Terena server certificate service
Sponsored Links
This presentation is the property of its rightful owner.
1 / 19

TERENA Server Certificate Service PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on
  • Presentation posted in: General

TERENA Server Certificate Service. Towards the large-scale use of affordable popup-free server certificates for the European NRENs. Licia Florio TERENA. Topics. PKI and X.509 certificates Motivation for the TERENA Server Certificate Project What is the project Service Characteristics

Download Presentation

TERENA Server Certificate Service

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


TERENA Server Certificate Service

Towards the large-scale use of affordable popup-free server certificates for the European NRENs

Licia Florio

TERENA

EuroCAMP Ljubljana,

3-5 March 2006


Topics

  • PKI and X.509 certificates

  • Motivation for the TERENA Server Certificate Project

  • What is the project

  • Service Characteristics

  • Why joining

licia@terena.nl


Diego’s priv key

Diego’s pub key

Dear

I’ve arrived in Slovenia..

Dear

I’ve arrived in Slovenia..

Dear

I’ve arrived in Slovenia..

Decryption

Encryption

Diego

Licia

PKI in short

  • Public key cryptography

    - public key (encryption, signature verification)

    - private key (decryption, signing)

licia@terena.nl


Problems

  • Public Key distribution

  • Building trust

  • Scalability

  • Solution: create a hierarchical trust fabric: X.509 PKI

licia@terena.nl


X.509 PKI Infrastructure

  • What are the elements

    - Certification Authority (CA)

    * Certificates issuer (trusted 3d party)

    - X.509 Certificates

    * Bind the pub key to the holder

    - Registration Authority (RA)

    *Identity verification

    - End Entity

    * Private key holder (machine, end-user)

    - Relying parties

    *Users

licia@terena.nl


Real X.509 Certificate Usage Today

  • Grid (closed community)

    - Use both server and user certs

  • Web servers

    - Only server certificates

    - In many case with pop-up problem

    Large scale user certificate use: nowhere !

licia@terena.nl


The Famous Pop-up:PKI Problem#1

  • Due to the fact that the issuer of the certificate is not trusted by the browsers

licia@terena.nl


TERENA Server Certificate Service

  • What is it about?

    • - Service…of course ;-) in short SCS

  • To issue server certificates

    - popup free

    - unlimitednumber

    - Very low price

    (price is not per certificate)

  • For whom?

    • For the National Research and Education Network community in Europe

licia@terena.nl


When SCS started

  • Project started in june 2004

  • European NREN PKIs around for ~7 years

    - But still not really deployed

  • Anticipated growth in need:

    - AAI middleware services

    - Web-based ‘stuff’ (mail, e-learning, webservices etc.)

    - VPN, email

    - eduroam

  • Community needs more server certificates

licia@terena.nl


PKI Growth Problems

  • Pop-up Problem#1

    - Typically for NRENs CA

    - Defeats the security purpose of the certificate

  • Costs Problem#2

    - For a large number of server certificates costs can become a problem

licia@terena.nl


Solution 1

  • Fixing the pop-up problem

    - Get root certificate in root repositories

    - Requires webtrust audit

    - Expensive for an individual NREN PKI (~25.000 first time, annual ~25.000 for the audits, plus all the costs to follow guidelines) --> CA hierarchy adds to cost!

  • Running a CA

    • Is that so interesting?

licia@terena.nl


Solution 2

  • Fixing the costs

    - Try to contract a CA already in the browser

    - Flexibility in the certificates profiles definitions

    - Tailored RA procedures

    - Not per certificate costs

licia@terena.nl


Solution 2: the way forward

  • 8 NRENs + TERENA combined forces (proposal launched feb. 2005)

  • Investigated market

  • Investigated EU tender guidelines

  • Ran a light-weight tender (start Sep 2005)

  • Signed a contract (Jan 2006)

  • First certificate issued on 16 March 2006 !

licia@terena.nl


Who is involved

  • ACOnet (.at),

  • CARnet (.hr),

  • CESnet (.cz),

  • RedIRIS (.es),

  • RENATER (.fr),

  • SURFnet (.nl),

  • SWITCH (.ch)

  • UNI-C (.dk),

  • TERENA signing party

licia@terena.nl


Service Structure

  • TERENA contracts with supplier

    - For an initial one year

    - Possibility to extend the contract

  • NRENs contract with TERENA (liability!)

  • NRENs are ‘delegated RA’ for the supplier

  • TERENA appoints delegated RAs

  • NRENs are responsible for delivering RA services and technical support

licia@terena.nl


Service Features

  • Re-use existing RA organisation

  • Certificate profile flexibility (Grids!)

  • Electronic RA procedures (under implementation)

  • Easy server certificate delivery

  • NREN-specific branding!

licia@terena.nl


Benefits for the Universities

  • Need server certificates to enable SSL/TLS channels

  • Very low costs upon agreement with your NRENs

licia@terena.nl


How to join

  • Your NREN has to join

  • After June 06 we can open to service to new NRENs

    • Some NRENs are already waiting

  • There is fee to pay to join

licia@terena.nl


Conclusion

  • To make security tools a normal habit, they need to be easy to use

    • Scs is easy

  • SCS proves how a ‘federated’ approach has solved a big problem

  • We got a cool service 

  • http://www.terena.nl/activities/tf-emc2/scs.html

licia@terena.nl


  • Login