits of the CA/RA The SLCS CA should perform operational audits of the CA/RA staff at least once per year. A list of CA and site identity staff at least once per year. A list of CA and site identity management personnel should be maintained and verified management personnel should be maintained and verified at least once per year.at least once per year.
The identity management system on which the SLCS CA The identity management system on which the SLCS CA relies should undergo a periodic review or audit. This review relies should undergo a periodic review or audit. This review should be conducted by persons other than the system should be conducted by persons other than the system operators.operators.
March 27, 2006 TAGPMA - Rio de Janeiro 13
SLCS EtceteraSLCS Etcetera Privacy and confidentialityPrivacy and confidentiality
Accredited SLCS CAs must define a privacy and data Accredited SLCS CAs must define a privacy and data release policy compliant with the relevant national release policy compliant with the relevant national legislation. legislation.
Compromise and Disaster recoveryCompromise and Disaster recovery The SLCS CA must have an adequate compromise and The SLCS CA must have an adequate compromise and
disaster recovery procedure, and be willing to discuss disaster recovery procedure, and be willing to discuss this procedure in the TAGPMA. The procedure need not this procedure in the TAGPMA. The procedure need not be disclosed in the policy and practice statements.be disclosed in the policy and practice statements.
Due diligence of subscribersDue diligence of subscribers The SLCS CA should make a reasonable effort to make The SLCS CA should make a reasonable effort to make
sure that people realize the importance of properly sure that people realize the importance of properly protecting their private data. protecting their private data.