1 / 13

Short Lived Credential Services Profile

Short Lived Credential Services Profile. Tony J. Genovese The Americas Grid PMA DOEGrids ATF/ESnet/LBNL. SLCS Profile. The Authentication Profile is managed by the TAGPMA Derived from EUGridPMA Guidelines Minimum Requirements version 4.0 Reviewed and approved by TAGPMA: 15 November 2005.

virgil
Download Presentation

Short Lived Credential Services Profile

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGrids ATF/ESnet/LBNL TAGPMA - Rio de Janeiro

  2. SLCS Profile • The Authentication Profile is managed by the TAGPMA • Derived from EUGridPMA Guidelines • Minimum Requirements version 4.0 • Reviewed and approved by TAGPMA: • 15 November 2005 TAGPMA - Rio de Janeiro

  3. What is SLCS • Short-Term certificate has a life cycle less then 1 million seconds (~11 days) • A translation of a local site’s native Identity to a Grid Identity. • A KCA can translate a local Kerberos Identity to a Grid Identity. • MyProxy can be integrated to some sites • Active credential repositories – different AuthN profile. • Identity is validated by site security office • Leverages Site help desk and customer support • Possible local site service candidates: • Kerberos, Windows Domain, LDAP, One Time Password and Long term Certs. TAGPMA - Rio de Janeiro

  4. Document Identification Document title:Profile for Short Lived Credential Services X.509 Public Key Certification Authorities with secured infrastructure Document vers: 1.1 Document date: November 15, 2005. OID: 1.2.840.113612.5 = IGTF OID: IGTF.Policies.Authentication Profiles.SLCS.version Document OID: 1.2.840.113612.5.2.3.1.1 Location:http://www.tagpma.org/files/IGTF-AP-SLCS-20051115-1-1.pdf TAGPMA - Rio de Janeiro

  5. Sources of Identity Grid Identity Mint Short lived Grid Identity/Proxy/Attribute Certificates LDAP AuthN SLIC General Architecture slic Kerberos AuthN slic slic slic RADIUS AuthN slic slic Certificate Authority SecureID AuthN (RADIUS) Local Site AuthN infrastructure TAGPMA - Rio de Janeiro

  6. Identity • Every DN in a SLCS cert must be linked to one and only one End Entity. • The DN owner is the human individual or organizational group that has valid rights to exclusive use of a subject name in a certificate. TAGPMA - Rio de Janeiro

  7. Identity Translation rules • All identities used to create a Short Lived Certificate will be based on the local Site/Organization identity system. • A SLCS must identify the Site/Organization identity management service that will be used to provide the authenticated identity to the SLCS. • A SLCS must describe in their CP/CPS: • How the identity (DN) assigned in the certificate is unique within the namespace of the issuer. • How it attests to the validity of the identity. • How it provides accountability, show that they have verified enough identity information to get back to the physical person any time now and in the future TAGPMA - Rio de Janeiro

  8. Operational Requirements • SLCS CA must be a dedicated machine • The CA must be located in a secure access controlled environment. • CA’s private key must be protected: • FIPS 140-2 Level 3 HSM • Non-FIPS: Must describe the security precautions. • CA Key >= 2048, lifetime <= 20 years TAGPMA - Rio de Janeiro

  9. Certificates and CRL profile • The accredited SLCS authority must publish a X.509 certificate as a root of trust. • SLCS CAs are not expected to issue CRLs. • The short lived certificates must be in X.509v3 format and compliant with RFC3280 unless explicitly stated otherwise. In the certificate extensions: • a Policy Identifier must be included and must contain an OID and an OID only • keyUsage must be included and marked as critical • basicConstraints may be included, and when included it must be set to ‘CA: false’ and marked as critical so it conforms to general CA and ASN.1 practice. • if an OCSP responder, operated as a production service by the issuing CA, is available, AuthorityInfoAccess must be included and contain at least one URI • If a commonName component is used as part of the subject DN, it should contain an appropriate presentation of the actual name of the end-entity. • The message digests of the certificates must be generated by a trustworthy mechanism, like SHA1 (in particular, MD5 must not be used). TAGPMA - Rio de Janeiro

  10. Revocation • It is assumed that the Short Lived Certificates will not need to be revoked because their life time is shorter than the update cycle of most CRLs. • If revocation is supported, then revocation requests can be made by: • certificate holders, Site identity managers and the SLCS CA. Others… • Individual holders of a SLCS certificate must request revocation if the private key pertaining to the certificate is lost or has been compromised, or if the data in the certificate are no longer valid. TAGPMA - Rio de Janeiro

  11. Publication and Repository responsibilities • Each SLCS authority must publish: • a SLCS CA root certificate or set of CA root certificates up to a self-signed root; • a http or https URL of the PEM-formatted CA certificate; • a http or https URL of the web page of the CA for general information; • the CP and CPS documents; • an official contact email address for inquiries and fault reporting • a physical postal contact address • The SLCS CA shall provide their trust anchor to a trust anchor repository, specified by the accrediting PMA, via the method specified in the policy of the trust anchor repository. TAGPMA - Rio de Janeiro

  12. Audits • The SLCS CA must record and archive all requests for certificates, along with all the issued certificates, all the requests for revocation and the login/logout/reboot of the issuing machine. • The SLCS CA must keep these records for at least three years. These records must be made available to external auditors in the course of their work as auditor. • Each SLCS CA must accept being audited by other accredited CAs to verify its compliance with the rules and procedures specified in its CP/CPS document. • The SLCS CA should perform operational audits of the CA/RA staff at least once per year. A list of CA and site identity management personnel should be maintained and verified at least once per year. • The identity management system on which the SLCS CA relies should undergo a periodic review or audit. This review should be conducted by persons other than the system operators. TAGPMA - Rio de Janeiro

  13. SLCS Etcetera • Privacy and confidentiality • Accredited SLCS CAs must define a privacy and data release policy compliant with the relevant national legislation. • Compromise and Disaster recovery • The SLCS CA must have an adequate compromise and disaster recovery procedure, and be willing to discuss this procedure in the TAGPMA. The procedure need not be disclosed in the policy and practice statements. • Due diligence of subscribers • The SLCS CA should make a reasonable effort to make sure that people realize the importance of properly protecting their private data. TAGPMA - Rio de Janeiro

More Related