UK e-Science Certification Authority


Page 1: UK e-Science Certification Authority

HEPSYSMAN UCL, 26 Nov 2002

Jens G Jensen, CLRC/RAL

UK e-Science Certification Authority

Status and Deployment

Page 2: UK e-Science Certification Authority

Structure of CA

User Request → RA → Approved Request → CA → Certificate

RA = Registration Authority

CA = Certification Authority

Page 3: UK e-Science Certification Authority

Certificate

A certificate ties together a string, a public key, some other stuff and extensions:

• The string is the Distinguished Name, which can be used to uniquely identify the user (i.e., the owner of the corresponding private key)

• The public key corresponds to the user’s private key (RSA)

• Other stuff specifies lifetime of certificate, issuer, etc.

• Extensions specify e.g. which things the certificate can be used for.

Page 4: UK e-Science Certification Authority

The Distinguished Name

• Contains the user’s name (verified by RA)

• Also identifies the RA that approved the original request

• No project information in the DN

– Must not authorise based on DN alone

• BUT: The name establishes only reasonable identity of the user (more than one Joe Smith?)

• BUT: (ideally) the name should be used for authentication only, not identification

– Should be seen as a string tied to the key

– Every time someone connects with this string, you can be assured it’s the same user

Page 5: UK e-Science Certification Authority

The Registration Authority

• RAs are trusted to approve (or reject) requests from users

• Therefore it was felt that RAs should be formally appointed

• RAs are local to users

More about RAs and appointment later.

Page 6: UK e-Science Certification Authority

Identification of users

• Users must show photo ID to RA.

• The reason for this is:

– We promise to verify the name in the DN

– We aim to be (are) a medium assurance CA as defined by the latest GridForum policy draft (v6)

– We aim to be (are) a medium level CA according to the DFN (Deutsche Forschungsnetz)

Page 7: UK e-Science Certification Authority

External Policies and Recommendations

Strong policy

• Harder to get certificate

• But easier to have certificates accepted by Relying Parties

Weak policy

• Easy to get certificate

• Harder to persuade admins to accept certificate for authentication purposes

Page 8: UK e-Science Certification Authority

Status

• New e-Science CA being deployed

• UKHEP CA will be terminated

• UKHEP certificates will be allowed to expire

• UKHEP still issues certificates for users not yet covered by new CA

Page 9: UK e-Science Certification Authority

25 November 2002

• 170 certificates

• 10 RA managers + 15 operators

• Issuing 50 certs / month

• Adding 3 RAs / month

• Adding 6 RA operators / month

Page 10: UK e-Science Certification Authority

What’s done

• Software (OpenCA based) installed

• Keys generated

• Some RAs appointed, certificates issued

• CA staff trained

• Close-to-final CP/CPS issued

• Physical security implemented

Page 11: UK e-Science Certification Authority

What’s currently being done

• New RAs being appointed and trained

• CP/CPS being updated to reflect proposed change in extensions

• RA and CA procedures being reviewed - must ensure that they conform to CPS

Page 12: UK e-Science Certification Authority

What else must be done

• Must issue final CP/CPS

• Approval as DataGrid CA (December)

• Take over RAs from UKHEP

• Then - announce deployment!

Page 13: UK e-Science Certification Authority

Renewal

• Should send email reminder to user 30 days before expiry (with instructions)

• Procedure doesn’t exist yet

• Easy with OpenSSL but how to do it with the web interface?

• Must issue certificate with same DN as an existing certificate...

Page 14: UK e-Science Certification Authority

(Proposed) extensions

• basicConstraints (critical): not CA

• keyUsage (critical) [interpretation sometimes woolly!]:

– nonRepudiation - used to verify digital signatures in repudiation services

– digitalSignature - private key is used for signatures (not certificates or CRLs!!), e.g. SSL client, entity authentication

– keyEncipherment - public key is used for key transport, e.g. email encryption, SSL server

– keyAgreement - used to agree e.g. a symmetric key between client and server

Page 15: UK e-Science Certification Authority

More (proposed) extensions

• certificatePolicies: policyIdentifier (OID)

Page 16: UK e-Science Certification Authority

RA structure

Within one Department: Head of Department → Manager → Operator, Operator (arrow = Appointment)

Operators verify users’ requests

Page 17: UK e-Science Certification Authority

RA Appointment 1

• Agree Name with CA (manager)

• OU and L identify the RA, not the project

OU=Institution, L=Department in which the RA is appointed
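The slides above describe the request flow (User → RA → Approved Request → CA), what a certificate binds together, the DN with its OU/L convention, the proposed critical extensions, and the rule that a renewal keeps the existing DN. The following Go program is an added example, not code from the presentation or from the UK e-Science CA (which ran OpenCA): it models each hop with the standard library's crypto/x509 so that the check made at each hop is visible. Everything in it is constructed: the CA DN, the user DN, the RA's OU and L values, and the policy OID (a placeholder in the 2.999 example arc, because the real CP/CPS OID is not on the slides); the function names NewCA, UserRequest, RAApprove, Issue and RelyingPartyCheck are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

var policyOID = asn1.ObjectIdentifier{2, 999, 1, 1} // placeholder in the 2.999 example arc; the real CP/CPS OID is not on the slides

// CA holds the signing key and certificate; serial is bumped for every certificate issued.
type CA struct {
	Cert   *x509.Certificate
	key    *rsa.PrivateKey
	serial int64
}

// NewCA makes a self-signed CA whose keyUsage is limited to signing certificates and CRLs.
func NewCA(now time.Time) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(5, 0, 0),
		Subject:      pkix.Name{Country: []string{"UK"}, Organization: []string{"eScience"}, CommonName: "Example CA"}, // constructed
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, key: key, serial: 1}, err
}

// UserRequest: the user makes an RSA key pair and a PKCS#10 request carrying the DN; only the request goes to the RA.
func UserRequest(name pkix.Name) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: name}, key)
	return key, csr, err
}

// RAApprove: the RA operator checks proof of possession (the request is signed by the user's key), the photo-ID-verified CN, and this RA's OU/L.
func RAApprove(csrDER []byte, raOU, raL, verifiedName string) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if len(csr.Subject.OrganizationalUnit) != 1 || csr.Subject.OrganizationalUnit[0] != raOU || len(csr.Subject.Locality) != 1 ||
		csr.Subject.Locality[0] != raL || csr.Subject.CommonName != verifiedName {
		return nil, errors.New("subject must carry this RA's OU and L and the verified CN")
	}
	return csr, nil
}

// Issue signs an approved request with the proposed extensions (basicConstraints critical not-CA,
// keyUsage critical, certificatePolicies); a renewal (prev != nil) must keep exactly prev's DN.
func (ca *CA) Issue(csr *x509.CertificateRequest, prev *x509.Certificate, now time.Time) (*x509.Certificate, error) {
	if prev != nil && csr.Subject.String() != prev.Subject.String() {
		return nil, errors.New("renewal must keep the existing DN")
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		BasicConstraintsValid: true, IsCA: false, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		PolicyIdentifiers: []asn1.ObjectIdentifier{policyOID}, // newer Go versions prefer the Policies field
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RelyingPartyCheck: chain to the trusted CA, refuse a certificate that is itself a CA or cannot
// sign, and return the DN string; mapping it to a project or account is a separate local decision.
func RelyingPartyCheck(cert, root *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	if cert.IsCA || cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", errors.New("not an end-entity certificate usable for client authentication")
	}
	return cert.Subject.String(), nil
}
```

Exercise it from a test or a main in the same package: NewCA, then UserRequest with a DN whose OU and L are the RA's institution and department, RAApprove with the name the operator verified against photo ID, Issue, and RelyingPartyCheck on the relying party's side. RelyingPartyCheck deliberately returns only the DN string; whether that string gets access to a given project is the local decision that the DN slide says must not be taken on the DN alone. Passing the old certificate as prev to Issue enforces the renewal rule that the DN is unchanged while the key and serial number are new.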

Page 18: UK e-Science Certification Authority

RA Appointment 2

RA Manager is appointed by Head of Department

The Manager is responsible for the operations of the RA

Page 19: UK e-Science Certification Authority

RA Appointment 3

RA Manager appoints RA Operators.

Operators approve requests for Users

Operators must have certificates

Page 20: UK e-Science Certification Authority

RA Appointment 4

Grid Support Centre offers training courses for RA Operators

RA Operators are expected to know the system and to be able to advise Users

Next training course: 18th December 2002

Page 21: UK e-Science Certification Authority

RA Appointment 5

RA Operators then approve requests from Users

Page 22: UK e-Science Certification Authority

Contacts

• Web site: http://www.grid-support.ac.uk/ca/

• Training courses

– Alistair Mills [email protected]

• Setting up RAs

– Alistair Mills [email protected]

– Jens G Jensen [email protected]

– David Boyd [email protected]

• Anything else

– Jens G Jensen [email protected] [email protected]