TCS Milan Sova EUGridPMA Zurich May 2009


Page 1: TCS - TERENA · TCS History Fall 2005: – TERENA opens a Call for Proposals; – First contract with GlobalSign BV in 2006; SCS (Server Certificate Service) – NRENs participating

TCS

Milan Sova

EUGridPMA Zurich

May 2009

Page 2:

TCS History

● Fall 2005:

– TERENA opens a Call for Proposals;

– First contract with GlobalSign BV in 2006;

● SCS (Server Certificate Service)

– participating NRENs would get SSL certificates for a yearly flat fee;

● Started with 8 NRENs (in 2006):

– Now 19 NRENs participate;

– More than 15,000 SSL certificates issued in Europe;

● March 2009:

– As a result of a new Call for Proposals, Comodo appointed as new supplier;

Page 3:

SCS -> TCS

● New SCS service

– Expected start in May 2009

● Model

– yearly flat fee per NREN

– TERENA contractual party

– dedicated TERENA sub-CA

– 20 NRENs

Page 4:

SCS -> TCS (cont.)

● Optional add-on services

– personal (S/MIME & TLS client) certs

– object signing certs

– extra flat fee

=> TERENA Certificate Service

● work in progress

– testing certificate profiles

– writing CPS

Page 5:

Operational model

● Comodo

– CA operator (hosted CA)

● TERENA

– contractual party

● NRENs

– RA

● Organizations

– subscribers

– approving agents

Page 6:

BigOrg Model

● BigOrg pre-registers with its NREN

– BigOrg identity

● name(s), address, proof of legal existence

– registered domain names

● NREN verifies the registration

● BigOrg approves requests

● compliance checked by the TCS frontend

Page 7:

SmallOrg Model

● SmallOrg registers with its NREN

– SmallOrg identity

● name(s), address, proof of legal existence

● SmallOrg issues a request

● NREN RA verifies & approves the request

● NRENs would prefer BigOrg model ;)

Page 8:

Server Profile - Subject

● C required

● ST (optional)

● L (optional)

● O required

● OU optional

● CN required

● unstructuredName (optional)

Page 9:

Server profile - Extensions

● basicConstraints (critical): – ca:false (no pathLenConstraint)

● keyUsage (critical): – digitalSignature, keyEncipherment

● extendedKeyUsage (non-critical): – id-kp-serverAuth, id-kp-clientAuth

● subjectAltName (non-critical): – dNSName (min 1, max 100 names)

Page 10:

Server profile – Extensions (cont.)

● cRLDistributionPoints (non-critical): – URI:http://crl.tcs.terena.org/ssl_server.crl

● authorityInfoAccess (non-critical):

– CA Issuer: URI:http://crt.tcs.terena.org/ssl_server.crt

– OCSP: URI:http://ocsp.tcs.terena.org

Page 11:

Server profile – Extensions (cont.)

● authorityKeyIdentifier (non-critical): – keyID:...

● subjectKeyIdentifier (non-critical): ...

● certificatePolicies (non-critical):

– SCS policyID (no qualifiers)

Page 12:

eScience Server Profile - Subject

● DC "org"

● DC "terena"

● DC "scs"

● C required

● O required

● OU optional

● CN required

Page 13:

eScience Server Profile - Extensions

● basicConstraints (critical):

– ca:false (no pathLenConstraint)

● keyUsage (critical): – digitalSignature, keyEncipherment, dataEncipherment

● extendedKeyUsage (non-critical): – id-kp-serverAuth, id-kp-clientAuth

● subjectAltName (non-critical): – dNSName (min 1, max 100 names)

Page 14:

eScience Server Profile – Extensions (cont.)

● cRLDistributionPoints (non-critical):

– URI:http://crl.tcs.terena.org/eScience_server_crl

● authorityInfoAccess (non-critical):

– CA Issuer: URI:http://crt.tcs.terena.org/eScience_server.crt

– OCSP: URI:http://ocsp.tcs.terena.org

Page 15:

eScience Server Profile – Extensions (cont.)

● authorityKeyIdentifier (non-critical):

– keyID:...

● subjectKeyIdentifier (non-critical): ...

● certificatePolicies (non-critical):

– SCS policyID (no qualifiers)

– 1.2.840.113612.5.2.2.1 (no qualifiers)

Page 16:

(eScience) Personal CA

● federated CA

● front-end - portal(s) operated by NRENs

● IdPs – RA functions

Page 17:

Attributes - Authorization

● eduPersonEntitlement

– “user vetted properly”

– “request approved by the Org”

Page 18:

Attributes - Naming

● Common Name

● Organization Name

– preregistered

● “unique ID” assigned by IdP

– ePTargetedID, ePPrincipalName, whatever...

● email(s)

– verified by IdP

Page 20:

eScience Personal Profile -Subject

● DC "org"

● DC "terena"

● DC "scs"

● C required

● O required

● OU optional

● CN required

● unstructuredName optional

Page 21:

eScience Personal Profile - Extensions

● basicConstraints (critical):

– ca:false (no pathLenConstraint)

● keyUsage (critical): – digitalSignature, keyEncipherment, dataEncipherment

● extendedKeyUsage (non-critical): – id-kp-emailProtection, id-kp-clientAuth

● subjectAltName (non-critical): – rfc822Name (min 1, max 10 email addresses)

Page 22:

eScience Personal Profile – Extensions (cont.)

● cRLDistributionPoints (non-critical): – URI:http://crl.tcs.terena.org/TERENAeSciencePersonalCA.crl

● authorityInfoAccess (non-critical):

– CA Issuer: URI:http://crt.tcs.terena.org/TERENAeSciencePersonalCA.crt

– OCSP: URI:http://ocsp.tcs.terena.org

Page 23:

eScience Personal Profile – Extensions (cont.)

● authorityKeyIdentifier (non-critical):

– keyID:...

● subjectKeyIdentifier (non-critical): ...

● certificatePolicies (non-critical):

– TCS policyID (no qualifiers)

– 1.2.840.113612.5.2.2.5 (no qualifier)

Page 24:

To be continued...