Page 1: NECTEC-GOC CA APGrid PMA face-to-face meeting. October, 15 2006 Sornthep Vannarat National Electronics and Computer Technology Center, Thailand.

NECTEC-GOC CA

APGrid PMA face-to-face meeting, October 15, 2006

Sornthep Vannarat

National Electronics and Computer Technology Center, Thailand

Page 2

Introduction

» NECTEC: National Electronics and Computer Technology Center
  » Government research institute under the Ministry of Science
  » For electronics, telecommunication, computer and information technologies, including Grid Computing
» NECTEC GOC CA: NECTEC Grid Operation Center Certificate Authority
» NECTEC GRID PMA
  » Large Scale Simulation Research Laboratory
  » Network Technology Laboratory
  » Thai Computer Emergency Response Team

Page 3

CP/CPS

» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527
» Managed by the NECTEC GRID PMA
» Changes in contents need to be approved by the NECTEC GRID PMA

Page 4

NECTEC-GOC CA Organization

Organization chart (top to bottom): GRID CA PMA; CA Manager; RA Operator and CA Operator

Remove CP/CPS 2.2.5

Table 1-2 Organization...
» GRID CA PMA: Policy Management Authority
» CA Manager: administrates all tasks on the CA system
» RA Operator:
  » Accepts and verifies the User Application form
  » Checks the Certificate Signing Request form
  » Informs the CA to issue the certificate
» CA Operator:
  » Issues certificates
  » Manages the CA and RA servers
  » Maintains the CA system
  » Manages the CA private key

Page 5

End Entity

» NECTEC GOC CA issues certificates for the following subjects:
  » Users of NECTEC.
  » Users of domestic Grid based applications or projects.
  » Collaborators related to NECTEC Grid Computing research.

Page 6

Certificate Type

» User Certificate: C=TH,O=NECTEC,OU=GOC,CN=Sornthep Vannarat/[email protected]
» Grid Host Certificate: C=TH,O=NECTEC,OU=GOC,CN=host/grid64.hpcc.nectec.or.th
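
The naming convention above is what a relying party (or the RA/CA operator checking a request) has to enforce: every subject sits directly under C=TH,O=NECTEC,OU=GOC, and a host certificate is recognised by a CN beginning with "host/". The following is an added example, not code from the NECTEC-GOC CA or from the Globus Toolkit. It parses both the comma form shown on the slide and the OpenSSL/Globus "oneline" slash form, classifies a subject as user, host or outside the namespace, and handles the one real pitfall: the "/" inside a host CN, which breaks any converter that splits the slash form on "/" alone. The user name "Jane Doe" and the exact-prefix namespace rule are assumptions made for the example.

```python
"""Subject-name (namespace) checks for NECTEC-GOC CA certificates.

Added example, not code from the NECTEC-GOC CA or the Globus Toolkit.
It implements the rule implied by slide 6: every subject sits directly
under C=TH,O=NECTEC,OU=GOC and is a host certificate exactly when its
CN starts with "host/".
"""
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Namespace declared on slide 6. Assumption: exact match on these three RDNs,
# followed by exactly one CN (the shape a Globus signing_policy would encode).
CA_NAMESPACE: List[RDN] = [("C", "TH"), ("O", "NECTEC"), ("OU", "GOC")]


def parse_dn(dn: str) -> List[RDN]:
    """Parse the comma-separated form used on the slide into ordered RDNs.

    A comma inside a value must be escaped as '\\,' (RFC 4514 style).  A '/'
    inside a value (host certificates) is ordinary data here.
    """
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def to_oneline(rdns: List[RDN]) -> str:
    """OpenSSL/Globus 'oneline' form: /C=TH/O=NECTEC/OU=GOC/CN=host/grid64..."""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def parse_oneline(subject: str) -> List[RDN]:
    """Inverse of to_oneline.

    Splitting naively on '/' breaks host certificates, because their CN
    itself contains '/'.  Split only on a '/' that starts a new 'attr=' pair.
    """
    if not subject.startswith("/"):
        raise ValueError("oneline subject must start with '/'")
    rdns = []
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9]*=)", subject[1:]):
        attr, value = part.split("=", 1)
        rdns.append((attr, value))
    return rdns


def classify(dn: str) -> str:
    """Return 'user', 'host', or 'outside-namespace' for a comma-form DN."""
    rdns = parse_dn(dn)
    prefix = [(attr.upper(), value) for attr, value in rdns[: len(CA_NAMESPACE)]]
    if prefix != CA_NAMESPACE or len(rdns) != len(CA_NAMESPACE) + 1:
        return "outside-namespace"
    attr, cn = rdns[-1]
    if attr.upper() != "CN":
        return "outside-namespace"
    return "host" if cn.startswith("host/") else "user"


if __name__ == "__main__":
    # Host name taken from slide 6; the user name is a constructed sample.
    samples = [
        "C=TH,O=NECTEC,OU=GOC,CN=Jane Doe",
        "C=TH,O=NECTEC,OU=GOC, CN=host/grid64.hpcc.nectec.or.th",
        "C=TH,O=NECTEC,OU=Other,CN=Jane Doe",
    ]
    for dn in samples:
        print(f"{classify(dn):18} {to_oneline(parse_dn(dn))}")
```

The same slash pitfall shows up when a host request is built with `openssl req -subj`: the "/" in the CN has to be escaped as `\/`, otherwise OpenSSL reads "grid64.hpcc.nectec.or.th" as a new attribute with no "=" and rejects the subject.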

Page 7

Identification and Authentication

» User and Grid Host Certificate:
  » Subscriber meets in person with the RA Operator
  » RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x]

Page 8

Certificate Restrictions

» Certificate Lifetime:
  » 13 months for End Entity certificates.
  » 10 years for the CA certificate.

Page 9

Issuing Certificates

» End entities request certificates
  » Each generates its key pair by itself
  » Submits the Application and Certificate Signing Request forms
» RA Operator checks the Requests
  » RA Operator uses a secure communication method, e.g. signed and encrypted email

Page 10

Issuing Certificates (cont'd)

» RA Operator transfers the Request to the CA Operator
  » RA Operator tars the CSRs and copies the tar ball to a USB drive
  » CA Operator copies the tar ball from the USB drive to the CA machine

Page 11

Issuing Certificates (cont'd)

» CA Operator checks the CSRs and issues certificates
» CA Operator transfers the certificates to the RA Operator
  » CA Operator tars the certificates to a USB drive
  » RA Operator copies the tar ball into the RA server
» RA Operator publishes the certificates on the website and informs users by email

Page 12

Certificate Revocation

» Certificates are revoked when
  » the user's private key is compromised
  » inaccurate user information is suspected
  » user obligations are violated (CPS 2.1.4)
  » the CA private key is compromised
  » the user leaves his/her organization

Page 13

Revocation Request Procedure

» Revocation requests can be submitted through the web interface
» or to the CA Manager

Page 14

CRL

» CRL validity is 30 days.
» A new CRL is issued
  » 7 days before expiration of the previous one
  » immediately after a certificate revocation

Page 15

Physical Security

» CA Server:
  » Stored in a safe deposit box, which is protected by a six-digit code
  » Not connected to a network of any sort
  » Located in a room which is restricted to the CA Operator during its operations
» CA private key:
  » Protected by a 15-character passphrase.
  » Backup on a USB drive, stored in the safe box by the CA Operator.

Page 16

CA Room & Equipment (1)

»CA Room

Page 17

CA Room & Equipment (2)

»CA Machine

»UPS

»RA Server

Page 18

CA Room & Equipment (3)

»Safe box

Page 19

Records Archival

» Types of archive data:
  » All issued certificates and CRLs
  » All enrollment requests and notifications between the NECTEC-GOC CA and users.
  » Operation history of the CA key
  » Events of interest, as described in CP/CPS section 4.7.1
» The retention period is 3 years.
» Archived files are stored on CD or DVD located in the NECTEC server room's safe box.

Page 20

Key Pair

» CA private key generated by the CA Operator using OpenCA
» User and Grid Host key pairs generated by the User, e.g. with grid-cert-request
» Key Length:
  » CA Certificate: 2048 bits
  » End Entity Certificate: 1024 bits
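
The CA Operator's "checks CSRs" step (slides 9 to 11) comes down to enforcing the numeric limits spread over slides 8, 14 and 20: the key length, the maximum validity period, and the CRL refresh schedule. The block below is an added example, not code from the NECTEC-GOC CA or from OpenCA; it encodes those limits as they were stated in 2006 and decides whether a request may be signed and whether a new CRL is due. Its assumptions are that "13 months" and "10 years" are calendar periods counted from notBefore, that a CRL's nextUpdate is thisUpdate plus 30 days, and the sample dates it uses are constructed. One caveat for anyone reusing the numbers: 1024-bit RSA end-entity keys were the floor in 2006, but 1024-bit RSA has since been deprecated (NIST disallows it for new use after 2013), so a current policy would set the minimum at 2048 bits or more.

```python
"""Issuance and CRL-schedule checks using the NECTEC-GOC CA parameters.

Added example, not code from the NECTEC-GOC CA or OpenCA.  The numbers are
the ones on slides 8, 14 and 20 (2006).  Assumptions: "13 months" and
"10 years" are calendar periods counted from notBefore, and a CRL's
nextUpdate is thisUpdate + 30 days.
"""
from datetime import date, timedelta
from typing import Tuple

END_ENTITY_MAX_MONTHS = 13                        # slide 8
CA_MAX_MONTHS = 10 * 12                           # slide 8
MIN_KEY_BITS = {"end-entity": 1024, "ca": 2048}   # slide 20 (2006 values)
CRL_VALIDITY_DAYS = 30                            # slide 14
CRL_REISSUE_LEAD_DAYS = 7                         # slide 14


def add_months(d: date, months: int) -> date:
    """Add calendar months; clamp the day to the length of the target month
    (so 31 Jan + 1 month = 28/29 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def check_request(kind: str, key_bits: int,
                  not_before: date, not_after: date) -> Tuple[bool, str]:
    """Decide whether the CA Operator may sign: the key length and the
    requested validity must both stay within the CP/CPS limits for `kind`."""
    if kind not in MIN_KEY_BITS:
        return False, f"unknown certificate kind {kind!r}"
    if key_bits < MIN_KEY_BITS[kind]:
        return False, f"{key_bits}-bit key below the {MIN_KEY_BITS[kind]}-bit minimum"
    if not_after <= not_before:
        return False, "notAfter must be later than notBefore"
    months = END_ENTITY_MAX_MONTHS if kind == "end-entity" else CA_MAX_MONTHS
    latest = add_months(not_before, months)
    if not_after > latest:
        return False, f"notAfter {not_after} exceeds the limit {latest}"
    return True, "ok"


def crl_next_update(this_update: date) -> date:
    """nextUpdate of a CRL issued on this_update (30-day validity)."""
    return this_update + timedelta(days=CRL_VALIDITY_DAYS)


def crl_refresh_due(this_update: date, today: date, revoked_since_issue: bool) -> bool:
    """A fresh CRL is issued right after a revocation, and otherwise 7 days
    before the current one expires, so a replacement is published before
    any relying party can see an expired CRL."""
    if revoked_since_issue:
        return True
    return today >= crl_next_update(this_update) - timedelta(days=CRL_REISSUE_LEAD_DAYS)


if __name__ == "__main__":
    issued = date(2006, 10, 15)     # constructed sample dates
    print(check_request("end-entity", 1024, issued, add_months(issued, 13)))
    print(check_request("end-entity", 1024, issued, date(2007, 12, 1)))
    print(check_request("ca", 2048, issued, add_months(issued, 120)))
    print(crl_refresh_due(date(2006, 10, 1), date(2006, 10, 24), False))
```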

Page 21

Contact Information

Sornthep Vannarat and Suriya U-ruekolan

National Electronics and Computer Technology Center, Grid Operation Center
112 Paholyotin Road, Klong 1, Klong Luang, Pathumthani 12120, Thailand

Tel: (662) 564-6900 ext 2278
Fax: (662) 564-6772
Email: [email protected]
