GRID-FR


GRID-FR. French CA http://igc.services.cnrs.fr/GRID-FR Alice de Bignicourt. Outline. Requirement to access to the GRID GRID-FR CA Certificate Statistics. Requirement to access to GRID. User certificate (authentication) Access to VO or VOMS (authorization)


GRID-FR

French CA

http://igc.services.cnrs.fr/GRID-FR

Alice de Bignicourt

Outline
  • Requirements to access the GRID
  • GRID-FR CA
  • Certificate
  • Statistics
Requirements to access the GRID
  • User certificate (authentication)
  • Access to VO or VOMS (authorization)
  • User interface or web service access
Outline
  • Requirements to access the GRID
  • About GRID-FR CA
  • Certificate
  • Statistics
About GRID-FR CA
  • CA = Certification Authority
  • CA GRID-FR
    • Issues certificates for institutes participating in GRID projects in which CNRS is involved:
      • EGEE, LCG, DEISA, Grid 5000, ILDG, E-Sciences, Integrative Biology, …
  • Issues user, server and service certificates to:
    • French public and private institutes
    • Foreign public and private institutes, non-HEP, that do not have a CA of their own (catch-all).
About GRID-FR CA

Composition of a CA

  • CA : Certification Authority
  • RA : Registration Authority
  • EE : End Entity (person, host, service)
  • Certificate repository
    • Certificates (EE, CAs)
    • CRLs
  • Validation Service
  • Encipherment Private Key Recovery Service
About GRID-FR CA
  • GRID-FR signature algorithm
    • SHA1
  • CRL = Certificate Revocation List
    • Generated each night
    • Lifetime: 1 month
    • Dedicated download server:
      • crls.services.cnrs.fr
  • EUGridPMA requirements
    • European Policy Management Authority for Grid Authentication (http://www.eugridpma.org)
    • Activity :
      • To verify the minimum requirements
      • To accredit new CAs
GRID-FR in the CNRS PKI

[Diagram: the CNRS PKI hierarchy. Labels: CNRS, CNRS-Standard, CNRS-Plus, CNRS-Projets, GRID-FR, SSI, Partenaires-CNRS]
Outline
  • Requirements to access the GRID
  • GRID-FR CA
  • Certificate
  • Statistics
X509v3 Certificate
  • Asymmetric encryption algorithm
  • Accredited by the trusted CA
  • Certificate for:
    • User
    • Host
    • Service
  • Pair of 2 keys:
    • Private key
      • NOT communicated
      • Encrypted and protected by a password
    • Public key (distributed as the certificate)
      • Signed by CA
      • Published
Structure of an X509 certificate
  • Certificate
    • Version
    • Serial Number
    • Algorithm ID
    • Issuer
    • Validity
      • Not Before
      • Not After
    • Subject
    • Subject Public Key Info
      • Public Key Algorithm
      • Subject Public Key
    • Issuer Unique Identifier (Optional)
    • Subject Unique Identifier (Optional)
    • Extensions (Optional)
      • ...
  • Certificate Signature Algorithm
  • Certificate Signature

(Issuer and subject unique identifiers were introduced in Version 2, Extensions in Version 3)

Example 1/2

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1323 (0x52b)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=FR, O=CNRS, CN=GRID-FR
        Validity
            Not Before: Oct 3 13:13:42 2006 GMT
            Not After : Oct 3 13:13:42 2007 GMT
        Subject: O=GRID-FR, C=FR, O=CNRS, OU=UREC, CN=Alice De Bignicourt
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f6:48:51:86:3f:c3:0e:5a:1d:69:9e:c9:a7:4c:
                    25:d8:a1:e7:5a:9c:6f:50:d4:d6:34:ab:3f:57:a7:
                    60:d9:f1:3d:58:43:3a:ca:90:fb:51:9d:2f:4a:3e:
                    10:d4:14:4e:48:ca:6b:9f:d0:ac:f0:b5:94:bb:15:
                    d6:43:49:91:37:72:75:0e:1b:89:d2:7c:76:db:25:
                    60:d1:fd:fc:b5:20:78:18:cb:11:a3:73:9a:e3:2b:
                    ab:a3:cd:7c:0c:6c:9a:3a:19:5e:cb:10:e6:66:f4:
                    8e:02:aa:8f:1b:12:e0:f8:42:5e:68:a8:53:1b:f6:
                    c6:00:92:f0:76:77:6b:f9:cd
                Exponent: 65537 (0x10001)

(Slide callouts: Serial Number, CA Issuer, Validity, Subject, Public Key)


Example 2/2

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME, Object Signing
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            Netscape Comment: Certificat GRID-FR. Pour toute information se reporter à http://igc.services.cnrs.fr/GRID-FR/
            X509v3 Subject Key Identifier:
                C6:89:EF:A4:82:41:0A:3A:CB:EB:BE:36:69:35:AA:CB:27:E6:15:CC
            X509v3 Authority Key Identifier:
                keyid:77:49:79:C1:F6:BB:92:F0:EC:08:C3:EE:D1:9C:B0:77:10:8C:93:2F
                DirName:/C=FR/O=CNRS/CN=CNRS-Projets
                serial:0C
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.10813.1.1.8.1.0
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 CRL Distribution Points:
                URI:http://crls.services.cnrs.fr/GRID-FR/getder.crl
            1.3.6.1.4.1.7650.1:
                unicoreClient
    Signature Algorithm: md5WithRSAEncryption
        a6:35:3a:d8:50:2c:ab:d8:8e:67:fd:54:cf:9c:65:76:1d:31 ../..

(Slide callouts: Use of the certificate, Version of the CA’s CP/CPS, E-mail address, CRL)

Information in the X509 certificate
  • Information
    • Subject = Distinguished Name (DN)
      • Identifier in the Grid
    • Lifetime
      • Not Before date
      • Not After date
    • Extensions: the use of the certificate
  • Common filename extensions for X.509 certificates are:
    • .PEM
      • 2 files: public key, protected private key
    • .P7C - PKCS#7
      • Certificates or CRLs
    • .P12 - PKCS#12
      • 1 file: both keys, protected
    • Also: .CER, .DER, .P7B
How to obtain a GRID-FR certificate?
  • Requestor
    • Generates:
      • private key
      • public key
    • Sends public key
  • RA (Registration Authority = GRID-FR manager) verifies and validates the request
  • Public key is signed and certificate issued
  • Requestor gets back the certificate
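
The request flow listed above, as an added example that is not part of the original slides or of the GRID-FR procedure: a throwaway local CA stands in for the RA/CA, and every name, passphrase and file name is constructed. It ends with the single-file .p12 bundle from the file-formats slide.

```shell
#!/bin/sh
# Added example: the request flow from the slide, played against a throwaway
# local CA. Names, passphrases and file names are constructed for the demo;
# real use prompts for the passphrase instead of passing it as pass:...
set -eu

issue_demo_cert() {   # $1 = working directory
    d=$1
    # Stand-in CA: self-signed, unencrypted key (acceptable for a demo only).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=FR/O=Example-Org/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null

    # Requestor: key pair generated locally; private key encrypted at rest.
    openssl genrsa -aes256 -passout pass:demo-passphrase \
        -out "$d/user.key" 2048 2>/dev/null

    # Requestor: the request holds the subject DN and the public key only.
    openssl req -new -key "$d/user.key" -passin pass:demo-passphrase \
        -subj "/O=Example-Grid/C=FR/O=Example-Org/OU=Demo/CN=Example User" \
        -out "$d/user.csr"

    # RA: verify the request's self-signature and read the claimed identity.
    openssl req -in "$d/user.csr" -noout -verify -subject >/dev/null 2>&1

    # CA: sign the public key; the result is the certificate.
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$d/user.pem" 2>/dev/null

    # Requestor: check the chain, then bundle cert + key into one .p12 file.
    openssl verify -CAfile "$d/ca.pem" "$d/user.pem" >/dev/null
    openssl pkcs12 -export -in "$d/user.pem" -inkey "$d/user.key" \
        -passin pass:demo-passphrase -passout pass:demo-export \
        -out "$d/user.p12"
}

cert_matches_key() {  # certificate's public key == key pair the requestor holds
    a=$(openssl x509 -in "$1/user.pem" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/user.key" -passin pass:demo-passphrase -pubout \
        | openssl sha256)
    [ "$a" = "$b" ]
}

work=$(mktemp -d)
issue_demo_cert "$work"
cert_matches_key "$work" && openssl x509 -in "$work/user.pem" -noout -subject -issuer -dates
rm -rf "$work"
```
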
Outline
  • Requirements to access the GRID
  • GRID-FR CA
  • Certificate
  • Statistics
GRID-FR Statistics
  • Valid certificates

(On June 7th 2007)
