TERENA Server Certificate Service

Towards the large-scale use of affordable popup-free server certificates for the European NRENs

Licia Florio

TERENA

EuroCAMP Ljubljana,

3-5 March 2006


Topics

  • PKI and X.509 certificates

  • Motivation for the TERENA Server Certificate Project

  • What is the project

  • Service Characteristics

  • Why joining

[email protected]


PKI in short

[Diagram: Diego’s private key and Diego’s public key; the message “Dear, I’ve arrived in Slovenia..” shown between Diego and Licia before encryption, in transit, and after decryption]

  • Public key cryptography

    - public key (encryption, signature verification)

    - private key (decryption, signing)



Problems

  • Public Key distribution

  • Building trust

  • Scalability

  • Solution: create a hierarchical trust fabric: X.509 PKI



X.509 PKI Infrastructure

  • What are the elements?

    - Certification Authority (CA)

      * Certificate issuer (trusted third party)

    - X.509 Certificates

      * Bind the public key to its holder

    - Registration Authority (RA)

      * Identity verification

    - End Entity

      * Private key holder (machine, end-user)

    - Relying parties

      * Users



Real X.509 Certificate Usage Today

  • Grid (closed community)

    - Uses both server and user certificates

  • Web servers

    - Only server certificates

    - In many cases with the pop-up problem

  Large-scale user certificate use: nowhere!



The Famous Pop-up: PKI Problem #1

  • Caused by the issuer of the certificate not being trusted by the browsers



TERENA Server Certificate Service

  • What is it about?

    - A service… of course ;-) in short, SCS

  • To issue server certificates

    - pop-up free

    - unlimited number

    - very low price (the price is not per certificate)

  • For whom?

    - The National Research and Education Network community in Europe



When SCS started

  • Project started in June 2004

  • European NREN PKIs have been around for ~7 years

    - But still not really deployed

  • Anticipated growth in need:

    - AAI middleware services

    - Web-based ‘stuff’ (mail, e-learning, webservices etc.)

    - VPN, email

    - eduroam

  • Community needs more server certificates



PKI Growth Problems

  • Pop-up: Problem #1

    - Typical for NREN CAs

    - Defeats the security purpose of the certificate

  • Costs: Problem #2

    - For a large number of server certificates, costs can become a problem



Solution 1

  • Fixing the pop-up problem

    - Get the root certificate into the browsers’ root repositories

    - Requires a WebTrust audit

    - Expensive for an individual NREN PKI (~25.000 the first time, ~25.000 annually for the audits, plus all the costs of following the guidelines) --> a CA hierarchy adds to the cost!

  • Running a CA

    - Is that so interesting?
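Problem #1 and Solution 1 in working code, as an added example that is not part of the original slides: a throwaway NREN-style CA issues a server certificate, and a relying party checks it once with a root store that does not contain the NREN root (the browser that shows the pop-up) and once after that root has been added. "Example NREN CA" and www.example.org are constructed names; the code uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the signer's key under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildTestPKI plays the NREN CA: a self-signed root plus one server certificate it issued
// ("Example NREN CA" and www.example.org are constructed names for this example).
func BuildTestPKI() (root, server *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example NREN CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // parent == template: self-signed root
	server = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.org"},
		DNSNames: []string{"www.example.org"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, &srvKey.PublicKey, caKey)
	return root, server
}

// Trusted is the relying party's decision: does the server cert chain to a root in its store? false = pop-up.
func Trusted(server *x509.Certificate, roots *x509.CertPool) bool {
	_, err := server.Verify(x509.VerifyOptions{DNSName: "www.example.org", Roots: roots})
	return err == nil
}

func main() {
	root, server := BuildTestPKI()
	browser := x509.NewCertPool() // a root repository that does not contain the NREN CA
	fmt.Println("NREN root absent from the store: ", Trusted(server, browser))
	browser.AddCert(root) // Solution 1: get the root certificate into the root repository
	fmt.Println("NREN root present in the store:  ", Trusted(server, browser))
}
```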



Solution 2

  • Fixing the costs

    - Contract a CA whose root is already in the browsers

    - Flexibility in the certificate profile definitions

    - Tailored RA procedures

    - No per-certificate costs



Solution 2: the way forward

  • 8 NRENs + TERENA combined forces (proposal launched Feb. 2005)

  • Investigated the market

  • Investigated EU tender guidelines

  • Ran a light-weight tender (started Sep 2005)

  • Signed a contract (Jan 2006)

  • First certificate issued on 16 March 2006!



Who is involved

  • ACOnet (.at)

  • CARnet (.hr)

  • CESnet (.cz)

  • RedIRIS (.es)

  • RENATER (.fr)

  • SURFnet (.nl)

  • SWITCH (.ch)

  • UNI-C (.dk)

  • TERENA (signing party)



Service Structure

  • TERENA contracts with the supplier

    - For an initial one-year term

    - With the possibility to extend the contract

  • NRENs contract with TERENA (liability!)

  • NRENs are ‘delegated RAs’ for the supplier

  • TERENA appoints the delegated RAs

  • NRENs are responsible for delivering RA services and technical support



Service Features

  • Re-use existing RA organisation

  • Certificate profile flexibility (Grids!)

  • Electronic RA procedures (under implementation)

  • Easy server certificate delivery

  • NREN-specific branding!



Benefits for the Universities

  • Universities need server certificates to enable SSL/TLS channels

  • Very low costs, upon agreement with your NREN



How to join

  • Your NREN has to join

  • After June 2006 we can open the service to new NRENs

    - Some NRENs are already waiting

  • There is a fee to pay to join



Conclusion

  • To make security tools a normal habit, they need to be easy to use

    - SCS is easy

  • SCS proves how a ‘federated’ approach has solved a big problem

  • We got a cool service

  • http://www.terena.nl/activities/tf-emc2/scs.html
