Page 1: NECTEC-GOC CA

The 3rd APGrid PMA face-to-face meeting, June 4, 2007

Suriya U-ruekolan

National Electronics and Computer Technology Center, Thailand

Page 2: NECTEC-GOC CA Organization

Organization chart (top to bottom): GRID CA PMA; CA Manager; RA Operator and CA Operator.

» GRID CA PMA: Policy Management Authority
» CA Manager: Administrates all tasks on the CA system
» RA Operator:
  » Accepts and verifies the User Application form
  » Checks the Certificate Signing Request form
  » Informs the CA to issue the certificate
» CA Operator:
  » Issues certificates
  » Manages the CA and RA servers
  » Maintains the CA system
  » Manages the CA private key

Page 3: Update on NECTEC GOC CA Status

» Accredited at Production Level by APGrid PMA in October 2006.
» Bundled with the IGTF CA distribution.
» Started operation in January 2007.
» Web Repository:
  » Moved from ThaiSarn to the NECTEC local network for better stability.

Page 4: Issued Certificate Status

» No certificates have been issued yet.
» NECTEC GOC CA issues certificates to:
  » Collaborators related to NECTEC Grid Computing research: the Computational Fluid Dynamics Grid projects and the Information Grid project.

Page 5: Plan

» NECTEC GOC CA plans to:
  » Draft the CP/CPS according to RFC 3647 in October 2007.
  » Conduct an internal audit after the CP/CPS has been drafted.

Page 6: Detailed report on compliance with the latest Classic Authentication Profile

Page 7: Identity and End-Entity certificate expiration

» User and Grid Host Certificate:
  » The subscriber meets in person with the RA Operator.
  » The RA Operator reviews and approves the Application and Certificate Request according to the user's documents [CPS 1.3.2 and 3.1.x].
  » The RA communicates with the CA by signed e-mails.
» NECTEC GOC CA uses the re-key method for certificate renewal.

Page 8: Operation Requirements

» CA Server:
  » Stored in a safe deposit box, which is protected by a six-digit code.
  » Not connected to a network of any sort.
  » Located in a room which is restricted to the CA Operator during its operations.
» CA private key:
  » Key length 2048 bits and lifetime 10 years.
  » Protected by a 15-character passphrase.
  » Backed up on a USB drive and stored in the safe box by the CA Operator.

Page 9: CP/CPS Identification

» Current version: 1.0 (October 2006)
» Object ID: 1.3.6.1.4.1.25149.1.1.1.0
» Conforms to RFC 2527 (a redraft according to RFC 3647 is planned for October 2007).
» Managed by the NECTEC GRID PMA.
» Changes in contents need to be approved by the NECTEC GRID PMA.

Page 10: Certificate and CRL profile (1)

» CA's Certificate:
  » DN: C=TH,O=NECTEC,OU=GOC,CN=NECTEC GOC CA
  » Signature Algorithm: sha1WithRSAEncryption
  » Extensions field:
    » Basic constraints: critical; CA:TRUE
    » Key Usage: critical; digitalSignature, crlSign, keyCertSign

Page 11: Certificate and CRL profile (2)

» End-Entity Certificate:
  » Key length 1024 bits and lifetime 13 months.
  » Extension field:
    » basicConstraints: critical; CA:false
    » keyUsage: critical; nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment (User Certificate); digitalSignature, keyEncipherment, dataEncipherment (Host Certificate)
    » PolicyIdentifier: OID (refer to CPS 1.2)
    » CRLDistributionPoints: URI of the CRL
    » subjectAlternativeName: e-mail address of the user (User Certificate)
    » subjectAlternativeName: FQDN (Host Certificate)
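A checker for the end-entity profile listed above, as an added example in Go using only the standard library (not code from NECTEC GOC CA): ProfileErrors reports every deviation from the stated key size, lifetime, basicConstraints, keyUsage per certificate type, CRL distribution point and subjectAltName, and NewUserCert self-signs a constructed user certificate to feed it. The subject name, e-mail address and CRL URI path are assumptions; the policy OID extension is not checked.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ProfileErrors lists how an end-entity certificate deviates from the profile above: key size
// and lifetime, basicConstraints, keyUsage by certificate type, CRL distribution point and SAN.
func ProfileErrors(c *x509.Certificate, hostCert bool) (errs []string) {
	want := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment
	if !hostCert { // user certificates additionally carry nonRepudiation (ContentCommitment in Go)
		want |= x509.KeyUsageContentCommitment
	}
	fail := func(bad bool, msg string) {
		if bad {
			errs = append(errs, msg)
		}
	}
	fail(!c.BasicConstraintsValid || c.IsCA, "basicConstraints must be present with CA:false")
	fail(c.PublicKeyAlgorithm != x509.RSA || c.PublicKey.(*rsa.PublicKey).N.BitLen() != 1024, "key must be 1024-bit RSA")
	fail(c.NotAfter.After(c.NotBefore.AddDate(0, 13, 0)), "lifetime exceeds 13 months")
	fail(c.KeyUsage != want, "keyUsage does not match the profile for this certificate type")
	fail(len(c.CRLDistributionPoints) == 0, "CRLDistributionPoints missing")
	fail((hostCert && len(c.DNSNames) == 0) || (!hostCert && len(c.EmailAddresses) == 0), "subjectAltName missing")
	return errs
}

// NewUserCert self-signs a constructed user certificate (assumed subject, e-mail and CRL URI path) with a fresh RSA key.
func NewUserCert(keyBits, months int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2007, 6, 4, 0, 0, 0, 0, time.UTC) // fixed so the lifetime check is exact
	t := &x509.Certificate{SerialNumber: big.NewInt(1), BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Sample User"}, NotBefore: notBefore, NotAfter: notBefore.AddDate(0, months, 0),
		KeyUsage: x509.KeyUsageContentCommitment | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		CRLDistributionPoints: []string{"http://gridca.hpcc.nectec.or.th/crl.der"}, // assumed path
		EmailAddresses:        []string{"user@example.org"}}                        // constructed
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parsed so the checker sees exactly what a relying party would
}
```

Running the same user certificate through ProfileErrors with hostCert set reports the extra nonRepudiation bit and the missing FQDN, which is exactly where the two profile variants differ.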

Page 12: Certificate and CRL profile (3)

» Complies with RFC 3280.
» CRL profile:
  » Basic fields: Version: 2; algorithmIdentifier: SHA1
  » Extensions field: cRLNumber: integer; distributionPointName: URI of the CRL

Page 13: CRL

» CRL validity is 30 days.
» A new CRL is issued:
  » 7 days before expiration of the previous one.
  » Immediately after a certificate revocation.
  » Published in the web repository.

Page 14: Publication and Repository

» The NECTEC GOC CA repository consists of:
  » CP/CPS
  » CA's Certificate (DER, CRT and PEM format)
  » CRL (DER, PEM and r0 format)
  » Application form, user guide and contact information

http://gridca.hpcc.nectec.or.th

Page 15: END

Any comments or suggestions?