Public Key Activities in the Spanish Academic Network

PKI-COORD (PKI Coordination for Europe)
December 6, 2000, Amsterdam

Outline

- IRIS-PCA
  - Objectives and characteristics
  - Hierarchy
  - Policy
  - Procedures
  - Links
- PKCS#11 library
- PAPI
  - Architecture
  - Status
  - Goals


IRIS-PCA: Objectives

- Explore public-key technologies
- Establish a hierarchical certification structure in the Spanish Research and Academic Network (RedIRIS constituency)
- Establish a common certification framework
- Share applications and experiences between the members of the community
- Promote the use of open-source software


IRIS-PCA: The Beginnings

- PKI activities were started at the end of 1997
- GTI-PCA Working Group: 7th WG meeting in November 2000
- IRIS-PCA is in production
  - Started November 2000
  - Two organizations certified
  - Nine organizations working on their own PKI (candidates to be incorporated)


IRIS-PCA: Characteristics

- Scope: root CAs of the organizations under our constituency (research and academic institutions)
- X.509 v3 certificate format
- RedIRIS operates the root CA
  - Software: OpenSSL
  - On a dedicated, hardened, off-line Linux box
  - Certificates available through HTTP (plus LDAP in the near future)
- Each organization is free to establish its own CA and RA structure, CP and CPS
  - At least as restrictive as the IRIS-PCA CP


IRIS-PCA: Hierarchy

IRIS-PCA
  Org-RootCA
    Org-SubCA
      Server certificate
      User certificate
      Other certificates
    Server certificate
    User certificate
    Other certificates


IRIS-PCA: Policy

http://www.rediris.es/cert/iris-pca/docs/politica.html (only the Spanish version is available)

At the moment the CP/CPS does not fully comply with the standard framework (RFC 2527). Chapters on:
- IRIS-PCA identity
- Scope
- Certification tree
- Use of the RAs
- Security and privacy requirements
- Policy and procedures for certificates
- Policy and procedures for revocations
- Validity of the certificates
- Naming conventions
- CRL and certificate management
- Obligations and responsibilities


IRIS-PCA: Procedures

The candidate organization sends:
- By e-mail ([email protected]):
  - Certificate request (PKCS#10 or self-signed certificate format)
- By certified postal mail:
  - Certification policy
  - Request document and legal agreement
  - Formal appointment of the technical contact

RA@RedIRIS replies:
- By e-mail (to the organization's technical contact):
  - CA certificate (PEM format), also published by HTTP
- By certified postal mail:
  - Secret code for revocation
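The hierarchy and the enrolment procedure above, as an added example that is not part of the original slides and not RedIRIS's own tooling: a throwaway IRIS-PCA-style tree driven from the openssl command line (the characteristics slide names openssl as the root CA software but shows no commands). It assumes an OpenSSL 1.1.1 or later CLI, uses openssl x509 -req instead of the stateful openssl ca database, and every organisation, host and CA name in it is constructed. It covers the PKCS#10 form of the request (not the self-signed-certificate form), adds the check an RA should make before signing anything (verifying the CSR's self-signature, which is the requester's proof of possession of the private key), and shows two chains that must be rejected: a CA that never enrolled with IRIS-PCA, and a sub-CA nested deeper than the organisation's root permits.

```shell
#!/bin/sh
# Added example, not RedIRIS code: an IRIS-PCA-style tree built with the
# openssl CLI. Organisation, host and CA names are constructed for the demo.
set -eu
# One extension profile per level of the tree. Org-RootCA gets pathlen:1
# (one CA level may sit below it), Org-SubCA pathlen:0 (end entities only).
write_config() {
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ org_root_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:1
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ org_sub_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
EOF
}
# Key pair plus PKCS#10 request: dir, name, subject.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/pki.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" >/dev/null 2>&1
}
# RA check before signing: the request's self-signature must verify, which
# proves the requester holds the private key for the public key it sent.
check_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
# Self-signed certificate from a CSR: dir, name, profile, days.
self_sign() {
    openssl x509 -req -sha256 -days "$4" -in "$1/$2.csr" -signkey "$1/$2.key" \
        -extfile "$1/pki.cnf" -extensions "$3" -out "$1/$2.pem" >/dev/null 2>&1
}
# Certificate issued by a CA: dir, csr name, CA name, profile, days.
issue() {
    check_csr "$1/$2.csr"
    openssl x509 -req -sha256 -days "$5" -in "$1/$2.csr" -CA "$1/$3.pem" \
        -CAkey "$1/$3.key" -CAcreateserial -extfile "$1/pki.cnf" \
        -extensions "$4" -out "$1/$2.pem" >/dev/null 2>&1
}
# Validate a leaf against IRIS-PCA: dir, leaf name, intermediate CA names.
verify_chain() {
    dir="$1"; leaf="$2"; shift 2
    : >"$dir/chain.pem"
    for ca in "$@"; do cat "$dir/$ca.pem" >>"$dir/chain.pem"; done
    openssl verify -CAfile "$dir/iris-pca.pem" -untrusted "$dir/chain.pem" \
        "$dir/$leaf.pem" >/dev/null 2>&1
}
build_hierarchy() {
    dir="$1"
    write_config "$dir/pki.cnf"
    # IRIS-PCA root, self-signed (kept on the off-line box in the real setup).
    make_csr "$dir" iris-pca "/C=ES/O=RedIRIS/CN=IRIS-PCA"
    self_sign "$dir" iris-pca root_ca 3650
    # The organisation e-mails its PKCS#10 request; the RA returns org-root.pem.
    make_csr "$dir" org-root "/C=ES/O=Example University/CN=Example University Root CA"
    issue "$dir" org-root iris-pca org_root_ca 1825
    # The organisation runs its own SubCA and issues a server certificate.
    make_csr "$dir" org-sub "/C=ES/O=Example University/CN=Example University Sub CA"
    issue "$dir" org-sub org-root org_sub_ca 1095
    make_csr "$dir" www "/C=ES/O=Example University/CN=www.example.edu"
    issue "$dir" www org-sub server 365
    # Two things verification must reject: a CA that never enrolled with
    # IRIS-PCA, and an extra CA level under Org-SubCA (pathlen:0 violated).
    make_csr "$dir" rogue "/C=ES/O=Rogue Org/CN=Rogue Root CA"
    self_sign "$dir" rogue root_ca 365
    make_csr "$dir" rogue-www "/C=ES/O=Rogue Org/CN=www.example.edu"
    issue "$dir" rogue-www rogue server 365
    make_csr "$dir" org-subsub "/C=ES/O=Example University/CN=Too Deep CA"
    issue "$dir" org-subsub org-sub org_sub_ca 365
    make_csr "$dir" deep-www "/C=ES/O=Example University/CN=deep.example.edu"
    issue "$dir" deep-www org-subsub server 365
}
main() {
    d=$(mktemp -d)
    build_hierarchy "$d"
    verify_chain "$d" www org-root org-sub && echo "www: chain to IRIS-PCA OK"
    verify_chain "$d" rogue-www rogue || echo "rogue-www: rejected, issuer not under IRIS-PCA"
    verify_chain "$d" deep-www org-root org-sub org-subsub || echo "deep-www: rejected, path length exceeded"
}
main
```

Run it as a script; it prints one line per verification. A production issuer would use openssl ca with its index and serial database so that CRLs (openssl ca -gencrl) come from the same records as the certificates, with the root key and the signing step staying on the off-line box and only PEM certificates and CRLs copied to the HTTP server. The pathlen constraints are one technical way to hold a subordinate CA to a narrower scope than the level above it; the slide's "at least as restrictive" requirement is about the written CP, which these extensions do not express by themselves.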


IRIS-PCA: Links

- IRIS-PCA pilot: http://www.rediris.es/cert/proyectos/iris-pca/index.en.html
- GTI-PCA Working Group: http://www.rediris.es/cert/iris-pca/gti-pca/
- Mailing list: [email protected] (http://www.rediris.es/list/info/gti-pca.es.html)
- [email protected]


PKCS#11 Library

- Developed by the University of Murcia for their internal PKI project
- Open to different formats and sizes of smart cards
- Available for Unix/Linux and Windows
- Thoroughly tested in an operational environment
  - About 10,000 users
  - Access control, clock-in, facility reservation, ...
- The aim of RedIRIS is to distribute the library under the GPL
  - Negotiation is ongoing
  - Configuration procedures and documentation are necessary


PAPI

- Was initiated to solve the problems derived from access control based on IP-address filters
- Its main objective is the provision of controlled access to information services with:
  - A simple and transparent user interface
  - Maximum flexibility for clients (universities and other centres inside the RedIRIS network) and for information providers
  - User ubiquity
  - User privacy with respect to content providers
- Started with the collaboration of content providers and client organizations
- Liaisons with other academic networks


PAPI: Architecture (diagram only; no text on this slide)


PAPI: Status

- Functioning prototype
  - Based on Apache mod_perl and virtual servers
  - Running since October: http://www.rediris.es/app/papi/
- First real-environment testbed available in mid-December
  - Access to digital library services at a major university in Southern Spain
  - About 300 initial users, 70,000 potential users
  - Successful initial tests


PAPI: Short- and mid-term goals

- Optimization of system modules based on performance measurements and user feedback
- Management facilities
- Implementation of a set of basic authentication hooks (user- and group-based)
- Installation procedures and documentation set: dissemination, PAPI-on-a-box
- Harmonization (standardization?) with similar projects: essential to effectively involve content providers