CERN Certificates platform - PowerPoint PPT Presentation
CERN Certificates platform http://ca.cern.ch Ruben Gaspar On behalf Emmanuel Ormancey / Anatoly Gladkov IT/IS HEPIX Fall 2005 Agenda Cern Certification Authority ... – PowerPoint PPT presentation
1
  • CERN Certificates platform
  • http://ca.cern.ch
  • Ruben Gaspar
  • On behalf
  • Emmanuel Ormancey / Anatoly Gladkov
  • IT/IS
  • HEPIX Fall 2005

2
Agenda
  • CERN Certification Authority overview
  • Architecture
  • User, Host, Enrollment certificates
  • Certificate usage
  • Web sites
  • SmartCards
  • Project status

3
CERN Certification Authority: Architecture
  • Offline Root CA
    • Runs on Virtual PC.
    • Root CA server image kept on removable disks.
    • Root will be trusted by default inside CERN.
  • Online Issuing CA
    • User requests for software certificates (client
      certificates)
    • Enrollment station for SmartCard certificates
      (only an authorized user on an authorized desktop
      can issue certificates on smartcards), i.e. Card
      Service.
    • User requests for Host certificates.
    • Allows users to map existing certificates (e.g.
      Grid, CACert, Thawte) to their account.

4
CERN Certification Authority: Certificate Request
Internet Explorer and Mozilla browsers can handle
the certificate request automatically.
A manual procedure with OpenSSL is also provided.
  • Software (client) certificates are requested by
    users.

5
CERN Certification Authority: Enrollment Station
  • Smartcard certificates can be issued only by
    users with a valid enrollment agent certificate
    installed on a dedicated machine.

6
CERN Certification Authority: Host Certificates
and Certificate Mapping
  • Users can request Host certificates for CERN
    hosts they manage, and for any non-CERN host (not
    already certified).
  • Users can map an existing certificate to their
    account for authentication (e.g. Grid
    certificates).
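The two-tier layout of slide 3 (an offline root that only signs the issuing CA, an online issuing CA that signs user and host certificates) and the manual OpenSSL request path of slides 4 and 6 can be walked through end to end with plain OpenSSL. The script below is an added example, not CERN's tooling or configuration: every name, path and lifetime in it is made up for the demo, it assumes an `openssl` binary (1.1.1 or newer) on the PATH, and it writes its own minimal `req` config so it does not depend on the system `openssl.cnf`. Two points it is built to show: the private key is generated by the requester and only the CSR travels to the CA, and the CA decides every extension from its own file rather than copying whatever the CSR asked for.

```shell
#!/bin/sh
# Added example (not CERN's code): a two-tier CA in the shape of the slides,
# built in a throw-away directory with openssl req / x509 / verify.
#   offline root CA  -> signs only the issuing CA
#   online issuing CA -> signs user (client) and host certificates
# All subjects, file names and lifetimes are constructed for the demo.
set -eu

# Minimal request config: a [req] section pointing at an (empty) DN section,
# so that -subj supplies the whole subject and no system openssl.cnf is needed.
write_req_conf() { # write_req_conf <file>
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# Requester side: new RSA key + CSR. Only the .csr is handed to the CA; the
# .key stays with the requester (unencrypted here only for the demo).
make_csr() { # make_csr <name> <subject> <dir>
    openssl req -new -newkey rsa:2048 -nodes -config "$3/req.cnf" \
        -subj "$2" -keyout "$3/$1.key" -out "$3/$1.csr" 2>/dev/null
}

build_ca_demo() { # build_ca_demo <workdir>
    d=$1
    write_req_conf "$d/req.cnf"

    # 1. Offline root CA: self-signed, CA:TRUE, certificate/CRL signing only.
    make_csr root "/O=Demo/CN=Demo Root CA" "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/root.ext"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/root.ext" -out "$d/root.crt" 2>/dev/null

    # 2. Online issuing CA, signed by the root. pathlen:0 means it may sign
    #    end-entity certificates but never another CA.
    make_csr issuing "/O=Demo/CN=Demo Issuing CA" "$d"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/issuing.ext"
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1825 -extfile "$d/issuing.ext" -out "$d/issuing.crt" 2>/dev/null

    # 3. User (client) certificate: web SSO (clientAuth) and signed/encrypted
    #    mail (emailProtection). Extensions come from the CA's file, not the CSR.
    make_csr user "/O=Demo/CN=Jane Doe/emailAddress=jane.doe@example.invalid" "$d"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth,emailProtection\nsubjectAltName=email:jane.doe@example.invalid\n' > "$d/user.ext"
    openssl x509 -req -in "$d/user.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 365 -extfile "$d/user.ext" -out "$d/user.crt" 2>/dev/null

    # 4. Host certificate: serverAuth only, DNS name set by the CA after it has
    #    checked that the requester manages that host.
    make_csr host "/O=Demo/CN=www.example.invalid" "$d"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.invalid\n' > "$d/host.ext"
    openssl x509 -req -in "$d/host.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 365 -extfile "$d/host.ext" -out "$d/host.crt" 2>/dev/null
}

# Relying-party check: trust only the root, pass the issuing CA as an untrusted
# intermediate, and insist on the purpose the certificate is being used for.
verify_leaf() { # verify_leaf <workdir> <leaf-name> <sslclient|sslserver>
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/issuing.crt" \
           -purpose "$3" "$1/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Builds the hierarchy, checks both leaves, and checks that a host
# certificate is rejected when presented as a client certificate.
ca_demo() {
    w=$(mktemp -d)
    build_ca_demo "$w"
    u=$(verify_leaf "$w" user sslclient)
    h=$(verify_leaf "$w" host sslserver)
    x=$(verify_leaf "$w" host sslclient)
    rm -rf "$w"
    echo "user=$u host=$h host_as_client=$x"
}

ca_demo   # prints: user=OK host=OK host_as_client=FAIL
```

The `-purpose` check is the part most often skipped in home-grown verifiers: without it a certificate issued for a web server would be accepted as proof of a person's identity, which is exactly the mix-up an issuing CA with separate user and host profiles is meant to prevent.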

7
Certificate usage
  • Short term
    • Authenticate to IS websites (Win, Web, Mail,
      Terminal Services, etc.)
    • Provide a common authentication interface for all
      CERN services, a sort of Single Sign On
    • Sign and encrypt mails
  • Medium to long term
    • Provide Windows and Linux desktop authentication
      using SmartCard certificates.
    • Embed a SmartCard chip in the CERN Access card.

8
Websites authentication
  • Certificate can be installed in any browser, on
    any platform.
  • Certificate is mapped to user account
    • Several certificates can be mapped.
  • Authentication done automatically
    • Popup for selection if several certificates are
      installed: multiple identities supported.
  • If no client certificate
    • Move to forms authentication
    • Useful if using a public computer, but can be a
      security issue.
  • Policy to be defined: force client certificate?
    • Users must always use their own computers:
      increased security but accessibility issue.
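What the web site does once the TLS handshake has either produced a verified client certificate or none at all (nothing installed, or the popup cancelled, as in the flow on slide 9) is a small policy decision that is easy to get wrong. The script below is an added example and not CERN's code; it assumes two things the slides do not state: that certificates are mapped to accounts by their SHA-256 fingerprint, and that the TLS layer has already checked the chain against the trusted CAs. Fingerprints, account names and the policy names are constructed for the demo, and the fingerprints are shortened.

```shell
#!/bin/sh
# Added example (not CERN's code): certificate-to-account mapping plus the
# "force client certificate" vs "fall back to forms" policy of slide 8.
# Assumes the TLS layer already verified the chain; fingerprints and
# accounts below are constructed (and shortened) for the demo.

# Mapping table, one line per mapped certificate: fingerprint|account|origin.
# Two different certificates (CERN-issued and Grid) map to the same account,
# which is what "several certificates can be mapped" means in practice.
CERT_MAP='
sha256:0a1b2c3d4e5f6071|jdoe|CERN CA client certificate
sha256:9f8e7d6c5b4a3928|jdoe|Grid certificate mapped by the user
sha256:1122334455667788|asmith|CERN CA client certificate
'

# How a real front end would derive the lookup key from the PEM the TLS
# layer hands over: lower-case hex, no colons. (Needs openssl; not exercised
# by the demo run below.)
fingerprint_of() { # fingerprint_of <cert.pem>
    printf 'sha256:%s\n' "$(openssl x509 -noout -fingerprint -sha256 -in "$1" \
        | cut -d= -f2 | tr -d : | tr 'A-F' 'a-f')"
}

# Account for a fingerprint on stdout; exit status 1 if nothing is mapped.
lookup_account() { # lookup_account <fingerprint>
    printf '%s\n' "$CERT_MAP" | awk -F'|' -v want="$1" \
        '$1 == want { print $2; found = 1; exit } END { exit !found }'
}

# web_auth <policy> <fingerprint-or-empty>
#   forms-fallback : no usable certificate -> send the user to forms login
#   require-cert   : no usable certificate -> refuse (own-computer policy)
web_auth() {
    policy=$1
    fp=$2
    case $policy in
        forms-fallback|require-cert) ;;
        *) echo "error: unknown policy '$policy'"; return 2 ;;
    esac

    if [ -n "$fp" ] && acct=$(lookup_account "$fp"); then
        # Mapped certificate: authenticated, no password involved.
        echo "session:$acct"
        return 0
    fi

    # Either no certificate, or a validly signed one that nobody has mapped.
    # Never derive an account from the subject name here: forms login is where
    # the user proves who they are, and from there they can map the certificate.
    if [ -z "$fp" ]; then
        reason="client certificate required"
    else
        reason="certificate $fp is not mapped to any account"
    fi
    case $policy in
        forms-fallback) echo "forms-login" ;;
        require-cert)   echo "deny: $reason" ;;
    esac
}

# Stand-alone demo run.
web_auth forms-fallback sha256:0a1b2c3d4e5f6071   # session:jdoe
web_auth forms-fallback sha256:9f8e7d6c5b4a3928   # session:jdoe (second cert, same person)
web_auth forms-fallback ""                         # forms-login
web_auth require-cert ""                           # deny: client certificate required
web_auth require-cert sha256:ffffffffffffffff     # deny: certificate sha256:ffffffffffffffff is not mapped to any account
```

Keying the table by fingerprint means a renewed or re-issued certificate has to be mapped again, which is the safe default: a mapping by subject DN alone would silently accept any CA in the trust store that issues the same name. Which of the two policies applies is exactly the trade-off the slide leaves open; with `forms-fallback` the password path stays reachable from any browser, so the forms login has to be protected as if certificates did not exist.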

9
IT/IS Websites authentication: Overview
(Flow diagram; only the step labels survive.)
  • Opening a website
  • If several client certificates matching server
    requirements are found, browser asks to choose.
  • Certificate authentication complete.
  • Cancelled or no certificate installed

10
Email signing and encrypting
  • In Outlook 2003

11
SmartCards for Desktop authentication
  • Medium to long term achievement
  • Integrate a SmartCard chip in the CERN Access card
  • Use the SmartCard to authenticate Windows or Linux
    desktop sessions.
  • Use software (client) certificates for alternate
    account authentication (in browser).
  • No more passwords typed in
    • Passwords can be set to a random string not known
      even by the user, and can be reset automatically
      very often.
  • Policy to be defined: keep alternate password
    authentication?

12
SmartCards for cross-platform authentication
  • Use the same SmartCard for
    • Windows desktop (and laptop)
      • Browser authentication
    • Linux desktop
      • Browser authentication
    • Mac OS X desktop
      • Browser authentication
    • Remote Windows
      • Windows Terminal Services
    • Remote Linux
      • PuTTY (to be defined, possible with OpenSC)
      • OpenSSH (to be defined, possible with OpenSC)
      • Exceed (to be confirmed)

13
Project status
  • CERN Certification Authority
    • CERN CA is up and running.
    • All described functionalities are available.
    • Grid specifications taken into account (EUGridPMA
      specification).
  • Software (client) certificates
    • Available for SSO on IT/IS websites, planned to
      be extended to all web sites.
    • CERN certificate issuing available to all CERN
      users.
    • Alternate certificate mapping available,
      including Grid certificates.
  • SmartCards
    • Test cards have been issued; testing on Windows
      and Linux in progress.
    • Hardware vendors being evaluated with TS dept. to
      provide the next generation of CERN Access cards
      (Smartcard, Mifare contactless card, magnetic
      stripe, printed photo).
    • Estimated cost: 5 per card, 15 to 25 per card
      reader (USB or PCMCIA).

14
  • Questions?
  • http://ca.cern.ch