Assuring e-Trust always (www.certiver.com)

Status of the Validation and Authentication service for TACAR and Grids
Summary

– OCSP Requirements for Grids
– CertiVeR's features
  – OCSP Client
  – OCSP Service
– Future
– Questions
OCSP Requirements for TACAR

– A centralized OCSP service for all the hierarchies.
– Centralized root certificate management.
– The service should be able to sign the response for each CA with an authorized certificate (Authorized Responder mode).
OCSP Validation for Grids

Grids place special requirements on OCSP services: the service must be discoverable, fault tolerant and low latency, and it must interoperate with many CAs.

GGF's CAOPS-WG has been working on the document "OCSP Requirements for Grids", which covers:
– OCSP Client Requirements,
– OCSP Responder Requirements,
– CA/Certificate Issuer Requirements and
– OCSP Service Architecture.
Client: current status
OCSP Client requirements for Grids

A. Revocation source requirements:
  1. Several sources (OCSP, CRL, AIA) and their query order.
B. Fault-tolerance requirements:
  1. Multiple service invocation.
  2. Caching of OCSP responses.
C. Security requirements:
  1. Nonce usage.
  2. OCSP request signing.
  3. Adoption of HTTP and HTTPS.
D. Error handling (e.g. "try later", respond with a final status, etc.).
E. OCSP extension handling.
F. "Unknown" status code handling for proxy and non-proxy certificates.
GridOCSP Client API: features

Open source code for Globus Toolkit 4 is about to be released. It implements an XML-based OCSP policy. The policy file used by the client allows per-issuer rules, or a default behaviour, to be defined for each feature; each VO could publish such a file at a specific URI for all its clients.

Feature                               Status
A.1 Several revocation sources        OCSP only; others 4Q 05
A.2 Adoption of HTTP and HTTPS        Yes
B.1 Multiple service invocation       Yes
B.2 Caching of OCSP responses         4Q 05
C.1 Nonce usage                       Yes
C.2 OCSP request signing              Yes
D   Error handling                    Yes
E   Extension handling                Yes
F   User proxy certificate handling   Yes
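The security requirements in the list above (nonce usage and checking who signed the answer) are easiest to understand as a concrete exchange. The following is an added example written for this page, not code from CertiVeR or the GridOCSP client. It uses the `cryptography` package and runs entirely offline: the CA, the delegated ("authorized") responder certificate and the end-entity certificate are generated in-process as constructed test material, and the responder's answer is built locally instead of being fetched over HTTP. All names (`Test Grid CA`, `grid-user`, the function names) are assumptions. Request signing (C.2) is not shown because the library's request builder does not produce signed requests.

```python
import os
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)


def _issue(cn, issuer_name, pubkey, signer_key, ca=False, ocsp_signing=False):
    """Constructed test material: a minimal certificate signed by signer_key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:  # RFC 6960 authorized-responder mode: the CA delegates OCSP signing to this key
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(signer_key, hashes.SHA256())


def make_pki():
    """CA, delegated OCSP responder and one end-entity certificate (all constructed here)."""
    ca_key, resp_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Grid CA")])
    ca_cert = _issue("Test Grid CA", ca_name, ca_key.public_key(), ca_key, ca=True)
    resp_cert = _issue("Test OCSP Responder", ca_name, resp_key.public_key(), ca_key, ocsp_signing=True)
    ee_cert = _issue("grid-user", ca_name, ee_key.public_key(), ca_key)
    return ca_cert, resp_key, resp_cert, ee_cert


def build_request(ee_cert, ca_cert):
    """Client side: CertID for ee_cert plus a fresh random nonce (requirement C.1)."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder()
           .add_certificate(ee_cert, ca_cert, hashes.SHA256())
           .add_extension(x509.OCSPNonce(nonce), critical=False)
           .build())
    return req.public_bytes(serialization.Encoding.DER), nonce


def responder_answer(req_der, ee_cert, ca_cert, resp_key, resp_cert, revoked=False):
    """Responder side: echo the request nonce, sign with the delegated responder key and
    include the responder certificate so the client can check the delegation."""
    req = ocsp.load_der_ocsp_request(req_der)
    nonce = req.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=ee_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                             cert_status=status, this_update=NOW,
                             next_update=NOW + timedelta(hours=1),
                             revocation_time=NOW - timedelta(hours=1) if revoked else None,
                             revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, resp_cert)
               .certificates([resp_cert])
               .add_extension(x509.OCSPNonce(nonce), critical=False))
    return builder.sign(resp_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def verify_response(resp_der, nonce, ee_cert, ca_cert):
    """Client-side checks before the answer is trusted. Returns "GOOD", "REVOKED" or
    "UNKNOWN"; raises ValueError (or InvalidSignature) when a check fails."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status.name}")
    # 1. The nonce must be echoed; otherwise a captured old response could be replayed.
    try:
        echoed = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        raise ValueError("responder did not echo the nonce") from None
    if echoed != nonce:
        raise ValueError("nonce mismatch: possible replay")
    # 2. The answer must be about the certificate we asked for.
    if resp.serial_number != ee_cert.serial_number:
        raise ValueError("response is for a different serial number")
    # 3. Authorized-responder mode: find the signer by ResponderID (key hash), then require
    #    that the CA we trust issued it with id-kp-OCSPSigning and that its signature verifies.
    signer = next((c for c in resp.certificates if resp.responder_key_hash ==
                   x509.SubjectKeyIdentifier.from_public_key(c.public_key()).digest), None)
    if signer is None:
        raise ValueError("no certificate matches the ResponderID")
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        eku = []
    if signer.issuer != ca_cert.subject or ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        raise ValueError("responder certificate is not a delegated responder of this CA")
    ca_cert.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                ec.ECDSA(signer.signature_hash_algorithm))
    # 4. The response itself must be signed by that responder key.
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status.name
```

In Trusted Responder mode the responder key is the CA key itself (or a key the client is configured to trust directly), so step 3 collapses to a key comparison; in Authorized Responder mode, as above, the client must walk the delegation. A production client should also check thisUpdate/nextUpdate against its cache lifetime before reusing a stored response.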
GridOCSP Client: policy definition example

  <?xml version="1.0" ?>
  <ocsppolicy>
    <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR" hash="o6MjoB5y4b2cNvILPcBxWafHs7k=">
      <revsources>
        <source order="1" type="ocsp" location="http://aai.certiver.com" trust="trusted" timeout="3600" />
        <source order="2" type="crl" location="c://config//myrevlist.crl" signingcert="c://config//ACcertiver.crt" />
      </revsources>
      <unknownstatus action="revoked" />
      <proxycert>
        <unknownstatus action="good" />
      </proxycert>
      <request>
        <signrequest value="true" />
        <usenonce value="true" />
        <protocol value="https" />
      </request>
      <response>
        <cache>
          <status value="true" />
          <size value="1000" />
          <lifetime value="36000" />
        </cache>
      </response>
      <errorhandler>
        <action order="1" type="trylater" maxretries="1" />
        <action order="2" type="setfinalresponse" value="revoked" />
      </errorhandler>
    </issuerdn>
  </ocsppolicy>
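To make the policy above concrete, here is an added example (written for this page, not the GridOCSP client's own code) that parses a constructed copy of the policy and applies it to responder outcomes: sources are queried in `order`, a "try later" answer is retried up to `maxretries`, an "unknown" status is mapped differently for proxy and non-proxy certificates, and when every source fails the `setfinalresponse` value is returned. The outcome vocabulary (`good`, `revoked`, `unknown`, `trylater`, `error`) and the reading of how `maxretries` and `unknownstatus` combine are assumptions; no network access is performed, the `scripted` helper stands in for the responders.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the page's policy, trimmed to the elements the decision logic reads.
POLICY_XML = """<?xml version="1.0" ?>
<ocsppolicy>
  <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR">
    <revsources>
      <source order="1" type="ocsp" location="http://aai.certiver.com" trust="trusted" timeout="3600" />
      <source order="2" type="crl" location="c://config//myrevlist.crl" />
    </revsources>
    <unknownstatus action="revoked" />
    <proxycert>
      <unknownstatus action="good" />
    </proxycert>
    <errorhandler>
      <action order="1" type="trylater" maxretries="1" />
      <action order="2" type="setfinalresponse" value="revoked" />
    </errorhandler>
  </issuerdn>
</ocsppolicy>"""


class IssuerPolicy:
    """Per-issuer rules extracted from one <issuerdn> element."""

    def __init__(self, elem):
        self.dn = elem.get("dn")
        self.sources = sorted(elem.findall("revsources/source"),
                              key=lambda s: int(s.get("order")))
        self.unknown = elem.find("unknownstatus").get("action")
        proxy = elem.find("proxycert/unknownstatus")
        # Proxy certificates fall back to the issuer-wide rule when no proxy rule is given.
        self.unknown_proxy = proxy.get("action") if proxy is not None else self.unknown
        actions = sorted(elem.findall("errorhandler/action"),
                         key=lambda a: int(a.get("order")))
        self.max_retries = sum(int(a.get("maxretries", 0))
                               for a in actions if a.get("type") == "trylater")
        final = [a for a in actions if a.get("type") == "setfinalresponse"]
        # Assumption: with no setfinalresponse configured, fail closed.
        self.final = final[0].get("value") if final else "revoked"


def load_policy(xml_text):
    """Map issuer DN -> IssuerPolicy for every <issuerdn> in the file."""
    root = ET.fromstring(xml_text)
    return {p.get("dn"): IssuerPolicy(p) for p in root.findall("issuerdn")}


def decide(policy, query, is_proxy=False):
    """Run the client's decision for one certificate.

    query(source_element) returns "good", "revoked", "unknown", "trylater" or "error".
    Sources are tried in policy order; "trylater" is retried up to max_retries per
    source; "unknown" is mapped by the (proxy) unknownstatus rule; if no source gives
    an answer the errorhandler's final status is returned.
    """
    for source in policy.sources:
        attempts = 0
        while True:
            outcome = query(source)
            if outcome in ("good", "revoked"):
                return outcome
            if outcome == "unknown":
                return policy.unknown_proxy if is_proxy else policy.unknown
            if outcome == "trylater" and attempts < policy.max_retries:
                attempts += 1
                continue
            break  # hard error, or retries exhausted: move to the next source
    return policy.final


def scripted(outcomes):
    """Constructed stand-in for the responders: source type -> list of successive replies
    (the last reply repeats once the list is exhausted)."""
    queue = {kind: list(replies) for kind, replies in outcomes.items()}

    def query(source):
        replies = queue[source.get("type")]
        return replies.pop(0) if len(replies) > 1 else replies[0]
    return query
```

Note what the page's policy implies once it is executed: an OCSP responder that keeps answering "try later" costs one retry (`maxretries="1"`) before the client falls through to the CRL, and if the CRL is unusable too the client fails closed with `revoked` rather than accepting the certificate.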
Server: current status
OCSP Responder requirements for Grids

A. Performance:
  1. Scalability, to cover for growth in terms of client requests and revocation sources.
  2. Use of cryptographic hardware.
B. Flexibility:
  1. Revocation source requirements.
  2. Support for different operation modes: Transponder mode, Trusted Responder mode and Authorized Responder mode.
  3. Coverage of proxy certificate revocation is a recommended feature.
C. Reliability:
  1. Fault tolerance is a recommended feature.
OCSP Service: client scalability and reliability

– Intrasite: using balanced NAT (a NAT-based load balancer in front of several responders).
– Extrasite: using balanced DNS with very low persistence (short TTLs, so that clients are redistributed quickly when a responder is taken out of rotation).
OCSP Service: revocation source scalability

[Figure: the OCSP Responder answers from a Cert Status Database; CRL Updater processes fetch the CRL and ΔCRLs published by each CA/RA (via LDAP) and write the resulting certificate status into the database.]

CertiVeR v4 can run N Updater processes in order to push ΔCRLs from the CAs.
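The updater's job in the figure is to keep the certificate-status table in step with each CA's base CRL and the ΔCRLs that follow it. The block below is an added example written for this page, not CertiVeR's code: it generates a throwaway CA key and signs a base CRL and a delta CRL in-process with the `cryptography` package (constructed test material), then shows the merge rules an updater must apply, including signature verification against the CA key, the DeltaCRLIndicator/base-number check, rejection of stale deltas, and the `removeFromCRL` reason that lifts a certificateHold. The in-memory `CertStatusDB` class and the `Test Grid CA` name are assumptions.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)
# Constructed test material: a throwaway CA key that signs the CRLs below.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Grid CA")])

# Reason codes used by the demo (RFC 5280 CRLReason values).
KEY_COMPROMISE = x509.ReasonFlags.key_compromise
HOLD = x509.ReasonFlags.certificate_hold
REMOVE = x509.ReasonFlags.remove_from_crl   # only meaningful in a delta CRL: hold lifted


def entry(serial, reason=None):
    """One revokedCertificates entry, optionally carrying a CRLReason extension."""
    b = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW - timedelta(hours=1))
    if reason is not None:
        b = b.add_extension(x509.CRLReason(reason), critical=False)
    return b.build()


def make_crl(number, entries, base_number=None):
    """Sign a base CRL, or a delta CRL (DeltaCRLIndicator = base_number) when base_number is given."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(NOW - timedelta(minutes=1)).next_update(NOW + timedelta(hours=1))
         .add_extension(x509.CRLNumber(number), critical=False))
    if base_number is not None:
        b = b.add_extension(x509.DeltaCRLIndicator(base_number), critical=True)
    for e in entries:
        b = b.add_revoked_certificate(e)
    return b.sign(CA_KEY, hashes.SHA256())


def _number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def _reason(rev):
    try:
        return rev.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return x509.ReasonFlags.unspecified


class CertStatusDB:
    """In-memory stand-in for the responder's Cert Status Database, fed by one updater."""

    def __init__(self, ca_pubkey):
        self.ca_pubkey = ca_pubkey
        self.revoked = {}        # serial -> ReasonFlags
        self.crl_number = None   # CRLNumber of the state currently held

    def _check(self, crl):
        # Never ingest revocation data that the CA did not sign.
        if not crl.is_signature_valid(self.ca_pubkey):
            raise ValueError("CRL signature does not verify against the CA key")
        if crl.issuer != CA_NAME:
            raise ValueError("CRL from an unexpected issuer")

    def load_base(self, crl):
        """Replace the whole table from a full (base) CRL."""
        self._check(crl)
        self.revoked = {r.serial_number: _reason(r) for r in crl}
        self.crl_number = _number(crl)

    def apply_delta(self, delta):
        """Merge a delta CRL. Returns False if already applied; raises if it cannot apply."""
        self._check(delta)
        base = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value.crl_number
        # RFC 5280 5.2.4: the delta may be combined with any base whose number >= BaseCRLNumber.
        if self.crl_number is None or base > self.crl_number:
            raise ValueError("delta refers to a newer base CRL than the one loaded")
        if _number(delta) <= self.crl_number:
            return False   # stale or re-delivered by the updater
        for r in delta:
            reason = _reason(r)
            if reason is REMOVE:
                self.revoked.pop(r.serial_number, None)   # certificateHold lifted
            else:
                self.revoked[r.serial_number] = reason
        self.crl_number = _number(delta)
        return True

    def status(self, serial):
        """What the OCSP responder would answer for this serial."""
        return "revoked" if serial in self.revoked else "good"
```

When a delta's base number is newer than what the database holds, the updater must fetch a fresh base CRL before applying it; silently applying such a delta would leave revocations that happened between the two bases out of the status table.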
OCSP Service: flexibility

[Figure: responder operation modes, courtesy of CAOPS-WG]
New CertiVeR service available!

A new service, CertiVeR v4, has been implemented covering the features required for Grids. The service has just passed its beta tests and is available at:
– http://globus-grid.certiver.com
– http://tacar.certiver.com

Current features of the new service:

Feature                                                  Status
A.1 Scalability                                          Limited during the pilot
A.2 Use of cryptographic hardware                        Not during the pilot
B.1 Revocation source requirements                       Yes
B.2 Operation mode (Trusted, Authorized and Transponder) All except Transponder mode during the pilot
B.3 Coverage of proxy certificates                       Yes
B.4 Extension handling                                   Yes
C.1 Fault tolerance                                      Not during the pilot
The next steps...

– Release of the client's open source code.
– Dissemination and validation of the service:
  – provision of pilots for Grid and TACAR CAs.
– Technical improvements:
  – addition of servers in order to improve scalability and fault tolerance;
  – use of cryptographic hardware;
  – setting up of Transponder connections;
  – ΔCRL push mechanism to be provided directly to each CA.
For information about revocation services, try our demo at: http://www.certiver.com