APAN 24 Middleware Session, Xi'An, Aug. 28, 2007

Federation of Campus PKI and Grid PKI for Academic GOC Management Conformable to APGrid PMA
National Institute of Informatics, JAPAN
Toshiyuki Kataoka, Kento Aida, Shinichi Mineo

OUTLINE
1. NAREGI Certification Service
2. UPKI Common Specifications
3. UPKI Enhancement of CA System
4. Grid Operation Center Plan
5. Issues

1. NAREGI-CA Certification Service

1-1 Cyber Science Infrastructure for Advanced Science (by NII)
To innovate academia and industry. The figure on the slide shows the components of the Cyber Science Infrastructure:
- Virtual Organization for science
- Scientific Repository, and publication of scientific results from academia
- UPKI
- Human resource development and a strong organization
- Super-SINET: a next-generation network infrastructure supported by NII and the 7 national computer centers (Hokkaido University, Tohoku University, the University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University), together with NII, Tokyo Institute of Technology, Waseda University, KEK (High Energy Accelerator Research Organization) and others
- NAREGI Middleware
- Global contribution; industry liaison and social benefit

1-2 NAREGI Certification Authority
- The NAREGI (National Research Grid Initiative) project develops grid middleware.
- NAREGI CA is operated by the NAREGI project and issues certificates for development and for research using the NAREGI grid middleware.
- NAREGI CA is a member of APGrid:
  - NAREGI CA is accredited by the APGrid PMA as a Production Level CA.
  - NAREGI PMA is a member of the APGrid PMA.
- NAREGI CA issues certificates to NAREGI project members (National Institute of Informatics, Institute for Molecular Science).

1-3 NAREGI CA operation
Parties in the flow diagram: at the user site, certificate users and host administrators; at NAREGI CA, the RA administrator and the CA operator. The numbered steps on the slide:
(1) Preparation: the user site registers accounts and applies for bulk license IDs; the RA administrator registers the accounts and issues the bulk license IDs.
(2) License ID request: the RA administrator receives the request, inspects it and issues the license ID.
(3) Issuance request, (4) revocation request, (5) reissuance request: the user site submits the certificate request with its license ID; the CA operator receives the request and issues or revokes the certificate.
(6) Retrieve data for creating the map file: the CA operator prepares the data and the host administrators retrieve it to create the map file.

2. UPKI Common Specifications

2-1 UPKI Architecture
Diagram of the three PKI domains in UPKI (text recovered from the slide):
- Open Domain PKI: the NII Public CA and other public CAs issue certificates to web servers and for S/MIME (authentication, signing, encryption).
- Campus PKI: each university CA (A Univ. CA, B Univ. CA) issues end-entity certificates for on-campus use to students, faculty, servers and supercomputers, used for authentication, signing and encryption.
- NAREGI (Grid) PKI: NAREGI CA issues end-entity certificates; end-entity and proxy certificates are used for grid computing on servers and supercomputers.

2-2 UPKI Activities
The same architecture diagram, annotated with the UPKI activities in each domain:
- Open Domain PKI: server certificates and S/MIME certificates (NII Public CA, other public CAs).
- Campus PKI: UPKI Common Specification (A Univ. CA, B Univ. CA; end-entity certificates for on-campus use); eduroam.
- NAREGI (Grid) PKI: NAREGI-CA Pack and NAREGI-CA Enhancement (NAREGI CA; end-entity and proxy certificates for servers and supercomputers).

2-3 UPKI Common Specifications
The same architecture diagram, highlighting the Campus PKI domain (university CAs issuing end-entity certificates for on-campus use to students, faculty, servers and supercomputers) as the scope of the UPKI Common Specifications.

2-4 UPKI Common Specifications
- UPKI Common Specifications
  - Campus PKI procurement guidelines
  - Campus PKI CP/CPS templates
- Campus PKI model
  - To promote Campus PKI deployment
  - To reduce cost
  - To keep multi-university cooperation possible
  - Two outsource models and one insource model
- Developed and published for the outsource model
  - https://upki-portal.nii.ac.jp/upkispecific/specific (only available in Japanese!)
Roadmap 2006-2009: deployment of campus PKI at each university, then connecting universities, then federation of applications. Campus PKI specifications and CP/CPS templates are planned for the outsource model, the insource model and the multi-university cooperative model.

2-5 Operation Models of CA
The table on the slide describes each model by who operates the RA and the IA under the CP/CPS:
- Full outsource: the provider operates both the RA and the IA for the university.
- IA outsource: the university operates the RA; the provider operates the IA.
- Insource: the university operates both the RA and the IA.

3. UPKI Enhancement of CA System

3-1 Enhancement in UPKI
Enhancements for actual operation of CA/RA at universities:
1. Split and delegate the RA.
2. Provide staff and students with means to apply by themselves.
3. Issue grid certificates based on identification by campus certificate.

3-2 Enhancement in UPKI (1), (2)
1. Split and delegate the RA.
   - Created RA/LRA operator authorities, split from the RA administrator authorities.
   - Secure delegation using an IC card.
   - Delegation to the hierarchy of institutions within a university, for actual operation.
2. Provide staff and students with means to apply by themselves.
   - Easy application for registration, issuance and revocation from the web.
   - Secure application using a challenge PIN.
   - Reduced burden of RA operation.

3-3 Enhanced Procedure To Issue Certificate
Two flows are drawn on the slide.
Current procedure (license ID): the RA administrator applies to the CA administrator for license IDs; the RA administrator (or a local RA) identifies the user and hands over a license ID; the user presents the license ID to the CA, which issues the certificate.
Enhanced procedure (web application with challenge PIN): the CA administrator delegates authority to the RA administrator with an IC card, and the RA administrator delegates to RA operators through the management server (web); the user applies at the RA application server (web); the RA operator identifies the user and approves the application; the user receives a challenge PIN, presents it to the CA, and the CA issues the certificate.

3-4 Enhancement in UPKI (3)
3. Issue grid certificates based on identification by campus certificate.
   - Cooperation between the Grid CA and the Campus CA.
   - Reduced burden of RA operation.
   - Certificates for other applications can be issued the same way.

3-5 Campus-Grid PKI Federation
Diagram (text recovered from the slide): in the Campus PKI, the Campus CA issues a certificate to the user, held on an IC card and published in LDAP. In the Grid PKI, the user requests a certificate from the NAREGI RA using the IC card as the credential; NAREGI CA issues the certificate for the grid system; the user accesses the supercomputers of the grid system with it.

4. Grid Operation Center Plan

4-1 Grid Operation Center Plan
- The GOC CA issues certificates to authorized members of CSI who use the grid.
- Operation will be compliant with APGrid policies.
- Cooperation with many universities and research institutes.

4-2 Operation models of GOC
The GOC will operate three models:
(1) The LRA in the GOC operates registration: the GOC inspects user documents and performs face-to-face identification.
(2) The LRA in the university operates registration: the university inspects user documents and performs face-to-face identification.
(3) The campus certificate is used as identification to issue the grid certificate: the university inspects user documents, but face-to-face identification is skipped.

5. Issues

5-1. Issue 1 - User Identification
- APGrid PMA minimum CA requirements: "In order for an RA to validate the identity of a person, the subject must contact the RA personally and present photo-id and/or valid official documents showing that the subject is an acceptable end entity as defined in the CP/CPS document of the CA."
- Campus PKI CPS template: "The information of students or faculties will be collected on admission and stored in database in universities. Campus PKI CA will issue campus certificate by using and trusting the collected information in the database."
-> Is it proper and feasible to use the campus certificate as identification for issuing a grid certificate?
-> Add the following term to the Campus PKI CPS template? "photo-id and/or valid official documents in the case of using campus certificate as an identification for grid certificate."

5-2. Issue 2
On revocation of a campus certificate:
- For a grid certificate that was issued by identifying the applicant with that campus certificate:
  -> Keep the grid certificate valid?
  -> Revoke the grid certificate? How? Check the CRL of the campus certificate?
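The federation of 3-5 and the revocation question of Issue 2, worked through in code. This is an added example, not code from the slides or from the NAREGI/UPKI systems: a toy campus CA and grid CA built with the Python `cryptography` package; a grid RA that accepts a campus certificate as identification (GOC model (3)) only after checking its issuer, signature, validity period and campus CRL status; a binding table recording which campus certificate identified each grid certificate; and a sync step that consumes the campus CRL, revokes the bound grid certificates and publishes a grid CRL. The binding table, the CRL-driven revocation policy, and all names and keys are assumptions of this example.

```python
# Added example, not from the slides: grid RA that accepts a campus certificate as
# identification and propagates a campus revocation to the grid certificate it identified,
# by checking the campus CRL. Toy names and keys; the binding table and the CRL-driven
# revocation policy are assumptions of this example.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = dt.datetime.now(dt.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(cn, days, is_ca, issuer=None):
    """Toy certificate on a fresh EC P-256 key. issuer=(ca_key, ca_cert), or None for
    a self-signed CA. Returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer, issuer_name = (key, _name(cn)) if issuer is None else (issuer[0], issuer[1].subject)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(minutes=5))
            .not_valid_after(NOW + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA, listing the given serial numbers as revoked now."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=1)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())


def campus_cert_is_acceptable(cert, campus_ca_cert, campus_crl):
    """Checks before a campus certificate may replace face-to-face identification: issued by
    the trusted campus CA (name and signature), within validity, and absent from a campus CRL
    that is itself signed by the campus CA. An unverifiable CRL means 'not acceptable'."""
    if cert.issuer != campus_ca_cert.subject:
        return False
    try:
        campus_ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                           ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    # tz-aware *_utc properties exist only in cryptography >= 42; fall back to naive UTC
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    if not (nb <= NOW <= na) or not campus_crl.is_signature_valid(campus_ca_cert.public_key()):
        return False
    return campus_crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None


class GridRA:
    def __init__(self, grid_ca_key, grid_ca_cert, campus_ca_cert):
        self.grid_ca_key, self.grid_ca_cert, self.campus_ca_cert = grid_ca_key, grid_ca_cert, campus_ca_cert
        self.binding = {}     # grid serial -> serial of the campus cert that identified the holder
        self.revoked = set()  # grid serials revoked so far

    def issue_from_campus_cert(self, campus_cert, campus_crl):
        """GOC model (3): the campus certificate replaces the face-to-face step."""
        if not campus_cert_is_acceptable(campus_cert, self.campus_ca_cert, campus_crl):
            raise ValueError("campus certificate not acceptable as identification")
        cn = campus_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        key, cert = issue(cn + " (grid)", 30, False, (self.grid_ca_key, self.grid_ca_cert))
        self.binding[cert.serial_number] = campus_cert.serial_number  # remember what identified it
        return key, cert

    def sync_with_campus_crl(self, campus_crl):
        """Issue 2: revoke each grid cert whose identifying campus cert is on the campus CRL,
        then return a fresh grid CRL."""
        if not campus_crl.is_signature_valid(self.campus_ca_cert.public_key()):
            raise ValueError("campus CRL signature invalid")
        for grid_serial, campus_serial in self.binding.items():
            if campus_crl.get_revoked_certificate_by_serial_number(campus_serial) is not None:
                self.revoked.add(grid_serial)
        return build_crl(self.grid_ca_key, self.grid_ca_cert, sorted(self.revoked))


def demo():
    """Two users get grid certs via campus certs; one campus cert is revoked; propagate."""
    campus_key, campus_ca = issue("Toy Campus CA", 365, True)
    grid_key, grid_ca = issue("Toy Grid CA", 365, True)
    _, alice_campus = issue("alice", 365, False, (campus_key, campus_ca))
    _, bob_campus = issue("bob", 365, False, (campus_key, campus_ca))
    other_key, other_ca = issue("Untrusted CA", 365, True)      # same CN "alice", wrong issuer
    _, impostor = issue("alice", 365, False, (other_key, other_ca))
    empty_crl = build_crl(campus_key, campus_ca, [])
    ra = GridRA(grid_key, grid_ca, campus_ca)
    _, alice_grid = ra.issue_from_campus_cert(alice_campus, empty_crl)
    _, bob_grid = ra.issue_from_campus_cert(bob_campus, empty_crl)
    campus_crl = build_crl(campus_key, campus_ca, [alice_campus.serial_number])
    grid_crl = ra.sync_with_campus_crl(campus_crl)

    def on_crl(crl, c):
        return crl.get_revoked_certificate_by_serial_number(c.serial_number) is not None
    return {"impostor_rejected": not campus_cert_is_acceptable(impostor, campus_ca, empty_crl),
            "revoked_campus_rejected": not campus_cert_is_acceptable(alice_campus, campus_ca, campus_crl),
            "alice_grid_revoked": on_crl(grid_crl, alice_grid),
            "bob_grid_revoked": on_crl(grid_crl, bob_grid),
            "grid_crl_signed_by_grid_ca": grid_crl.is_signature_valid(grid_ca.public_key())}


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would take from this: the grid RA only knows which grid certificates to revoke because it recorded the campus serial at issuance time, so that binding has to be kept (and protected) as part of RA operation; and the RA must poll the campus CRL at least once per CRL period and treat a stale or unverifiable CRL as a failure rather than as "nothing revoked". Whether to revoke automatically, as here, or to keep the grid certificate valid until its own short lifetime expires, is the policy decision Issue 2 leaves open.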

5-3. Issue 3 Audit
- GOC: the APGrid PMA will do a mutual audit.
- LRA in universities: will the GOC audit them?
- CA for campus PKI in universities: is an audit needed, and by whom?