NECTEC-GOC CA
APGrid PMA face-to-face meeting, October 15, 2006
Sornthep Vannarat
National Electronics and Computer Technology Center, Thailand

Slide 2: Introduction
» NECTEC: National Electronics and Computer Technology Center
  » Government research institute under the Ministry of Science
  » For electronics, telecommunication, computer and information technologies, including Grid Computing
» NECTEC GOC CA: NECTEC GRID Operation Center
  » Certificate Authority
» NECTEC GRID PMA
  » Large Scale Simulation Research Laboratory
  » Network Technology Laboratory
  » Thai Computer Emergency Response Team

Slide 3: CP/CPS
» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527
» Managed by the NECTEC GRID PMA
» Changes in contents need to be approved by the NECTEC GRID PMA

Slide 4: NECTEC-GOC CA Organization
[Organization chart, "Table 1-2 Organization": GRID CA PMA, CA Manager, RA Operator, CA Operator]
» GRID CA PMA: Policy Management Authority
» CA Manager: administrates all tasks on the CA system
» RA Operator:
  » Accepts and verifies User Application forms
  » Checks Certificate Signing Request forms
  » Informs the CA to issue certificates
» CA Operator:
  » Issues certificates
  » Manages CA and RA servers
  » Maintains the CA system
  » Manages the CA private key
Remove CP/CPS 2.2.5

Slide 5: End Entity
» NECTEC-GOC CA issues certificates for the following subjects:
  » Users of NECTEC
  » Users of domestic Grid-based applications or projects
  » Collaborators related to NECTEC Grid Computing research

Slide 6: Certificate Type
» User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/[email protected]
» Grid Host Certificate: C=TH,O=NECTEC,OU=GOC,CN=host/grid64.hpcc.nectec.or.th

Slide 7: Identification and Authentication
» User and Grid Host Certificate:
  » Subscriber meets in person with the RA Operator
  » RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]

Slide 8: Certificate Restrictions
» Certificate Lifetime:
  » 13 months for End Entity certificates
  » 10 years for the CA certificate

Slide 9: Issuing Certificates
» End entities request certificates
  » Each generates its own key pair
  » Submits Application and Certificate Signing Request forms
» RA Operator checks the Requests
» RA Operator uses a secure communication method, e.g. signed and encrypted email

Slide 10: Issuing Certificates (cont'd)
» RA Operator transfers the Request to the CA Operator
  » RA Operator tars the CSRs and copies the tar ball to a USB drive
  » CA Operator copies the tar ball from the USB drive to the CA machine

Slide 11: Issuing Certificates (cont'd)
» CA Operator checks the CSRs and issues certificates
» CA Operator transfers the certificates to the RA Operator
  » CA Operator tars the certificates to the USB drive
  » RA Operator copies the tar ball onto the RA server
» RA Operator publishes the certificates on the website and informs users by email

Slide 12: Certificate Revocation
» Certificates are revoked when:
  » User private key compromised
  » Inaccurate user information suspected
  » User Obligation violated (CPS 2.1.4)
  » CA private key compromised
  » User leaves his/her organization

Slide 13: Revocation Request Procedure
» Revocation Requests can be submitted through the web interface
» or to the CA Manager

Slide 14: CRL
» CRL validity is 30 days
» New CRL issued:
  » 7 days before expiration of the previous one
  » immediately after a certificate revocation

Slide 15: Physical Security
» CA Server:
  » Stored in a safe deposit box, which is protected by a six-digit code
  » Not connected to a network of any sort
  » Located in a room which is restricted to the CA Operator during its operations
» CA private key:
  » Protected by a 15-character passphrase
  » Backup on a USB drive, stored in the safe box by the CA Operator

Slide 16: CA Room & Equipment (1)
» CA Room [photo]

Slide 17: CA Room & Equipment (2)
» CA Machine [photo]
» RA Server
» UPS

Slide 18: CA Room & Equipment (3)
» Safe box [photo]

Slide 19: Records Archival
» Types of archived data:
  » All issued certificates and CRLs
  » All enrollment requests and notifications between the NECTEC-GOC CA and users
  » Operation history of the CA key
  » Events of interest, as described in CP/CPS section 4.7.1
» The retention period is 3 years
» Archived files are stored on CD or DVD, located in the NECTEC server room's safe box

Slide 20: Key Pair
» CA private key generated by the CA Operator using OpenCA
» User and Grid Host key pairs generated by the user, e.g. using grid-cert-req
» Key Length:
  » CA Certificate: 2048 bits
  » End Entity Certificate: 1024 bits

Slide 21: Contact Information
Sornthep Vannarat and Suriya U-ruekolan
National Electronics and Computer Technology Center, Grid Operation Center
112 Paholyotin Road, Klong 1, Klong Luang, Pathumthani 12120, Thailand
Tel: (662) 564-6900 ext 2278
Fax: (662) 564-6772
Email: [email protected]
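The subject naming on slide 6, the lifetime and key-length limits on slides 8 and 20, and the CRL timing on slide 14 are exactly the checks an RA or CA Operator applies by hand before a request moves from the RA server to the offline CA machine. The Python script below is an added example, not code from NECTEC or from the OpenCA software the CA runs; it encodes those slide constraints as functions over a subject DN string, a key size, a validity window and a CRL issue date, so a batch of CSRs can be screened before they are tarred onto the USB drive. The function names, the "ee"/"ca" and "user"/"host" labels, and the reading of "lifetime" as notAfter no later than notBefore plus the stated limit are this example's own assumptions.

```python
import calendar
from datetime import date, timedelta

# Constraints transcribed from the slides; every other name here is the example's own.
REQUIRED_PREFIX = [("C", "TH"), ("O", "NECTEC"), ("OU", "GOC")]   # slide 6
MIN_KEY_BITS = {"ee": 1024, "ca": 2048}                            # slide 20
MAX_LIFETIME_MONTHS = {"ee": 13, "ca": 120}                        # slide 8 (13 months / 10 years)
CRL_VALIDITY_DAYS = 30                                             # slide 14
CRL_REISSUE_BEFORE_EXPIRY_DAYS = 7                                 # slide 14


def as_date(value):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_dn(dn):
    """Split 'C=TH,O=NECTEC,OU=GOC,CN=...' into (attribute, value) pairs.
    Components are separated by commas and only the first '=' of each one is a
    separator, so a CN such as 'Sornthep Vannarat/Email=...' keeps its value intact."""
    pairs = []
    for component in dn.split(","):
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % component)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def check_subject(dn, kind):
    """Return the list of policy problems for a 'user' or 'host' subject (empty = accepted)."""
    if kind not in ("user", "host"):
        raise ValueError("kind must be 'user' or 'host'")
    problems = []
    pairs = parse_dn(dn)
    if pairs[:3] != REQUIRED_PREFIX:
        problems.append("subject must start with C=TH,O=NECTEC,OU=GOC")
    cns = [value for attr, value in pairs if attr == "CN"]
    if len(cns) != 1:
        problems.append("subject must carry exactly one CN")
        return problems
    cn = cns[0]
    if kind == "host":
        # Slide 6: host certificates are CN=host/<fully qualified hostname>.
        fqdn = cn[len("host/"):] if cn.startswith("host/") else ""
        if "." not in fqdn or fqdn.endswith(".") or " " in fqdn:
            problems.append("host CN must be host/<fully qualified hostname>")
    elif cn.startswith("host/"):
        problems.append("user CN must be the person's name, not a host/ prefix")
    return problems


def check_key_bits(bits, kind):
    """kind is 'ee' (user or host certificate) or 'ca'."""
    minimum = MIN_KEY_BITS[kind]
    if bits >= minimum:
        return []
    return ["%s key is %d bits, policy minimum is %d" % (kind, bits, minimum)]


def add_months(d, months):
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    d = as_date(d)
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def check_lifetime(not_before, not_after, kind):
    """Assumption: the slide's lifetime limit bounds notAfter relative to notBefore."""
    not_before, not_after = as_date(not_before), as_date(not_after)
    if not_after <= not_before:
        return ["notAfter must be later than notBefore"]
    limit = add_months(not_before, MAX_LIFETIME_MONTHS[kind])
    if not_after <= limit:
        return []
    return ["%s certificate expires %s, policy limit is %s" % (kind, not_after, limit)]


def next_crl_issue(this_update, revocation_on=None):
    """Date the next CRL is due: 7 days before the current one expires, or the day a
    certificate is revoked if that comes first (slide 14)."""
    this_update = as_date(this_update)
    scheduled = this_update + timedelta(days=CRL_VALIDITY_DAYS - CRL_REISSUE_BEFORE_EXPIRY_DAYS)
    if revocation_on is not None and as_date(revocation_on) < scheduled:
        return as_date(revocation_on)
    return scheduled


if __name__ == "__main__":
    # Constructed sample requests: the two DNs from slide 6 plus one that breaks the rules.
    for dn, kind in [("C=TH,O=NECTEC,OU=GOC,CN=host/grid64.hpcc.nectec.or.th", "host"),
                     ("C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat", "user"),
                     ("C=TH,O=Elsewhere,OU=GOC,CN=host/grid64", "host")]:
        print(dn, "->", check_subject(dn, kind) or "ok")
    print("key:", check_key_bits(1024, "ee") or "ok", check_key_bits(512, "ee"))
    print("lifetime:", check_lifetime("2006-10-15", "2007-11-15", "ee") or "ok")
    print("next CRL:", next_crl_issue("2006-10-15"), next_crl_issue("2006-10-15", "2006-10-20"))
```

The checks are deliberately list-valued rather than boolean so that an RA Operator sees every reason a request was rejected at once, which matters when the round trip to the air-gapped CA machine is a physical USB transfer. Note that the 1024-bit end-entity minimum is the figure on slide 20; the constant is where a later CP/CPS revision would raise it.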