Slide 2
› Many NRENs had set up a CA, but the certificates issued were not trusted by web browsers (the ‘pop-up’ problem).
› Purchasing certificates directly from commercial CAs is expensive in bulk.
Background
Slide 3
› Five types of certificate available:
› Server Certificate - for authenticating servers and establishing secure sessions with end clients.
› e-Science Server Certificate - for authenticating Grid hosts and services. These are IGTF compliant.
› Personal Certificate - for identifying individual users and securing e-mail communications.
› e-Science Personal Certificate - for identifying individual users accessing Grid services. These are IGTF compliant.
› Code-signing Certificate - for authenticating software distributed over the Internet.
› Comodo is also offering free EV certificates for a limited period.
Certificate Types
Slide 4
NREN/Country S P C NREN/Country S P C
ACOnet AT LITNET LT -
BELNET BE UoM MT -
CARNet HR - - SURFnet NL
Cyprus CY UNINETT NO
CESNET CZ - PSNC PL
UNI•C DK - FCCN PT - -
FUNET FI - RoEduNet RO -
RENATER FR - AMRES RS -
GRNET GR - ARNES SI - -
HUNGARNET HU - - RedIRIS ES
HEAnet IE SUNET SE
GARR IT - JANET(UK) UK - -
IUCC IL -
Participants
Built using contracts
• scales well to large numbers of organisations and users
• assurance requirements on subscribers ensure quality ID
• bound through legal contracts
Slide 7
› Several NRENs decided to pool resources and operate a common portal for personal certificates.
› Hosted on resilient servers at Tilburg University under contract to TERENA.
› Utilises Confusa software.
› Each NREN community needs to operate at least one IdP, but multiple IdPs are supported.
› Participants:
› ACOnet (AT), BELNET (BE), FUNET (FI), GARR (IT), RENATER (FR), SUNET (SE), SURFnet (NL), UNI-C (DK), UNINETT (NO)
TCS Portal
Authenticating users via Subscriber and Federation
National research-education federations provide the basis for authenticating users and obtaining key attributes
like a persistent unique identifier and including assurance level via service entitlements
User’s home organisation
NREN or Federation Operator
Slide 9
› Server Certificates
› Since 1 Jul 2009 - 45,710 (most JANET(UK) with 9,321)
› eScience Server Certificates
› Since 1 Oct 2010 - 42 (most PSNC with 16)
› Personal Certificates
› Since 5 Feb 2010 - 1,169 (most 499 with CESNET)
› eScience Personal Certificates
› Since 5 Feb 2010 - 547 (most 332 with UNINETT)
› Code-Signing Certificates
› Since 1 June 2010 - 52 (most 13 with PSNC)
Statistics (1 Jul 2009 - 31 Dec 2010)
TCS eScience - global recognition
Meets the IGTF requirements for long-term integrated credential services and thereby has global recognition by all major e-Infrastructures