NECTEC-GOC CA
The 3rd APGrid PMA face-to-face meeting, June 4, 2007
Suriya U-ruekolan
National Electronics and Computer Technology Center, Thailand
2
NECTEC-GOC CA Organization
[Organization chart: GRID CA PMA, CA Manager, RA Operator and CA Operator]
» GRID CA PMA: Policy Management Authority
» CA Manager: Administrates all tasks on the CA system
» RA Operator:
  » Accepts and verifies User Application form
  » Checks Certificate Signing Request form
  » Informs CA to issue certificate
» CA Operator:
  » Issues certificates
  » Manages CA and RA servers
  » Maintains the CA system
  » Manages CA private key
3
Update NECTEC GOC CA Status
» Accredited to be in Production Level by APGrid PMA in October 2006.
» Bundled with IGTF CA distribution.
» Started operation in January 2007.
» Web Repository
  » Moved from ThaiSarn to the NECTEC local network for better stability.
4
Issued Certificate Status
» No certificates have been issued yet.
» NECTEC GOC CA issues certificates to:
  » Collaborators related to NECTEC Grid Computing research.
  » Computational Fluid Dynamics Grid projects.
  » Information Grid project.
5
Plan
» NECTEC GOC CA has plans to:
  » Draft the CP/CPS according to RFC 3647 in October 2007.
  » Conduct an internal audit after the CP/CPS is drafted.
6
Detail report on compliance with the latest Classic Authentication profile
7
Identity and End-Entity certificate expiration
» User and Grid Host Certificate:
  » Subscriber meets in person with the RA Operator
  » RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]
  » RA communicates with the CA by signed emails.
» NECTEC GOC CA uses the re-key certificate method.
8
Operation Requirements
» CA Server:
  » Stored in a safe deposit box, which is protected by a six-digit code
  » Not connected to a network of any sort
  » Located in a room which is restricted to the CA Operator during its operations
» CA private key:
  » Key length 2048 bits and lifetime 10 years
  » Protected by a 15-character passphrase.
  » Backup on a USB drive, stored in the safe box by the CA Operator.
9
CP/CPS Identification
» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527 (plan to draft according to RFC 3647 in October 2007)
» Managed by the NECTEC GRID PMA
» Changes in contents need to be approved by the NECTEC GRID PMA
10
Certificate and CRL profile (1)
» CA's Certificate:
  » DN: C=TH,O=NECTEC,OU=GOC,CN=NECTEC GOC CA
  » Signature Algorithm: sha1WithRSAEncryption.
  » Extensions field:
    basicConstraints: critical, CA:TRUE
    keyUsage: critical, digitalSignature, cRLSign, keyCertSign
11
Certificate and CRL profile (2)
» End-Entity Certificate:
  » Key length is 1024 bits and lifetime 13 months.
  » Extensions field:
    basicConstraints: critical, CA:false
    keyUsage: critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment (User Certificate); digitalSignature, keyEncipherment, dataEncipherment (Host Certificate)
    policyIdentifier: OID (refer to CPS 1.2)
    cRLDistributionPoints: URI of the CRL
    subjectAlternativeName: Email address of the user (User Certificate)
    subjectAlternativeName: FQDN (Host Certificate)
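As an added example (not from the slides or from NECTEC's own CA tooling), the following OpenSSL script builds a throw-away CA and user certificate with the extension profile from slides 10 and 11 and then checks the issued certificate against that profile, which is the check a relying party or an auditor would run. It assumes an `openssl` binary (1.1.1 or later) and uses constructed subject names, e-mail address and CRL URI; it signs with SHA-256 and 2048-bit keys because the sha1WithRSAEncryption and 1024-bit user keys on the slides are below current minimums.

```shell
#!/bin/sh
# Added example, not from the NECTEC GOC CA slides. Subject names, file names,
# the e-mail address and the CRL URI below are constructed placeholders.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > profile.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = TH
O = NECTEC
OU = GOC
CN = NECTEC GOC CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[user_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
subjectAltName = email:user@example.org
crlDistributionPoints = URI:http://crl.example.invalid/placeholder.r0
EOF
# CA certificate: 2048-bit key, 10-year lifetime (slide 8). Signed with SHA-256
# instead of the slides' sha1WithRSAEncryption, which verifiers now reject.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 3650 -config profile.cnf -extensions ca_ext 2>/dev/null
# User certificate: 13-month lifetime as on slide 11; 2048-bit key instead of
# the slides' 1024 bits, which is below today's minimum.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -config profile.cnf -subj "/C=TH/O=NECTEC/OU=GOC/CN=Example User" 2>/dev/null
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 395 -extfile profile.cnf -extensions user_ext -out user.pem 2>/dev/null
# Returns 0 only if the certificate chains to ca.pem and carries the critical
# basicConstraints CA:FALSE, critical keyUsage with nonRepudiation, the e-mail
# subjectAltName and the CRL distribution point that the end-entity profile requires.
check_user_profile() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 || return 1
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -A1 'Basic Constraints: critical' | grep -q 'CA:FALSE' || return 1
  echo "$txt" | grep -A1 'Key Usage: critical' | grep -q 'Non Repudiation' || return 1
  echo "$txt" | grep -q 'email:user@example.org' || return 1
  echo "$txt" | grep -q 'URI:http://crl.example.invalid/placeholder.r0'
}
check_user_profile user.pem && echo "user.pem matches the end-entity profile"
```

Run against ca.pem instead, the check fails on CA:TRUE, which is the mistake (an end-entity certificate issued with CA capability) the critical basicConstraints on slide 11 is there to rule out.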
12
Certificate and CRL profile (3)
» Complies with RFC 3280.
» CRL profile:
  » Basic fields: Version: 2; algorithmIdentifier: SHA1
  » Extensions field: cRLNumber: integer; distributionPointName: URI of the CRL
13
CRL
» CRL validity is 30 days.
» New CRL issued:
  » 7 days before expiration of the previous one.
  » immediately after certificate revocation.
» Published in the web repository.
14
Publication and Repository
» The NECTEC GOC CA repository consists of:
  » CP/CPS.
  » CA's Certificate (DER, CRT and PEM format).
  » CRL (DER, PEM and r0 format).
  » Application form, user guide and contact information.
http://gridca.hpcc.nectec.or.th
15
END
Any comment or suggestion?