Presentaci - PowerPoint PPT Presentation

Slides: 18
Provided by: ter53
Learn more at: https://geant.org
Transcript and Presenter's Notes

1
Status of the Validation and Authentication
service for TACAR and Grids.
2
Summary
  • OCSP Requirements for Grids
  • CertiVeRs features
  • OCSP Client
  • OCSP Service
  • Future
  • Questions

3
OCSP Requirements for TACAR
  • Centralized OCSP service for all the hierarchies
  • Centralized root certificate management
  • The service should be able to sign the response
    for each CA with an authorized certificate
    (Authorized responder mode)

4
OCSP Validation for Grids
  • Grids have special requirements for OCSP services:
    discoverable, fault tolerant, low latency, CA
    interoperability, etc.
  • GGF's CAOPS-WG has been working on the document
    "OCSP Requirements for Grids".
  • That document provides information on:
    • OCSP Client Requirements,
    • OCSP Responder Requirements,
    • CA/Certificate Issuer Requirements and
    • OCSP Service Architecture.

5
Client current status
6
OCSP Client requirements for Grids
  • Revocation source requirements
    • Several sources (OCSP, CRL, AIA) and query order.
  • Fault-tolerant requirements
    • Multiple service invocation.
    • Caching of OCSP Responses.
  • Security requirements
    • Nonce usage.
    • OCSP Request signing.
    • Adoption of http and https.
  • Error handling (e.g. Try Later, Respond with
    final status, etc.)
  • OCSP Extension handling.
  • Unknown status code handling for Proxy and
    Non-Proxy Certificates.

7
GridOCSP Client API - features
  • Open source code for Globus TK 4 about to be
    released.
  • Implements an XML-based OCSP policy that supports
    the features listed below.
  • The policy file used by our client allows for the
    definition of per-Issuer rules or a default
    behavior for each feature.
  • Each VO could place such a file on a specific URI
    for all its clients.

  A.1  Several revocation sources       OCSP only; others 4Q 05
  A.2  Adoption of http and https       Yes
  B.1  Multiple service invocation      Yes
  B.2  Caching of OCSP Responses        4Q 05
  C.1  Nonce usage                      Yes
  C.2  OCSP Request signing             Yes
  D    Error handling                   Yes
  E    Extension handling               Yes
  F    User proxy certificate handling  Yes
8
GridOCSP Client policy definition, example (I)

  <?xml version="1.0" ?>
  <ocsppolicy>
    <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR"
              hash="o6MjoB5y4b2cNvILPcBxWafHs7k=">
      <revsources>
        <source order="1" type="ocsp" location="http://aai.certiver.com"
                trust="trusted" timeout="3600" />
        <source order="2" type="crl" location="c://config//myrevlist.crl"
                signingcert="c://config//ACcertiver.crt" />
      </revsources>
      <unknownstatus action="revoked" />
      <proxycert>
        <unknownstatus action="good" />
      </proxycert>

9
GridOCSP Client policy definition, example (II)

      <request>
        <signrequest value="true" />
        <usenonce value="true" />
        <protocol value="https" />
      </request>
      <response>
        <cache>
          <status value="true" />
          <size value="1000" />
          <lifetime value="36000" />
        </cache>
      </response>
      <errorhandler>
        <action order="1" type="trylater" maxretries="1" />
        <action order="2" type="setfinalresponse" value="revoked" />
      </errorhandler>
    </issuerdn>
  </ocsppolicy>
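As an added example (not code from the CertiVeR client or from these slides), a small Python evaluator that parses a policy in the format shown on the two slides above and applies the revocation-source order, the proxy-aware unknownstatus rule and the errorhandler actions. The evaluation semantics (retries only when every source errored, a definitive answer always winning, fail-closed when the handler list is exhausted) are my reading of the slides, and the issuer hash in the sample is a placeholder.

```python
import xml.etree.ElementTree as ET
# Constructed sample (element/attribute names as on the slides; the issuer
# hash is a placeholder). The CRL source is listed first to show 'order' wins.
POLICY_XML = """<ocsppolicy>
 <issuerdn name="AC CertiVeR" dn="C=ES,O=CertiVeR,CN=AC CertiVeR" hash="HASH-PLACEHOLDER">
  <revsources><source order="2" type="crl" location="c://config//myrevlist.crl"/>
              <source order="1" type="ocsp" location="http://aai.certiver.com"/></revsources>
  <unknownstatus action="revoked"/>
  <proxycert><unknownstatus action="good"/></proxycert>
  <errorhandler><action order="1" type="trylater" maxretries="1"/>
                <action order="2" type="setfinalresponse" value="revoked"/></errorhandler>
 </issuerdn></ocsppolicy>"""

def load_policy(xml_text):
    rules = {}  # issuer name -> rules, sources/actions sorted by 'order'
    for iss in ET.fromstring(xml_text).findall("issuerdn"):
        srcs = sorted(iss.findall("revsources/source"), key=lambda e: int(e.get("order")))
        acts = sorted(iss.findall("errorhandler/action"), key=lambda e: int(e.get("order")))
        rules[iss.get("name")] = {
            "sources": [s.get("type") for s in srcs],
            "actions": [dict(a.attrib) for a in acts],
            "unknown": iss.find("unknownstatus").get("action"),
            "proxy_unknown": iss.find("proxycert/unknownstatus").get("action")}
    return rules

def _sweep(rule, query):
    # One ordered pass; query(type) -> 'good' | 'revoked' | 'unknown' | 'trylater'.
    saw_unknown = False
    for src in rule["sources"]:
        status = query(src)
        if status in ("good", "revoked"):
            return "final", status  # a definitive answer wins immediately
        saw_unknown |= status == "unknown"
    return ("unknown" if saw_unknown else "error"), None

def resolve_status(rule, query, is_proxy=False):
    # Errorhandler actions apply only when every source errored (my reading).
    kind, status = _sweep(rule, query)
    acts = iter(rule["actions"])
    while kind == "error":
        act = next(acts, {"type": "setfinalresponse", "value": "revoked"})  # exhausted: fail closed
        if act["type"] == "setfinalresponse":
            return act["value"]
        for _ in range(int(act.get("maxretries", "0"))):  # 'trylater': re-query sources
            kind, status = _sweep(rule, query)
            if kind != "error":
                break
    if kind == "final":
        return status
    return rule["proxy_unknown"] if is_proxy else rule["unknown"]
```

The query callback stands in for the real OCSP/CRL lookups, so the same rules can be exercised offline against any sequence of source outcomes.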

10
Server current status
11
OCSP Responder requirements for Grids
  • Performance
  • Scalability
    • To cover for growth in terms of
      • Client requests.
      • Revocation sources.
    • Use of cryptographic hardware.
  • Flexibility
    • Revocation source requirements.
    • Support different operation modes
      • Transponder mode.
      • Trusted Responder mode.
      • Authorized Responder mode.
    • Coverage of proxy certificates revocation is a
      recommended feature.
  • Reliability
    • Fault-tolerance is a recommended feature.

12
OCSP Service: client scalability and reliability
  • Intrasite
    • Using balanced NAT
  • Extrasite
    • Using balanced DNS with very low persistence

13
OCSP Service: revocation source scalability
  • CertiVeR v4 can run N Updater processes to push
    DeltaCRLs from the CAs

[Diagram: CAs --ΔCRL--> CRL Updater --CRL--> Cert Status Database --Cert Status--> OCSP Responder]
14
OCSP Service Flexibility
  • Courtesy of CAOPS-WG

15
New CertiVeR service available!
  • A new service, CertiVeR v4, has been implemented
    covering the required features for Grids. It has
    just passed the beta tests and is available at
    • http://globus-grid.certiver.com
    • http://tacar.certiver.com
  • Current features of the new service:

  A.1  Scalability                                           Limited during pilot
  A.2  Use of cryptographic hardware                         Not during pilot
  B.1  Revocation source requirements                        Yes
  B.2  Operation mode (Trusted, Authorized and Transponder)  All except Transponder mode during pilot
  B.3  Coverage of proxy certificates                        Yes
  B.4  Extension handling                                    Yes
  C.1  Fault-tolerance                                       Not during pilot
16
The next steps...
  • Release of client open source code
  • Dissemination and validation of the service
  • Provision of pilots for Grid and TACAR CAs
  • Technical improvements
    • Addition of servers in order to improve
      scalability and fault-tolerance
    • Use of cryptographic hardware
    • Setting up of Transponder connections
    • DeltaCRL push mechanism to be directly provided
      to each CA

17
For information about revocation services, try
our demo at http://www.certiver.com