NECTEC-GOC CA - PowerPoint PPT Presentation

1
NECTEC-GOC CA
  • APGrid PMA face-to-face meeting, October 15, 2006
  • Sornthep Vannarat, National Electronics and Computer
    Technology Center, Thailand

2
Introduction
  • NECTEC: National Electronics and Computer
    Technology Center
  • Government research institute under the Ministry of
    Science
  • For electronics, telecommunication, computer and
    information technologies, including Grid Computing
  • NECTEC GOC CA: NECTEC GRID Operation Center
    Certificate Authority
  • NECTEC GRID PMA
  • Large Scale Simulation Research Laboratory
  • Network Technology Laboratory
  • Thai Computer Emergency Response Team

3
CP/CPS
  • Current version: 1.0 (October 2006)
  • Object ID: 1.3.6.1.4.1.25149.1.1.1.0
  • Conforms to RFC 2527
  • Managed by the NECTEC GRID PMA
  • Changes in contents need to be approved by the
    NECTEC GRID PMA

4
NECTEC-GOC CA Organization
  • Table 1-2 Organization...
  • GRID CA PMA: Policy Management Authority
  • CA Manager: administers all tasks on the CA
    system
  • RA Operator
    • Accepts and verifies the User Application form
    • Checks the Certificate Signing Request form
    • Informs the CA to issue the certificate
  • CA Operator
    • Issues certificates
    • Manages the CA and RA servers
    • Maintains the CA system
    • Manages the CA private key

Remove CP/CPS 2.2.5
5
End Entity
  • NECTEC-GOC CA issues certificates for the
    following subjects:
    • Users of NECTEC
    • Users of domestic Grid-based applications or
      projects
    • Collaborators related to NECTEC Grid Computing
      research

6
Certificate Type
  • User Certificate: C=TH, O=NECTEC, OU=GOC,
    CN=Sornthep Vannarat/emailAddress=sornthep@nectec.or.th
  • Grid Host Certificate: C=TH, O=NECTEC, OU=GOC,
    CN=host/grid64.hpcc.nectec.or.th

7
Identification and Authentication
  • User and Grid Host Certificate
    • The subscriber meets in person with the RA Operator
    • The RA Operator reviews and approves the Application and
      Certificate Request according to the user's documents
      (CPS 1.3.2 and 3.1.x)
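The RA Operator's check of a request form (the subject name forms on the Certificate Type slide, the review step on this slide, and the key lengths on the later Key Pair slide) written out as a script. This is an added illustration, not NECTEC-GOC CA's own software. Assumptions not on the slides: subjects arrive as comma-separated attribute=value strings, the e-mail address sits in its own emailAddress attribute, and the key-length figures are treated as minimums.

```python
"""
Naming- and key-policy check an RA Operator could run over certificate
requests before forwarding them to the CA Operator.  Added illustration,
not NECTEC-GOC CA software.  Assumed here (not on the slides): subjects are
comma-separated attribute=value strings, the e-mail address is carried in an
emailAddress attribute, and the slide's key lengths are minimums.
"""
import re

# Fixed prefix every NECTEC-GOC CA subject carries (Certificate Type slide).
REQUIRED_PREFIX = [("C", "TH"), ("O", "NECTEC"), ("OU", "GOC")]

# End-entity key length from the Key Pair slide (1024 bits for users and hosts).
MIN_KEY_BITS = {"user": 1024, "host": 1024}

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dn(dn):
    """Split 'C=TH, O=NECTEC, OU=GOC, CN=...' into an ordered list of (attr, value).

    Values may contain '/', as in CN=host/grid64.hpcc.nectec.or.th, so the
    split is on ',' only, never on '/'.
    """
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty RDN in subject")
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def check_request(cert_type, subject_dn, key_bits):
    """Return a list of policy violations; an empty list means the form may proceed."""
    problems = []
    try:
        rdns = parse_dn(subject_dn)
    except ValueError as exc:
        return [str(exc)]

    # 1. Fixed C/O/OU prefix, in order.
    if rdns[:3] != REQUIRED_PREFIX:
        problems.append(f"subject must start with C=TH, O=NECTEC, OU=GOC, got {rdns[:3]}")

    # 2. Exactly one CN after the prefix.
    cns = [v for a, v in rdns if a == "CN"]
    cn = cns[0] if len(cns) == 1 else None
    if cn is None:
        problems.append(f"expected exactly one CN, found {len(cns)}")

    emails = [v for a, v in rdns if a == "emailAddress"]

    if cert_type == "user":
        if cn is not None and cn.startswith("host/"):
            problems.append("user CN must be a person's name, not a host/ prefix")
        if len(emails) != 1 or not EMAIL_RE.match(emails[0]):
            problems.append("user certificate needs exactly one valid emailAddress")
    elif cert_type == "host":
        if cn is not None and (not cn.startswith("host/")
                               or not HOSTNAME_RE.match(cn[len("host/"):].lower())):
            problems.append("host CN must be 'host/<fully qualified hostname>'")
        if emails:
            problems.append("host certificate must not carry an emailAddress")
    else:
        problems.append(f"unknown certificate type {cert_type!r}")

    # 3. Key length against the Key Pair slide.
    minimum = MIN_KEY_BITS.get(cert_type)
    if minimum is not None and key_bits < minimum:
        problems.append(f"{cert_type} key is {key_bits} bits, policy minimum is {minimum}")

    return problems


if __name__ == "__main__":
    # Constructed sample requests, modelled on the Certificate Type slide.
    samples = [
        ("user", "C=TH, O=NECTEC, OU=GOC, CN=Sornthep Vannarat, emailAddress=sornthep@nectec.or.th", 1024),
        ("host", "C=TH, O=NECTEC, OU=GOC, CN=host/grid64.hpcc.nectec.or.th", 1024),
        ("host", "C=TH, O=NECTEC, OU=GOC, CN=grid64.hpcc.nectec.or.th", 512),
    ]
    for cert_type, dn, bits in samples:
        print(cert_type, dn, bits, "->", check_request(cert_type, dn, bits) or "OK")
```

The split on ',' rather than '/' is deliberate: the host subject form on the slide carries a '/' inside the CN value, so a naive slash-form splitter would cut "host/grid64..." into two pieces and the check would never see the hostname.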

8
Certificate Restrictions
  • Certificate Lifetime
    • 13 months for End Entity certificates
    • 10 years for the CA certificate

9
Issuing Certificates
  • End entities request certificates
    • Each generates its own key pair
    • Submits the Application and Certificate Signing
      Request forms
  • RA Operator checks the Requests
  • RA Operator uses a secure communication method, e.g.
    signed and encrypted email

10
Issuing Certificates (contd)
  • RA Operator transfers the Requests to the CA Operator
    • RA Operator tars the CSRs and copies the tarball to a
      USB drive
    • CA Operator copies the tarball from the USB drive to
      the CA machine

11
Issuing Certificates (contd)
  • CA Operator checks the CSRs and issues certificates
  • CA Operator transfers the certificates to the RA Operator
    • CA Operator tars the certificates to a USB drive
    • RA Operator copies the tarball onto the RA server
  • RA Operator publishes the certificates on the website and
    informs users by email

12
Certificate Revocation
  • Certificates are revoked when
    • the user's private key is compromised
    • inaccurate user information is suspected
    • user obligations are violated (CPS 2.1.4)
    • the CA private key is compromised
    • the user leaves his/her organization

13
Revocation Request Procedure
  • Revocation Requests can be submitted through the web
    interface
  • OR to the CA Manager

14
CRL
  • CRL validity is 30 days.
  • A new CRL is issued
    • 7 days before expiration of the previous one
    • immediately after a certificate revocation
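The CRL issuance rule above, turned into an audit that an operator or a relying party could run over the CA's own issue/revoke log. This is an added example, not NECTEC-GOC CA code; the event-list format and the one-day reading of "immediately" are assumptions made here.

```python
"""
Audit of CRL issuance against the CRL slide's policy: a CRL is valid for
30 days, a replacement is issued 7 days before the previous one expires, and
immediately after any certificate revocation.  Added illustration, not
NECTEC-GOC CA code.  Assumed here: the CA's log is a chronological list of
("issue" | "revoke", datetime) events, and "immediately" means within
GRACE (one day) of the revocation.
"""
from datetime import datetime, timedelta

CRL_VALIDITY = timedelta(days=30)   # CRL validity is 30 days
REISSUE_LEAD = timedelta(days=7)    # new CRL 7 days before expiry
GRACE = timedelta(days=1)           # assumed tolerance for "immediately"


def next_crl_due(last_issued, revocations=()):
    """Latest time the next CRL should be issued after `last_issued`.

    The scheduled deadline is 23 days after the last issue (30-day validity
    minus the 7-day lead).  A revocation after the last issue pulls the
    deadline forward to the moment of that revocation.
    """
    scheduled = last_issued + CRL_VALIDITY - REISSUE_LEAD
    pending = [t for t in revocations if t > last_issued]
    return min([scheduled] + pending)


def audit_crl_log(events, now=None):
    """Return (due, actual) pairs for every CRL issued later than policy allows.

    `actual` is None when, as of `now`, a CRL is overdue but not yet issued.
    An empty list means the issuance schedule was honoured.
    """
    late = []
    last_issue = None
    pending = []            # revocations since the last CRL issue
    for kind, when in events:
        if kind == "revoke":
            pending.append(when)
        elif kind == "issue":
            if last_issue is not None:
                due = next_crl_due(last_issue, pending)
                if when > due + GRACE:
                    late.append((due, when))
            last_issue = when
            pending = []
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if now is not None and last_issue is not None:
        due = next_crl_due(last_issue, pending)
        if now > due + GRACE:
            late.append((due, None))
    return late


if __name__ == "__main__":
    # Constructed sample log: one on-time reissue, one prompt reissue after a
    # revocation, then a CRL issued ten days after the scheduled deadline.
    log = [
        ("issue", datetime(2006, 10, 1)),
        ("issue", datetime(2006, 10, 20)),
        ("revoke", datetime(2006, 11, 2, 10, 0)),
        ("issue", datetime(2006, 11, 2, 12, 0)),
        ("issue", datetime(2006, 12, 5)),
    ]
    for due, actual in audit_crl_log(log, now=datetime(2007, 1, 15)):
        print("CRL due", due, "issued", actual or "NOT YET")
```

Running the module prints two findings for the constructed log: the CRL of 5 December was due by 25 November, and as of 15 January 2007 the next CRL (due 28 December) is still outstanding.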

15
Physical Security
  • CA Server
    • Stored in a safe deposit box, which is protected
      by a six-digit code
    • Not connected to a network of any sort
    • Located in a room that is restricted to the CA
      Operator during its operations
  • CA private key
    • Protected by a 15-character passphrase.
    • Backed up on a USB drive stored in the safe box by
      the CA Operator.

16
CA Room Equipment (1)
  • CA Room

17
CA Room Equipment (2)
  • CA Machine
  • RA Server
  • UPS

18
CA Room Equipment (3)
  • Safe box

19
Records Archival
  • Types of archived data
    • All issued certificates and CRLs
    • All enrollment requests and notifications between
      the NECTEC-GOC CA and users
    • Operation history of the CA key
    • Events of interest, as described in CP/CPS
      section 4.7.1
  • The retention period is 3 years.
  • Archived files are stored on CD or DVD, located in the
    safe box in the NECTEC server rooms.

20
Key Pair
  • CA private key generated by the CA Operator using
    OpenCA
  • User and Grid Host key pairs generated by the user,
    e.g. using grid-cert-req
  • Key Length
    • CA Certificate: 2048 bits
    • End Entity Certificate: 1024 bits

21
Contact Information
  • Sornthep Vannarat and Suriya U-ruekolan
  • National Electronics and Computer Technology
    Center
  • Grid Operation Center
  • 112 Paholyotin Road,
  • Klong 1, Klong Luang,
  • Pathumthani 12120 Thailand
  • Tel (662) 564-6900 ext 2278
  • Fax (662) 564-6772
  • Email camanager@hpcc.nectec.or.th