APAC Grid Certificate Authority - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: APAC Grid Certificate Authority


Slide 1
APAC Grid Certificate Authority
Presentation by David Bannon, VPAC Feb 2005
meeting. To the APGrid PMA Meeting, November 7th
2005
Slide 2
APAC Grid
  • Federally funded and strongly supported by Governments and Universities.
  • Involves 8 partner organisations from 7 states and territories in Australia.
  • Many thousands of kilometres between partners.
  • Lots of empty space in Australia!

Slide 3
APAC Grid
  • Committed to supporting a wide range of sciences.
  • And a wide range of people ...
  • Need to provide a range of services.
  • Based on a number of standards!

Slide 4
APAC Grid - Projects
  • Apart from the infrastructure groups, there are a number of projects, each:
  • Working on one field of science.
  • Distributed around the country.
  • Producing products to be used!

Projects: Chemistry, High Energy Physics, Bioinformatics, Astrophysics, Earth Systems, Geoscience
Slide 5
One Certificate Authority
  • But lots of sites!
  • Not a huge number of users at each site yet.
  • Agreed that we did not want many separate CAs.
  • Too hard to control.
  • Ensure standards maintained.
  • Especially for occasional use.

Slide 6
  • Issuer
    C=AU, O=APAC-GRID, CN=APAC-GRID CA
  • Person
    C=AU, O=APAC-GRID, OU=group/uni/company etc, CN=fullPersonName
  • Hosts
    C=AU, O=APAC-GRID, OU=group/uni/company etc, CN=fullyQualifiedDomainName
    or
    C=AU, O=APAC-GRID, OU=group/uni/company etc, CN=host/fullyQualifiedDomainName
  • Service
    C=AU, O=APAC-GRID, OU=group/uni/company etc, CN=serviceName/fullyQualifiedDomainName

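The naming scheme above as a checker, added here as an example (not part of the presentation or of the APAC Grid CA's software): it parses a subject DN and decides which of the four profiles it fits, rejecting anything else. Beyond what the slide says, it assumes a person's CN never looks like a fully qualified domain name, and it does not handle escaped commas inside DN values.

```python
import re

# Subject naming scheme from slide 6. Example code written for this page,
# not the APAC Grid CA's own software. Assumption not stated on the slide:
# a person's CN never looks like an FQDN, so a bare FQDN in CN means a host.
ISSUER = [("C", "AU"), ("O", "APAC-GRID"), ("CN", "APAC-GRID CA")]
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def parse_dn(dn: str) -> list:
    """Split 'C=AU, O=APAC-GRID, CN=x' into ordered (attr, value) pairs.
    Escaped commas inside values are not handled (kept simple on purpose)."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def classify_subject(dn: str) -> str:
    """Return 'issuer', 'person', 'host' or 'service' for a DN following the
    slide-6 scheme; raise ValueError for anything that does not fit."""
    pairs = parse_dn(dn)
    if pairs == ISSUER:
        return "issuer"
    if [a for a, _ in pairs] != ["C", "O", "OU", "CN"]:
        raise ValueError("subject must be C, O, OU, CN in that order")
    if pairs[0] != ("C", "AU") or pairs[1] != ("O", "APAC-GRID"):
        raise ValueError("C must be AU and O must be APAC-GRID")
    cn = pairs[3][1]
    if "/" in cn:
        # host/FQDN or serviceName/FQDN: the part after the slash must be a FQDN
        prefix, _, fqdn = cn.partition("/")
        if not prefix or not FQDN_RE.match(fqdn):
            raise ValueError(f"CN {cn!r} is not <name>/<FQDN>")
        return "host" if prefix == "host" else "service"
    return "host" if FQDN_RE.match(cn) else "person"
```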
Slide 7
Certificate Authority, registration
User registers over the web on the RA and records a one-off pass phrase so he can come back later.
[Diagram: CA, User Site]

Slide 8
Certificate Authority, registration
User is directed to a face-to-face meeting with the RAO, must show photo ID and advise the reference to the application.
[Diagram: CA, User Site]

Slide 9
Certificate Authority, registration
If the RAO is satisfied, he/she will digitally sign the application from their certificate-aware browser.
[Diagram: CA, User Site]

Slide 10
Certificate Authority, registration
[Diagram: CA, User Site; no slide text]

Slide 11
Certificate Authority, registration
User picks up their certificate from the web site using the pass phrase they set at step 1.
[Diagram: CA, User Site]
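The five-step flow on slides 7 to 11 as a toy model, added here as an example and not the CA's own code. It assumes a salted PBKDF2 hash for the step-1 pass phrase, an HMAC under a per-RAO secret standing in for the RAO's browser signature, and, since slide 10 carries no text, that the CA verifies that signature before issuing.

```python
import hashlib, hmac, os, secrets

# Toy model of the registration flow on slides 7-11. Example code for this
# page, not the APAC Grid CA's software. Assumptions: the RAO's browser
# signature is stood in for by an HMAC under a per-RAO secret, and the CA
# (slide 10 has no text) is taken to verify that signature before issuing.
PBKDF2_ROUNDS = 100_000


class Registration:
    def __init__(self, rao_secrets):
        self.rao_secrets = rao_secrets   # RAO name -> secret standing in for their certificate
        self.applications = {}           # reference -> application record

    def register(self, subject_dn, pass_phrase):
        """Step 1: user registers over the web and sets a one-off pass phrase;
        only a salted PBKDF2 hash of it is stored."""
        ref, salt = secrets.token_hex(4), os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), salt, PBKDF2_ROUNDS)
        self.applications[ref] = {"dn": subject_dn, "salt": salt, "digest": digest,
                                  "rao_sig": None, "cert": None}
        return ref

    def _rao_mac(self, rao, ref):
        msg = f"{ref}:{self.applications[ref]['dn']}".encode()
        return hmac.new(self.rao_secrets[rao], msg, "sha256").digest()

    def rao_approve(self, ref, rao, photo_id_matches):
        """Steps 2-3: the RAO meets the applicant, checks photo ID against the
        quoted reference, and only then signs the application."""
        if not photo_id_matches:
            raise PermissionError("RAO must verify photo ID before signing")
        self.applications[ref]["rao_sig"] = (rao, self._rao_mac(rao, ref))

    def ca_issue(self, ref):
        """Step 4 (assumed): the CA verifies the RAO signature, then issues."""
        app = self.applications[ref]
        rao, sig = app["rao_sig"] or (None, b"")
        if rao is None or not hmac.compare_digest(sig, self._rao_mac(rao, ref)):
            raise PermissionError("missing or invalid RAO signature")
        app["cert"] = f"CERT({app['dn']})"   # stand-in for the issued certificate

    def pick_up(self, ref, pass_phrase):
        """Step 5: user collects the certificate with the step-1 pass phrase."""
        app = self.applications[ref]
        digest = hashlib.pbkdf2_hmac("sha256", pass_phrase.encode(), app["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, app["digest"]):
            raise PermissionError("wrong pass phrase")
        if app["cert"] is None:
            raise PermissionError("certificate not issued yet")
        return app["cert"]
```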
Slide 12
CPS
  • Based on RFC 2527, getting closer.
  • Working towards APGrid compliance.
  • Standards are not hard...
  • But getting it correctly specified is, perhaps because we approached it from the wrong angle.
  • (Initially thought we were setting up for a year's operation with no outside interaction; we were wrong!)

Slide 13
Issues
  • Identification
    • Distributed identification, a problem?
  • Operation
    • Who can do what?
    • Two on-site operators.
    • RAO at other sites.
  • Records
    • Logs and records.
    • Certificates and CRLs on line.

Slide 14
Issues
  • Physical
    • Dedicated machines.
    • Secure room, restricted and logged access.
    • Stable environment, good power, fire and water alarms.
    • Operated by a group with a professional approach and strong commitment to user service.

Slide 15
Issues
  • OID, new to us!
    • Granted 1.3.6.1.4.1.23953 to APAC
    • .1 to Grid Project
    • .2 to Certificate Authority
    • .1 to Document Version
    • .1 to Document Release
  • So, the CPS is 1.3.6.1.4.1.23953.1.2.1.1 now!

Slide 16
Issues (continued)
  • Technical
    • Based on OpenCA.
    • Key lengths, protection as expected.
    • How to force users to protect their own?
    • Computers: dedicated, up to date.

Slide 17
Issues (continued)
  • Certificates
    • Certificate profiles
  • Revocation
    • User request.
    • Supervisor or official request.
    • CA decision, misuse or mistake.
  • CRL
    • Valid for 30 days.
    • Issued immediately after a revocation.
    • Reissued even if no additions.

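The three CRL rules above as a small simulation, added here as an example that is not the CA's own tooling: it shows when a CA following those rules would publish, and why a relying party must treat a CRL past its nextUpdate as unusable. The five-day renewal margin before nextUpdate and the hourly simulation step are assumptions.

```python
from datetime import datetime, timedelta

# CRL rules from slide 17: valid for 30 days, issued immediately after a
# revocation, reissued even when nothing was added. Example code written for
# this page, not the APAC Grid CA's own tooling. The 5-day renewal margin
# and the one-hour simulation step are assumptions.
CRL_LIFETIME = timedelta(days=30)
RENEW_MARGIN = timedelta(days=5)
STEP = timedelta(hours=1)


def next_update(this_update: datetime) -> datetime:
    """nextUpdate of a CRL whose thisUpdate is this_update."""
    return this_update + CRL_LIFETIME


def crl_is_stale(this_update: datetime, now: datetime) -> bool:
    """A relying party must not accept a CRL past its nextUpdate, which is
    why the CA reissues even when no certificate was added."""
    return now >= next_update(this_update)


def issue_schedule(first_issue, revocations, until):
    """Step the CA's publication decision hour by hour and return the list
    of (issue_time, reason) produced up to `until`."""
    issued = [(first_issue, "initial")]
    this_update = first_issue
    now = first_issue
    while now <= until:
        if any(this_update < r <= now for r in revocations):
            reason = "revocation"          # publish immediately
        elif now >= next_update(this_update) - RENEW_MARGIN:
            reason = "expiry"              # reissue even with no additions
        else:
            reason = None
        if reason:
            issued.append((now, reason))
            this_update = now
        now += STEP
    return issued


def demo_schedule():
    """Constructed timeline: first CRL on 7 Nov 2005, one revocation on
    10 Nov at noon, simulated through the end of December 2005."""
    sched = issue_schedule(datetime(2005, 11, 7),
                           [datetime(2005, 11, 10, 12)],
                           datetime(2005, 12, 31))
    return [(t.isoformat(), why) for t, why in sched]
```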
Slide 18
Issues (continued)
  • Specification administration
    • Change control
    • Notification (spam vs. need to know)
  • Disaster recovery
    • CA private key and backup CDs stored in a large, secure safe accessible only to the Systems Manager (and, exceptionally, the CEO).

Slide 19
Issues (continued)
  • Hours of operation?
  • We, the PACs, generally are not manned 24x7.
  • But our systems do operate 24x7.
  • The CRL and website are 24x7.
  • The manual component is not!
  • We do run help desks beyond 9 to 5.
  • Just where does this appear in RFC 2527?

Slide 20
VPAC Team (Grid Proj)
  • Grid Project (VPAC only)
    • David Bannon, Blame Taker, D.Bannon_at_vpac.org
    • Chris Samuel, Network Engineer (2IC), csamuel_at_vpac.org
    • Graham Jenkins, Systems Admin, graham_at_vpac.org
    • Chris Kendrick, Systems Admin, kendrick_at_vpac.org
  • Others in Systems Team at VPAC
    • Hu Ping, Brett Pemberton, Nelsie Fernandez, Leena Joshi
  • Web site: http://www.vpac.org/apacgrid
  • Active Partners
    • VPAC, SAPAC, CSIRO, QPSF, ac3, TPAC, IVEC, NF
