An Experience in Developing Common Certificate Policy, 9 April 2008 (PowerPoint presentation)


  1. International Symposium on Grid Computing 2008 An Experience in Developing Common Certificate Policy 9 April 2008, Academia Sinica, Taipei, Taiwan Shinichi Mineo (RIKEN)

  2. Outline
     - MOTIVATION
     - FEATURES OF RFC3647
     - A CASE IN NAREGI
     - DRAFTING A COMMON CP
     - OPEN ISSUES
     - SUMMARY

  3. MOTIVATION
     - Preparation for CA operations based on RFC 3647
       - NAREGI CA plans to restart operation with a new CP/CPS
       - Deployment plan of Grid CAs by UPKI
       - Increasing complexity of trust federation
     - CP-sensitive applications
       - Possibility of flexible authorization for Grid applications

  4. UPKI as a basis of Cyber Science Infrastructure
     [Diagram: campus PKIs of A Univ. and B Univ. (campus-internal use, end entities: students, faculty, servers, supercomputers) alongside the NII Open Domain Public CA PKI (web servers, S/MIME: authentication, signing, encryption) and the NAREGI CA PKI for Grid computing (end entities and proxy certificates at A Univ. and B Univ.); "future plan" items marked separately]

  5. FEATURES OF RFC3647 (1)
     - It is easy to transform a CP/CPS based on RFC 2527 to RFC 3647
       - (7) "Comparison to RFC 2527"
       - Just add (4.9) "Other Business and Legal Matters", etc.
     - That is OK, but...
     - Another idea is to develop a new CP split from the CPS

  6. FEATURES OF RFC3647 (2)
     - "CP is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements", and "CPS is a statement of the practices which a certification authority employs in issuing certificates." (1.1)
     - "A CP generally applies to multiple CAs, and a CPS applies only to a single CA." (3.5)
     - CP and CPS "have the same structure and ordering of topics, thereby facilitating comparisons and mappings among these documents" (3.7)
     - The document framework is the same for CP and CPS, but their objectives are different.

  7. A CASE IN NAREGI (1)
     - A traditional X.509 public key CA
       - issues long-term credentials to end entities
       - conforms to the Asia Pacific Grid Minimum CA Requirements
     - An analysis of the documentation structure regarding accreditation by the ApGrid PMA

  8. An Analysis of Documentation Structure
     [Diagram of the documents listed below; arrows show relations of conformity to each other]
     [1] RFC 2527, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework"
     [2] RFC 3647, "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework"
     [3] RFC 2459, "Internet X.509 Public Key Infrastructure: Certificate and CRL Profile"
     [4] RFC 3280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"
     [5] RFC 3820, "Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile"
     [6] Global Grid Forum Certificate Policy Model
     [7] Authentication Profile for Classic X.509 Public Key Certification Authorities with secured infrastructure, Version 4.1 (4.0)
     [8] GWD-C Grid Certificate Profile
     [9] Asia Pacific Grid Minimum CA Requirements
     [10] Guidelines for auditing Grid CAs

  9. A CASE IN NAREGI (2)
     - Why split the CP from the CPS?
       - Grid CAs can concentrate on designing a CPS based on the common CP, which saves money and time.
       - The regional PMA can concentrate on analyzing the CPS to accredit Grid CAs, which greatly reduces its workload.
       - Grid CAs can carry out mutual audits based on the common policy, which makes the work simple and efficient.

  10. A CASE IN NAREGI (3)
     - A trial to design a common CP
       - A collection of common security requirements for Grid applications, excluding descriptions peculiar to individual CAs or organizations
       - The CP requires each CA to describe its individual information in its CPS; these requirements are themselves treated as part of the Certificate Policy
       - For items with no special requirements in either CP or CPS, "No requirements" is stated; such items can be described at the discretion of the CA

  11. DRAFTING A COMMON CP
     - We have analyzed all the sections of the RFC 3647 framework and classified them into groups of:
       - CP: to be described in the CP
       - CPS: to be described in the CPS, conforming to the requirements of this CP
       - None: no requirements

  12. A Table of Classification (1)

     RFC 3647 section                                        | RFC 2527     | IGTF Classic AP | CP / CPS
     --------------------------------------------------------|--------------|-----------------|---------
     1 Introduction                                          | 1            |                 |
     1.1 Overview                                            | 1.1          | 2, 4.2          | ✓ ✓
     1.2 Document Name and Identification                    | 1.2          | 4.2             | ✓ ✓
     1.3 PKI Participants                                    | 1.3          |                 |
     1.3.1 Certification authorities                         | 1.3.1        | 2               | ✓ ✓
     1.3.2 Registration authorities                          | 1.3.2        | 2               | ✓ ✓
     1.3.3 Subscribers                                       | 1.3.3        |                 | ✓
     1.3.4 Relying parties                                   | 1.3.3        |                 | ✓
     1.3.5 Other participants                                | N/A          |                 |
     1.4 Certificate usage                                   | 1.3.4        |                 |
     1.4.1 Appropriate Certificate Uses                      | 1.3.4        |                 | ✓ ✓
     1.4.2 Prohibited Certificate Uses                       | 1.3.4        |                 |
     1.5 Policy Administration                               | 1.4          |                 |
     1.5.1 Organization Administering the Document           | 1.4.1        |                 | ✓ ✓
     1.5.2 Contact Person                                    | 1.4.2        |                 | ✓ ✓
     1.5.3 Person Determining CPS Suitability for the Policy | 1.4.3        |                 | ✓ ✓
     1.5.4 CPS Approval Procedures                           | 8.3          |                 | ✓ ✓
     1.6 Definitions and Acronyms                            | N/A          |                 | ✓ ✓
     2 Publication and Repository Responsibilities           | 2.1.5, 2.2   | 6               |
     2.1 Repositories                                        | 2.6.4        | 6               | ✓ ✓
     2.2 Publication of certification information            | 2.6.1, 8.4.2 | 4.3, 4.4, 6     | ✓ ✓
     2.3 Time or frequency of publication                    | 2.6.2, 8.2   |                 | ✓
     2.4 Access controls on repositories                     | 2.6.3        |                 | ✓

  13. A Table of Classification (2)

     RFC 3647 section                                                    | RFC 2527     | IGTF Classic AP | CP / CPS
     --------------------------------------------------------------------|--------------|-----------------|---------
     3 Identification and Authentication (I&A)                           | 3            |                 |
     3.1 Naming                                                          | 3.1          |                 |
     3.1.1 Types of Names                                                | 3.1.1        |                 | ✓
     3.1.2 Need for Names to be Meaningful                               | 3.1.2        | 4.3             | ✓
     3.1.3 Anonymity or Pseudonymity of Subscribers                      | 3.1.2        |                 |
     3.1.4 Rules for Interpreting Various Name Forms                     | 3.1.3        |                 |
     3.1.5 Uniqueness of Names                                           | 3.1.4        | 3               | ✓
     3.1.6 Recognition, Authentication, and Role of Trademarks           | 3.1.5, 3.1.6 |                 |
     3.2 Initial Identity Validation                                     | 3.1          | 3.1             | ✓
     3.2.1 Method to Prove Possession of Private Key                     | 3.1.7        | 3.1             | ✓ ✓
     3.2.2 Authentication of Organization Identity                       | 3.1.8        |                 | ✓
     3.2.3 Authentication of Individual Identity                         | 3.1.9        | 3.1             | ✓ ✓
     3.2.4 Non-Verified Subscriber Information                           | N/A          |                 | ✓
     3.2.5 Validation of Authority                                       | 3.1.9        |                 | ✓
     3.2.6 Criteria for Interoperation                                   | 4.1          |                 | ✓
     3.3 I&A for Re-key Requests                                         | 3.2, 3.3     |                 |
     3.3.1 Identification and Authentication for Routine Re-key          | 3.2          | 3.2             | ✓ ✓
     3.3.2 Identification and Authentication for Re-key After Revocation | 3.3          |                 | ✓
     3.4 I&A for revocation requests                                     | 3.4          |                 | ✓ ✓

     The rest is omitted.

  14. CertificatePolicies EXTENSION in ASN.1 NOTATION

     -- X.509 certificatePolicies extension, as shown on the slide (spelling
     -- and bracket errors corrected; names follow ASN.1 case conventions)
     certificatePolicies EXTENSION ::= {
         SYNTAX        CertificatePoliciesSyntax
         IDENTIFIED BY id-ce-certificatePolicies }

     CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

     PolicyInformation ::= SEQUENCE {
         policyIdentifier CertPolicyId,
         policyQualifiers PolicyQualifierInfo }

     CertPolicyId ::= OBJECT IDENTIFIER

     PolicyQualifierInfo ::= SET {
         pointerToCPS-Qualifier pointerToCPS,
         noticeToUser-Qualifier noticeToUser OPTIONAL }

     pointerToCPS ::= {
         POLICY-QUALIFIER-ID id-qt-cps
         QUALIFIER-TYPE      CPSuri }

     id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 }

     CPSuri ::= IA5String

  15. OPEN ISSUES
     - Future capability of the common CP
       - If this CP proves operational and effective, it is worth adopting commonly in the Grid community accredited by ApGrid or IGTF.
     - CP sensitivity
       - If Grid applications can recognize Certificate Policies, a Grid CA can issue certificates under different policies, with which Grid service providers will be able to vary their authorization decisions according to their service policies.
     - Legal matters
       - Legal matters tend to differ between nations. We need consensus on general conditions for Grid certificates.

  16. An Example: CP-Sensitive AuthZ Service
     [Figure: SAML 2.0 profile of XACML v2.0]
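The two ideas the slides leave abstract are what the certificatePolicies extension (slide 14) looks like on the wire and how a "CP-sensitive" service (slides 15 and 16) could act on it. The following is an added example, not code from the presentation or from NAREGI: it hand-encodes and parses the extension with a minimal DER encoder/decoder following the RFC 3280/5280 layout (PolicyInformation = policy OID plus optional qualifiers, the CPS pointer qualifier being id-qt-cps with an IA5String URI), then makes an authorization decision from the asserted policy OIDs. The id-qt-cps and id-ce-certificatePolicies OIDs are real; the policy OIDs, the CPS URL and the service names are constructed placeholders, and the XACML/SAML exchange of slide 16 is stood in for by a plain Python function.

```python
# Added example (not from the presentation): encode, parse and act on an
# X.509 certificatePolicies extension, RFC 3280/5280 DER layout, pure Python.

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"        # real: id-qt-cps (pointer-to-CPS qualifier)
ID_CE_CERTIFICATE_POLICIES = "2.5.29.32"  # real: id-ce-certificatePolicies
# Constructed placeholder policy OIDs (no relation to any real CA's arcs):
POLICY_GRID_USER = "1.2.3.4.5.1"
POLICY_GRID_HOST = "1.2.3.4.5.2"


def _encode_length(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06), base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                   # low 7 bits, continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # higher groups carry the 0x80 bit
            arc >>= 7
        out.extend(reversed(chunk))            # most significant group first
    return _tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Content octets of an OBJECT IDENTIFIER -> dotted form."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else list(divmod(first, 40))
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the single-octet-tag TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(content: bytes):
    """Iterate over the TLVs inside a SEQUENCE/SET content."""
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body


def encode_certificate_policies(policies):
    """[(policy OID, CPS URI or None), ...] -> DER SEQUENCE OF PolicyInformation."""
    infos = []
    for oid, cps_uri in policies:
        body = encode_oid(oid)                                   # policyIdentifier
        if cps_uri is not None:                                  # policyQualifiers OPTIONAL
            qualifier = _tlv(0x30, encode_oid(ID_QT_CPS) + _tlv(0x16, cps_uri.encode("ascii")))
            body += _tlv(0x30, qualifier)                        # SEQUENCE OF PolicyQualifierInfo
        infos.append(_tlv(0x30, body))
    return _tlv(0x30, b"".join(infos))


def parse_certificate_policies(der: bytes):
    """Inverse of encode_certificate_policies: [(oid, cps_uri_or_None), ...]."""
    tag, content, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    result = []
    for tag, info in _children(content):
        items = list(_children(info))
        if tag != 0x30 or not items or items[0][0] != 0x06:
            raise ValueError("PolicyInformation must be SEQUENCE { OID, ... }")
        cps_uri = None
        if len(items) > 1:                                       # qualifiers present
            for _qtag, qbody in _children(items[1][1]):
                parts = list(_children(qbody))
                if len(parts) == 2 and decode_oid(parts[0][1]) == ID_QT_CPS and parts[1][0] == 0x16:
                    cps_uri = parts[1][1].decode("ascii")        # IA5String CPSuri
        result.append((decode_oid(items[0][1]), cps_uri))
    return result


# Constructed service policy: which certificate policies each Grid service accepts.
SERVICE_POLICY = {"job-submission": {POLICY_GRID_USER}, "host-registration": {POLICY_GRID_HOST}}


def authorize(service: str, cert_policy_der: bytes) -> bool:
    """CP-sensitive decision: permit only if the certificate asserts a policy OID
    the service accepts. anyPolicy (2.5.29.32.0) is deliberately not a match."""
    asserted = {oid for oid, _ in parse_certificate_policies(cert_policy_der)}
    return bool(asserted & SERVICE_POLICY.get(service, set()))


if __name__ == "__main__":
    ext = encode_certificate_policies([(POLICY_GRID_USER, "http://ca.example/cps")])  # constructed
    print(ext.hex())
    print(parse_certificate_policies(ext))
    print(authorize("job-submission", ext), authorize("host-registration", ext))
```

Two design points worth noting for a relying party written this way: the decision is made on the policy OID alone, with the CPS URI kept only for display or audit, since a URI is not something a policy decision should hinge on; and anyPolicy is not treated as satisfying a specific service policy, so a certificate issued under an unspecified policy gets no access rather than all of it.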
