ARCS SLCS CA - PowerPoint PPT Presentation

About This Presentation
Title:

ARCS SLCS CA

Description:

Allow users to access HPC/Data/other via existing PKI infrastructure. ... Two VMs. Switch SLCS server with Shibboleth SP. Online CA (ejbca) Sam Morrison. Sam Morrison ... – PowerPoint PPT presentation

Slides: 15
Provided by: samm154

Transcript and Presenter's Notes

Title: ARCS SLCS CA


1
ARCS SLCS CA
  • Sam Morrison
  • Australian Research Collaboration Service (ARCS)
    (formerly APAC)

2
What is SLCS?
  • Short Lived Credential Service
  • Lifetime < 1 million sec
  • Online CA
  • Authenticate using Identity Management system

3
Why SLCS?
  • Allow users to access HPC/Data/other via existing
    PKI infrastructure.
  • Users need to know nothing about certificates, CRLs,
    private keys etc.

4
Identity Management
  • Shibboleth
  • Australian Access Federation (AAF)
  • Will include all universities in Australia (and
    NZ)
  • IdP: Identity Provider
  • SP: Service Provider

5
ARCS SLCS system
  • Semi Production
  • Two VMs
  • SWITCH SLCS server with Shibboleth SP
  • Online CA (EJBCA)

6
(No Transcript)
7
DN Uniqueness
  • Generate DN from values sent from the IdP
  • /DC=au/DC=org/DC=arcs/DC=slcs/O=<Organisation>
  • /CN=<commonName> <auEduPersonSharedToken>
  • auEduPersonSharedToken is unique and persistent
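The DN scheme on slide 7, sketched as an added example that is not part of the original presentation or the ARCS/SLCS code. It builds the subject DN from IdP-supplied values and rejects values that would alter the DN's structure. The dictionary keys, the sample values and the 27-character token format are assumptions.

```python
import re

DN_PREFIX = "/DC=au/DC=org/DC=arcs/DC=slcs"  # fixed part of the DN from slide 7

# Assumption: the shared token is 27 characters of unpadded URL-safe base64.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{27}")
# Characters that act as separators in DN syntax, plus control characters.
# An IdP-supplied value containing one of these could inject extra RDNs.
UNSAFE_RE = re.compile(r'[/=+,;<>"\\\x00-\x1f\x7f]')

# Constructed sample attributes; the key names are hypothetical.
SAMPLE_ATTRS = {
    "organisation": "Example University",
    "commonName": "Alice Example",
    "auEduPersonSharedToken": "ZsiAvfxa0BXULgcz7QXknbGtfxk",
}


def clean_value(name, value):
    """Validate and normalise one IdP-supplied value, or raise ValueError."""
    if value is None:
        raise ValueError(f"missing attribute: {name}")
    if UNSAFE_RE.search(value):
        raise ValueError(f"unsafe character in attribute: {name}")
    value = " ".join(value.split())  # trim and collapse runs of spaces
    if not value:
        raise ValueError(f"empty attribute: {name}")
    return value


def build_dn(attrs):
    """Return /DC=au/DC=org/DC=arcs/DC=slcs/O=<org>/CN=<cn> <token>."""
    org = clean_value("organisation", attrs.get("organisation"))
    cn = clean_value("commonName", attrs.get("commonName"))
    token = attrs.get("auEduPersonSharedToken") or ""
    # The token is what makes the DN unique, so never issue without a valid one.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed or missing auEduPersonSharedToken")
    return f"{DN_PREFIX}/O={org}/CN={cn} {token}"


if __name__ == "__main__":
    print(build_dn(SAMPLE_ATTRS))
```

Two users with the same organisation and common name still receive distinct DNs, because the token differs.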

8
Future
  • Write CP/CPS
  • Purchase dedicated server and HSM for online CA
  • Get Accredited

9
Proposed Network Structure
10
Policy
  • Each IdP has agreement with the SLCS server (as
    well as federation agreement)
  • Need to make sure IdPs are well managed. Ensured
    by AAF policy.
  • CP/CPS under development

11
Level of Assurance (LoA)
  • All identities have a LoA
  • Some services don't require high LoA
  • Have 2 Online CAs
  • One for high LoA IGTF (planned)
  • One for other services non IGTF

12
Delegating credential retrieval
  • Allow another SP to get a SLCS cert on behalf of
    a user
  • Key/cert stored on web server not on client
  • Security Concerns?

13
(No Transcript)
14
Questions?