![Page 1: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/1.jpg)
EU NREN PKI
Jan Meijer
AARnet PKI / Access Federations Strategy Workshop
10 February 2010, Sydney
![Page 2: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/2.jpg)
me
• 1998-2007: SURFnet – CERT, security, PKI, systems engineering, e-voting
• 2007-now: UNINETT – service development, storage, PKI
![Page 3: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/3.jpg)
beautiful morning....
• 22 NRENs
• 6 months
• 12573 server certs
• starting personal
![Page 4: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/4.jpg)
PKI purpose
Guarantee:
• Authenticity
• Confidentiality
• Integrity
• Non-repudiation
![Page 5: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/5.jpg)
ehr, no, we want
• others not to read our mail
• to know the sender is the sender
• that, for documents, thanks
• no reading of my credit card number
• no reading of my health information
• no reading of my passwords
• log on to my internal web site
![Page 6: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/6.jpg)
if it doesn’t work
it doesn’t work
![Page 7: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/7.jpg)
the issue
?
![Page 8: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/8.jpg)
direct trust
![Page 9: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/9.jpg)
hierarchical trust
![Page 10: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/10.jpg)
web of trust
![Page 11: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/11.jpg)
Feb 1993, RFC 1422
Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management
obsoletes RFC 1114 Mail Privacy: Key Management (1989)
![Page 12: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/12.jpg)
Feb 1993, RFC 1422
The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA).
The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy.
Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations.
Each PCA is certified by the IPRA.
![Page 13: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/13.jpg)
USA crypto exports
<1996: International Traffic in Arms Regulations
1996: Export Administration Regulations (EAR) of the Department of Commerce
31 Dec 1998: 56 bit without license
12 January 2000: Freedom to export
source: Bert-Jaap Koops’ Crypto Law Survey, http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us
![Page 14: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/14.jpg)
Pretty Good Privacy
Jun 5, 1991: PGP 1.0
Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.63i… with help:
Aug 1996: RFC1991, PGP Message Exchange Formats (FYI)
Nov 1998: RFC2440, OpenPGP Message Format (STD)
![Page 15: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/15.jpg)
1994: Netscape Navigator 1.0
1995: Internet Explorer 2.0
![Page 16: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/16.jpg)
(1994) 1996: .nl electronic purse
chipknip
chipper
![Page 17: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/17.jpg)
13 December 1999:
DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
![Page 18: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/18.jpg)
1995: Student Chip Card
![Page 19: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/19.jpg)
qualified digital signatures!
![Page 20: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/20.jpg)
1998: SURFnet PKI
• PGP PKI
• PGP keyserver pgp.surfnet.nl
• x.509 PKI
![Page 21: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/21.jpg)
use
PGP
– email signing and encryption
– document signing and encryption
x.509
– email signing and encryption
– document signing and encryption
– authentication
– smartcard deployments
![Page 22: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/22.jpg)
requirements
• scalable
• identity vetting at university
• affordable server and client certificates
![Page 23: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/23.jpg)
SURFnet x.509 PKI
1998: setup
1999: production
![Page 24: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/24.jpg)
more levels
![Page 25: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/25.jpg)
europe
![Page 26: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/26.jpg)
down in the trenches
![Page 27: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/27.jpg)
soon
![Page 28: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/28.jpg)
~2000
• Netherlands qualified Digital Signature accreditation framework ready
• SURFnet PKI: test audit
![Page 29: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/29.jpg)
~2001
“SURFdiensten” GlobalSign discount deal for .nl higher ed
![Page 30: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/30.jpg)
1998-2004: PKI evolves
• Focus on policy
• Focus on CA operations
• Plans to interlink European PKIs
• Separate eScience Grid PKI
• TACAR
• Experience but not large scale deployment
![Page 31: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/31.jpg)
SURFnet PKI numbers

| Year | New CAs | Personal | Server |
|---|---|---|---|
| 2000 | 1 | 1 | 14 |
| 2001 | 1 | 48 | 38 |
| 2002 | 3 | 43 | 47 |
| 2003 | 16 | 91 | 201 |
| 2004 | 2 | 52 | 125 |

course
![Page 32: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/32.jpg)
popular?
• SSL server certificates
• Personal certificates
• Code Signing certificates
![Page 33: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/33.jpg)
biggest problem?
![Page 34: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/34.jpg)
get root in browsers
2000: $250.000 x 2
2004: IE: WebTrust
![Page 35: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/35.jpg)
puzzling pieces
• in-browser root, $$
• flat rate
• unpunished success
• why do I want to run my own CA?
![Page 36: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/36.jpg)
TERENA
![Page 37: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/37.jpg)
![Page 38: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/38.jpg)
idea
• join forces
• contract commercial CA
• flat-rate for the TERENA community
• unlimited
• NREN becomes RA
• re-use existing contractual relations
make it stupid to not secure your server with SSL
![Page 39: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/39.jpg)
use existing relations
![Page 40: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/40.jpg)
SCS timeline
• Jan 2005: idea written up (TF-CSIRT!)
• Feb 2005: presented at TF-EMC2
“the list”, 20 kEUR
• Summer 2005: reality + procedure check
• September 2005: CfP
• January 2006: GlobalSign contract
![Page 41: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/41.jpg)
16 March 2006: SCS is born
![Page 42: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/42.jpg)
SCS numbers 12/2007

| NREN | # issued | # organisations |
|---|---|---|
| ACONet | 979 | 26 |
| ARNES* | 23 | n/a |
| BELNET | 673 | 57 |
| CARNet | 166 | n/a |
| CESNET | 452 | 20 |
| CRU/RENATER | 1446 | 134 |
| GARR** | 100 | 20 |
| JANET (UK) | 2300 | 212 |
| RedIRIS | 1077 | 86 |
| SUNET*** | 487 | 17 |
| SURFnet | 1934 | 91 |
| SWITCH | 1200 | n/a |
| UNI-C**** | 1366 | n/a |
| UNINETT | 348 | 24 |

