Community PKIs Initiatives Updates TF-EMC2 Meeting Loughborough, UK 6-7 May, 2009 Licia Florio, TERENA [email protected]


Slide 1: Community PKIs Initiatives Updates

TF-EMC2 Meeting, Loughborough, UK, 6-7 May 2009

Licia Florio, TERENA, [email protected]


Slide 2: Aim of the work item

› Overseeing the patterns of usage and emerging technologies that might be relevant to support NREN services;
› Proposing enhancements for the current PKI services;
› Promoting the current PKI services to other communities.


Slide 3: PKI Initiatives

› SCS service:
  › Soon to be known as TCS;
› TERENA MICS/SLCS Pilot Service Project;
› TACAR.


Slide 4: TERENA Certificates Service


Slide 5: SCS → TCS

› Current SCS:
  › Provided by GlobalSign BV;
  › Only SSL server certs;
  › More than 20,000 certs issued;
  › Operating till March 2010;
› New SCS service:
  › Comodo CA;
  › Expected to start in May 2009;
› Model:
  › Yearly flat fee per NREN;
  › TERENA is the contractual party;
  › A dedicated TERENA sub-CA;
› Participating NRENs can also buy client certificates and code-signing certificates:
  › Upon an extra flat fee;
› TCS: TERENA Certificate Services.


Slide 6: Who is in SCS

› Participants:
  › Switzerland out;
  › Greece and Finland will now participate.


Slide 7: What has been done

› Lots of work spent on certificate profiles:
  › Finally ready since last Friday;
  › Profiles also for eScience server and client certs;
› Test CA expected in 10 days:
  › To test certificates and interfaces;
› Writing the CPS for the TERENA sub-CA:
  › The first version of the CPS will only cover SSL server certs;
  › Client and code-signing cert procedures will be addressed later.


Slide 8: What's next

› Test phase:
  › Two-week period for the test;
› Launching the SSL server certs:
  › Available for all participating NRENs;
› More work on the API:
  › The current prototype does not cover client and code-signing certs;
› Accreditation with the EuGridPMA.


Slide 9: A new PKI Service


Slide 10: TERENA MICS/SLCS Pilot Service Project

› Aim:
  › Establish a shared SLCS/MICS pilot service for the (European) eScience Grid community, under the TERENA umbrella;
  › SLCS/MICS CA serving all participating countries;
  › EuGridPMA accreditation;
  › Allow for scalability;
› The service will issue X.509 certs to persons:
  › No hosts.


Slide 11: Grid CAs Management

› Grid uses X.509 certs as the authN credential;
› Three types of certs are possible:
  › Classic;
  › Short Lived Credential Service (SLCS);
  › Member Integrated Credential Service (MICS);
› Grid CAs have to be accredited by the IGTF:
  › EuGridPMA (Europe);
  › TAGPMA (Americas);
  › APGridPMA (Asia-Pacific).


Slide 12: What are SLCS/MICS certs?

› Vetting process and cert lifetime differ:
› Classic:
  › Face-to-face verification of end-entities needed;
  › Manual process at RA level;
  › Cert validity: 13 months, but renewal of certs is possible without a new face-to-face validation.
› SLCS/MICS:
  › Vetting process relies on the existing AAI framework;
  › User authenticates to the CA using an existing electronic identity;
  › This identity is mapped into a Grid cert;
  › SLCS certs are valid for 10 days;
  › MICS certs are valid for 13 months.


Slide 13: Benefit of EU SLCS/MICS Service

› How many SLCS-CAs does Europe need? ;)
› Share operational cost and effort (!):
  › Continued operational PKI skills only needed in one place;
  › Very attractive for countries with limited resources.


Slide 14: More about the service

› Use a specific federation attribute to decide on SLCS or MICS eligibility:
  › According to the rules defined by the EuGridPMA SLCS/MICS profiles.
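As an added illustration (not code from the presentation or from the pilot project), the following Python sketches the SLCS/MICS rules stated on slides 12 and 14: an assumed federation attribute (here a hypothetical `assurance` value, since the slides do not name the attribute) selects the profile, the federated identity is mapped into a hypothetical certificate subject layout, and an issued certificate's validity is audited against the 10-day (SLCS) or 13-month (MICS) limit.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Lifetime limits as stated on slide 12: SLCS certs 10 days, MICS certs 13 months.
SLCS_MAX = timedelta(days=10)
MICS_MAX_MONTHS = 13

# ASSUMED eligibility rule: slide 14 only says "a specific federation attribute"
# decides; here a hypothetical 'assurance' attribute value selects the profile.
ELIGIBILITY = {"high": "MICS", "medium": "SLCS"}

# Constructed sample of attributes released by a federation IdP (not real data).
SAMPLE_ATTRS = {"eppn": "alice@example.org", "cn": "Alice Example",
                "org": "Example University", "assurance": "high"}

def add_months(dt, months):
    """Add calendar months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    m = dt.month - 1 + months
    year, month = dt.year + m // 12, m % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def decide_profile(attrs):
    """Return 'SLCS', 'MICS' or None for the attributes released for a user."""
    if not attrs.get("eppn"):  # no persistent electronic identity: nothing to map
        return None
    return ELIGIBILITY.get(attrs.get("assurance"))

def map_identity_to_subject(attrs, profile):
    """Map the federated identity into a Grid cert subject (hypothetical DN layout)."""
    return f"/O=TERENA-pilot/OU={profile}/O={attrs['org']}/CN={attrs['cn']} {attrs['eppn']}"

def validity_window(profile, not_before):
    """notBefore/notAfter for a cert issued at not_before under the given profile."""
    if profile == "SLCS":
        return not_before, not_before + SLCS_MAX
    if profile == "MICS":
        return not_before, add_months(not_before, MICS_MAX_MONTHS)
    raise ValueError("user is not eligible for any profile")

def lifetime_within_profile(profile, not_before, not_after):
    """Audit check on an issued cert: its lifetime must not exceed the profile limit."""
    _, limit = validity_window(profile, not_before)
    return not_before < not_after <= limit

if __name__ == "__main__":
    profile = decide_profile(SAMPLE_ATTRS)
    nb, na = validity_window(profile, datetime(2009, 5, 6, tzinfo=timezone.utc))
    print(profile, map_identity_to_subject(SAMPLE_ATTRS, profile), nb, na)
```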


Slide 15: Who is involved?

› UNINETT:
  › Jan Meijer, project management: project description, CPS;
  › Henrik Austad: Confusa development;
› SURFnet:
  › Teun Nijssen, Tilburg University: CA + SLCS/MICS server ops, CPS, EuGridPMA accreditation maintenance;
› SUNET:
  › Leif Johansson: federation issues;
› TERENA:
  › Licia Florio: contractual party;
› Denmark, Finland, the Netherlands, Norway and Sweden:
  › Until Dec 2009;
› From Jan 2010 other countries/NRENs may join.


Slide 16: Status

› Project description almost ready:
  › Financial model not fully defined yet;
› Work on the CPS:
  › Presentation at the next EuGridPMA meeting in May;
› Start operations in June:
  › Quite optimistic ;-)


Slide 17: TACAR


Slide 18: New Developments

› TACAR will also be used to host GN3 root CAs:
  › So far only a couple;
  › But more are expected in the future;
› TACAR is still being used as the official IGTF repository;
› Working with Massimiliano Pala:
  › To use TACAR for the PKI Resource Query Protocol (PRQP):
    › To provide a standardised way to query PKI repositories and gather info on CAs;
  › New UI:
    › Different way to update info;
    › Different policy.