
Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA

National Institute of Informatics, JAPAN
Toshiyuki Kataoka, Kento Aida, Shinichi Mineo

APAN 24 Middleware Session, Xi’An Aug.28, 2007


OUTLINE

1. NAREGI Certification Service

2. UPKI Common Specifications

3. UPKI Enhancement of CA System

4. Grid Operation Center Plan

5. Issues


1. NAREGI-CA Certification Service


1-1 CyberScience Infrastructure for Advanced Science (by NII)

Figure: the Cyber Science Infrastructure (CSI). Labels recovered from the diagram:
- Super-SINET: a next-generation network infrastructure supported by NII and the 7 National Computer Centers (Hokkaido University, Tohoku University, The University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University), with further participants such as Tokyo Institute of Technology, Waseda University and KEK (High Energy Accelerator Research Organization)
- NAREGI Middleware and Virtual Organizations for science
- UPKI
- Scientific Repository; publication of scientific results from academia
- Human resource development and strong organization
- Aims: to innovate academia and industry; industry liaison and social benefit; global contribution


1-2 NAREGI Certification Authority

- The NAREGI (National Research Grid Initiative) project develops grid middleware.
- NAREGI CA is operated by the NAREGI project and issues certificates for developing and doing research with the NAREGI grid middleware.
- NAREGI CA is a member of APGrid:
  - NAREGI CA is accredited by the APGrid PMA as a Production Level CA.
  - NAREGI PMA is a member of APGrid PMA.
- NAREGI CA issues certificates to NAREGI project members (National Institute of Informatics, Institute for Molecular Science).


1-3 NAREGI CA operation

Roles: Certificate Users and Host Administrators at the user site; RA Administrator and CA Operator at NAREGI CA.

Account registration: the user site sends an account registration request; NAREGI CA registers the account.

① Preparation: the RA Administrator applies for a bulk of license IDs; the CA Operator issues the bulk license IDs.
② License ID request: the user requests a license ID; the RA Administrator receives and inspects the request.
③ Issuance request, ④ Revoke request, ⑤ Reissuance request: the user sends a certificate request; the CA Operator receives the request and issues or revokes the certificate.
⑥ Retrieve data for creating map file: the Host Administrator retrieves the data; NAREGI CA makes the data for creating the map file.
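Added example for step ⑥ (not NAREGI CA code): how the data retrieved from the CA is turned into a Globus-style grid-mapfile on the host side, skipping every certificate whose serial is on the CA's CRL so that a revoked credential no longer maps to a local account. The record layout, the sample subject DNs, account names and serial numbers are constructed assumptions; the line format (subject DN in double quotes, then one or more comma-separated local accounts) is the Globus grid-mapfile format.

```python
"""Build a Globus-style grid-mapfile from a CA's issuance records.

Added example for the "retrieve data for creating map file" step of the
NAREGI CA operation flow; it is not NAREGI CA code. The record layout,
the sample subject DNs and the local account names are constructed for
illustration (assumptions). The grid-mapfile line format is the one used
by Globus: a double-quoted subject DN followed by one or more
comma-separated local account names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuedCert:
    serial: int          # certificate serial number assigned by the CA
    subject_dn: str      # OpenSSL one-line subject ("/C=JP/O=.../CN=...")
    accounts: tuple      # local accounts the host admin maps this DN to


def quote_dn(dn: str) -> str:
    """Quote a DN for the map file; a literal '"' or newline in a DN would
    break the line-oriented parser used by gatekeepers, so reject it."""
    if '"' in dn or "\n" in dn:
        raise ValueError(f"unsafe character in DN: {dn!r}")
    return f'"{dn}"'


def build_gridmap(issued, revoked_serials):
    """Return grid-mapfile lines for the certificates that are still valid.

    Revoked serials (from the CA's CRL) are skipped; a DN still appears if
    another, non-revoked certificate (e.g. a reissue under a new serial)
    carries the same subject.
    """
    mapping = {}                      # subject DN -> ordered list of accounts
    for cert in issued:
        if cert.serial in revoked_serials:
            continue
        accts = mapping.setdefault(cert.subject_dn, [])
        for a in cert.accounts:
            if a not in accts:
                accts.append(a)
    return [f"{quote_dn(dn)} {','.join(accts)}" for dn, accts in sorted(mapping.items())]


def parse_gridmap(lines):
    """Parse grid-mapfile lines back into {subject DN: [accounts]}."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"malformed map line: {line!r}")
        end = line.index('"', 1)
        dn = line[1:end]
        accounts = [a for a in line[end + 1:].strip().split(",") if a]
        result[dn] = accounts
    return result


# Constructed sample data (assumption; not real NAREGI certificates).
SAMPLE_ISSUED = [
    IssuedCert(101, "/C=JP/O=NAREGI/OU=NII/CN=Taro Suzuki", ("tsuzuki",)),
    IssuedCert(102, "/C=JP/O=NAREGI/OU=NII/CN=Taro Suzuki", ("naregi-dev",)),  # second account
    IssuedCert(103, "/C=JP/O=NAREGI/OU=IMS/CN=Hanako Sato", ("hsato",)),
    IssuedCert(104, "/C=JP/O=NAREGI/OU=IMS/CN=Hanako Sato", ("hsato",)),       # reissued, same DN
]
SAMPLE_REVOKED = {102, 103}   # serials listed on the CA's CRL

if __name__ == "__main__":
    for line in build_gridmap(SAMPLE_ISSUED, SAMPLE_REVOKED):
        print(line)
```

Running it prints two lines: Hanako Sato mapped to hsato (through the reissued serial 104) and Taro Suzuki mapped only to tsuzuki, because the certificate that carried the naregi-dev mapping (serial 102) is revoked.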


2. UPKI Common Specifications


2-1 UPKI Architecture

Figure: three PKI domains and their end entities (EE).
- Campus PKI: each university operates its own CA (A Univ. CA, B Univ. CA) and issues EE certificates for on-campus use to students, faculty, servers and supercomputers. Uses: authentication, signing, encryption.
- Open Domain PKI: the NII Public CA and other public CAs issue web server and S/MIME certificates. Uses: signing, encryption.
- NAREGI PKI: A Univ. NAREGI CA and B Univ. NAREGI CA issue EE certificates to students, faculty, servers and supercomputers; proxy certificates derived from the EE certificates are used for grid computing. Uses: authentication, signing, encryption.


2-2 UPKI Activities

(Same architecture figure as 2-1, annotated with the UPKI activities.)
- NAREGI-CA Enhancement
- NAREGI-CA Pack
- UPKI Common Specification
- Server Certificates
- S/MIME Certificates
- Eduroam


2-3 UPKI Common Specifications

(Same architecture figure as 2-1; the UPKI Common Specifications are highlighted.)


2-4 UPKI Common Specifications

- Campus PKI procurement guidelines
- Campus PKI CP/CPS templates
- Campus PKI model: two outsource models and one insource model
- Developed and published for the outsource model: https://upki-portal.nii.ac.jp/upkispecific/specific (only available in Japanese)

Roadmap (2006 to 2009 and beyond):
- Campus CP/CPS templates and the Campus PKI specification, covering the outsource model, the insource model and the multi-university cooperative model
- Deployment of campus PKI at each university, connecting universities, federation of applications

Aims:
- To promote campus PKI deployment
- To reduce cost
- To keep multi-university cooperativity


2-5 Operation Models of CA

Each model is governed by a CP/CPS (RA: registration authority; IA: issuing authority).
- Insource: the university operates both the RA and the IA.
- Full outsource: a provider operates both the RA and the IA for the university.
- IA outsource: the university operates the RA and a provider operates the IA.


3. UPKI Enhancement of CA System


3-1 Enhancement in UPKI

Enhancement for actual operation of CA/RA at universities:
1. To split and delegate the RA.
2. To provide staff and students means to apply by themselves.
3. To issue grid certificates by identification with a campus certificate.


3-2 Enhancement in UPKI (1), (2)

1. To split and delegate the RA.
- Created RA/LRA operator authorities split from RA administrator authorities.
- Secure delegation by using an IC card.
- Delegation to hierarchized institutions within universities for actual operation.

2. To provide staff and students means to apply by themselves.
- Easy application for registration, issuance and revocation from the web.
- Secure application by using a challenge PIN.
- Reduced burden of RA operation.


3-3 Enhanced Procedure To Issue Certificate

Figure: actors are the CA Administrator, RA Administrator, RA Operator (and Local RA) and User; the RA side runs an Application Server (web) for users and a Management Server (web) for operators.
- The CA Administrator issues license IDs to the RA Administrator.
- The RA Administrator delegates to RA Operators and Local RAs, passing on license IDs; the delegation is secured with an IC card.
- The User applies through the Application Server (web) using a challenge PIN.
- The RA Operator (or Local RA) identifies the user and approves the application on the Management Server (web).
- The CA issues the certificate.
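Added example of the challenge-PIN step of this procedure (not NAREGI-CA Pack code; the page does not describe how its PIN is generated or checked). It shows what makes a web self-service application "secure by challenge PIN": the RA creates a random PIN after identifying the applicant, stores only a salted hash of it, and the application server accepts it once, within a lifetime and an attempt budget, comparing in constant time. PIN length, lifetime, attempt limit and the license-ID keys are assumptions.

```python
"""Challenge-PIN handling for web self-service certificate application.

Added example illustrating the "secure application by using challenge PIN"
step of the enhanced issuance procedure; it is not NAREGI-CA code. Design
choices here (PIN length, lifetime, attempt limit, hashed storage) are
assumptions a practitioner would make, not values from the original.
"""
import hashlib
import hmac
import secrets
import string
import time

PIN_ALPHABET = string.ascii_uppercase + string.digits   # assumption: A-Z0-9
PIN_LENGTH = 8                                          # assumption
PIN_LIFETIME = 72 * 3600                                # assumption: 72 hours
MAX_ATTEMPTS = 5                                        # assumption


class ChallengePinStore:
    """Server-side table of outstanding challenges, keyed by license ID.

    The RA operator creates a challenge after identifying the applicant;
    only a salted hash of the PIN is stored, so a leak of the RA database
    does not hand out usable PINs. A PIN is single-use and expires.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._entries = {}           # license_id -> challenge record

    @staticmethod
    def _digest(salt: bytes, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def create(self, license_id: str) -> str:
        """Generate a fresh PIN for license_id and return it exactly once,
        for out-of-band delivery to the applicant (e.g. handed over in person)."""
        pin = "".join(secrets.choice(PIN_ALPHABET) for _ in range(PIN_LENGTH))
        salt = secrets.token_bytes(16)
        self._entries[license_id] = {
            "salt": salt,
            "digest": self._digest(salt, pin),
            "expires": self._clock() + PIN_LIFETIME,
            "attempts": 0,
            "used": False,
        }
        return pin

    def verify(self, license_id: str, pin: str) -> bool:
        """Check a PIN submitted through the web application server.

        Returns True exactly once for the correct PIN within its lifetime
        and attempt budget; the entry is consumed on success and locked
        after MAX_ATTEMPTS failures, so the PIN cannot be brute-forced.
        """
        entry = self._entries.get(license_id)
        if entry is None or entry["used"]:
            return False
        if self._clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            return False
        entry["attempts"] += 1
        candidate = self._digest(entry["salt"], pin.strip().upper())
        if not hmac.compare_digest(candidate, entry["digest"]):
            return False
        entry["used"] = True
        return True


if __name__ == "__main__":
    store = ChallengePinStore()
    pin = store.create("LIC-0001")          # RA operator side
    print("PIN handed to applicant:", pin)
    print("first use accepted:", store.verify("LIC-0001", pin))
    print("replay accepted:", store.verify("LIC-0001", pin))
```

The PIN is returned from create() once and never stored in clear; every failed verify() counts against the budget even when the caller later supplies the right PIN, which is what stops online guessing against an 8-character space.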


3-4 Enhancement in UPKI (3)

3. To issue grid certificates by identification with a campus certificate.
- Cooperation of the Grid CA and the Campus CA.
- Reduced burden of RA operation.
- Any certificate can be issued for other applications (AP).


3-5 Campus-Grid PKI Federation

Figure: Campus PKI on the left, Grid PKI on the right.
- The Campus CA issues a campus certificate to the User, held on an IC card.
- The User requests a grid certificate from the NAREGI RA, using the IC card (campus certificate) as the credential.
- The NAREGI RA consults LDAP.
- The NAREGI CA issues the certificate for the grid system.
- The User accesses the supercomputers of the grid system with the grid certificate.


4. Grid Operation Center Plan


4-1 Grid Operation Center Plan

- The GOC CA issues certificates to authorized members of CSI using the grid.
- Operation will be compliant with APGrid policies.
- Cooperate with many universities and research institutes.


4-2 Operation models of GOC

The GOC will operate three models:
(1) The LRA in the GOC operates registration: the GOC inspects user documents and performs face-to-face identification.
(2) The LRA in the university operates registration: the university inspects user documents and performs face-to-face identification.
(3) A campus certificate is used as identification to issue the grid certificate: the university inspects user documents but skips face-to-face identification.


5. Issues


5-1. Issue 1 - User Identification

- APGrid PMA minimum CA requirements: "In order for an RA to validate the identity of a person, the subject must contact the RA personally and present photo-id and/or valid official documents showing that the subject is an acceptable end entity as defined in the CP/CPS document of the CA."
- Campus PKI CPS template: "The information of students or faculties will be collected on admission and stored in a database in universities. Campus PKI CA will issue campus certificates by using and trusting the collected information in the database."
-> Is it proper and feasible to use a campus certificate as identification for issuing a grid certificate?
-> Add the following term to the Campus PKI CPS template? "photo-id and/or valid official documents in the case of using a campus certificate as identification for a grid certificate."


5-2. Issue 2

- On revocation of the campus certificate: what happens to a grid certificate that was issued by identifying with that campus certificate?
-> Keep the grid certificate valid?
-> Revoke the grid certificate? How: check the CRL of the campus certificate?
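Added example covering both the federation flow of 3-5 and this issue (not NAREGI RA/CA code; the page leaves the policy open). When the grid RA accepts a campus certificate as identification, it records a binding of the grid certificate to the campus issuer and serial; when a campus CRL arrives, the bindings are matched on (issuer, serial) and the CRL reason code decides whether the grid certificate is revoked or merely flagged for re-identification. The binding record, the already-parsed CRL representation, the sample DNs and serials, and the reason-to-action table are assumptions; the reason codes are the RFC 5280 CRLReason values.

```python
"""Binding a grid certificate to the campus certificate that identified it,
and deciding what to do when that campus certificate is revoked.

Added example for the campus-grid PKI federation (3-5) and for Issue 2
(revocation of the campus certificate); it is not NAREGI RA/CA code. The
binding record, the CRL representation (already-parsed entries) and the
policy table are assumptions; reason codes follow RFC 5280 section 5.3.1.
"""
from dataclasses import dataclass
from enum import IntEnum


class CRLReason(IntEnum):          # RFC 5280 CRLReason values
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6
    PRIVILEGE_WITHDRAWN = 9


@dataclass(frozen=True)
class Binding:
    """Recorded by the grid RA when it accepts a campus certificate presented
    from the IC card as identification instead of photo-id in person."""
    grid_serial: int
    grid_subject: str
    campus_issuer: str
    campus_serial: int


@dataclass(frozen=True)
class CRLEntry:
    issuer: str          # issuer DN of the campus CRL (assumption: parsed upstream)
    serial: int
    reason: CRLReason


# Assumed policy: which campus revocation reasons invalidate the identification
# the grid certificate was built on. "Superseded" (routine renewal, new IC card)
# and "certificate hold" keep the grid certificate but flag it for re-binding;
# everything else means the person or the key is no longer trustworthy.
REVOKE_GRID = {
    CRLReason.UNSPECIFIED, CRLReason.KEY_COMPROMISE, CRLReason.CA_COMPROMISE,
    CRLReason.AFFILIATION_CHANGED, CRLReason.CESSATION_OF_OPERATION,
    CRLReason.PRIVILEGE_WITHDRAWN,
}
REBIND_GRID = {CRLReason.SUPERSEDED, CRLReason.CERTIFICATE_HOLD}


def cascade(bindings, campus_crl_entries):
    """Return (to_revoke, to_rebind): grid serials whose identifying campus
    certificate appears on a campus CRL, split by the action to take.

    Matching is on (issuer, serial): serial numbers are only unique per CA,
    so a campus CRL from university A must never be matched against a
    binding made with a certificate from university B.
    """
    revoked = {(e.issuer, e.serial): e.reason for e in campus_crl_entries}
    to_revoke, to_rebind = [], []
    for b in bindings:
        reason = revoked.get((b.campus_issuer, b.campus_serial))
        if reason is None:
            continue
        if reason in REBIND_GRID:
            to_rebind.append(b.grid_serial)
        else:
            to_revoke.append(b.grid_serial)     # listed reasons and unknown ones: fail closed
    return sorted(to_revoke), sorted(to_rebind)


# Constructed sample (assumption): three grid certificates bound to campus certificates.
A_CA = "/C=JP/O=A University/CN=A Univ. Campus CA"
B_CA = "/C=JP/O=B University/CN=B Univ. Campus CA"
SAMPLE_BINDINGS = [
    Binding(5001, "/C=JP/O=NAREGI/OU=A Univ/CN=Taro Suzuki", A_CA, 77),
    Binding(5002, "/C=JP/O=NAREGI/OU=B Univ/CN=Hanako Sato", B_CA, 77),   # same serial, other CA
    Binding(5003, "/C=JP/O=NAREGI/OU=A Univ/CN=Jiro Tanaka", A_CA, 78),
]
SAMPLE_CAMPUS_CRL = [
    CRLEntry(A_CA, 77, CRLReason.AFFILIATION_CHANGED),   # Suzuki left A University
    CRLEntry(A_CA, 78, CRLReason.SUPERSEDED),            # Tanaka received a new IC card
]

if __name__ == "__main__":
    print(cascade(SAMPLE_BINDINGS, SAMPLE_CAMPUS_CRL))   # ([5001], [5003])
```

Whatever policy the CP/CPS finally adopts, the binding has to be recorded at issuance time; without it the grid CA cannot answer the question at all, and a CRL check alone would match serial 77 from both universities.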


5-3. Issue 3

- Audit
  - GOC: APGrid PMA will do mutual audit.
  - LRA in universities: will the GOC audit them?
  - CA for campus PKI in universities: is an audit needed, and by whom?