Profile for Portal-based Credential Services

(POCS)

Yoshio TanakaYoshio TanakaInternational Grid Trust Federation International Grid Trust Federation

APGrid PMAAPGrid PMAAISTAIST

Motivation

There are many Grid project which provide portal-There are many Grid project which provide portal-based user registration system.based user registration system.

GEON Grid, Earth System Grid, etc.These portals issue certificates for users using These portals issue certificates for users using credential management systems such as GAMA and credential management systems such as GAMA and PURSE, but there is no appropriate profile recognized PURSE, but there is no appropriate profile recognized by IGTF.by IGTF.

Key pair is generated not at the client side but at the centralized server.Users do not need to take care about their certificates and private keys.Method of identity vetting can be flexible, but these portals are not doing strict vetting.They use online CA without HSM. Furthermore, some portals do not have a dedicated CA server.No CP/CPS.…

Portal server 2

GAMA architecture

Portal server 1

GAMA server

CACL

MyProxy

CAS

AX

IS W

eb S

ervi

ces

wra

pper

…

Servlet container

import user

retrieve credential

Stand-alone applications

retrieve credential

DBDBgridportlets

Java keystoreJava keystore

Java keystoreJava keystore

gama

GridSphere

Servlet container

create user

PURSE (Portal-based User Registration Service)

2. General Architecture

A POCS is a system that issues Grid A POCS is a system that issues Grid credentials to end entities via credentials to end entities via Web/Grid portals.Web/Grid portals.

There are different levels of assurance There are different levels of assurance in POCS according to the policy and in POCS according to the policy and practices.practices.

RudimentaryBasicMediumHigh

3.1 Identity vetting rules

A CA must define the role of registration A CA must define the role of registration authority (RA) which is responsible for authority (RA) which is responsible for the identity vetting of all end-entities.the identity vetting of all end-entities.

A POCS must describe the method for the A POCS must describe the method for the identity vetting in its CP/CPS.identity vetting in its CP/CPS.

A POCS must describe in its CP/CPS:A POCS must describe in its CP/CPS:How the identity (DN) assigned in the certificate is unique within the namespace of the issuer.How it attests to the validity of the identity.How it provides accountability.

3.1 Identity vetting rules (cont’d)

Possible methods for identity vetting:Possible methods for identity vetting:In-person meeting with photo ID (high)Approval by the pre-approved subscriber’s supervisor (e.g. PI) (medium)Phone call (basic)Email address (rudimentary)

3.2 End-entity certificate expiration, renewal and re-keying

Certificates (and private keys) Certificates (and private keys) managed in a software based token managed in a software based token should only be re-keyed, not renewed.should only be re-keyed, not renewed.A certificate (and a private key) may be A certificate (and a private key) may be renewed if it is in high level and uses a renewed if it is in high level and uses a hardware token for a period of up to 5 hardware token for a period of up to 5 years (for equivalent RSA key length of years (for equivalent RSA key length of 2048 bits) or 3 years (for equivalent 2048 bits) or 3 years (for equivalent RSA key length 1024 bits).RSA key length 1024 bits).Certifications may not be renewed or Certifications may not be renewed or re-keyed for more than 5 years without re-keyed for more than 5 years without a form of identity and eligibility a form of identity and eligibility validation, and this procedure must be validation, and this procedure must be described in the CP/CPS.described in the CP/CPS.

3.3 Removal of an authority from the authentication profile accreditation

An accredited authority should be An accredited authority should be removed from the list of authorities removed from the list of authorities accredited under this profile if it fails accredited under this profile if it fails to comply with this authentication to comply with this authentication profile document, or with the IGTF profile document, or with the IGTF Federation Document, via the voting Federation Document, via the voting process described in the charter of the process described in the charter of the PMA to which this authority is PMA to which this authority is accredited.accredited.

4. Operational requirements

POCS systems may havePOCS systems may havePortal serverCA (signing) serverCredential repository (e.g. My Proxy)

POCS must describe in CP/CPS the architecture POCS must describe in CP/CPS the architecture of the system.of the system.Possible architectures:Possible architectures:

Dedicated CA server is off-line or use FIPS 140-2 Level 3 HSM (high)Dedicated CA server is on-line without HSM, but connection to the other computers is limited to the Portal server and the credential repository (medium)CA server and the credential repository are the same computer which has a limited connection to the Portal server (basic)All three servers are on the same computer (rudimentary)

4. Operational requirements (cont’d)

The CA key lengthThe CA key length2048 bit (high)1024 bit (medium, basic, rudimentary)

Lifetime of the CA keyLifetime of the CA key20 years (2048 bit)5 years (1024 bit)

4.1 Certificate Policy and Practices Statement Identification

Every POCS CA must have a Certificate Policy Every POCS CA must have a Certificate Policy and Certificate Practices Statement (CP/CPS and Certificate Practices Statement (CP/CPS Document) and assign it a globally unique Document) and assign it a globally unique object identifier (OID). CP/CPS should be object identifier (OID). CP/CPS should be structured as defined in RFC 3647.structured as defined in RFC 3647.

Whenever there is a change in the CP/CPS Whenever there is a change in the CP/CPS the OID of the document must change and the OID of the document must change and the major changes must be announced to the the major changes must be announced to the accrediting PMA and approved before accrediting PMA and approved before signing any certificates under the new signing any certificates under the new CP/CPS.CP/CPS.

All the CP/CPS under which valid certificates All the CP/CPS under which valid certificates are issued must be available on the web.are issued must be available on the web.

