Public Key Activities in the Spanish Academic Network
PKI-COORD (PKI Coordination for Europe), December 6, 2000, Amsterdam
Outline
  IRIS-PCA: objectives and characteristics, hierarchy, policy, procedures, links
  PKCS#11 library
  PAPI: architecture, status, goals
IRIS-PCA: Objectives
  Explore PK technologies
  Establish a hierarchical certification structure in the Spanish Research and Academic Network (RedIRIS constituency)
  Establish a common certification framework
  Share applications and experiences between the members of the community
  Promote the use of open-source software
IRIS-PCA: The Beginnings
  PKI activities were started at the end of 1997
  GTI-PCA Working Group: 7th WG meeting in November 2000
  IRIS-PCA is in production
    Started November 2000
    Two organizations certified
    Nine organizations working on their own PKI (candidates to be incorporated)
IRIS-PCA: Characteristics
  Scope: root CAs of organizations under our constituency (research and academic institutions)
  X.509 v3 certificate format
  RedIRIS operates the root CA
  Software: openssl, on a dedicated, secured, off-line Linux box
  Certificates available through HTTP (plus LDAP in the near future)
  Each organization is free to establish its own CA and RA structure, CP and CPS, at least as restrictive as the IRIS-PCA CP
IRIS-PCA: Hierarchy
  IRIS-PCA
    Org-RootCA
      Org-SubCA
        Server certificate
        User certificate
        Other certificates
      Server certificate
      User certificate
      Other certificates
IRIS-PCA: Policy
  http://www.rediris.es/cert/iris-pca/docs/politica.html (only Spanish version available)
  At the moment, no full CP/CPS compliance with the standard (RFC 2527)
  Chapters on:
    IRIS-PCA identity
    Scope
    Certification tree
    Use of the RAs
    Security and privacy requirements
    Policy and procedures for certificates
    Policy and procedures for revocations
    Validity of the certificates
    Naming conventions
    CRL and certificate management
    Obligations and responsibilities
IRIS-PCA: Procedures
  The candidate organization sends
    By e-mail ([email protected]): certificate request (PKCS#10 or self-signed certificate format)
    By certified postal mail: certification policy; request document and legal agreement; formal appointment of the technical contact
  RA@RedIRIS replies
    By e-mail (to the organization's technical contact): CA certificate (PEM format), also published by HTTP
    By certified postal mail: secret code for revocation
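The hierarchy slide and the procedure above describe the same round trip: an organization generates a key pair, sends a PKCS#10 request to the RA, and gets back a CA certificate signed by the off-line IRIS-PCA root; the organization then issues its own sub-CA and end-entity certificates. The following script is an added example, not code from the talk or from RedIRIS, that builds such a three-level chain with the openssl command-line tool (assumed to be OpenSSL 1.1.1 or later). All organization names, subjects and file names are constructed for the demonstration; it also shows the two checks a relying party gets from this layout: the leaf is only accepted with its intermediates, and the pathlen constraints on the organization's CAs stop an unplanned extra CA level from issuing usable certificates.

```shell
#!/bin/sh
# Added example (not RedIRIS code): a toy IRIS-PCA-style hierarchy built with
# the openssl CLI.  Names, subjects and paths are constructed; no real keys or
# certificates from the talk are involved.
#
#   IRIS-PCA (self-signed root)
#     -> Org-RootCA  (issued from the organization's PKCS#10 request)
#        -> Org-SubCA
#           -> server certificate
set -eu

gen_key() {            # $1 = key file
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# The organization's side of the procedure: a key pair and a PKCS#10 request.
make_csr() {           # $1 = work dir, $2 = name, $3 = subject
    gen_key "$1/$2.key"
    openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr" 2>/dev/null
}

# The root CA: self-signed, CA:TRUE, key usage limited to signing certs and CRLs.
make_root() {          # $1 = work dir, $2 = name, $3 = subject
    make_csr "$1" "$2" "$3"
    printf '%b\n' "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# The issuing CA's side: sign the request, taking extensions only from a file the
# CA writes itself (nothing is copied from the CSR), and return the certificate.
sign_csr() {           # $1 = work dir, $2 = request name, $3 = issuer name, $4 = extensions
    printf '%b\n' "$4" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

build_hierarchy() {    # $1 = work dir (created if missing)
    mkdir -p "$1"
    make_root "$1" iris-pca "/C=ES/O=RedIRIS/CN=IRIS-PCA (example)"
    make_csr  "$1" org-root "/C=ES/O=Example University/CN=Org-RootCA (example)"
    sign_csr  "$1" org-root iris-pca \
        "basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign"
    make_csr  "$1" org-sub "/C=ES/O=Example University/OU=Computing/CN=Org-SubCA (example)"
    sign_csr  "$1" org-sub org-root \
        "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign"
    make_csr  "$1" www "/C=ES/O=Example University/CN=www.example.invalid"
    sign_csr  "$1" www org-sub \
        "basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.invalid"
    # What a relying party needs besides the root: the intermediates, leaf-most first.
    cat "$1/org-sub.crt" "$1/org-root.crt" > "$1/chain.pem"
}

# Relying-party check: only the root is trusted; intermediates are supplied untrusted.
verify_leaf() {        # $1 = work dir, $2 = leaf name, $3 = chain file; 0 = valid
    openssl verify -CAfile "$1/iris-pca.crt" -untrusted "$3" "$1/$2.crt" >/dev/null 2>&1
}

# pathlen enforcement: Org-SubCA carries pathlen:0 (and Org-RootCA pathlen:1), so a
# CA certificate issued below Org-SubCA must not be usable to issue end-entity certs.
pathlen_rejected() {   # $1 = work dir; 0 = the over-long chain was rejected
    make_csr "$1" extra-ca "/C=ES/O=Example University/CN=Unplanned SubSubCA (example)"
    sign_csr "$1" extra-ca org-sub "basicConstraints=critical,CA:TRUE"
    make_csr "$1" deep-leaf "/C=ES/O=Example University/CN=deep.example.invalid"
    sign_csr "$1" deep-leaf extra-ca "basicConstraints=critical,CA:FALSE"
    cat "$1/extra-ca.crt" "$1/org-sub.crt" "$1/org-root.crt" > "$1/deep-chain.pem"
    ! verify_leaf "$1" deep-leaf "$1/deep-chain.pem"
}

# Run as: sh iris-pca-demo.sh run   (file name is constructed)
if [ "${1:-}" = run ]; then
    WORK=$(mktemp -d)
    build_hierarchy "$WORK"
    verify_leaf "$WORK" www "$WORK/chain.pem" && echo "www chain valid"
    pathlen_rejected "$WORK" && echo "pathlen:0 enforced"
    openssl x509 -in "$WORK/org-root.crt" -noout -subject -issuer -ext basicConstraints
fi
```

Two design points carry over from the slides: the root's private key never touches the organization's material (only a CSR crosses the boundary, which is why a PKCS#10 request is all the RA needs by e-mail), and the issuing CA decides the extensions from its own file rather than honouring whatever the request carried, which is what makes the pathlen limits meaningful.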
IRIS-PCA: Links
  IRIS-PCA pilot: http://www.rediris.es/cert/proyectos/iris-pca/index.en.html
  GTI-PCA Working Group: http://www.rediris.es/cert/iris-pca/gti-pca/
  Mailing list: [email protected], http://www.rediris.es/list/info/gti-pca.es.html
PKCS#11 Library
  Developed by the University of Murcia for their internal PKI project
  Open to different formats and sizes of smart cards
  Available for Unix/Linux and Windows
  Thoroughly tested in an operational environment: about 10,000 users; access control, clock-in, facility reservation, ...
  The aim of RedIRIS is to distribute the library under the GPL; negotiation is ongoing
  Configuration procedures and documentation necessary
PAPI
  Was initiated to solve the problems derived from access control based on IP-address filters
  Its main objective is the provision of controlled access to information services with
    A simple and transparent user interface
    Maximum flexibility for clients (universities and other centers inside the RedIRIS network) and information providers
    User ubiquity
    User privacy with respect to content providers
  Started with the collaboration of content providers and client organizations
  Liaisons with other academic networks
PAPI: Architecture
PAPI: Status
  Functioning prototype, based on Apache mod_perl and virtual servers, running since October: http://www.rediris.es/app/papi/
  First real-environment testbed available in mid-December: access to digital library services at a major university in Southern Spain
    About 300 initial users
    70,000 potential users
  Successful initial tests
PAPI: Short- and mid-term goals
  Optimization of system modules based on performance measurements and user feedback
  Management facilities
  Implementation of a set of basic authentication hooks (user- and group-based)
  Installation procedures and documentation set: dissemination, PAPI-on-a-box
  Harmonization (standardization?) with similar projects: essential to effectively involve content providers