Post on 04-Jan-2016
KISTI Grid CA Status Report
Korea Institute of Science and Technology Information
Sangwan Kim (sangwan@kisti.re.kr)
Jae-Hyuck Kwan (jhkwak@kisti.re.kr)
5th APGrid PMA Meeting
September 16 2008
Biopolis, Singapore
Contents
• History of KISTI Grid CA Operation
• KISTI Grid CA Overview
• Statistics
• Future Works
History of KISTI Grid CA Operation
• K*Grid Project started in 2002 in Korea.
• Experimental CA System (2002 ~ June 2004)
  ▶ Statistics
    • # of users (subscribers) : more than 390 users
    • # of issued certificates : more than 3,000 certificates
• Production Level CA System (June 2004 ~ June 2007)
  ▶ Statistics
    • # of users (subscribers) : more than 60 users
    • # of issued certificates : more than 400 certificates
• Production CA v2.0 (June 2007~)
  ▶ Statistics
    • # of users (subscribers) : 27
    • # of issued certificates : 66 certificates
KISTI Grid CA Overview
• Web Site (online certificates repository)
  ▶ http://ca.gridcenter.or.kr/
• CA cert
  ▶ http://ca.gridcenter.or.kr/certs/certificates/722e5071.0
  ▶ Valid : Jul 12, 2007 – Aug 1, 2017 (10 years)
  ▶ Key size: 2048 bits
• Certificate Policy & Practice Statement:
  ▶ http://ca.gridcenter.or.kr/cps/KISTI-CPCPS-2.0.html
  ▶ Based on RFC 3647
  ▶ X.509 OID: 1.3.6.1.4.1.14305.1.1.1.2.0
• CRL
  ▶ http://ca.gridcenter.or.kr/CRL/722e5071.crl
  ▶ X509 Version 2, CRL life time: 30 days (new CRL 7 days before expiration of the previous one)
KISTI Grid CA Overview
• Certificate Profile: X509 v3 Extensions
  ▶ CA certificate
    • Basic Constraints: CA: TRUE
    • Key Usage: critical, Certificate Sign, CRL Sign
    • Certificate Policies: 1.3.6.1.4.1.14305.1.1.1.2.0
  ▶ User certificates
    • Basic Constraints: CA: FALSE
    • Key Usage: critical, Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    • Extended Key Usage: TLS Web Client Authentication
    • Issuer Alternative Name, CRL Distribution Point, Policies OID
  ▶ Host certificates
    • Basic Constraints: CA: FALSE
    • Key Usage: critical, Digital Signature, Key Encipherment, Data Encipherment
    • Extended Key Usage: TLS Web Server/Client Authentication
    • Issuer Alternative Name, CRL Distribution Point, Policies OID
    • Subject Alternative Name: DNS:<FQDN of the host>
KISTI Grid CA Overview
• Name forms
  ▶ Issuer:
    • C=KR, O=KISTI, O=GRID, CN=KISTI Grid Certificate Authority
  ▶ User DN:
    • C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[the name of applicant]
  ▶ Host DN:
    • C=KR, O=KISTI, O=GRID, O=[applicant's organization], CN=[FQDN of the hostname]
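An added example, not part of the original slides and not KISTI's own tooling: a Python check that a requested subject DN fits the user or host name form above, and that a host's CN also appears as a Subject Alternative Name DNS entry as the host certificate profile requires. The function names, the FQDN pattern and the sample DNs are assumptions constructed for illustration.

```python
import re

# Fixed RDN prefix from the "Name forms" slide; order is significant.
PREFIX = [("C", "KR"), ("O", "KISTI"), ("O", "GRID")]
# Assumption: an FQDN is two or more LDH labels separated by dots.
FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_dn(dn):
    """Split 'C=KR, O=KISTI, ...' into (type, value) pairs, honouring '\\,' escapes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def check_subject(dn, kind, san_dns=()):
    """Return a list of problems; an empty list means the subject fits the name form."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if rdns[:3] != PREFIX:
        problems.append("subject is outside the C=KR, O=KISTI, O=GRID namespace")
    tail = rdns[3:]
    if [attr for attr, _ in tail] != ["O", "CN"]:
        problems.append("expected exactly one organization O and one CN after the prefix")
        return problems
    cn = tail[1][1]
    if kind == "host":
        if not FQDN.match(cn):
            problems.append(f"host CN {cn!r} is not an FQDN")
        if cn.lower() not in (name.lower() for name in san_dns):
            problems.append("host CN is missing from subjectAltName DNS entries")
    elif kind != "user":
        problems.append(f"unknown certificate kind {kind!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample request: a host DN submitted without any SAN entry.
    dn = "C=KR, O=KISTI, O=GRID, O=Example University, CN=node01.example.org"
    print(check_subject(dn, "host"))
```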
Statistics
• # of Applicants : 78
• # of Certificates
  ▶ User certificates
    • 68 valid, 4 revoked, 3 expired
  ▶ Host certificates
    • 162 valid, 4 revoked, 3 expired
Future Works
• Some improvements to the web system (user interfaces, design, etc.)
• Self-auditing of KISTI CA
Thank You For Your Attention