ARCS SLCS CA



Sam Morrison
Australian Research Collaboration Service (ARCS)
(formerly APAC)




                     Sam Morrison
What is SLCS?
•   Short Lived Credential Service

•   Lifetime < 1 million sec

•   Online CA

•   Authenticate using Identity Management
    system


Why SLCS?
•   Allow users to access HPC/Data/other
    via existing PKI infrastructure.

•   Users need to know nothing about
    certificates, CRLs, private keys, etc.




Identity Management
•   Shibboleth

•   Australian Access Federation (AAF)

•   Will include all universities in Australia
    (and NZ)

•   IdP = Identity Provider

•   SP = Service Provider
ARCS SLCS system
•   Semi Production

•   Two VMs

•   SWITCH SLCS server with Shibboleth SP

•   Online CA (EJBCA)



DN Uniqueness
• Generate DN from values sent from the IdP
• /DC=au/DC=org/DC=arcs/DC=slcs/O=<Organisation>
• /CN=<commonName> <auEduPersonSharedToken>


• auEduPersonSharedToken is unique and persistent
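The two slides above state the DN template and the lifetime bound without showing how an SLCS server would apply them. The following is an added example, not code from the ARCS deck or the SWITCH SLCS software: it builds the subject DN from attributes released by the IdP, refuses a request whose attributes are missing, and caps the credential lifetime at the 1,000,000 second limit. The attribute key names "o" and "cn", the token character set, the escaping rule and the sample values are all assumptions.

```python
"""Added example (not part of the ARCS SLCS deck): derive the SLCS subject DN
from IdP-released attributes and bound the credential lifetime.
The attribute key names "o"/"cn", the shared-token alphabet and the sample
values below are assumptions made for this illustration."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# "Lifetime < 1 million sec" on the What-is-SLCS slide; treated here as an
# inclusive hard cap on the validity period (assumption).
MAX_LIFETIME_SECONDS = 1_000_000

# Fixed prefix from the DN Uniqueness slide.
DN_BASE = "/DC=au/DC=org/DC=arcs/DC=slcs"

# auEduPersonSharedToken is an opaque persistent identifier; the permitted
# alphabet is an assumption, chosen so the token can never inject a '/' RDN separator.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def _escape(value: str) -> str:
    """Escape characters that would break an OpenSSL one-line DN ('/' separates RDNs)."""
    return value.replace("\\", "\\\\").replace("/", "\\/")


def slcs_subject_dn(attrs: dict) -> str:
    """Build /DC=au/DC=org/DC=arcs/DC=slcs/O=<org>/CN=<commonName> <sharedToken>.

    `attrs` is assumed to be a dict already mapped from the SAML assertion:
    "o" (organisation), "cn" (commonName) and "auEduPersonSharedToken".
    A missing or empty attribute is a hard failure: without the shared token
    the DN would no longer be unique or persistent.
    """
    try:
        org = attrs["o"].strip()
        cn = attrs["cn"].strip()
        token = attrs["auEduPersonSharedToken"].strip()
    except KeyError as missing:
        raise ValueError(f"IdP did not release required attribute {missing}")
    if not (org and cn and token):
        raise ValueError("o, cn and auEduPersonSharedToken must all be non-empty")
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("auEduPersonSharedToken contains unexpected characters")
    # The token, not the human-readable name, is what makes the DN unique:
    # two users with the same commonName at the same organisation still differ.
    return f"{DN_BASE}/O={_escape(org)}/CN={_escape(cn)} {token}"


def lifetime_seconds(requested_seconds: int) -> int:
    """Clamp a requested lifetime to the SLCS maximum; reject non-positive requests."""
    if requested_seconds <= 0:
        raise ValueError("requested lifetime must be positive")
    return min(requested_seconds, MAX_LIFETIME_SECONDS)


def validity_window(requested_seconds: int, now: Optional[datetime] = None):
    """Return (notBefore, notAfter) for the certificate, never exceeding the cap."""
    now = now or datetime.now(timezone.utc)
    return now, now + timedelta(seconds=lifetime_seconds(requested_seconds))


def check_dn_uniqueness(attr_sets) -> list:
    """Map each attribute set to its DN and refuse any collision.

    Returns the DNs in input order; raises ValueError if two requests would
    receive the same subject, which the CA must never issue.
    """
    seen = set()
    dns = []
    for attrs in attr_sets:
        dn = slcs_subject_dn(attrs)
        if dn in seen:
            raise ValueError(f"DN collision: {dn!r}")
        seen.add(dn)
        dns.append(dn)
    return dns


if __name__ == "__main__":
    # Constructed sample attribute sets: same name and organisation, different tokens.
    users = [
        {"o": "Example University", "cn": "Jane Smith", "auEduPersonSharedToken": "abc123XYZ_-"},
        {"o": "Example University", "cn": "Jane Smith", "auEduPersonSharedToken": "zzz999"},
    ]
    for dn in check_dn_uniqueness(users):
        print(dn)
    nb, na = validity_window(5_000_000, now=datetime(2011, 9, 8, tzinfo=timezone.utc))
    print("validity:", nb.isoformat(), "->", na.isoformat())
```

The collision check is the part worth carrying into a real deployment: if an IdP ever releases an empty or reused auEduPersonSharedToken, the server should fail the request rather than fall back to the commonName alone.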



Future
•   Write CP/CPS

•   Purchase dedicated server and HSM for
    online CA

•   Get Accredited




Proposed Network Structure




Policy
•   Each IdP has agreement with the SLCS
    server (as well as federation agreement)

•   Need to make sure IdPs are well
    managed. Ensured by AAF policy.

•   CP/CPS under development



Level of Assurance (LoA)
•   All identities have a LoA

•   Some services don't require high LoA

•   Have 2 Online CAs

•   One for high LoA – IGTF (planned)

•   One for other services – non-IGTF

Delegating credential retrieval
•   Allow another SP to get a SLCS cert on
    behalf of a user

•   Key/cert stored on web server not on
    client

•   Security Concerns?



Questions?



