TERENA Certificate Service (TCS) 9 June 2011 - PowerPoint PPT Presentation


  1. TERENA Certificate Service (TCS) 9 June 2011

  2. Background
     › Many NRENs had set up a CA, but certificates issued were not trusted by web browsers (the ‘pop-up’ problem).
     › Purchasing certificates directly from commercial CAs is expensive in bulk.

  3. Certificate Types
     › Five types of certificate available:
       › Server Certificate - for authenticating servers and establishing secure sessions with end clients.
       › e-Science Server Certificate - for authenticating Grid hosts and services. These are IGTF compliant.
       › Personal Certificate - for identifying individual users and securing e-mail communications.
       › e-Science Personal Certificate - for identifying individual users accessing Grid services. These are IGTF compliant.
       › Code-signing Certificates - for authenticating software distributed over the Internet.
     › Comodo is also offering free EV certificates for a limited period.

  4. Participants NREN/Country S P C NREN/Country S P C ACOnet AT    LITNET LT   - BELNET BE    UoM MT   -     CARNet HR - - SURFnet NL Cyprus CY    UNINETT NO    CESNET CZ   - PSNC PL    UNI•C DK   - FCCN PT  - - FUNET FI   - RoEduNet RO   -     RENATER FR - AMRES RS -    GRNET GR - ARNES SI - - HUNGARNET HU  - - RedIRIS ES    HEAnet IE    SUNET SE    GARR IT   - JANET(UK) UK  - - IUCC IL   - Slide 4

  5. Delegated Responsibilities & Scaling

  6. Built using contracts
     • scales well to large numbers of organisations and users
     • assurance requirements on subscribers ensure quality ID
     • bound through legal contracts

  7. TCS Portal
     › Several NRENs decided to pool resources and operate a common portal for personal certificates.
     › Hosted on resilient servers at Tilburg University under contract to TERENA.
     › Utilises Confusa software.
     › Each NREN community needs to operate at least one IdP, but multiple IdPs are supported.
     › Participants: ACOnet (AT), BELNET (BE), FUNET (FI), GARR (IT), RENATER (FR), SUNET (SE), SURFnet (NL), UNI-C (DK), UNINETT (NO)

  8. Authenticating users via Subscriber and Federation
     [Diagram labels: NREN or Federation Operator; User’s home organisation]
     National research-education federations provide the basis for authenticating users and obtaining key attributes like a persistent unique identifier and including assurance level via service entitlements.

  9. Statistics (1 Jul 2009 - 31 Dec 2010)
     › Server Certificates: since 1 Jul 2009 - 45,710 (most JANET(UK) with 9,321)
     › eScience Server Certificates: since 1 Oct 2010 - 42 (most PSNC with 16)
     › Personal Certificates: since 5 Feb 2010 - 1,169 (most 499 with CESNET)
     › eScience Personal Certificates: since 5 Feb 2010 - 547 (most 332 with UNINETT)
     › Code-Signing Certificates: since 1 June 2010 - 52 (most 13 with PSNC)

  10. TCS eScience - global recognition
      Meets the IGTF requirements for long-term integrated credential services and thereby has global recognition by all major e-Infrastructures.

  11. Reach of the TCS Personal service
      The TCS portals – trustworthy credentials in 3 clicks and 2 minutes
      [Map legend: dark-blue: eScience Personal deployed]
