EU NREN PKI
Page 1: EU NREN PKI

EU NREN PKI

Jan Meijer AARnet PKI / Access Federations Strategy Workshop

10 February 2010, Sydney

Page 2: EU NREN PKI

me

• 1998-2007: SURFnet – CERT, security, PKI, systems engineering, e-voting

• 2007-now: UNINETT – service development, storage, PKI

Page 3: EU NREN PKI

beautiful morning....

• 22 NRENs
• 6 months
• 12573 server certs

• starting personal

Page 4: EU NREN PKI

PKI purpose

Guarantee:

• Authenticity
• Confidentiality
• Integrity
• Non repudiation

Page 5: EU NREN PKI

ehr, no, we want

• others not to read our mail
• to know the sender is the sender
• that, for documents, thanks

• no reading of my credit card number
• no reading of my health information
• no reading of my passwords

• log on to my internal web site

Page 6: EU NREN PKI

if it doesn’t work

it doesn’t work

Page 7: EU NREN PKI

the issue

?

Page 8: EU NREN PKI

direct trust

Page 9: EU NREN PKI

hierarchical trust

Page 10: EU NREN PKI

web of trust

Page 11: EU NREN PKI

Feb 1993, RFC 1422

Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management

obsoletes RFC 1114 Mail Privacy: Key Management (1989)

Page 12: EU NREN PKI

Feb 1993, RFC 1422

The infrastructure specified in this document establishes a single root for all certification within the Internet, the Internet Policy Registration Authority (IPRA).

The IPRA establishes global policies, described in this document, which apply to all certification effected under this hierarchy.

Beneath IPRA root are Policy Certification Authorities (PCAs), each of which establishes and publishes (in the form of an informational RFC) its policies for registration of users or organizations.

Each PCA is certified by the IPRA.

Page 13: EU NREN PKI

USA crypto exports

<1996: International Traffic in Arms Regulation

1996: Export Administration Regulations (EAR) of the Department of Commerce

31 Dec 1998: 56 bit without license

12 January 2000: Freedom to export

source: Bert-Jaap Koops’ Crypto Law Survey
http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#us

Page 14: EU NREN PKI

Pretty Good Privacy

Jun 5, 1991: PGP 1.0

Jan 18, 1996: Ståle Schumacher from Norway publishes PGP 2.6.3i… with help:

Aug 1996: RFC1991, PGP Message Exchange Formats (Informational)

Nov 1998: RFC2440, OpenPGP Message Format (Proposed Standard)

Page 15: EU NREN PKI

1994: Netscape Navigator 1.0

1995: Internet Explorer 2.0

Page 16: EU NREN PKI

(1994) 1996: .nl electronic purse

chipknip

chipper

Page 17: EU NREN PKI

13 December 1999:

DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Page 18: EU NREN PKI

1995: Student Chip Card

Page 19: EU NREN PKI

qualified digital signatures!

Page 20: EU NREN PKI

1998: SURFnet PKI

• PGP PKI

• PGP keyserver pgp.surfnet.nl

• x.509 PKI

Page 21: EU NREN PKI

use

PGP
– email signing and encryption
– document signing and encryption

x.509
– email signing and encryption
– document signing and encryption
– authentication
– smartcard deployments

Page 22: EU NREN PKI

requirements

• scalable
• identity vetting at university
• affordable server and client certificates

Page 23: EU NREN PKI

SURFnet x.509 PKI

1998: setup
1999: production

Page 24: EU NREN PKI

more levels

Page 25: EU NREN PKI

europe

Page 26: EU NREN PKI

down in the trenches

Page 27: EU NREN PKI

soon

Page 28: EU NREN PKI

~2000

• Netherlands qualified Digital Signature accreditation framework ready

• SURFnet PKI: test audit

Page 29: EU NREN PKI

~2001

“SURFdiensten” GlobalSign discount dealfor .nl higher ed

Page 30: EU NREN PKI

1998-2004: PKI evolves

• Focus on policy
• Focus on CA operations
• Plans to interlink European PKIs
• Separate eScience Grid PKI
• TACAR

• Experience but not large scale deployment

Page 31: EU NREN PKI

SURFnet PKI numbers

Year  New CAs  Personal  Server
2000        1         1      14
2001        1        48      38
2002        3        43      47
2003       16        91     201
2004        2        52     125

Page 32: EU NREN PKI

popular?

• SSL server certificates

• Personal certificates

• Code Signing certificates

Page 33: EU NREN PKI

biggest problem?

Page 34: EU NREN PKI

get root in browsers

2000: $250,000 x 2

2004: IE: WebTrust

Page 35: EU NREN PKI

puzzling pieces

• in-browser root, $$

• flat rate

• unpunished success

• why do I want to run my own CA?

Page 36: EU NREN PKI

TERENA

Page 37: EU NREN PKI
Page 38: EU NREN PKI

idea

• join forces
• contract commercial CA
• flat-rate for the TERENA community
• unlimited
• NREN becomes RA
• re-use existing contractual relations

make it stupid to not secure your server with SSL

Page 39: EU NREN PKI

use existing relations

Page 40: EU NREN PKI

SCS timeline

• Jan 2005: idea written up (TF-CSIRT!)
• Feb 2005: presented at TF-EMC2: “the list”, 20 kEUR
• Summer 2005: reality + procedure check
• September 2005: CfP
• January 2006: GlobalSign contract

Page 41: EU NREN PKI

16 March 2006: SCS is born

Page 42: EU NREN PKI

SCS numbers 12/2007

NREN           # issued  # organisations
ACONet              979               26
ARNES*               23              n/a
BELNET              673               57
CARNet              166              n/a
CESNET              452               20
CRU/RENATER        1446              134
GARR**              100               20
JANET (UK)         2300              212
RedIRIS            1077               86
SUNET***            487               17
SURFnet            1934               91
SWITCH             1200              n/a
UNI-C****          1366              n/a
UNINETT             348               24

14 NRENs

12551 certificates

Page 43: EU NREN PKI

SCS numbers per 1 Aug 2008

# participating NRENs: 18 (14)
# certificates issued: 19.400 (12551)
# participating orgs: 2.225
# proxies: 3.800

Page 44: EU NREN PKI

2007: mission accomplished!

no ssl = lame

and behavioural change...

Page 45: EU NREN PKI

SCS: lessons learned

• vested interests, existing services, strong opinions, policy devil....

• browser popup was the problem
• certain level of control good
• do what matters

• good enough = good enough!

Page 46: EU NREN PKI

2007

• contract renewal with GlobalSign

• start preliminary work with new CfP

Page 47: EU NREN PKI

new CfP, lessons learned

1. root coverage: browsers *and* other platforms
2. validity on contract end
3. ensuring future root coverage
4. end user interfaces
5. interface response times
6. describe certificate request processing
7. profiles
8. subjectAltName
9. multiple valid certificates
10. internationalisation
11. support
12. auditing
13. training
14. certificate lifetime

Page 48: EU NREN PKI

more lessons... optional reqs

1. alternative lifetimes
2. end user interface for renewal
3. per NREN branding
4. additional profiles
5. eScience Grid certificate support
6. API
7. wildcard certificates
8. OCSP
9. extensive reporting

Page 49: EU NREN PKI

interesting CfP

Page 50: EU NREN PKI

TERENA Certificate Service

Page 51: EU NREN PKI

crucial lesson

GlobalSign SCS certificates

revoked

3 months

after contract expiry
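The CfP requirements (validity on contract end, subjectAltName, wildcard certificates, certificate lifetime) and this revocation lesson come down to one operational question: which certificates in the inventory outlive the date the old supplier will revoke them, and does the replacement cover the same names? The script below is an added example, not part of the slides or of the SCS/TCS tooling. It assumes OpenSSL 1.1.1 or newer on PATH; the hostnames, lifetimes, contract end and 90-day grace period are constructed, and self-signed certificates stand in for the CA-issued ones a real inventory would hold.

```shell
#!/bin/sh
# Added example (not from the slides): audit a certificate inventory against a
# supplier-contract end date plus the supplier's revocation grace period.
# Assumptions: OpenSSL 1.1.1+ on PATH; hostnames, lifetimes, CONTRACT_DAYS and
# GRACE_DAYS are constructed; self-signed certs stand in for CA-issued ones.
set -eu

CONTRACT_DAYS=365   # assumed: supplier contract ends one year from now
GRACE_DAYS=90       # assumed: supplier revokes everything 3 months after that
WORK="${TMPDIR:-/tmp}/cert-audit.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME DAYS SAN: write a self-signed NAME.pem valid for DAYS days with the
# given subjectAltName list (CN is set too, but clients match on the SAN).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days "$2" \
    -subj "/CN=$1" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# still_valid_in CERT DAYS: succeeds if CERT's notAfter is more than DAYS days away.
still_valid_in() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# covers_host CERT HOST: succeeds if HOST matches a subjectAltName entry of CERT,
# wildcard entries included (OpenSSL's own matching rules, one label per '*').
covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cut_off_by_revocation CERT: succeeds if CERT would still be valid on the
# revocation date, i.e. its owner is hit by the revocation and must reissue first.
cut_off_by_revocation() {
  still_valid_in "$1" "$(( CONTRACT_DAYS + GRACE_DAYS ))"
}

# Constructed inventory: a 3-year server cert and a 30-day wildcard cert.
make_cert www.example.org 1095 "DNS:www.example.org,DNS:example.org"
make_cert wild.example.org 30 "DNS:*.example.org"

for cert in "$WORK"/*.pem; do
  name=$(basename "$cert" .pem)
  if cut_off_by_revocation "$cert"; then
    printf '%s: outlives the revocation date, reissue within %d days\n' \
      "$name" "$(( CONTRACT_DAYS + GRACE_DAYS ))"
  else
    printf '%s: expires on its own before the revocation date\n' "$name"
  fi
done
```

`openssl x509 -checkend` is the cheap way to ask "is this still valid N seconds from now" without parsing dates in shell, and `-checkhost` applies the same name-matching rules a client does, so it also shows why a wildcard entry does not cover the bare domain or a second-level subdomain.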

Page 52: EU NREN PKI

CfP failure

Plan B?

Page 53: EU NREN PKI

New TCS!

• 5 TERENA CAs
– Server
– Code signing
– Personal
– eScience Server
– eScience Personal

• own CPS
• own front-ends
• Comodo backend + roots

Page 54: EU NREN PKI

TCS numbers Jan. 2010

NREN        # issued
RENATER         2758
SURFnet         2499
UNI-C           1643
JANET(UK)       1289
SUNET           1088
CESNET          1069
ACOnet           733
UNINETT          599
BELNET           383
PSNC             140
GRNET            116
FCCN              61
CARNet            56
HUNGARNET         35
GARR              22
LITNET            21
RedIRIS           21
HEAnet            11
ARNES              7
CSC                6
AMRES              2
UoM                0

# issued: 12573
# NRENs: 22

Page 55: EU NREN PKI

TCS is

Page 56: EU NREN PKI

TCS organisation

• TERENA – contractual party, financial clearing house, contact conduit to Comodo

• TCS PMA, club of 5 – CPS responsibility

• TCS Representatives – 1 per NREN, formal decisions

• TCS RAs – day to day operations

Page 57: EU NREN PKI

TCS Members

Country         NREN       Server  Code  Personal
Austria         ACOnet       X      X       X
Belgium         BELNET       X      X       X
Croatia         CARnet       X
Czech Republic  CESNET       X              X
Denmark         UNI-C        X
Finland         CSC          X              X
France          RENATER      X              X
Greece          GRNET        X              X
Hungary         HUNGARNET    X
Ireland         HEAnet       X              X
Lithuania       LITNET       X              X
Malta           UoM          X
Netherlands     SURFnet      X      X       X
Norway          UNINETT      X      X       X
Poland          PSNC         X      X       X
Portugal        FCCN         X
Serbia          AMRES        X              X
Slovenia        ARNES        X
Spain           RedIRIS      X      X       X
Sweden          SUNET        X      X       X
UK              JANET        X
Total                       22      7      14

Page 58: EU NREN PKI

how?

SCS
Guido Aben, Jan Meijer, Teun Nijssen (SURFnet), Kaspar Brandt (SWITCH), Licia Florio, Karel Vietsch (TERENA), Milan Sova (CESNET), and more...

TCS
Kent Engstrøm (SUNET), Licia Florio, Jan Meijer, Kevin Meynell, Teun Nijssen, Milan Sova, Karel Vietsch, Henrik Austad, and more...

TCS Tender Committee
Kurt Bøge (UNI-C), Daniel Garcia (RedIRIS), Licia Florio, Dominique Launay (RENATER), Jan Meijer, Damien Shaw (JANET), Milan Sova, Karel Vietsch

Page 59: EU NREN PKI

PKI landscape Europe 2010

• TCS
• DFN-PKI
• SWITCH-PKI
• Grid PKI
• Geant3 PKI activity

Page 60: EU NREN PKI

obituaries

• chipknip: dead
• chipper: dead
• studenten chipkaart: dead
• SURFnet PGP PKI: dead
• SURFnet x.509 PKI: dead

Page 61: EU NREN PKI

alive and kicking

• TERENA Certificate Service
• PGP: FIRST, 209 teams, 47 countries
• Grid PKI
• Personal certificates?

Page 62: EU NREN PKI

purpose