TERENA Certificate Service (TCS) 9 June 2011

Upload: madison-nichols

Post on 28-Dec-2015


TERENA Certificate Service (TCS)

9 June 2011

Slide 2

Background

› Many NRENs had set up a CA, but certificates issued were not trusted by web browsers (the ‘pop-up’ problem).

› Purchasing certificates directly from commercial CAs is expensive in bulk.

Slide 3

Certificate Types

› Five types of certificate available:

› Server Certificate - for authenticating servers and establishing secure sessions with end clients.

› e-Science Server Certificate - for authenticating Grid hosts and services. These are IGTF compliant.

› Personal Certificate - for identifying individual users and securing e-mail communications.

› e-Science Personal Certificate - for identifying individual users accessing Grid services. These are IGTF compliant.

› Code-signing Certificates - for authenticating software distributed over the Internet.

› Comodo is also offering free EV certificates for a limited period.

Slide 4

Participants

NREN/Country S P C NREN/Country S P C

ACOnet AT LITNET LT -

BELNET BE UoM MT -

CARNet HR - - SURFnet NL

Cyprus CY UNINETT NO

CESNET CZ - PSNC PL

UNI•C DK - FCCN PT - -

FUNET FI - RoEduNet RO -

RENATER FR - AMRES RS -

GRNET GR - ARNES SI - -

HUNGARNET HU - - RedIRIS ES

HEAnet IE SUNET SE

GARR IT - JANET(UK) UK - -

IUCC IL -

Delegated Responsibilities & Scaling

Built using contracts

• scales well to large numbers of organisations and users

• assurance requirements on subscribers ensure quality ID

• bound through legal contracts

Slide 7

TCS Portal

› Several NRENs decided to pool resources and operate a common portal for personal certificates.

› Hosted on resilient servers at Tilburg University under contract to TERENA.

› Utilises Confusa software.

› Each NREN community needs to operate at least one IdP, but multiple IdPs are supported.

› Participants:

› ACOnet (AT), BELNET (BE), FUNET (FI), GARR (IT), RENATER (FR), SUNET (SE), SURFnet (NL), UNI-C (DK), UNINETT (NO)

Authenticating users via Subscriber and Federation

National research-education federations provide the basis for authenticating users and obtaining key attributes like a persistent unique identifier and including assurance level via service entitlements

User’s home organisation

NREN or Federation Operator

Slide 9

Statistics (1 Jul 2009 - 31 Dec 2010)

› Server Certificates

› Since 1 Jul 2009 - 45,710 (most JANET(UK) with 9,321)

› eScience Server Certificates

› Since 1 Oct 2010 - 42 (most PSNC with 16)

› Personal Certificates

› Since 5 Feb 2010 - 1,169 (most 499 with CESNET)

› eScience Personal Certificates

› Since 5 Feb 2010 - 547 (most 332 with UNINETT)

› Code-Signing Certificates

› Since 1 June 2010 - 52 (most 13 with PSNC)

TCS eScience - global recognition

Meets the IGTF requirements for long-term integrated credential services and thereby has global recognition by all major e-Infrastructures

Reach of the TCS Personal service

The TCS portals – trustworthy credentials in 3 clicks and 2 minutes

dark-blue: eScience Personal deployed