REUNA Certificate Authority, Juan Carlos Martínez (jcmartin@reuna.cl), REUNA Chile. Rio de Janeiro, 27/03/2006, F2F meeting (PowerPoint presentation)
Presentation Transcript
slide1

REUNA Certificate Authority

Juan Carlos Martínez

jcmartin@reuna.cl

REUNA Chile

Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA

slide2

REUNA Certificate Authority

CP/CPS reviewers:

Bob Cowles : rdc@slac.stanford.edu

Scott Rea : Scott.Rea@Dartmouth.EDU

slide3

REUNA Certificate Authority

REUNA

Red Universitaria Nacional

REUNA, Red Universitaria Nacional, is a non-profit private corporation initially formed by 14 Chilean universities and the National Commission for Scientific and Technological Research (CONICYT).

It is a university collaboration initiative that operates the only advanced academic network infrastructure in Chile dedicated to research and development.

Goal: provide PKI services to the whole Chilean research and education community (members and non-members; conditions: network requirements, agreements).

slide4

REUNA Certificate Authority

  • CA structure
  • CA: manager, operators
  • RAs
    • RAs will be set up as needed.
    • Deployed in the institutions.
    • Run by the department chief or the host administrator.

[Diagram: the REUNA CA at the top, with RAs deployed in Inst. 1, Inst. 2, Inst. 3 and Inst. 4.]

slide5

REUNA Certificate Authority

  • Certificate Authority
  • The REUNA CA provides PKI services for the users of the Chilean Research and Education community.
  • Issues certificates to all correctly authenticated EEs (end entities).
  • Audits the RA and CA personnel.
  • Revokes certificates on properly authenticated requests (CRL).
  • Archives all the information: requests and certificates issued, revocation requests, CRLs issued, logs of the signing machine.
slide6

REUNA Certificate Authority

  • Registration authority
  • The RA must be the department chief or the host administrator, with a declaration signed by the Dean of the faculty stating that he can do the job of the RA and has the Dean's support.
  • The RA is in charge of authenticating the EE and collecting all the information about the EE and the organization (photo ID, address, phone numbers, email, etc.).
  • Archives all the data of the EE, including the CSR, confirmation and revocation requests.
  • Must use signed email or another secure channel to communicate with the CA and the EE.
slide7

REUNA Certificate Authority

  • Publication and repository
  • Repository (pending) will contain:
  • The REUNA CA's certificate,
  • All publicly accessible certificates issued by this CA,
  • The CRL (Certificate Revocation List),
  • All past and current official versions of the CP/CPS,
  • Information about the existing RAs,
  • Other relevant information about the REUNA CA service,
  • A link to the TAGPMA trust anchor repository where the CA root of trust has been previously published.
  • The CRL shall have a lifetime of 30 days at most; the REUNA CA must issue a new CRL at least 7 days before the expiration date, or immediately after a revocation. A new CRL must be published immediately after its issuance.
  • The repository will be available in a month from now (testing).
slide8

REUNA Certificate Authority

Naming

Distinguished Name:

For a person: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=Full username

For a server: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=host/FQDN

For a service: C=CL, O=REUNACA, O=Organization, OU=Department-Unit, CN=service/FQDN
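A small checker for the naming scheme above, written as an added example (it is not REUNA's own tooling). It assumes the Grid convention that a service subject uses the service name as the CN prefix (e.g. `ldap/FQDN`) while `host/` is literal, and the FQDN pattern is our own assumption; all sample DNs are constructed.

```python
import re
from typing import List, Optional, Tuple

# Attribute order required by the REUNA CA naming scheme:
# C=CL, O=REUNACA, O=<Organization>, OU=<Department-Unit>, CN=<...>
EXPECTED_ORDER = ["C", "O", "O", "OU", "CN"]

# Assumed hostname syntax for the FQDN part of host/FQDN and <service>/FQDN.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN string into (attribute, value) pairs.
    A comma escaped as '\\,' stays inside the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def classify_subject(dn: str) -> Optional[str]:
    """Return 'person', 'server' or 'service' when the DN follows the
    REUNA CA naming scheme, otherwise None."""
    try:
        pairs = parse_dn(dn)
    except ValueError:
        return None
    if [attr for attr, _ in pairs] != EXPECTED_ORDER:
        return None
    c, o_ca, org, ou, cn = [value for _, value in pairs]
    if c != "CL" or o_ca != "REUNACA" or not (org and ou and cn):
        return None
    if "/" not in cn:
        return "person"                      # CN = full user name
    prefix, fqdn = cn.split("/", 1)
    if not FQDN_RE.match(fqdn):
        return None
    if prefix == "host":
        return "server"                      # CN = host/FQDN
    if re.fullmatch(r"[A-Za-z0-9_-]+", prefix):
        return "service"                     # CN = <service>/FQDN (assumed form)
    return None
```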

slide9

REUNA Certificate Authority

  • Certificate operational requirements
  • Certificate application processing:
  • Users must present an application form to the appropriate RA (the form is in the repository).
  • The RA must meet the user in person and authenticate the EE identity by checking the Chilean national identity card or passport.
  • If the application is approved, the RA informs the REUNA CA that the request has been approved, using signed email or another secure channel; the CSR must also be transmitted over a secure channel.
  • In the case of a server or service, the request can only be submitted by the administrator responsible for the particular host.

[Diagram: request flow between the subscriber in Institution 1, its RA (Dept. Chief) and the REUNA CA: 1 Generate Key Pair, 2 Send CSR, 3 Issue Certificate, 4 Get Certificate.]

slide10

REUNA Certificate Authority

  • Certificate operational requirements
  • Subscribers must:
  • Read and adhere to the procedures described in this document;
  • Provide true and accurate information to the REUNA CA and RA;
  • Generate a key pair (at least 1024 bits) using a trustworthy method;
  • Select a strong pass phrase of a minimum recommended 12 characters;
  • Protect the pass phrase from others;
  • Never share the private key with other users;
  • Notify the REUNA CA “immediately” in case of private key loss or compromise;
  • Use the certificates for the permitted uses only.
slide11

REUNA Certificate Authority

Certificate operational requirements

Certificate issuance:

An offline computer that holds the private key of the CA is used to sign the certificates.

Notification is made by email with the URL of the repository from which the issued certificate can be downloaded; an acknowledgement of the issuance is also sent to the appropriate RA.

The subscriber must notify the REUNA CA and the appropriate RA of the acceptance of the issued certificate.

slide12

REUNA Certificate Authority

  • Certificate operational requirements
  • Certificate Renewal:
  • Uses the same key pair.
  • The renewal process must be completed before the certificate expires, so the new and the old certificate have an overlap period.
  • The information contained in the certificate must remain unchanged.
  • The process for a renewal is the same as for a new certificate, except that a face-to-face meeting is not necessary.
  • Certificate ReKey:
  • Uses a new key pair.
slide13

REUNA Certificate Authority

  • Certificate operational requirements
  • Certificate Revocation:
  • A certificate revocation can be requested by:
  • The subscriber who owns the certificate.
  • The REUNA CA or any RA that has proof of a private key compromise.
  • The RA which authenticated the subscriber who owns the certificate.
  • Any person presenting proof of knowledge that the subscriber’s private key has been compromised or that the subscriber’s data have changed.
  • After authenticating the revocation request, the certificate must be revoked as soon as possible (new CRL).
slide14

REUNA Certificate Authority

  • Certificate operational requirements
  • Certificate lifetime
  • Root certificate: 10 years (2048 bits)
  • EE certificate: 1 year and 1 month (1024 bits)
  • CRL: 30 days
    • The CRL shall have a lifetime of 30 days at most; the REUNA CA must issue a new CRL at least 7 days before the expiration date, or immediately after a revocation. A new CRL must be published immediately after its issuance.
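The CRL policy stated here and on the repository slide, turned into an operator-side check as an added example (not REUNA's code). It decides from a CRL's thisUpdate/nextUpdate, the current time and the time of the last revocation whether the policy forces a new CRL now; timestamps are ISO 8601 strings and the sample values are constructed.

```python
from datetime import datetime, timedelta
from typing import List, Optional

# CRL policy stated in the REUNA CP/CPS: a CRL lives at most 30 days and a
# new one is issued at least 7 days before expiry or right after a revocation.
MAX_CRL_LIFETIME = timedelta(days=30)
REISSUE_MARGIN = timedelta(days=7)


def _ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2006-03-01T00:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def lifetime_ok(this_update: str, next_update: str) -> bool:
    """nextUpdate must be after thisUpdate and at most 30 days later."""
    span = _ts(next_update) - _ts(this_update)
    return timedelta(0) < span <= MAX_CRL_LIFETIME


def reissue_deadline(next_update: str) -> str:
    """Latest moment at which the next CRL must be issued (nextUpdate - 7 days)."""
    return (_ts(next_update) - REISSUE_MARGIN).isoformat()


def reissue_reasons(this_update: str, next_update: str, now: str,
                    last_revocation: Optional[str] = None) -> List[str]:
    """Policy reasons why the CA has to issue a new CRL at time `now`;
    an empty list means the current CRL is still acceptable."""
    reasons = []
    if not lifetime_ok(this_update, next_update):
        reasons.append("CRL lifetime exceeds 30 days")
    if _ts(now) >= _ts(reissue_deadline(next_update)):
        reasons.append("less than 7 days left before nextUpdate")
    if last_revocation is not None and _ts(last_revocation) > _ts(this_update):
        reasons.append("revocation after thisUpdate not yet on a CRL")
    return reasons


if __name__ == "__main__":
    # Constructed sample times, not taken from a real REUNA CRL.
    print(reissue_reasons("2006-03-01T00:00:00+00:00", "2006-03-31T00:00:00+00:00",
                          "2006-03-25T12:00:00+00:00", "2006-03-10T09:00:00+00:00"))
```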
slide15

REUNA Certificate Authority

  • Security
  • Two different safes to back up the private key and the pass phrase.
  • The private key and the pass phrase shall never be on online media.
  • The machines are kept in the REUNA computer center, managed by the network operator, where access is controlled.
slide16

REUNA Certificate Authority

  • Incomplete topics
  • Time issues: “as soon as possible”, 10 minutes, next working day?
  • Minimal extensions for the CA
  • Specify the duties of the RA more precisely
  • OID: IANA or IGTF