
NECTEC-GOC CA - PowerPoint PPT Presentation

Presentation Transcript
NECTEC-GOC CA

APGrid PMA face-to-face meeting. October 15, 2006

Sornthep Vannarat, National Electronics and Computer Technology Center, Thailand


  • NECTEC: National Electronics and Computer Technology Center

    • Government research institute under Ministry of Science

    • For electronics, telecommunication, computer and information technologies including Grid Computing

  • NECTEC GOC CA: NECTEC GRID Operation Center Certificate Authority


    • Large Scale Simulation Research Laboratory,

    • Network Technology Laboratory

    • Thai Computer Emergency Response Team

CP/CPS

  • Current version: 1.0 (October, 2006)

  • Object ID:

  • Conforms to RFC 2527

  • Managed by the NECTEC GRID PMA

    • Changes in contents need to be approved by the NECTEC GRID PMA

NECTEC-GOC CA Organization

[Organization chart (Table 1-2 Organization...): CA Manager, CA Operator, RA Operator]

  • GRID CA PMA: Policy Management Authority

  • CA Manager: Administers all tasks on the CA system

  • RA Operator:

    • Accepts and verifies User Application form

    • Checks Certificate Signing Request form

    • Informs CA to issue certificate

  • CA Operator:

    • Issues certificates

    • Manages CA and RA servers

    • Maintains the CA system

    • Manages CA private key

Remove CP/CPS 2.2.5

End Entity

  • NECTEC-GOC CA issues certificates for the following subjects:

    • Users of NECTEC.

    • Users of domestic Grid-based applications or projects.

    • Collaborators related to NECTEC Grid Computing research.

Certificate Type

  • User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/

  • Grid Host Certificate: C=TH,O=NECTEC,OU=GOC,CN=host/

Identification and Authentication

  • User and Grid Host Certificate:

    • Subscriber meets in person with the RA Operator

    • RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]

Certificate Restrictions

  • Certificate Lifetime:

    • 13 months for End Entity certificate.

    • 10 years for CA certificate.

Issuing Certificates

  • End entities request certificates

    • Each generates its key pair by itself

    • Submits the Application and Certificate Signing Request forms

  • RA Operator checks the Requests

    • RA Operator uses a secure communication method, e.g. signed and encrypted email

Issuing Certificates (cont’d)

  • RA Operator transfers the Request to the CA Operator

    • RA Operator tars the CSRs and copies the tarball to a USB drive

    • CA Operator copies the tarball from the USB drive to the CA machine

Issuing Certificates (cont’d)

  • CA Operator checks the CSRs and issues certificates

  • CA Operator transfers certificates to the RA Operator

    • CA Operator tars the certificates onto the USB drive

    • RA Operator copies the tarball into the RA server

  • RA Operator publishes certificates to the website and informs users by email

Certificate Revocation

  • Certificates are revoked when

    • User private key is compromised

    • Inaccurate user information is suspected

    • User Obligation is violated (CPS 2.1.4)

    • CA private key is compromised

    • User leaves his/her organization

Revocation Request Procedure

  • Revocation Requests can be submitted through the web interface

  • OR to the CA Manager

Certificate Revocation List (CRL)

  • CRL validity is 30 days.

  • New CRL issued

    • 7 days before expiration of previous one

    • immediately after certificate revocation
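The two CRL rules on this slide (30-day validity, a replacement published 7 days before expiry or immediately after a revocation) are easy to state and easy to get wrong in operation, so an added example follows that turns them into a freshness check for a relying party and an audit over a CA's publication log. This is illustrative code written for this page, not NECTEC-GOC CA software; "immediately after revocation" is assumed here to mean within one day, and the publication log and revocation times are constructed sample data.

```python
from datetime import datetime, timedelta

# Scheduling rules from the slide
CRL_VALIDITY = timedelta(days=30)   # "CRL validity is 30 days"
REISSUE_LEAD = timedelta(days=7)    # "7 days before expiration of previous one"
# "immediately after certificate revocation": assumed here to mean within one day
REVOCATION_GRACE = timedelta(days=1)


def next_update(this_update):
    """nextUpdate field of a CRL whose thisUpdate is this_update."""
    return this_update + CRL_VALIDITY


def reissue_deadline(this_update):
    """Latest moment by which the CA must have published the replacement CRL."""
    return next_update(this_update) - REISSUE_LEAD


def crl_status(this_update, now, last_revocation=None):
    """Classify the CRL currently in force.

    'stale'       : past nextUpdate; relying parties must not accept it
    'reissue-due' : a certificate was revoked after this CRL was built, or the
                    7-day lead window has opened; the CA operator must publish
    'current'     : nothing to do
    """
    if now >= next_update(this_update):
        return "stale"
    if last_revocation is not None and last_revocation > this_update:
        return "reissue-due"
    if now >= reissue_deadline(this_update):
        return "reissue-due"
    return "current"


def audit_crl_log(issue_times, revocation_times):
    """Check a CRL publication history against both rules.

    issue_times      : thisUpdate values of the published CRLs, sorted ascending
    revocation_times : times at which certificates were revoked
    Returns a list of violation strings; an empty list means the log is compliant.
    """
    violations = []
    # Rule 1: every CRL must be replaced no later than 7 days before it expires
    for prev, following in zip(issue_times, issue_times[1:]):
        if following > reissue_deadline(prev):
            violations.append(
                f"late: CRL of {prev.date()} replaced on {following.date()}, "
                f"deadline was {reissue_deadline(prev).date()}")
    # Rule 2: a revocation must be followed by a fresh CRL within the grace period
    for revoked_at in revocation_times:
        later = [t for t in issue_times if t >= revoked_at]
        if not later or later[0] - revoked_at > REVOCATION_GRACE:
            violations.append(
                f"missing: no CRL within {REVOCATION_GRACE.days} day(s) "
                f"of revocation on {revoked_at.date()}")
    return violations


# Constructed publication log (sample data, not real NECTEC-GOC CA records).
# The third CRL is eight days late, and the second revocation is never followed by a CRL.
SAMPLE_ISSUES = [datetime(2006, 10, 1), datetime(2006, 10, 20), datetime(2006, 11, 20)]
SAMPLE_REVOCATIONS = [datetime(2006, 10, 19), datetime(2006, 11, 25)]

if __name__ == "__main__":
    for violation in audit_crl_log(SAMPLE_ISSUES, SAMPLE_REVOCATIONS):
        print(violation)
```

A relying party only needs `crl_status` with the CRL's thisUpdate and the current time; the operator-side `audit_crl_log` is the check to run over the RA server's published CRLs to confirm the CA has kept its own schedule.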

Physical Security

  • CA Server:

    • Stored in a safe deposit box protected by a six-digit code

    • Not connected to a network of any sort

    • Located in a room that is restricted to the CA Operator during its operations

  • CA private key:

    • Protected by a 15-character passphrase.

    • Backed up on a USB drive and stored in the safe box by the CA Operator.

CA Room & Equipment (2)

  • RA Server

  • CA Machine

  • UPS

Records Archival

  • Types of archive data:

    • All issued certificates and CRLs

    • All enrollment requests and notifications between the NECTEC-GOC CA and users.

    • Operation history of the CA key

    • Events of interest, as described in CP/CPS section 4.7.1

  • The retention period is 3 years.

  • Archived files are stored on CD or DVD in the safe box of the NECTEC server room.

Key Pair

  • CA private key is generated by the CA Operator using OpenCA

  • User and Grid Host key pairs are generated by the user, e.g. with grid-cert-req

  • Key Length:

    • CA Certificate: 2048 bits

    • End Entity Certificate: 1024 bits
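The Certificate Type, Certificate Restrictions and Key Pair slides together define the certificate profile the CA Operator is expected to enforce before signing a CSR: the fixed subject prefix C=TH,O=NECTEC,OU=GOC, CN=host/... for grid hosts, a 13-month lifetime for end entities and 10 years for the CA, and the minimum key lengths. The added example below checks a certificate description against those rules. It is written for this page and is not OpenCA or NECTEC-GOC CA code; it works on a plain dictionary rather than a parsed X.509 object, the CA's own DN is a hypothetical value (the slides do not give it), the sample certificates are constructed, and the 1024-bit end-entity minimum is the deck's 2006 figure (2048 bits is the accepted minimum for RSA today).

```python
import calendar
from datetime import datetime

# Profile rules taken from the slides (key lengths, lifetimes, subject DN shape).
# 1024-bit RSA for end entities is the deck's 2006 value; it is far too short today.
POLICY = {
    "ca":   {"min_key_bits": 2048, "max_months": 120},   # 10 years
    "user": {"min_key_bits": 1024, "max_months": 13},
    "host": {"min_key_bits": 1024, "max_months": 13},
}
BASE_DN = [("C", "TH"), ("O", "NECTEC"), ("OU", "GOC")]   # prefix of every end-entity DN


def parse_dn(dn):
    """Split 'C=TH,O=NECTEC,OU=GOC,CN=...' into (attribute, value) pairs.

    Only the simple comma-separated form used on the slides is handled;
    escaped commas inside values are not.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def add_months(when, months):
    """Calendar-correct 'when + months' (clamps the day for short months)."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def check_certificate(cert):
    """Return a list of 'rule: detail' strings; an empty list means the
    certificate conforms to the profile. `cert` is a constructed dict with
    kind, subject, key_bits, not_before and not_after, not a parsed X.509 object."""
    rules = POLICY[cert["kind"]]
    problems = []
    dn = parse_dn(cert["subject"])

    if cert["kind"] != "ca":                       # the slides give no DN rule for the CA itself
        if dn[:3] != BASE_DN:
            problems.append(f"base DN: expected C=TH,O=NECTEC,OU=GOC, got {cert['subject']}")
        cns = [value for attr, value in dn if attr == "CN"]
        if len(cns) != 1:
            problems.append("CN: exactly one CN component is required")
        else:
            is_host = cns[0].startswith("host/")
            if cert["kind"] == "host" and not is_host:
                problems.append(f"CN: grid host certificate must use CN=host/<fqdn>, got {cns[0]!r}")
            if cert["kind"] == "user" and is_host:
                problems.append(f"CN: user certificate carries a host CN {cns[0]!r}")

    if cert["key_bits"] < rules["min_key_bits"]:
        problems.append(f"key: {cert['key_bits']} bits < {rules['min_key_bits']} required for {cert['kind']}")

    if cert["not_after"] <= cert["not_before"]:
        problems.append("lifetime: notAfter is not later than notBefore")
    elif cert["not_after"] > add_months(cert["not_before"], rules["max_months"]):
        problems.append(f"lifetime: exceeds {rules['max_months']} months allowed for {cert['kind']}")
    return problems


# Constructed sample certificates (not real NECTEC-GOC CA issuances).
GOOD_USER = {
    "kind": "user", "subject": "C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat",
    "key_bits": 1024,
    "not_before": datetime(2006, 10, 15), "not_after": datetime(2007, 11, 15),   # exactly 13 months
}
BAD_HOST = {
    "kind": "host", "subject": "C=TH,O=NECTEC,OU=GOC,CN=grid01.example.org",   # missing host/ prefix
    "key_bits": 512,                                                           # too short
    "not_before": datetime(2006, 10, 15), "not_after": datetime(2008, 10, 15),  # 24 months
}
CA_CERT = {
    "kind": "ca", "subject": "C=TH,O=NECTEC,OU=GOC,CN=NECTEC-GOC CA",   # hypothetical CA DN
    "key_bits": 2048,
    "not_before": datetime(2006, 10, 1), "not_after": datetime(2016, 10, 1),   # 10 years
}

if __name__ == "__main__":
    for name, cert in (("user", GOOD_USER), ("host", BAD_HOST), ("ca", CA_CERT)):
        print(name, check_certificate(cert) or "conforms")
```

Run against the samples, the user and CA certificates pass and the host certificate is rejected on three counts (CN shape, key length, lifetime); in practice the CA Operator would run such a check on each CSR from the USB drive before OpenCA signs it, and again on the issued certificate before it goes back to the RA.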

Contact Information

Sornthep Vannarat and Suriya U-ruekolan

National Electronics and Computer Technology Center

Grid Operation Center

112 Paholyotin Road,

Klong 1, Klong Luang,

Pathumthani 12120 Thailand

Tel: (662) 564-6900 ext 2278

Fax: (662) 564-6772