4.2 Certificate and CRL profile

Details is still under consideration…Details is still under consideration…

Generation of the end-entity’s Generation of the end-entity’s cryptographic data:cryptographic data:

By the applicant, or based on cryptographic data that can be held only by the applicant on a secure hardware token (high)By the POCS CA (medium, basic, rudimentary)

4.3 Revocation

A CA which issues long-lived credentials must A CA which issues long-lived credentials must publish a CRL.publish a CRL.The CA must react as soon as possible, but within The CA must react as soon as possible, but within one working day, to any revocation request one working day, to any revocation request received.received.The maximum CRL lifetime must be at least 30 The maximum CRL lifetime must be at least 30 days and the CA must issue a new CRL at least 7 days and the CA must issue a new CRL at least 7 days before expiration and immediately after a days before expiration and immediately after a revocation.revocation.The CRLs must be published in a repository at The CRLs must be published in a repository at least accessible via the web, as soon as issued.least accessible via the web, as soon as issued.Revocation request can be made by end-entities, Revocation request can be made by end-entities, RAs and the CA. These requests must be properly RAs and the CA. These requests must be properly authenticated. Others can request revocation if authenticated. Others can request revocation if they can sufficiently prove compromise or they can sufficiently prove compromise or exposure of the associated private key.exposure of the associated private key.A CA which issues short-lived credentials will not A CA which issues short-lived credentials will not need to revoke certificates and will not need to need to revoke certificates and will not need to publish a CRL.publish a CRL.

4.4 CA key changeover

When a POCS CA’s cryptographic data When a POCS CA’s cryptographic data needs to be changed, such a transition needs to be changed, such a transition shall be managed; from the time of shall be managed; from the time of distribution of the new cryptographic distribution of the new cryptographic data, only the new key will be used for data, only the new key will be used for certificates signing purposes.certificates signing purposes.

The overlap of the old and new key The overlap of the old and new key must be at least as long as the time an must be at least as long as the time an issued certificate will be valid.issued certificate will be valid.

5. Site security

The pass phrase of the encrypted The pass phrase of the encrypted private key must be kept also on an private key must be kept also on an offline medium, separated from the offline medium, separated from the encrypted keys and guarded in a safe encrypted keys and guarded in a safe place where only the authorized place where only the authorized personnel of the CA have access.personnel of the CA have access.

Alternatively, another documented Alternatively, another documented procedure that is equally secure may procedure that is equally secure may be used.be used.

6. Publication and Repository responsibilities

Each authority must publish for their Each authority must publish for their subscribers, relying parties and for the subscribers, relying parties and for the benefit of distribution by the PMA and the benefit of distribution by the PMA and the federationfederation

The CA root certificate or the set of CA certificates up to a self-signed root;A http or https URL of the PEM-formatted CA certificate;A http URL of the PME or DER formatted CRL (if applicable);A http or https URL of the web page of the CA for general information;The CP and/or CPS documents;An official contact email address for inquiries and fault reporting;A physical or postal contact address.

6. Publication and Repository responsibilities (cont’d)

The CA should provide a means to validate The CA should provide a means to validate the integrity of its root of trust.the integrity of its root of trust.

Furthermore, the CA shall provide their trust Furthermore, the CA shall provide their trust anchor to a trust anchor repository, specified anchor to a trust anchor repository, specified by the accrediting PMA, via the method by the accrediting PMA, via the method specified in the policy of the trust anchor specified in the policy of the trust anchor repository.repository.

The repository must be run at least on a best-The repository must be run at least on a best-effort basis, with an intended continuous effort basis, with an intended continuous availability.availability.

The originating authority must grant to the The originating authority must grant to the PMA and the Federation - by virtue of its PMA and the Federation - by virtue of its accreditation - the right of unlimited re-accreditation - the right of unlimited re-distribution of this information. distribution of this information.

7. Audits

The CA must record and archive all requests The CA must record and archive all requests for certificates, along with all the issued for certificates, along with all the issued certificates, all the requests for revocation and certificates, all the requests for revocation and the login/logout/reboot of the issuing machine.the login/logout/reboot of the issuing machine.The CA must keep these records for at least The CA must keep these records for at least three years. These records must be available three years. These records must be available to external auditors in the course of their work to external auditors in the course of their work as auditor.as auditor.Each CA must accept being audited by other Each CA must accept being audited by other accredited CAs to verify its compliance with accredited CAs to verify its compliance with the rules and procedures specified in its the rules and procedures specified in its CP/CPS document.CP/CPS document.The CA should perform operational audits of The CA should perform operational audits of the CA/RA staff at least once per year. A list of the CA/RA staff at least once per year. A list of CA and RA personnel should be maintained CA and RA personnel should be maintained and verified at least once per year.and verified at least once per year.

8. Privacy and confidentiality

Accredited CAs must define a privacy Accredited CAs must define a privacy and data release policy compliant with and data release policy compliant with the relevant national legislation.the relevant national legislation.

The CA is responsible for recording, at The CA is responsible for recording, at the time of validation, sufficient the time of validation, sufficient information regarding the subscribers information regarding the subscribers to identify the subscriber.to identify the subscriber.

The CA is not required to release such The CA is not required to release such information unless provided by a valid information unless provided by a valid legal request according to national legal request according to national laws applicable to that CA.laws applicable to that CA.

9. Compromise and disaster recovery

The CA must have an adequate The CA must have an adequate compromise and disaster recovery compromise and disaster recovery procedure, and we willing to discuss procedure, and we willing to discuss this procedure in the PMA.this procedure in the PMA.

The procedure need not be disclosed in The procedure need not be disclosed in the policy and practice statement.the policy and practice statement.

9.1 Due diligence for end-entities

The CA should make a reasonable The CA should make a reasonable effort to make sure that end-entities effort to make sure that end-entities realize the importance of properly realize the importance of properly protecting their private data.protecting their private data.