Alternative CA software Jens G Jensen UK eScience

  • Slides: 20
Download presentation
Alternative CA software • Jens G Jensen • UK e-Science CA • Rutherford Appleton

Alternative CA software • Jens G Jensen • UK e-Science CA • Rutherford Appleton Laboratory Jens G Jensen UK e-Science

A talk in three parts • Part one being about Baltimore uni. Cert •

A talk in three parts • Part one being about Baltimore uni. Cert • Part two, being the second part, about py. CA • Part three, being the third and final part, about the Java based solution that we’re working on Jens G Jensen UK e-Science

Part one Baltimore uni. Cert Jens G Jensen UK e-Science

Part one Baltimore uni. Cert Jens G Jensen UK e-Science

Baltimore uni. Cert • Spent a day talking with Baltimore techies • We haven’t

Baltimore uni. Cert • Spent a day talking with Baltimore techies • We haven’t actually tested it yet… • …so presentation will be salvo errore et omissione… • You can get more information from the Baltimore web site (but will have to register to get it ) • And we also know people you can ask… Jens G Jensen UK e-Science

uni. Cert, technical requirements • Root CA is online – works with FIPS 140

uni. Cert, technical requirements • Root CA is online – works with FIPS 140 level 3 or 4 HSM • Must use Oracle as underlying database (comes with licence) • CA Operator (see later) must run on Microsoft Windows • All other parts of the CA run on Solaris (two boxes required) Jens G Jensen UK e-Science

uni. Cert, terminology • “CA” – refers to online signing system • “RA” –

uni. Cert, terminology • “CA” – refers to online signing system • “RA” – refers to online request management system • “RA Operator” (“RAO”) – the (human) RA • “CA Operator” (“CAO”) – the signing module • “ARM” – advanced registration module – sort of an “automated RAO” Jens G Jensen UK e-Science

Schematics CMP CA CAO SQL CMP Cert Status Service d. B RA ARM SQL

Schematics CMP CA CAO SQL CMP Cert Status Service d. B RA ARM SQL d. B RAX Web RAO Web interface User Jens G Jensen UK e-Science

uni. Cert, additional comments • Can modify contents of certificates easily • Point-and-click CA

uni. Cert, additional comments • Can modify contents of certificates easily • Point-and-click CA “policies” – also very easy to manage sub-CAs with different policies • Can have different policies for different RAs • Can do automatic renewal (on old keys) • Cannot do automatic re-key (i. e. re-key is like initial request – have to go through RAs again) Jens G Jensen UK e-Science

Baltimore Tech • I quote: “Full development roadmap and commitment” • Standard protocols used

Baltimore Tech • I quote: “Full development roadmap and commitment” • Standard protocols used whenever possible (CMP, OCSP, LDAP, SQL) – not for RAO, though • 30 day evaluation licence available • (of course this requires 30 consecutive days of my time…) Jens G Jensen UK e-Science

uni. Cert in e-Science? • We decided not to evaluate it for now… •

uni. Cert in e-Science? • We decided not to evaluate it for now… • …too much work to migrate from existing solution (uni. Cert mostly assumes you start from scratch) • …too much work to adopt “weird” UK namespace requirements (OU and L identify RA) – may be possible with ARM but will probably be a lot of work Jens G Jensen UK e-Science

Part two py. CA Jens G Jensen UK e-Science

Part two py. CA Jens G Jensen UK e-Science

Overview • • • Written in python Runs as CGI programs under Apache Front

Overview • • • Written in python Runs as CGI programs under Apache Front end to Open. SSL LDAP support http: //www. pyca. de/ Not being actively developed at the moment – the author “does not have time but will bugfix” Jens G Jensen UK e-Science

(Default) Certificate Hierarchy ROOT CA Email CA Auth CA Server CA Code Signing CA

(Default) Certificate Hierarchy ROOT CA Email CA Auth CA Server CA Code Signing CA Email certs Auth certs Server certs Code signing Jens G Jensen UK e-Science

Part three UK e-Science Java solution Jens G Jensen UK e-Science

Part three UK e-Science Java solution Jens G Jensen UK e-Science

Overview • Submits request to our current Open. CA system • Written in Java

Overview • Submits request to our current Open. CA system • Written in Java as signed applets • Crypto based on the Bouncy. Castle and jcetaglib libraries http: //www. bouncycastle. org/ http: //jcetaglib. sourceforge. net/ • Still under development Jens G Jensen UK e-Science

