Community PKI Initiatives Updates
TF-EMC2 Meeting, Loughborough, UK, 6-7 May 2009
Licia Florio, TERENA (firstname.lastname@example.org)
Aim of the work item
• Overseeing the patterns of usage and emerging technologies that might be relevant to support NREN services;
• Proposing enhancements for the current PKI services;
• Promoting the current PKI services to other communities.
PKI Initiatives
• SCS service:
  • Soon to be known as TCS;
• TERENA MICS/SLCS Pilot Service Project;
• TACAR.
SCS → TCS
• Current SCS:
  • Provided by GlobalSign BV;
  • Only SSL server certs;
  • More than 20,000 certs issued;
  • Operating till March 2010.
• New SCS service:
  • Comodo CA;
  • Expected to start in May 2009.
• Model:
  • Yearly flat fee per NREN;
  • TERENA is the contractual party;
  • A dedicated TERENA sub-CA;
  • Participating NRENs can also buy client certificates and code-signing certificates:
    • Upon an extra flat fee.
• TCS: TERENA Certificate Services.
Who is in SCS
• Participants:
  • Switzerland out;
  • Greece and Finland will now participate.
What has been done
• Lots of work spent on certificate profiles:
  • Finally ready since last Friday;
  • Profiles also for eScience server and client certs.
• Test CA expected in 10 days:
  • To test certificates and interfaces.
• Writing the CPS for the TERENA sub-CA:
  • The first version of the CPS will only cover SSL server certs;
  • Client and code-signing cert procedures will be addressed later.
What's next
• Test phase:
  • Two-week test period.
• Launching the SSL server certs:
  • Available to all participating NRENs.
• More work on the API:
  • The current prototype does not cover client and code-signing certs.
• Accreditation with the EuGridPMA.
TERENA MICS/SLCS Pilot Service Project
• Aim:
  • Establish a shared SLCS/MICS pilot service for the (European) eScience Grid community, under the TERENA umbrella.
• SLCS/MICS CA serving all participating countries;
• EuGridPMA accreditation;
• Allow for scalability;
• The service will issue X.509 certs to persons:
  • No hosts.
Grid CA Management
• Grids use X.509 certs as the authN credential;
• Three types of certs are possible:
  • Classic;
  • Short Lived Credential Service (SLCS);
  • Member Integrated Credential Service (MICS).
• Grid CAs have to be accredited by the IGTF:
  • EuGridPMA (Europe);
  • TAGPMA (Americas);
  • APGridPMA (Asia-Pacific).
What are SLCS/MICS certs?
• Vetting process and cert lifetime differ:
• Classic:
  • Face-to-face verification of end-entities needed;
  • Manual process at RA level;
  • Cert validity: 13 months, but renewal of certs is possible without a new face-to-face validation.
• SLCS/MICS:
  • Vetting process relies on an existing AAI framework;
  • The user authenticates to the CA using an existing electronic identity;
  • This identity is mapped into a Grid cert;
  • SLCS certs are valid for 10 days;
  • MICS certs are valid for 13 months.
Benefit of an EU SLCS/MICS Service
• How many SLCS CAs does Europe need? ;)
• Share operational cost and effort (!)
• Continued operational PKI skills only needed in one place;
• Very attractive for countries with limited resources.
More about the service
• Use a specific federation attribute to decide on SLCS or MICS eligibility:
  • According to the rules defined by the EuGridPMA SLCS/MICS profiles.
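The attribute-based eligibility decision above and the lifetime rules from the SLCS/MICS slide, as an added example (not code from the slides, the pilot or the Confusa project); the attribute values, the MICS-over-SLCS precedence and the ISO-string interface are assumptions:

```python
"""Added example, not from the slides or the Confusa project: the SLCS/MICS
rules above (eligibility from a federation attribute; SLCS valid 10 days,
MICS and classic 13 months). Attribute values are assumptions."""
import calendar
from datetime import datetime, timedelta

# Hypothetical federation attribute values (assumption) -> profile allowed.
ELIGIBILITY = {"urn:example:grid:slcs": "SLCS", "urn:example:grid:mics": "MICS"}

def add_months(dt, months):
    """Calendar month arithmetic, clamped to the last day of the target month."""
    years, month0 = divmod(dt.month - 1 + months, 12)
    year, month = dt.year + years, month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def eligible_profile(attributes):
    """Most privileged profile the attributes allow (MICS over SLCS);
    None means the CA must refuse to issue."""
    allowed = {ELIGIBILITY[a] for a in attributes if a in ELIGIBILITY}
    for profile in ("MICS", "SLCS"):
        if profile in allowed:
            return profile
    return None

def max_not_after(profile, not_before):
    """Latest notAfter the profile permits for a cert starting at not_before."""
    if profile == "SLCS":
        return not_before + timedelta(days=10)
    if profile in ("MICS", "Classic"):
        return add_months(not_before, 13)
    raise ValueError(f"unknown profile {profile!r}")

def issue_window(attributes, not_before_iso):
    """Profile chosen from the attributes and its notAfter as an ISO string,
    or None when the user is not eligible for any profile."""
    profile = eligible_profile(attributes)
    if profile is None:
        return None
    not_before = datetime.fromisoformat(not_before_iso)
    return profile, max_not_after(profile, not_before).isoformat()

def validity_conforms(profile, not_before_iso, not_after_iso):
    """True if an issued validity window stays within the profile's maximum
    (what an RA or auditor would check on a sample of issued certs)."""
    nb = datetime.fromisoformat(not_before_iso)
    na = datetime.fromisoformat(not_after_iso)
    return nb < na <= max_not_after(profile, nb)
```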
Who is involved?
• UNINETT:
  • Jan Meijer, project management: project description, CPS;
  • Henrik Austad: Confusa development.
• SURFnet:
  • Teun Nijssen, Tilburg University: CA + SLCS/MICS server ops, CPS, EuGridPMA accreditation maintenance.
• Sunet:
  • Leif Johanssen: federation issues.
• TERENA:
  • Licia Florio: contractual party.
• Denmark, Finland, the Netherlands, Norway and Sweden:
  • Until Dec 2009;
  • From Jan 2010 other countries/NRENs may join.
Status
• Project description almost ready:
  • Financial model not fully defined yet.
• Work on the CPS:
  • Presentation at the next EuGridPMA meeting in May.
• Start operations in June:
  • Quite optimistic ;-)
New Developments
• TACAR will also be used to host GN3 root CAs:
  • So far only a couple;
  • But more are expected in the future.
• TACAR is still being used as the official IGTF repository;
• Working with Massimiliano Pala:
  • To use TACAR for the PKI Resources Query Protocol (PRQP):
    • To provide a standardised way to query PKI repositories and gather info on CAs.
• New UI:
  • Different way to update info;
  • Different policy.