TCS - TERENA
TCS
Milan Sova
EUGridPMA, Zurich
May 2009
TCS History
● Fall 2005:
– TERENA opens a Call for Proposals;
– First contract with GlobalSign BV in 2006;
● SCS (Server Certificate Service)
– NRENs participating would get SSL certificates against a yearly flat fee;
● Started with 8 NRENs (in 2006):
– Now 19 NRENs participate;
– More than 15.000 SSL certificates issued in Europe;
● March 2009:
– As a result of a new Call for Proposals, Comodo appointed as new supplier;
SCS -> TCS
● New SCS service
– Expected start in May 2009
● Model
– yearly flat fee per NREN
– TERENA contractual party
– dedicated TERENA sub-CA
– 20 NRENs
SCS -> TCS (cont.)
● Optional add-on services
– personal (S/MIME & TLS client) certs
– object signing certs
– extra flat fee
=> TERENA Certificate Service
● work in progress
– testing certificate profiles
– writing CPS
Operational model
● Comodo
– CA operator (hosted CA)
● TERENA
– contractual party
● NRENs
– RA (registration authority)
● Organizations
– subscribers
– approving agents
BigOrg Model
● BigOrg pre-registers with its NREN
– BigOrg identity
● name(s), address, proof of legal existence
– registered domain names
● NREN verifies the registration
● BigOrg approves requests
● compliance checked by the TCS frontend
SmallOrg Model
● SmallOrg registers with its NREN
– SmallOrg identity
● name(s), address, proof of legal existence
● SmallOrg issues request
● NREN RA verifies & approves the request
● NRENs would prefer BigOrg model ;)
Server Profile - Subject
● C required
● ST optional
● L optional
● O required
● OU optional
● CN required
● unstructuredName optional
Server profile - Extensions
● basicConstraints (critical):
– ca:false (no pathLenConstraint)
● keyUsage (critical):
– digitalSignature, keyEncipherment
● extendedKeyUsage (non-critical):
– id-kp-serverAuth, id-kp-clientAuth
● subjectAltName (non-critical):
– dNSName (min 1, max 100 names)
Server profile – Extensions (cont.)
● cRLDistributionPoints (non-critical):
– URI:http://crl.tcs.terena.org/ssl_server.crl
● authorityInfoAccess (non-critical):
– CA Issuer: URI:http://crt.tcs.terena.org/ssl_server.crt
– OCSP: URI:http://ocsp.tcs.terena.org
Server profile – Extensions (cont.)
● authorityKeyIdentifier (non-critical):
– keyID:...
● subjectKeyIdentifier (non-critical): ...
● certificatePolicies (non-critical):
– SCS policyID (no qualifiers)
eScience Server Profile - Subject
● DC "org"
● DC "terena"
● DC "scs"
● C required
● O required
● OU optional
● CN required
eScience Server Profile - Extensions
● basicConstraints (critical):
– ca:false (no pathLenConstraint)
● keyUsage (critical):
– digitalSignature, keyEncipherment, dataEncipherment
● extendedKeyUsage (non-critical):
– id-kp-serverAuth, id-kp-clientAuth
● subjectAltName (non-critical):
– dNSName (min 1, max 100 names)
eScience Server Profile – Extensions (cont.)
● cRLDistributionPoints (non-critical):
– URI:http://crl.tcs.terena.org/eScience_server_crl
● authorityInfoAccess (non-critical):
– CA Issuer: URI:http://crt.tcs.terena.org/eScience_server.crt
– OCSP: URI:http://ocsp.tcs.terena.org
eScience Server Profile – Extensions (cont.)
● authorityKeyIdentifier (non-critical):
– keyID:...
● subjectKeyIdentifier (non-critical): ...
● certificatePolicies (non-critical):
– SCS policyID (no qualifiers)
– 1.2.840.113612.5.2.2.1 (no qualifiers)
(eScience) Personal CA
● federated CA
● front-end - portal(s) operated by NRENs
● IdPs – RA functions
Attributes - Authorization
● eduPersonEntitlement
– “user vetted properly”
– “request approved by the Org”
Attributes - Naming
● Common Name
● Organization Name
– preregistered
● “unique ID” assigned by IdP
– ePTargetedID, ePPrincipalName, whatever...
● email(s)
– verified by IdP
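The two attribute slides describe what the federated personal CA takes from a user's IdP: entitlement values that authorize issuance, and the name, pre-registered organisation, IdP-assigned unique ID and verified e-mail addresses that go into the certificate. The Python below is an added example, not TCS or TERENA code, of how an NREN-operated portal could apply those rules before a request reaches the CA. The entitlement URN values, the organisation registry keyed by IdP entityID, the use of displayName for the Common Name, the placement of the unique ID in unstructuredName and the sample attribute set are all assumptions of this example; the slides name none of them.

```python
# Added example (not TCS/TERENA code): turn the attributes an IdP releases into the
# naming and authorization decisions on the slides, or reject the request.
import re

# Hypothetical entitlement values; the slides only describe their meaning.
ENT_VETTED = "urn:example:tcs:user-vetted"         # "user vetted properly"
ENT_APPROVED = "urn:example:tcs:request-approved"  # "request approved by the Org"
MAX_EMAILS = 10  # eScience Personal profile: rfc822Name min 1, max 10

# Constructed registry of organisations pre-registered with their NREN:
# IdP entityID -> (C, O). Only a pre-registered O may appear in a subject.
REGISTERED_ORGS = {
    "https://idp.example.ac.uk/shibboleth": ("GB", "Example University"),
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class RequestRejected(Exception):
    """Raised when the released attributes do not justify issuing a certificate."""


def plan_personal_cert(entity_id, attrs):
    """Derive subject attributes and SAN e-mails from released attributes, or reject.

    attrs maps attribute name -> list of values, as a SAML SP would present them.
    Authorization is decided first, so no naming work happens for unvetted users."""
    wanted = {ENT_VETTED, ENT_APPROVED}
    ents = set(attrs.get("eduPersonEntitlement", []))
    if not wanted <= ents:
        raise RequestRejected("missing entitlement(s): %s" % sorted(wanted - ents))
    if entity_id not in REGISTERED_ORGS:
        raise RequestRejected("IdP %s has no pre-registered organisation" % entity_id)
    country, org = REGISTERED_ORGS[entity_id]
    cn = (attrs.get("displayName") or [None])[0]  # assumption: CN comes from displayName
    if not cn:
        raise RequestRejected("no displayName for the Common Name")
    # Unique ID: prefer the scoped principal name, fall back to the targeted ID.
    uid = (attrs.get("eduPersonPrincipalName") or attrs.get("eduPersonTargetedID") or [None])[0]
    if not uid:
        raise RequestRejected("no IdP-assigned unique identifier")
    # IdP-verified e-mails only; de-duplicate while keeping the IdP's order.
    emails = [m for m in dict.fromkeys(attrs.get("mail", [])) if EMAIL_RE.match(m)]
    if not 1 <= len(emails) <= MAX_EMAILS:
        raise RequestRejected("need 1..%d verified e-mail addresses, got %d" % (MAX_EMAILS, len(emails)))
    return {
        "subject": {"DC": ["org", "terena", "scs"], "C": country, "O": org, "CN": cn,
                    "unstructuredName": uid},  # placing the unique ID here is this example's choice
        "rfc822Name": emails,
    }


# Constructed sample of what an SP might receive for one user.
SAMPLE_ATTRS = {
    "eduPersonEntitlement": [ENT_VETTED, ENT_APPROVED],
    "eduPersonPrincipalName": ["jdoe@example.ac.uk"],
    "displayName": ["Jane Doe"],
    "mail": ["jane.doe@example.ac.uk", "j.doe@example.ac.uk", "jane.doe@example.ac.uk"],
}

if __name__ == "__main__":
    print(plan_personal_cert("https://idp.example.ac.uk/shibboleth", SAMPLE_ATTRS))
```

The portal never trusts a self-asserted organisation name: O is looked up from the registration the NREN already verified, which is the same control the BigOrg and SmallOrg slides place on server certificates.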
eScience Personal Profile - Subject
● DC "org"
● DC "terena"
● DC "scs"
● C required
● O required
● OU optional
● CN required
● unstructuredName optional
eScience Personal Profile - Extensions
● basicConstraints (critical):
– ca:false (no pathLenConstraint)
● keyUsage (critical):
– digitalSignature, keyEncipherment, dataEncipherment
● extendedKeyUsage (non-critical):
– id-kp-emailProtection, id-kp-clientAuth
● subjectAltName (non-critical):
– rfc822Name (min 1, max 10 email addresses)
eScience Personal Profile – Extensions (cont.)
● cRLDistributionPoints (non-critical):
– URI:http://crl.tcs.terena.org/TERENAeSciencePersonalCA.crl
● authorityInfoAccess (non-critical):
– CA Issuer: URI:http://crt.tcs.terena.org/TERENAeSciencePersonalCA.crt
– OCSP: URI:http://ocsp.tcs.terena.org
eScience Personal Profile – Extensions (cont.)
● authorityKeyIdentifier (non-critical):
– keyID:...
● subjectKeyIdentifier (non-critical): ...
● certificatePolicies (non-critical):
– TCS policyID (no qualifiers)
– 1.2.840.113612.5.2.2.5 (no qualifiers)
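The profile slides (Server, eScience Server and eScience Personal) each list which subject attributes are required, which extensions must be present, their criticality, the permitted key usages and the SAN type and count. The Python below is an added example, not TCS or TERENA code, in the spirit of the "compliance checked by the TCS frontend" step: it encodes the three profiles as data, checks a certificate against a profile and reports every deviation, and builds self-signed test certificates so the checker can be exercised offline. It needs the `cryptography` package. The SCS/TCS policyID is not given on the slides and is replaced by the reserved example OID 2.999.1; the IGTF OIDs, URIs, key usages and SAN limits are transcribed from the slides; the subject values and SAN entries in the tests are constructed.

```python
# Added example, not TCS/TERENA code: profile checker for the three TCS certificate
# profiles on the slides, plus a self-signed test-certificate builder to exercise it.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA_OID
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU_OID, NameOID

TCS_POLICY = "2.999.1"  # PLACEHOLDER (reserved example arc): the SCS/TCS policyID is not on the slides
IGTF_CLASSIC, IGTF_MICS = "1.2.840.113612.5.2.2.1", "1.2.840.113612.5.2.2.5"  # from the slides
UNSTRUCTURED_NAME = x509.ObjectIdentifier("1.2.840.113549.1.9.2")  # pkcs-9 unstructuredName
OCSP_URI = "http://ocsp.tcs.terena.org"
KU_FLAGS = ("digital_signature", "content_commitment", "key_encipherment",
            "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign")


def profile(dcs, optional, ku, eku, san_type, san_max, policies, crl, issuer):
    """One profile as data; C, O and CN are required in every subject on the slides."""
    return dict(dcs=dcs, optional=set(optional), ku=set(ku), eku=set(eku),
                required={NameOID.COUNTRY_NAME, NameOID.ORGANIZATION_NAME, NameOID.COMMON_NAME},
                san_type=san_type, san_max=san_max, policies=set(policies),
                crl="http://crl.tcs.terena.org/" + crl, issuer="http://crt.tcs.terena.org/" + issuer)


SERVER = profile([], [NameOID.STATE_OR_PROVINCE_NAME, NameOID.LOCALITY_NAME,
                      NameOID.ORGANIZATIONAL_UNIT_NAME, UNSTRUCTURED_NAME],
                 ["digital_signature", "key_encipherment"], [EKU_OID.SERVER_AUTH, EKU_OID.CLIENT_AUTH],
                 x509.DNSName, 100, [TCS_POLICY], "ssl_server.crl", "ssl_server.crt")
ESCIENCE_SERVER = profile(["org", "terena", "scs"], [NameOID.ORGANIZATIONAL_UNIT_NAME],
                          ["digital_signature", "key_encipherment", "data_encipherment"],
                          [EKU_OID.SERVER_AUTH, EKU_OID.CLIENT_AUTH], x509.DNSName, 100,
                          [TCS_POLICY, IGTF_CLASSIC], "eScience_server_crl", "eScience_server.crt")
ESCIENCE_PERSONAL = profile(["org", "terena", "scs"], [NameOID.ORGANIZATIONAL_UNIT_NAME, UNSTRUCTURED_NAME],
                            ["digital_signature", "key_encipherment", "data_encipherment"],
                            [EKU_OID.EMAIL_PROTECTION, EKU_OID.CLIENT_AUTH], x509.RFC822Name, 10,
                            [TCS_POLICY, IGTF_MICS], "TERENAeSciencePersonalCA.crl",
                            "TERENAeSciencePersonalCA.crt")


def check(cert, p):
    """Return the list of profile violations for cert (an empty list means compliant)."""
    errs, ext = [], cert.extensions
    oids = [a.oid for a in cert.subject]
    allowed = p["required"] | p["optional"] | {NameOID.DOMAIN_COMPONENT}
    errs += ["subject lacks %s" % o.dotted_string for o in p["required"] - set(oids)]
    errs += ["subject attribute %s not in profile" % o.dotted_string for o in oids if o not in allowed]
    dcs = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.DOMAIN_COMPONENT)]
    if dcs != p["dcs"]:
        errs.append("DC sequence %r, profile wants %r" % (dcs, p["dcs"]))
    try:
        bc = ext.get_extension_for_class(x509.BasicConstraints)
        if not bc.critical or bc.value.ca or bc.value.path_length is not None:
            errs.append("basicConstraints must be critical, ca:false, no pathLenConstraint")
        ku = ext.get_extension_for_class(x509.KeyUsage)
        flags = {f for f in KU_FLAGS if getattr(ku.value, f)}
        if not ku.critical or flags != p["ku"]:
            errs.append("keyUsage %s, profile wants %s" % (sorted(flags), sorted(p["ku"])))
        eku = ext.get_extension_for_class(x509.ExtendedKeyUsage)
        if eku.critical or set(eku.value) != p["eku"]:
            errs.append("extendedKeyUsage wrong set or marked critical")
        san = ext.get_extension_for_class(x509.SubjectAlternativeName)
        names = san.value.get_values_for_type(p["san_type"])
        if san.critical or len(names) != len(san.value) or not 1 <= len(names) <= p["san_max"]:
            errs.append("subjectAltName needs 1..%d %s entries and nothing else"
                        % (p["san_max"], p["san_type"].__name__))
        pols = ext.get_extension_for_class(x509.CertificatePolicies).value
        if ({pi.policy_identifier.dotted_string for pi in pols} != p["policies"]
                or any(pi.policy_qualifiers for pi in pols)):
            errs.append("certificatePolicies wrong OIDs or has qualifiers")
        crl = ext.get_extension_for_class(x509.CRLDistributionPoints).value
        if [u.value for dp in crl for u in dp.full_name] != [p["crl"]]:
            errs.append("cRLDistributionPoints URI mismatch")
        aia = {d.access_method: d.access_location.value
               for d in ext.get_extension_for_class(x509.AuthorityInformationAccess).value}
        if aia != {AIA_OID.CA_ISSUERS: p["issuer"], AIA_OID.OCSP: OCSP_URI}:
            errs.append("authorityInfoAccess mismatch")
    except x509.ExtensionNotFound as e:
        errs.append(str(e))
    return errs


def build_test_cert(p, country, org, cn, san_values):
    """Self-signed certificate shaped by profile p. Constructed for testing only:
    real TCS certificates are issued by the Comodo-operated TERENA sub-CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.DOMAIN_COMPONENT, dc) for dc in p["dcs"]] + [
        x509.NameAttribute(NameOID.COUNTRY_NAME, country), x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
         .add_extension(x509.KeyUsage(encipher_only=False, decipher_only=False,
                                      **{f: f in p["ku"] for f in KU_FLAGS}), critical=True)
         .add_extension(x509.ExtendedKeyUsage(sorted(p["eku"], key=lambda o: o.dotted_string)), critical=False)
         .add_extension(x509.SubjectAlternativeName([p["san_type"](v) for v in san_values]), critical=False)
         .add_extension(x509.CertificatePolicies(
             [x509.PolicyInformation(x509.ObjectIdentifier(o), None) for o in sorted(p["policies"])]), critical=False)
         .add_extension(x509.CRLDistributionPoints(
             [x509.DistributionPoint([x509.UniformResourceIdentifier(p["crl"])], None, None, None)]), critical=False)
         .add_extension(x509.AuthorityInformationAccess(
             [x509.AccessDescription(AIA_OID.CA_ISSUERS, x509.UniformResourceIdentifier(p["issuer"])),
              x509.AccessDescription(AIA_OID.OCSP, x509.UniformResourceIdentifier(OCSP_URI))]), critical=False)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=False))
    return b.sign(key, hashes.SHA256())
```

Keeping the profiles as data makes the differences between them explicit: the eScience profiles add the DC prefix, dataEncipherment and an IGTF policy OID, and the personal profile swaps dNSName for rfc822Name with a limit of 10. The checker reports every deviation rather than stopping at the first, which is what an RA wants when deciding whether to reject or correct a request.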
To be continued...