NECTEC-GOC CA



APGrid PMA face-to-face meeting. October, 15 2006

Sornthep Vannarat, National Electronics and Computer Technology Center, Thailand

Introduction
  • NECTEC: National Electronics and Computer Technology Center
    • Government research institute under Ministry of Science
    • For electronics, telecommunication, computer and information technologies including Grid Computing
  • NECTEC GOC CA:NECTEC GRID Operation Center Certificate Authority
    • Large Scale Simulation Research Laboratory,
    • Network Technology Laboratory
    • Thai Computer Emergency Response Team
CP/CPS
  • Current version: 1.0 (October, 2006)
  • Object ID:
  • Conforms to RFC 2527
  • Managed by the NECTEC GRID PMA
    • Changes in contents need to be approved by the NECTEC GRID PMA
NECTEC-GOC CA Organization

(Organization chart: CA Manager, CA Operator, RA Operator)

  • GRID CA PMA: Policy Management Authority
  • CA Manager: Administers all tasks on the CA system
  • RA Operator:
    • Accepts and verifies User Application form
    • Checks Certificate Signing Request form
    • Informs CA to issue certificate
  • CA Operator:
    • Issues certificates
    • Manages CA and RA servers
    • Maintains the CA system
    • Manages CA private key

Remove CP/CPS 2.2.5

End Entity
  • NECTEC-GOC CA issues certificates for the following subjects:
    • Users of NECTEC.
    • Users of domestic Grid-based applications or projects.
    • Collaborators related to NECTEC Grid Computing research.
Certificate Type
  • User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/[email protected]
  • Grid Host Certificate: C=TH,O=NECTEC,OU=GOC,CN=host/
Identification and Authentication
  • User and Grid Host Certificate:
    • Subscriber meets in person with the RA Operator
    • RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]
Certificate Restrictions
  • Certificate Lifetime:
    • 13 months for End Entity certificate.
    • 10 years for CA certificate.
Issuing Certificates
  • End entities request certificates
    • Each generates its own key pair
    • Submits the Application and Certificate Signing Request forms
  • RA Operator checks the requests
    • RA Operator uses a secure communication method, e.g. signed and encrypted email
Issuing Certificates (cont’d)
  • RA Operator transfers the requests to the CA Operator
    • RA Operator tars the CSRs and copies the tarball to a USB drive
    • CA Operator copies the tarball from the USB drive to the CA machine
Issuing Certificates (cont’d)
  • CA Operator checks the CSRs and issues certificates
  • CA Operator transfers the certificates to the RA Operator
    • CA Operator tars the certificates and copies the tarball to a USB drive
    • RA Operator copies the tarball onto the RA server
  • RA Operator publishes the certificates on the website and informs users by email
Certificate Revocation
  • Certificates are revoked when
    • User's private key is compromised
    • Inaccurate user information is suspected
    • User obligations are violated (CPS 2.1.4)
    • CA private key is compromised
    • User leaves his/her organization
Revocation Request Procedure
  • Revocation requests can be submitted through the web interface or to the CA Manager
  • CRL validity is 30 days.
  • New CRL issued
    • 7 days before expiration of previous one
    • immediately after certificate revocation
Physical Security
  • CA Server:
    • Stored in a safe deposit box protected by a six-digit code
    • Not connected to a network of any sort
    • Located in a room restricted to the CA Operator during CA operations
  • CA private key:
    • Protected by a 15-character passphrase.
    • Backed up on a USB drive and stored in the safe box by the CA Operator.
CA Room & Equipment (2)
  • RA Server
  • CA Machine
  • UPS
Records Archival
  • Types of archive data:
    • All issued certificates and CRLs
    • All enrollment requests and notifications between the NECTEC-GOC CA and users.
    • Operation history of the CA key
    • Events of interest, as described in CP/CPS section 4.7.1
  • The retention period is 3 years.
  • Archived files are stored on CD or DVD in the NECTEC server room's safe box.
Key Pair
  • CA private key generated by the CA Operator using OpenCA
  • User and Grid Host key pairs generated by the user, e.g. with grid-cert-req
  • Key Length:
    • CA Certificate: 2048 bits
    • End Entity Certificate: 1024 bits
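The naming scheme, certificate lifetimes, key lengths and CRL schedule stated on the slides can be turned into a conformance check that an RA or CA operator (or an auditor) runs over issued certificates before publication. The following is an added example, not code from the NECTEC-GOC CA or OpenCA; it uses only the Python standard library and takes its policy values from the slides (the 13 months / 10 years lifetimes are treated as maxima). Assumptions: a user CN has the form "<name>/<e-mail>" (the e-mail is masked in the transcript), a host CN is "host/<fqdn>", the CA's own subject DN and the sample subjects are constructed, and 1024-bit RSA is flagged as the deck's 2006 value rather than a recommendation.

```python
import re
from datetime import date, timedelta

# Policy values taken from the slides.
BASE_DN = [("C", "TH"), ("O", "NECTEC"), ("OU", "GOC")]
EE_LIFETIME_MONTHS = 13          # end-entity certificate lifetime (treated as a maximum)
CA_LIFETIME_YEARS = 10           # CA certificate lifetime (treated as a maximum)
MIN_KEY_BITS = {"ca": 2048, "user": 1024, "host": 1024}  # 1024-bit RSA is the 2006 value; no longer considered adequate
CRL_VALIDITY_DAYS = 30
CRL_REISSUE_LEAD_DAYS = 7


def parse_dn(dn):
    """Split 'C=TH,O=NECTEC,OU=GOC,CN=...' into ordered (attr, value) pairs.
    Whitespace around separators is tolerated (the slide shows 'OU=GOC, CN=host/').
    Limitation: a comma inside a value would need escaping, which this does not handle."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def classify_subject(dn):
    """Return 'user' or 'host' when the DN follows the slide's naming scheme, else None.
    Assumption: user CN is '<name>/<e-mail>', host CN is 'host/<fqdn>'."""
    pairs = parse_dn(dn)
    if pairs[:3] != BASE_DN or len(pairs) != 4 or pairs[3][0] != "CN":
        return None
    cn = pairs[3][1]
    if cn.startswith("host/"):
        return "host" if re.fullmatch(r"host/[A-Za-z0-9.-]+", cn) else None
    name, sep, email = cn.partition("/")
    if sep and name and re.fullmatch(r"[^@\s]+@[^@\s]+", email):
        return "user"
    return None


def add_months(d, n):
    """Calendar-month arithmetic for the '13 months' rule; clamps to month end (Jan 31 + 1 -> Feb 28/29)."""
    month = d.month - 1 + n
    year = d.year + month // 12
    month = month % 12 + 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def max_not_after(kind, not_before):
    """Latest permitted notAfter for a certificate of the given kind."""
    if kind == "ca":
        return add_months(not_before, 12 * CA_LIFETIME_YEARS)
    return add_months(not_before, EE_LIFETIME_MONTHS)


def check_certificate(cert):
    """cert: dict with 'subject', 'kind' ('ca'/'user'/'host'), 'not_before', 'not_after', 'key_bits'.
    Returns the list of CP/CPS violations found (empty list means the record conforms)."""
    problems = []
    kind = cert["kind"]
    if kind != "ca" and classify_subject(cert["subject"]) != kind:
        problems.append("subject DN does not follow the C=TH,O=NECTEC,OU=GOC naming scheme")
    if cert["not_after"] > max_not_after(kind, cert["not_before"]):
        problems.append("lifetime exceeds CP/CPS limit")
    if cert["key_bits"] < MIN_KEY_BITS[kind]:
        problems.append("key shorter than CP/CPS minimum")
    return problems


def crl_reissue_due(last_issued, today, revoked_since_last=False):
    """A new CRL is due 7 days before the previous 30-day CRL expires, or immediately after a revocation."""
    next_update = last_issued + timedelta(days=CRL_VALIDITY_DAYS)
    return revoked_since_last or today >= next_update - timedelta(days=CRL_REISSUE_LEAD_DAYS)


if __name__ == "__main__":
    # Constructed sample records, not real NECTEC-GOC certificates.
    sample = {"subject": "C=TH,O=NECTEC,OU=GOC,CN=host/grid01.example.org", "kind": "host",
              "not_before": date(2006, 10, 15), "not_after": date(2007, 11, 15), "key_bits": 1024}
    print("violations:", check_certificate(sample))
    print("CRL reissue due on 2006-11-07:", crl_reissue_due(date(2006, 10, 15), date(2006, 11, 7)))
```

The lifetime check uses calendar months rather than a fixed number of days so that a certificate issued on the 15th of a month is allowed to run to the 15th thirteen months later, which is how a CP/CPS stated in months is normally read; the CRL helper encodes the same "7 days before expiry or immediately after a revocation" rule the slides describe, so it can drive a cron-style reminder for the CA Operator.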
Contact Information

Sornthep Vannarat and Suriya U-ruekolan

National Electronics and Computer Technology Center

Grid Operation Center

112 Paholyotin Road,

Klong 1, Klong Luang,

Pathumthani 12120 Thailand

Tel: (662) 564-6900 ext 2278

Fax: (662) 564-6772

Email: [email protected]