EU NREN PKI
Jan Meijer, AARNet PKI / Access Federations Strategy Workshop
10 February 2010, Sydney
me
• 1998-2007: SURFnet – CERT, security, PKI, systems engineering, e-voting
• 2007-now: UNINETT – service development, storage, PKI
beautiful morning....
• 22 NRENs
• 6 months
• 12573 server certs
• starting personal
PKI purpose
Guarantee:
• Authenticity
• Confidentiality
• Integrity
• Non repudiation
ehr, no, we want
• others not to read our mail
• to know the sender is the sender
• that, for documents, thanks
• no reading of my credit card number
• no reading of my health information
• no reading of my passwords
• log on to my internal web site
if it doesn’t work
it doesn’t work
the issue
?
direct trust
hierarchical trust
web of trust
Feb 1993, RFC 1422
Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
obsoletes RFC 1114 Mail Privacy: Key Management (1989)
Feb 1993, RFC 1422
The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA).
The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy.
Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations.
Each PCA is certified by the IPRA.
USA crypto exports
<1996: International Traffic in Arms Regulation
1996: Export Administration Regulations (EAR) of the Department of Commerce
31 Dec 1998: 56 bit without license
12 January 2000: Freedom to export
source: Bert-Jaap Koops’ Crypto Law Survey, http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us
Pretty Good Privacy
Jun 5, 1991: PGP 1.0
Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.63i… with help:
Aug 1996: RFC1991, PGP Message Exchange Formats (FYI)
Nov 1998: RFC2440, OpenPGP Message Format (STD)
1994: Netscape Navigator 1.0
1995: Internet Explorer 2.0
(1994) 1996: .nl electronic purse
chipknip
chipper
13 December 1999:
DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
1995: Student Chip Card
qualified digital signatures!
1998: SURFnet PKI
• PGP PKI
• PGP keyserver pgp.surfnet.nl
• x.509 PKI
use
PGP
– email signing and encryption
– document signing and encryption
x.509
– email signing and encryption
– document signing and encryption
– authentication
– smartcard deployments
requirements
• scalable
• identity vetting at university
• affordable server and client certificates
SURFnet x.509 PKI
1998: setup
1999: production
more levels
europe
down in the trenches
soon
~2000
• Netherlands qualified Digital Signature accreditation framework ready
• SURFnet PKI: test audit
~2001
“SURFdiensten” GlobalSign discount deal for .nl higher ed
1998-2004: PKI evolves
• Focus on policy
• Focus on CA operations
• Plans to interlink European PKIs
• Separate eScience Grid PKI
• TACAR
• Experience but not large scale deployment
SURFnet PKI numbers
Year  New CAs  Personal  Server
2000  1        1         14
2001  1        48        38
2002  3        43        47
2003  16       91        201
2004  2        52        125
course
popular?
• SSL server certificates
• Personal certificates
• Code Signing certificates
biggest problem?
get root in browsers
2000: $250.000 x 2
2004: IE: WebTrust
puzzling pieces
• in browser root, $$
• flat rate
• unpunished success
• why do I want to run my own CA?
TERENA
idea
• join forces
• contract commercial CA
• flat-rate for the TERENA community
• unlimited
• NREN becomes RA
• re-use existing contractual relations
make it stupid to not secure your server with SSL
use existing relations
SCS timeline
• Jan 2005: idea written up (TF-CSIRT!)
• Feb 2005: presented at TF-EMC2
“the list”: 20 kEUR
• Summer 2005: reality + procedure check
• September 2005: CfP
• January 2006: GlobalSign contract
16 March 2006: SCS is born
SCS numbers 12/2007
NREN          # issued  # organisations
ACOnet        979       26
ARNES*        23        n/a
BELNET        673       57
CARNet        166       n/a
CESNET        452       20
CRU/RENATER   1446      134
GARR**        100       20
JANET (UK)    2300      212
RedIRIS       1077      86
SUNET***      487       17
SURFnet       1934      91
SWITCH        1200      n/a
UNI-C ****    1366      n/a
UNINETT       348       24
14 NRENs
12551 certificates
SCS numbers per 1 Aug 2008
# participating NRENs 18 (14)
# certificates issued 19.400 (12551)
# participating orgs 2.225
# proxies 3.800
2007: mission accomplished!
no ssl = lame
and behavioural change...
SCS: lessons learned
• vested interests, existing services, strong opinions, policy devil....
• browser popup was the problem
• certain level of control good
• do what matters
• good enough = good enough!
2007
• contract renewal with GlobalSign
• start preliminary work with new CfP
new CfP, lessons learned
1. root coverage: browsers *and* other platforms
2. validity on contract end
3. ensuring future root coverage
4. end user interfaces
5. interface response times
6. describe certificate request processing
7. profiles
8. subjectAltName
9. multiple valid certificates
10. internationalisation
11. support
12. auditing
13. training
14. certificate lifetime
more lessons... optional reqs
1. alternative lifetimes
2. end user interface for renewal
3. per NREN branding
4. additional profiles
5. eScience Grid certificate support
6. API
7. wildcard certificates
8. OCSP
9. extensive reporting
interesting CfP
TERENA Certificate Service
crucial lesson
GlobalSign SCS certificates
revoked
3 months
after contract expiry
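The crucial lesson above (and the "validity on contract end" and "certificate lifetime" items in the CfP lessons) is an operational one: when the old CA revokes everything a few months after the contract ends, every certificate in the RA's inventory whose notAfter lies past that revocation date will die early and must be re-issued by the new CA in time. The following Python check is an added example written for this page, not a tool of SCS, TCS or any NREN; the inventory rows, hostnames and contract dates are constructed, and the 90-day grace period is an assumed approximation of the "3 months" the slides report.

```python
"""Flag certificates that will be revoked before they expire when a CA contract ends.

Added example for the transcript above; not code from the presentation or from
TERENA/SCS/TCS. Inventory rows and dates below are constructed sample data.
"""
from datetime import date, timedelta

# Constructed RA inventory export: (subject CN, notBefore, notAfter) as ISO dates.
# Hostnames are hypothetical.
INVENTORY = [
    ("www.example-nren.org", "2007-06-01", "2009-06-01"),
    ("mail.example-nren.org", "2008-03-15", "2011-03-15"),
    ("idp.example-university.org", "2008-09-01", "2010-01-10"),
    ("vpn.example-university.org", "2009-10-01", "2012-10-01"),
]


def revocation_date(contract_end: str, grace_days: int = 90) -> date:
    """Date on which the outgoing CA is expected to revoke outstanding certificates:
    contract end plus the grace period (assumed 90 days for the "3 months" on the slide)."""
    return date.fromisoformat(contract_end) + timedelta(days=grace_days)


def certs_cut_short(inventory, contract_end: str, grace_days: int = 90):
    """Return (cn, notAfter, days_lost) for every certificate still valid on the
    revocation date, i.e. one that will be revoked before its natural expiry.
    Sorted so the certificate losing the most validity comes first."""
    cutoff = revocation_date(contract_end, grace_days)
    hits = []
    for cn, _not_before, not_after in inventory:
        expiry = date.fromisoformat(not_after)
        if expiry > cutoff:  # cert outlives the contract: it will be cut short
            hits.append((cn, not_after, (expiry - cutoff).days))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def reissue_deadline(contract_end: str, grace_days: int = 90, lead_days: int = 30) -> str:
    """Latest date by which affected certificates should be re-issued by the new CA,
    leaving lead_days for rollout before the old ones are revoked."""
    cutoff = revocation_date(contract_end, grace_days)
    return (cutoff - timedelta(days=lead_days)).isoformat()


if __name__ == "__main__":
    CONTRACT_END = "2009-06-30"  # constructed contract end date
    print("old CA revokes on:", revocation_date(CONTRACT_END))
    print("re-issue everything below by:", reissue_deadline(CONTRACT_END))
    for cn, not_after, lost in certs_cut_short(INVENTORY, CONTRACT_END):
        print(f"{cn:32} notAfter={not_after}  loses {lost} days")
```

Run it against a real RA export by replacing INVENTORY; the point of the sort order is that a certificate with years of remaining validity is exactly the one whose owner least expects to have to act, so it should be at the top of the renewal list.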
CfP failure
Plan B?
New TCS!
• 5 TERENA CAs
– Server
– Code signing
– Personal
– eScience Server
– eScience Personal
• own CPS
• own front-ends
• Comodo backend + roots
TCS numbers Jan. 2010
RENATER     2758
SURFnet     2499
UNI-C       1643
JANET(UK)   1289
SUNET       1088
CESNET      1069
ACOnet      733
UNINETT     599
BELNET      383
PSNC        140
GRNET       116
FCCN        61
CARNet      56
HUNGARNET   35
GARR        22
LITNET      21
RedIRIS     21
HEAnet      11
ARNES       7
CSC         6
AMRES       2
UoM         0
# issued 12573
# NRENs 22
TCS is
TCS organisation
• TERENA – contractual party, financial clearing house, contact conduit to Comodo
• TCS PMA, club of 5 – CPS responsibility
• TCS Representatives – 1 per NREN, formal decisions
• TCS RAs – day to day operations
TCS Members
Country NREN Server Code Personal
Austria ACOnet X X X
Belgium BELNET X X X
Croatia CARnet X
Czech Republic CESNET X X
Denmark UNI-C X
Finland CSC X X
France RENATER X X
Greece GRNET X X
Hungary HUNGARNET X
Ireland HEAnet X X
Lithuania LITNET X X
Malta UoM X
Netherlands SURFnet X X X
Norway UNINETT X X X
Poland PSNC X X X
Portugal FCCN X
Serbia AMRES X X
Slovenia ARNES X
Spain RedIRIS X X X
Sweden SUNET X X X
UK JANET X
Total 22 7 14
how?
SCS: Guido Aben, Jan Meijer, Teun Nijssen (SURFnet), Kaspar Brandt (SWITCH), Licia Florio, Karel Vietsch (TERENA), Milan Sova (CESNET), and more...
TCS: Kent Engstrøm (SUNET), Licia Florio, Jan Meijer, Kevin Meynell, Teun Nijssen, Milan Sova, Karel Vietsch, Henrik Austad, and more...
TCS Tender Committee: Kurt Bøge (UNI-C), Daniel Garcia (RedIRIS), Licia Florio, Dominique Launay (RENATER), Jan Meijer, Damien Shaw (JANET), Milan Sova, Karel Vietsch
PKI landscape Europe 2010
• TCS
• DFN-PKI
• SWITCH-PKI
• Grid PKI
• Geant3 PKI activity
obituaries
• chipknip: dead
• chipper: dead
• studenten chipkaart: dead
• SURFnet PGP PKI: dead
• SURFnet x.509 PKI: dead
alive and kicking
• TERENA Certificate Service
• PGP: FIRST, 209 teams, 47 countries
• Grid PKI
• Personal certificates?
purpose