Page 1: Short Lived Credential Services Profile

March 27, 2006, TAGPMA - Rio de Janeiro

Tony J. Genovese
The Americas Grid PMA
DOEGrids, ATF/ESnet/LBNL



Page 2: SLCS Profile

The Authentication Profile is managed by the TAGPMA.
Derived from the EUGridPMA Guidelines, Minimum Requirements version 4.0.
Reviewed and approved by TAGPMA: 15 November 2005.

Page 3: What is SLCS

A short-term certificate has a lifetime of less than 1 million seconds (about 11.6 days).
It is a translation of a local site's native identity to a Grid identity:
  - a KCA can translate a local Kerberos identity to a Grid identity;
  - MyProxy can be integrated at some sites.
Active credential repositories fall under a different AuthN profile.
Identity is validated by the site security office.
Leverages the site help desk and customer support.
Possible local site service candidates: Kerberos, Windows Domain, LDAP, One Time Password and long-term certificates.

Page 4: Document Identification

Document title: Profile for Short Lived Credential Services X.509 Public Key Certification Authorities with secured infrastructure
Document version: 1.1
Document date: November 15, 2005
OID: 1.2.840.113612.5 = IGTF
OID structure: IGTF.Policies.Authentication Profiles.SLCS.version
Document OID: 1.2.840.113612.5.2.3.1.1
Location: http://www.tagpma.org/files/IGTF-AP-SLCS-20051115-1-1.pdf

Page 5: SLIC General Architecture

[Figure: SLIC general architecture. Sources of identity (the local site AuthN infrastructure: LDAP AuthN, Kerberos AuthN, RADIUS AuthN, SecureID AuthN via RADIUS) each feed a slic component; the slic components drive the Certificate Authority, the Grid identity mint, which issues short-lived Grid identity, proxy and attribute certificates.]

Page 6: Identity

Every DN in a SLCS cert must be linked to one and only one End Entity.
The DN owner is the human individual or organizational group that has valid rights to exclusive use of a subject name in a certificate.

Page 7: Identity Translation rules

All identities used to create a Short Lived Certificate will be based on the local Site/Organization identity system.
A SLCS must identify the Site/Organization identity management service that will be used to provide the authenticated identity to the SLCS.
A SLCS must describe in its CP/CPS:
  - how the identity (DN) assigned in the certificate is unique within the namespace of the issuer;
  - how it attests to the validity of the identity;
  - how it provides accountability, i.e. shows that enough identity information has been verified to get back to the physical person at any time, now and in the future.
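A worked illustration of the identity translation and uniqueness rules on pages 3, 6 and 7, added here and not part of the profile or the presentation: a Kerberos-style site identity is mapped to a DN under an issuer namespace, and a registry refuses to bind that DN to a second End Entity or to reissue a DN whose holder has left. The namespace /DC=org/DC=example/OU=People, the CN layout, the sample principals and the record keys are all assumptions made for the example.

```python
"""Added example, not from the profile document: translate a site's authenticated
identity into a Grid DN and enforce the profile's identity rules, i.e. the DN is
unique within the issuer namespace and is bound to one and only one End Entity,
now and in the future. Namespace, identities and record keys are constructed."""
import re
from dataclasses import dataclass

ISSUER_NAMESPACE = "/DC=org/DC=example/OU=People"  # hypothetical; a real SLCS uses its PMA-registered namespace


@dataclass(frozen=True)
class SiteIdentity:
    """What the site identity management service hands over after authenticating the user."""
    principal: str     # local authenticated name, e.g. a Kerberos principal "alice@EXAMPLE.ORG"
    site_uid: str      # the site's stable record key; the accountability link back to the physical person
    display_name: str  # actual name of the end entity, presented in the commonName


def grid_dn(identity):
    """Deterministic translation. The CN carries the real name plus the local login, so
    two people with the same name still get different DNs within the issuer namespace."""
    user, _, realm = identity.principal.partition("@")
    user = user.lower()                                  # case-fold: "Alice" and "alice" are one login
    if not realm or not re.fullmatch(r"[a-z0-9._-]{1,64}", user):
        raise ValueError(f"unusable principal: {identity.principal!r}")
    name = " ".join(identity.display_name.split())       # collapse whitespace before comparing names
    if not re.fullmatch(r"[A-Za-z][A-Za-z .'-]{0,62}", name):
        raise ValueError(f"unusable display name: {identity.display_name!r}")
    return f"{ISSUER_NAMESPACE}/CN={name} {user}"


class DNRegistry:
    """Append-only DN <-> End Entity binding. A DN is never handed to a second End Entity,
    and a departed holder's DN is retired rather than freed, so any DN found in an old
    log still resolves to exactly one person."""

    def __init__(self):
        self.owner_of = {}     # DN -> site_uid (durable storage in a real service)
        self.retired = set()   # DNs whose holders have left

    def bind(self, identity):
        dn = grid_dn(identity)
        if dn in self.retired:
            raise PermissionError(f"{dn} is retired and cannot be issued again")
        owner = self.owner_of.get(dn)
        if owner is not None and owner != identity.site_uid:
            raise PermissionError(f"{dn} is already bound to another End Entity")
        self.owner_of[dn] = identity.site_uid
        return dn

    def retire(self, site_uid):
        """Retire every DN of a departed entity; the binding itself stays for audit."""
        gone = sorted(dn for dn, uid in self.owner_of.items() if uid == site_uid)
        self.retired.update(gone)
        return gone


def try_bind(registry, identity):
    """Bind and return the DN, or a 'refused: ...' string instead of raising."""
    try:
        return registry.bind(identity)
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    reg = DNRegistry()
    print(try_bind(reg, SiteIdentity("alice@EXAMPLE.ORG", "E1001", "Alice Example")))
    # a different person whose normalized name and login collide with Alice's is refused
    print(try_bind(reg, SiteIdentity("ALICE@EXAMPLE.ORG", "E2002", "Alice  Example")))
```

The registry keys on the site's stable record identifier rather than on the display name, which is what lets the SLCS answer the accountability question in the CP/CPS: given any DN it ever issued, it can name the one physical person behind it.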

Page 8: Operational Requirements

The SLCS CA must be a dedicated machine.
The CA must be located in a secure, access-controlled environment.
The CA's private key must be protected:
  - FIPS 140-2 Level 3 HSM, or
  - non-FIPS: the security precautions must be described.
CA key >= 2048 bits, lifetime <= 20 years.

Page 9: Certificates and CRL profile

The accredited SLCS authority must publish an X.509 certificate as a root of trust.
SLCS CAs are not expected to issue CRLs.
The short lived certificates must be in X.509v3 format and compliant with RFC 3280 unless explicitly stated otherwise. In the certificate extensions:
  - a Policy Identifier must be included and must contain an OID and an OID only;
  - keyUsage must be included and marked as critical;
  - basicConstraints may be included, and when included it must be set to 'CA: false' and marked as critical so it conforms to general CA and ASN.1 practice;
  - if an OCSP responder, operated as a production service by the issuing CA, is available, AuthorityInfoAccess must be included and contain at least one URI.
If a commonName component is used as part of the subject DN, it should contain an appropriate presentation of the actual name of the end-entity.
The message digests of the certificates must be generated by a trustworthy mechanism, like SHA1 (in particular, MD5 must not be used). (Caveat: this is the 2005 profile text; SHA-1 signatures have since been deprecated and current practice is SHA-256 or stronger.)
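An added example, not from the profile or the presentation, of what the extension rules above mean at the encoding level: it builds the keyUsage, basicConstraints, certificatePolicies and AuthorityInfoAccess extensions an SLCS certificate needs, in DER, and checks an Extensions block (plus the lifetime and signature hash supplied by the caller) against the rules. The OCSP URL and the sample lifetimes are constructed; the policy OID is the document OID from page 4. It also shows why the "CA:false ... ASN.1 practice" wording matters: DER forbids encoding DEFAULT values, so both critical=FALSE and cA=FALSE must be omitted rather than written out.

```python
"""Added example, not from the profile document: build the extensions an SLCS end-entity
certificate must carry, in DER, and check an Extensions block against the profile rules,
with pure-Python DER and no crypto library. OCSP URL, lifetimes and hashes are constructed."""
OID_KEY_USAGE, OID_BASIC_CONSTRAINTS, OID_CERT_POLICIES = "2.5.29.15", "2.5.29.19", "2.5.29.32"
OID_AIA, OID_AD_OCSP = "1.3.6.1.5.5.7.1.1", "1.3.6.1.5.5.7.48.1"
SLCS_POLICY_OID, MAX_LIFETIME = "1.2.840.113612.5.2.3.1.1", 1_000_000  # document OID; "< 1 million seconds"

def der(tag, content):  # DER TLV: tag, definite length (short or long form), content
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_seq(*parts): return der(0x30, b"".join(parts))

def der_oid(dotted):  # first two arcs share one sub-identifier; base-128 with continuation bits
    arcs = [int(a) for a in dotted.split(".")]
    body = []
    for a in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def der_key_usage(bits):  # bits must be non-zero, e.g. 0xA0 = digitalSignature|keyEncipherment
    # KeyUsage is a BIT STRING; DER drops trailing zero bits and the first content
    # octet records how many were dropped.
    unused = (bits & -bits).bit_length() - 1
    return der(0x03, bytes([unused, bits]))

def extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    # DER never encodes a DEFAULT value, so critical=False is omitted, never written as 01 01 00.
    crit = [der(0x01, b"\xff")] if critical else []
    return der_seq(der_oid(oid), *crit, der(0x04, value))

def slcs_extensions(ocsp_url=None):
    exts = [
        extension(OID_KEY_USAGE, der_key_usage(0xA0), critical=True),
        # cA DEFAULT FALSE is omitted in DER, so 'CA:false' is an empty SEQUENCE.
        extension(OID_BASIC_CONSTRAINTS, der_seq(), critical=True),
        # PolicyInformation holding the policy OID and nothing else (no qualifiers).
        extension(OID_CERT_POLICIES, der_seq(der_seq(der_oid(SLCS_POLICY_OID)))),
    ]
    if ocsp_url:  # AccessDescription { id-ad-ocsp, uniformResourceIdentifier [6] IA5String }
        uri = der(0x86, ocsp_url.encode("ascii"))
        exts.append(extension(OID_AIA, der_seq(der_seq(der_oid(OID_AD_OCSP), uri))))
    return der_seq(*exts)

def tlv(b, i=0):  # -> (tag, content, index just past the element)
    tag, n, i = b[i], b[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(b[i:i + k], "big"), i + k
    return tag, b[i:i + n], i + n

def items(content):  # (tag, content) children held in a constructed value's content octets
    out, i = [], 0
    while i < len(content):
        tag, val, i = tlv(content, i)
        out.append((tag, val))
    return out

def parse_oid(content):
    arcs, cur = [], 0
    for byte in content:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, cur = arcs + [cur], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def check_slcs(extensions_der, lifetime_seconds, sig_hash, ocsp_operated=False):
    """Return the profile violations found; an empty list means compliant."""
    problems = []
    if lifetime_seconds >= MAX_LIFETIME:
        problems.append("lifetime must be below 1,000,000 seconds")
    if sig_hash.lower().replace("-", "") == "md5":
        problems.append("MD5 must not be used")
    seen = {}  # extnID -> (critical?, extnValue octets)
    for _, ext in items(tlv(extensions_der)[1]):
        fields = items(ext)
        seen[parse_oid(fields[0][1])] = (len(fields) == 3 and fields[1][1] == b"\xff", fields[-1][1])
    inner = lambda value: items(tlv(value)[1])  # children of the extension's inner SEQUENCE
    ku, bc, pol, aia = (seen.get(o) for o in (OID_KEY_USAGE, OID_BASIC_CONSTRAINTS, OID_CERT_POLICIES, OID_AIA))
    if ku is None or not ku[0]:
        problems.append("keyUsage must be included and marked critical")
    if bc is not None and not bc[0]:
        problems.append("basicConstraints must be critical when present")
    if bc is not None and any(tag == 0x01 for tag, _ in inner(bc[1])):
        problems.append("basicConstraints must be CA:false (cA omitted in DER)")
    if pol is None:
        problems.append("a Policy Identifier (certificatePolicies) must be included")
    elif any(len(items(info)) != 1 for _, info in inner(pol[1])):
        problems.append("policy information must contain an OID and an OID only")
    if ocsp_operated and (aia is None or not any(
            tag == 0x86 for _, ad in inner(aia[1]) for tag, _ in items(ad))):
        problems.append("AuthorityInfoAccess with at least one URI must be included")
    return problems
```

To check a real certificate, feed check_slcs the DER of its Extensions field (the [3] EXPLICIT element of the TBSCertificate, which openssl asn1parse can locate), with notAfter minus notBefore in seconds as the lifetime and the signature algorithm's hash as sig_hash; the commonName rule on the subject DN is outside the extensions and is not covered here.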

Page 10: Revocation

It is assumed that the Short Lived Certificates will not need to be revoked because their lifetime is shorter than the update cycle of most CRLs.
If revocation is supported, then revocation requests can be made by: certificate holders, site identity managers and the SLCS CA. Others…
Individual holders of a SLCS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid.

Page 11: Publication and Repository responsibilities

Each SLCS authority must publish:
  - a SLCS CA root certificate or set of CA root certificates up to a self-signed root;
  - a http or https URL of the PEM-formatted CA certificate;
  - a http or https URL of the web page of the CA for general information;
  - the CP and CPS documents;
  - an official contact email address for inquiries and fault reporting;
  - a physical postal contact address.
The SLCS CA shall provide its trust anchor to a trust anchor repository, specified by the accrediting PMA, via the method specified in the policy of the trust anchor repository.

Page 12: Audits

The SLCS CA must record and archive all requests for certificates, along with all the issued certificates, all the requests for revocation and the login/logout/reboot of the issuing machine.
The SLCS CA must keep these records for at least three years. These records must be made available to external auditors in the course of their work as auditor.
Each SLCS CA must accept being audited by other accredited CAs to verify its compliance with the rules and procedures specified in its CP/CPS document.
The SLCS CA should perform operational audits of the CA/RA staff at least once per year. A list of CA and site identity management personnel should be maintained and verified at least once per year.
The identity management system on which the SLCS CA relies should undergo a periodic review or audit. This review should be conducted by persons other than the system operators.

Page 13: SLCS Etcetera

Privacy and confidentiality
Accredited SLCS CAs must define a privacy and data release policy compliant with the relevant national legislation.

Compromise and disaster recovery
The SLCS CA must have an adequate compromise and disaster recovery procedure, and be willing to discuss this procedure in the TAGPMA. The procedure need not be disclosed in the policy and practice statements.

Due diligence of subscribers
The SLCS CA should make a reasonable effort to make sure that people realize the importance of properly protecting their private data.