TERENA Certificate Service Milan Sova CESNET Agenda History TCS - - PowerPoint PPT Presentation



SLIDE 1

TERENA Certificate Service

Milan Sova CESNET

SLIDE 2

Agenda

  • History
  • TCS Structure
  • Procedures
  • Conclusions

SLIDE 3

History

“pop-up free server certificates”

SLIDE 4

History: SCS

  • TERENA Server Certificate Service
    – summer 2004: first idea
    – Dec 2004: SCS project started
    – Sep 2005: Call for Proposals
    – Jan 2006: Contract with GlobalSign (1 year)
  • 8 NRENs
    – March 16 2006: service operational
    – Jan 2007: Contract prolonged (3 years)

SLIDE 5

History: SCS -> TCS

  • Sep 2008: new Call for Proposals
  • Apr 2009: Contract with Comodo CA Ltd.
    – server, personal, object signing certificates
    => TCS (TERENA Certificate Service)
  • Jul 2009: TERENA SSL CA operational
  • Feb 2009: TERENA eScience Personal CA accredited by EUGridPMA, operational
  • Feb 2009: TERENA Personal CA operational

SLIDE 6

TCS

“PKI that works”

SLIDE 7

TCS Characteristics

  • 22 NRENs
  • flat fee – unlimited number of certificates
  • 5 CAs operated by Comodo
    – including CRL, OCSP
    – access via HTTP API
    – implicitly trusted by major OSs and software
  • RA roles and issuance managed by NRENs
    – except for object signing

SLIDE 8

Legal Structure

  • Contract TERENA – Comodo
  • Contracts TERENA – NRENs
  • Contracts NREN – member organizations
    – all referring to the CPS
  • 3 CPs
    – Server & Object Signing
      • including eScience Server
    – Personal
    – eScience Personal

SLIDE 9

TCS CAs

  • TERENA SSL CA
  • TERENA eScience SSL CA
  • TERENA Personal CA*
  • TERENA eScience Personal CA*
  • TERENA Code Signing CA*

* optional (surcharge)

SLIDE 10

TCS Certificate Chain

(figure: chain diagram, recovered as a list)
  • AddTrust External CA Root
    – UTN-USERFirst-Hardware: TCS SSL, TCS eScience SSL
    – UTN-USERFirst-Client Authentication and Email: TCS Personal, TCS eScience Personal
    – UTN-USERFirst-Object: TCS Object Signing
  • each TCS CA issues End Entity certificates

SLIDE 11

Procedures

“solid and usable”

SLIDE 12

Procedures: Server

  • NREN
    – web portal
    – register of organizations
      • administrators
      • DNS zones

SLIDE 13

Procedures: Server

  • server admin requests a certificate
    – DNS names
      • checked by the portal against the register
    – public key (PKCS#10)
  • organization admin
    – checks DNS – requester relation
    – approves

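One way to implement the portal check described on slides 12 and 13 (requested DNS names compared against the registered administrators and DNS zones of the requester's organization), as an added example that is not TCS's own code; the register entries, organization names and function names are constructed for illustration.

```python
import re

# Constructed register (hypothetical organizations, administrators and zones)
REGISTER = {
    "Example University": (["srv-admin@example.ac"], ["example.ac", "uni-example.org"]),
    "Example Institute": (["ra@example-inst.cz"], ["example-inst.cz"]),
}
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one LDH hostname label


def normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot (FQDN form) is dropped."""
    return name.strip().lower().rstrip(".")


def is_valid_hostname(name: str) -> bool:
    """Syntactic check: at least two non-empty LDH labels, 253 chars max.
    A single leading wildcard label is tolerated; '*.*.x' is not."""
    name = normalize(name)
    labels = name.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)


def name_in_zone(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it on a label boundary
    ('www.bexample.ac' is NOT in 'example.ac'); a leading '*.' is ignored."""
    name, zone = normalize(name), normalize(zone)
    if name.startswith("*."):
        name = name[2:]
    return name == zone or name.endswith("." + zone)


def check_request(requester: str, dns_names: list) -> tuple:
    """Portal-side check: requester must be a registered administrator and every
    name must lie in that organization's zones. Returns (passed, reasons); the
    organization admin still reviews and approves the request afterwards."""
    requester = requester.lower()
    org = next((o for o, (admins, _) in REGISTER.items()
                if requester in (a.lower() for a in admins)), None)
    if org is None:
        return False, [f"{requester}: not a registered administrator"]
    if not dns_names:
        return False, ["no DNS names requested"]
    reasons = []
    for n in dns_names:
        if not is_valid_hostname(n):
            reasons.append(f"{n}: not a syntactically valid DNS name")
        elif not any(name_in_zone(n, z) for z in REGISTER[org][1]):
            reasons.append(f"{n}: outside the registered zones of {org}")
    return not reasons, reasons
```

The suffix match is anchored on a label boundary so that a name in a look-alike domain such as `bexample.ac` does not pass for zone `example.ac`, and a wildcard name is only accepted when its base lies inside a registered zone.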
SLIDE 14

Procedures: Personal

  • “self-service” certificate issuance
  • federated portal
    – front-end to TCS CA
  • organizations – Identity Providers
    – identity checked using official ID
    – account management
    – attributes release

SLIDE 15

Attributes

  • eduPersonEntitlement
    – authorization & eligibility
  • uniqueID
    – traceability, naming conflicts
  • commonName
  • email

SLIDE 16

Conclusions

  • cost-effective
  • implicitly trusted by common software
  • SSL server authentication
  • S/MIME, user authentication
  • grid user authentication
    – grid SSL server accreditation pending
  • easy to use

SLIDE 17