14 NRENs
12551 certificates
![Page 43: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/43.jpg)
SCS numbers per 1 Aug 2008
# participating NRENs 18 (14)
# certificates issued 19.400 (12551)
# participating orgs 2.225
# proxies 3.800
![Page 44: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/44.jpg)
2007: mission accomplished!
no ssl = lame
and behavioural change...
![Page 45: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/45.jpg)
SCS: lessons learned
• vested interests, existing services, strong opinions, policy devil....
• browser popup was the problem
• certain level of control good
• do what matters
• good enough = good enough!
![Page 46: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/46.jpg)
2007
• contract renewal with GlobalSign
• start preliminary work with new CfP
![Page 47: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/47.jpg)
new CfP, lessons learned
1. root coverage: browsers *and* other platforms
2. validity on contract end
3. ensuring future root coverage
4. end user interfaces
5. interface response times
6. describe certificate request processing
7. profiles
8. subjectAltName
9. multiple valid certificates
10. internationalisation
11. support
12. auditing
13. training
14. certificate lifetime
![Page 48: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/48.jpg)
more lessons... optional reqs
1. alternative lifetimes
2. end user interface for renewal
3. per NREN branding
4. additional profiles
5. eScience Grid certificate support
6. API
7. wildcard certificates
8. OCSP
9. extensive reporting
![Page 49: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/49.jpg)
interesting CfP
![Page 50: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/50.jpg)
TERENA Certificate Service
![Page 51: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/51.jpg)
crucial lesson
GlobalSign SCS certificates
revoked
3 months
after contract expiry
![Page 52: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/52.jpg)
CfP failure
Plan B?
![Page 53: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/53.jpg)
New TCS!
• 5 TERENA CAs
– Server
– Code signing
– Personal
– eScience Server
– eScience Personal
• own CPS
• own front-ends
• Comodo backend + roots
![Page 54: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/54.jpg)
TCS numbers Jan. 2010

| NREN | # issued |
|---|---|
| RENATER | 2758 |
| SURFnet | 2499 |
| UNI-C | 1643 |
| JANET(UK) | 1289 |
| SUNET | 1088 |
| CESNET | 1069 |
| ACOnet | 733 |
| UNINETT | 599 |
| BELNET | 383 |
| PSNC | 140 |
| GRNET | 116 |
| FCCN | 61 |
| CARNet | 56 |
| HUNGARNET | 35 |
| GARR | 22 |
| LITNET | 21 |
| RedIRIS | 21 |
| HEAnet | 11 |
| ARNES | 7 |
| CSC | 6 |
| AMRES | 2 |
| UoM | 0 |

# issued 12573
# NRENs 22
![Page 55: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/55.jpg)
TCS is
![Page 56: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/56.jpg)
TCS organisation
• TERENA
– contractual party, financial clearing house, contact conduit to Comodo
• TCS PMA, club of 5
– CPS responsibility
• TCS Representatives
– 1 per NREN, formal decisions
• TCS RAs
– day to day operations
![Page 57: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/57.jpg)
TCS Members

| Country | NREN | Server | Code | Personal |
|---|---|---|---|---|
| Austria | ACOnet | X | X | X |
| Belgium | BELNET | X | X | X |
| Croatia | CARnet | X | | |
| Czech Republic | CESNET | X | | X |
| Denmark | UNI-C | X | | |
| Finland | CSC | X | | X |
| France | RENATER | X | | X |
| Greece | GRNET | X | | X |
| Hungary | HUNGARNET | X | | |
| Ireland | HEAnet | X | | X |
| Lithuania | LITNET | X | | X |
| Malta | UoM | X | | |
| Netherlands | SURFnet | X | X | X |
| Norway | UNINETT | X | X | X |
| Poland | PSNC | X | X | X |
| Portugal | FCCN | X | | |
| Serbia | AMRES | X | | X |
| Slovenia | ARNES | X | | |
| Spain | RedIRIS | X | X | X |
| Sweden | SUNET | X | X | X |
| UK | JANET | X | | |
| Total | | 22 | 7 | 14 |
![Page 58: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/58.jpg)
how?
SCS
Guido Aben, Jan Meijer, Teun Nijssen (SURFnet), Kaspar Brandt (SWITCH), Licia Florio, Karel Vietsch (TERENA), Milan Sova (CESNET), and more...
TCS
Kent Engstrøm (SUNET), Licia Florio, Jan Meijer, Kevin Meynell, Teun Nijssen, Milan Sova, Karel Vietsch, Henrik Austad, and more...
TCS Tender Committee
Kurt Bøge (UNI-C), Daniel Garcia (RedIRIS), Licia Florio, Dominique Launay (RENATER), Jan Meijer, Damien Shaw (JANET), Milan Sova, Karel Vietsch
![Page 59: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/59.jpg)
PKI landscape Europe 2010
• TCS
• DFN-PKI
• SWITCH-PKI
• Grid PKI
• Geant3 PKI activity
![Page 60: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/60.jpg)
obituaries
• chipknip: dead
• chipper: dead
• studenten chipkaart: dead
• SURFnet PGP PKI: dead
• SURFnet x.509 PKI: dead
![Page 61: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/61.jpg)
alive and kicking
• TERENA Certificate Service
• PGP: FIRST, 209 teams, 47 countries
• Grid PKI
• Personal certificates?
![Page 62: EU NREN PKI](https://reader035.vdocuments.net/reader035/viewer/2022062410/56815706550346895dc4aaa9/html5/thumbnails/62.jpg)
purpose