Obligatory Diagram Private key Request Applet Online Open. CA Web User interface Cert Applet

Obligatory Diagram Private key Request Applet Online Open. CA Web User interface Cert Applet Offline signing system cert & key User’s computer thingy CA Jens G Jensen UK e-Science

PCKS#12 • Problems using Key. Store class from applet – not from java application

PCKS#12 • Problems using Key. Store class from applet – not from java application – Applet complains of invalid signature on provider – Problem is with JCE 1. 4, works with 1. 3 • The Key. Store class is used to generate the PKCS#12 file Jens G Jensen UK e-Science

Browser support • Browsers generally come equipped with JCE 1. 1 or similar •

Browser support • Browsers generally come equipped with JCE 1. 1 or similar • Currently users must install 1. 4 Jens G Jensen UK e-Science

Portability • Not very… • Written to take some of e-Science’s peculiarities into account

Portability • Not very… • Written to take some of e-Science’s peculiarities into account – Namespace: OU and L, requirements on name forms • Written to submit requests into Open. CA • In the (near) future, can provide more generally useful CA software Jens G Jensen UK e-Science

Future developments • Need to review the code, and clean it up • Can

Future developments • Need to review the code, and clean it up • Can replace Open. CA: since applets provide the user friendly interface, no need for Open. CA – Plan to replace system with a simpler Apache/mod_ssl/Perl-CGI/Open. SSL system using a Postgre. SQL database • Produce general non-e. Science software? Jens G Jensen UK e-Science

Interaktivitet Jens F Jensen u Jensen Jens FInteraktivitet Jens F Jensen u Jensen Jens F
Interaktivitet Jens F Jensen u Jensen Jens FInteraktivitet Jens F Jensen u Jensen Jens F
AHRCEPSRCJISC ARTS AND HUMANITIES ESCIENCE INITIATIVE eScience ResearchAHRCEPSRCJISC ARTS AND HUMANITIES ESCIENCE INITIATIVE eScience Research
eScience Session 1 Collaborative Environments 3 rd eScienceeScience Session 1 Collaborative Environments 3 rd eScience
UK eScience Programme Neil Geddes PPARC Director eScienceUK eScience Programme Neil Geddes PPARC Director eScience
ESocial Science What is eScience EScience and eSocialESocial Science What is eScience EScience and eSocial
EPSRC eScience Network Digital Repositories in eScience DReEPSRC eScience Network Digital Repositories in eScience DRe
The future of eScience Talk Catherine Gater eScienceThe future of eScience Talk Catherine Gater eScience
Oxford University eScience Centre eScience the Grid andOxford University eScience Centre eScience the Grid and
Southampton Regional eScience Centre eScience is about globalSouthampton Regional eScience Centre eScience is about global
UK eScience CA and JCS Migration Status JensenUK eScience CA and JCS Migration Status Jensen
UK eScience CA update Jensen EU Grid PMAUK eScience CA update Jensen EU Grid PMA
UK eScience CA Update J Jensen STFC 31UK eScience CA Update J Jensen STFC 31
Jens Lindstroem de Kaeptn Keks www Jens LindstroemJens Lindstroem de Kaeptn Keks www Jens Lindstroem
Historiedidaktik Jens Pietras Jens Aage Poulsen red HansHistoriedidaktik Jens Pietras Jens Aage Poulsen red Hans
Jens Fischer Sabine Fischer Julia Fischer Jens VormittagJens Fischer Sabine Fischer Julia Fischer Jens Vormittag
Er landmndene IPMklar Landskonsulent Jens Erik Jensen VFLEr landmndene IPMklar Landskonsulent Jens Erik Jensen VFL
INDIVIDUAL DIFFERENCES Jensen Shoes JENSEN SHOES What perceptualINDIVIDUAL DIFFERENCES Jensen Shoes JENSEN SHOES What perceptual
JENSEN ACKLES SUMMARY OF THE MAIN Jensen RossJENSEN ACKLES SUMMARY OF THE MAIN Jensen Ross