NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National...
NECTEC-GOC CA
APGrid PMA face-to-face meeting, October 15, 2006
Sornthep Vannarat
National Electronics and Computer Technology Center, Thailand
2
Introduction
» NECTEC: National Electronics and Computer Technology Center
  » Government research institute under the Ministry of Science
  » For electronics, telecommunication, computer and information technologies, including Grid Computing
» NECTEC GOC CA: NECTEC Grid Operation Center Certificate Authority
» NECTEC GRID PMA
  » Large Scale Simulation Research Laboratory
  » Network Technology Laboratory
  » Thai Computer Emergency Response Team
3
CP/CPS
» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527
» Managed by the NECTEC GRID PMA
  » Changes in contents need to be approved by the NECTEC GRID PMA
4
NECTEC-GOC CA Organization
(Organization chart: GRID CA PMA; CA Manager; RA Operator and CA Operator. Slide notes: "Remove CP/CPS 2.2.5", "Table 1-2 Organization...")
» GRID CA PMA: Policy Management Authority
» CA Manager: Administrates all tasks on the CA system
» RA Operator:
  » Accepts and verifies User Application form
  » Checks Certificate Signing Request form
  » Informs CA to issue certificate
» CA Operator:
  » Issues certificates
  » Manages CA and RA servers
  » Maintains the CA system
  » Manages CA private key
5
End Entity
» NECTEC GOC CA issues certificates for the following subjects:
  » Users of NECTEC
  » Users of domestic Grid-based applications or projects
  » Collaborators related to NECTEC Grid Computing research
6
Certificate Type
» User Certificate: C=TH, O=NECTEC, OU=GOC, CN=Sornthep Vannarat/[email protected]
» Grid Host Certificate: C=TH, O=NECTEC, OU=GOC, CN=host/grid64.hpcc.nectec.or.th
7
Identification and Authentication
» User and Grid Host Certificate:
  » Subscriber meets in person with the RA Operator
  » RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]
8
Certificate Restrictions
» Certificate Lifetime:
  » 13 months for End Entity certificate
  » 10 years for CA certificate
9
Issuing Certificates
» End entities request certificates
  » Each generates its key pair by itself
  » Submits the Application and Certificate Signing Request forms
» RA Operator checks the Requests
  » RA Operator uses a secure communication method, e.g. signed and encrypted email
10
Issuing Certificates (cont'd)
» RA Operator transfers the Request to the CA Operator
  » RA Operator packs the CSRs into a tarball and copies it to a USB drive
  » CA Operator copies the tarball from the USB drive to the CA machine
11
Issuing Certificates (cont'd)
» CA Operator checks the CSRs and issues certificates
» CA Operator transfers the certificates to the RA Operator
  » CA Operator packs the certificates into a tarball on a USB drive
  » RA Operator copies the tarball onto the RA server
» RA Operator publishes the certificates on the website and informs users by email
12
Certificate Revocation
» Certificates are revoked when:
  » User private key compromised
  » Inaccurate user information suspected
  » User obligation violated (CPS 2.1.4)
  » CA private key compromised
  » User leaves his/her organization
13
Revocation Request Procedure
» Revocation Requests can be submitted through the web interface
» or to the CA Manager
14
CRL
» CRL validity is 30 days.
» New CRL issued:
  » 7 days before expiration of the previous one
  » immediately after a certificate revocation
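The issuance steps on slides 9 to 11 and the revocation and CRL rules on slides 12 to 14, carried out with the plain openssl command line as an added example; this is not the NECTEC-GOC CA's OpenCA setup nor any code from the deck. The working directory, the configuration file, the sample CA's CN and the e-mail address are constructed; the DN layout, the 2048-bit and 1024-bit key sizes, the 10-year and 13-month lifetimes and the 30-day CRL validity are the values stated on the slides. The RA check verifies the CSR's self-signature, which is one concrete form of the "RA Operator checks the Requests" step.

```shell
#!/bin/sh
# Added example, not the NECTEC-GOC CA's OpenCA setup: the subscriber, RA Operator
# and CA Operator steps from the slides, done with the plain openssl CLI.
# Assumed: openssl in PATH. Directory, config, the CA's CN and the e-mail address
# are constructed; DN layout, key sizes, lifetimes and CRL validity come from the slides.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# CA Operator: minimal `openssl ca` config (constructed), 2048-bit CA key and a
# 10-year CA certificate. default_days 395 = 13 months, default_crl_days 30 = CRL validity.
init_ca() {
  mkdir -p "$CA_DIR/newcerts"; : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = goc_ca
[ goc_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 395
default_crl_days = 30
policy = goc_policy
x509_extensions = ee_ext
[ goc_policy ]
countryName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
[ ee_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -config "$CA_DIR/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" -subj "/C=TH/O=NECTEC/OU=GOC/CN=Sample CA" 2>/dev/null
}

# Subscriber: key pair generated locally, CSR in the slides' DN layout ($1 file stem, $2 subject).
make_csr() {
  openssl req -config "$CA_DIR/ca.cnf" -new -newkey rsa:1024 -nodes -subj "$2" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
}

# RA Operator: the CSR self-signature must verify (proof of possession of the key)
# and the subject must end in the C/O/OU this CA issues under.
ra_check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | grep -q 'OU=GOC,O=NECTEC,C=TH$'
}

# CA Operator: sign for 13 months (395 days).
ca_issue() {
  openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -days 395 \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# CRL valid for 30 days; run on the 7-days-before-expiry schedule and after each revocation.
ca_gencrl() {
  openssl ca -config "$CA_DIR/ca.cnf" -gencrl -crldays 30 -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

# A revocation is followed immediately by a new CRL.
ca_revoke() {
  openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" >/dev/null 2>&1
  ca_gencrl
}

# Relying party: chain to the CA certificate and consult the current CRL.
verify_cert() {
  openssl verify -CAfile "$CA_DIR/ca.crt" -crl_check -CRLfile "$CA_DIR/crl.pem" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Number of serials listed on the current CRL.
crl_revoked_count() {
  openssl crl -in "$CA_DIR/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

# Walk-through: RUN_DEMO=1 sh issue.sh
demo() {
  init_ca
  make_csr user "/C=TH/O=NECTEC/OU=GOC/CN=Sornthep Vannarat/emailAddress=user@example.invalid"
  make_csr host "/C=TH/O=NECTEC/OU=GOC/CN=host\/grid64.hpcc.nectec.or.th"
  ra_check_csr "$CA_DIR/user.csr"; ra_check_csr "$CA_DIR/host.csr"
  ca_issue user; ca_issue host; ca_gencrl
  verify_cert user; verify_cert host
  ca_revoke user
  if verify_cert user; then echo "revoked certificate still verifies"; return 1; fi
  echo "CRL lists $(crl_revoked_count) revoked certificate(s); files in $CA_DIR"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

The USB transfer between the RA and CA machines that the slides describe is outside the script: the CSR and certificate files are simply the artifacts that cross that gap, and the RA check runs on the RA side before anything is copied to the offline CA machine.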
15
Physical Security
» CA Server:
  » Stored in a safe deposit box, which is protected by a six-digit code
  » Not connected to a network of any sort
  » Located in a room which is restricted to the CA Operator during its operations
» CA private key:
  » Protected by a 15-character passphrase
  » Backup on a USB drive, stored in the safe box by the CA Operator
16
CA Room & Equipments (1)
» CA Room
17
CA Room & Equipments (2)
» CA Machine
» UPS
» RA Server
18
CA Room & Equipments (3)
» Safe box
19
Records Archival
» Types of archived data:
  » All issued certificates and CRLs
  » All enrollment requests and notifications between the NECTEC-GOC CA and users
  » Operation history of the CA key
  » Events of interest, as described in CP/CPS section 4.7.1
» The retention period is 3 years.
» Archived files are stored on CD or DVD located in the NECTEC server room's safe box.
20
Key Pair
» CA private key generated by the CA Operator using OpenCA
» User and Grid Host key pairs generated by the User, e.g. with grid-cert-request
» Key Length:
  » CA Certificate: 2048 bits
  » End Entity Certificate: 1024 bits
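The key lengths on this slide and the lifetimes on slide 8 are the two limits that can be checked mechanically on every issued certificate. The following added example (not the NECTEC-GOC CA's tooling) does that with openssl; the self-signed sample certificates it creates are constructed only to exercise the checks, and the 396-day and 3653-day thresholds are a rounding of 13 months and 10 years.

```shell
#!/bin/sh
# Added example, not the NECTEC-GOC CA's own tooling: audits a certificate against
# the limits on the slides (CA: 2048-bit RSA, 10 years; end entity: 1024-bit RSA,
# 13 months). Assumed: openssl in PATH. The sample certificates are constructed,
# self-signed and used only to exercise the checks.
set -eu

# RSA modulus size in bits of the subject public key in a PEM certificate.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# 0 if the certificate is still valid $2 days from now, 1 if it expires sooner
# (openssl -checkend exits 0 when the certificate does NOT expire inside the window).
cert_outlives_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# $1 cert, $2 minimum key bits, $3 maximum lifetime in days. Intended for a cert
# just issued (the RA publication step), when the remaining lifetime equals the
# issued lifetime. Prints each violation; returns 1 if there was any.
audit_cert() {
  rc=0
  bits=$(cert_key_bits "$1")
  if [ -z "$bits" ] || [ "$bits" -lt "$2" ]; then
    echo "$1: key is ${bits:-not RSA} bits, minimum is $2"; rc=1
  fi
  if cert_outlives_days "$1" "$3"; then
    echo "$1: lifetime exceeds $3 days"; rc=1
  fi
  return $rc
}
audit_ee_cert() { audit_cert "$1" 1024 396; }   # 13 months, rounded up to 396 days
audit_ca_cert() { audit_cert "$1" 2048 3653; }  # 10 years including leap days

# Constructed sample: self-signed certificate with the given key size and lifetime
# ($1 output file, $2 RSA bits, $3 days). The private key is discarded.
make_sample_cert() {
  tmp=$(mktemp -d)
  printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > "$tmp/req.cnf"
  openssl req -config "$tmp/req.cnf" -x509 -new -newkey "rsa:$2" -nodes -days "$3" \
    -keyout "$tmp/key.pem" -out "$1" -subj "/C=TH/O=NECTEC/OU=GOC/CN=sample" 2>/dev/null
  rm -rf "$tmp"
}

# Walk-through: RUN_DEMO=1 sh audit.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  make_sample_cert "$d/ee.pem" 1024 395; make_sample_cert "$d/bad.pem" 1024 730
  audit_ee_cert "$d/ee.pem" && echo "$d/ee.pem: within policy"
  audit_ee_cert "$d/bad.pem" || echo "$d/bad.pem: rejected"
fi
```

Because `-checkend` measures from the current time, the lifetime check is exact only when run right after issuance; a certificate that has been in use for a while will always pass it, so the key-length check is the one that remains meaningful on an existing population of certificates.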
21
Contact Information
Sornthep Vannarat and Suriya U-ruekolan
National Electronics and Computer Technology Center, Grid Operation Center
112 Paholyotin Road, Klong 1, Klong Luang, Pathumthani 12120, Thailand
Tel: (662) 564-6900 ext 2278
Fax: (662) 564-6772
Email: [email protected]