A server certificate service

Transcription

1 A server certificate service Towards large-scale use of affordable popup-free server certificates for the European Research & Educational community Amsterdam, 16 Februari 2005 Jan Meijer

2 A What? A service (NOT a PKI, NOT a CA) to provide popup free x.509 server certificates for a flat rate for the NREN (and the site?) to the servers' admins with as little hassle as possible 2

3 European NREN PKI history There for ~6 years Uptake not that large (unfortunately) Usually PCA with CAs at each site 3

4 Current real certificate usage On a larger scale: Grids (closed community) Webservers (popup-free and popup) 4

5 Current certificate usage On a (much) smaller scale VPNs s/mime Middleware AAI services 5

6 Anticipated increase in use AAI middleware services A-select, Feida, Papi, Shib, radius Eduroam Webservers Webbased/accessed e-learning apps Webmail Webservices 6

7 Why server certificates? To enable ubiquitous encrypted SSL/TLS channels towards the end user without harassing that that end user with the nitty gritty details: PKI as an enabler for these ubiquitous encrypted channels Because these are what sites are willing to implement, at this point in time Solve half the problem space today and create goodwill for solving the other tomorrow 7

8 Vision thing To make it normal to use a server certificate, as normal and easy as it is to setup a webserver Read: to make it lame to not use encrypted channels where you should To make it normal to use this security tool it needs to be easy and readily available 8

9 Problem one: The dreaded popup 9

10 Problem2: cost Large scale use of server certificates quickly runs into large sums Cheapest server-cert currently EUR 40 without special certificate attributes 10

11 Possible ways to get where we want Ubiquitous popup-free encrypted (and/or authenticated) channels against reasonable cost NREN PKI (popup problem bad, cost good) Own CA (popup problem bad, cost good) Commercial CA provider (popup problem good, cost bad) 11

12 NREN PKI Cost good (is it?) Popup problem bad Fix by getting root certificate in root repositories Requires webtrust audit Expensive for an individual NREN PKI (~ first time, annual ~ for the audits, plus all the costs to do things exactly according to guidelines) --> CA hierarchy adds to cost! Is running our own CA that interesting? Own CA for smaller communities: same problem 12

13 Solution: Commercial CA provider Outsourcing the 'get in root repository problem' Outsourcing the 'stay webtrust audited problem' Outsourcing the keeping the CA private key private problem Outsourcing running the CA Cost! 13

14 Enter the server certificate service Consortium of consolidators (NRENs) Don't do your own CA, focus on the RA and make it easy on your community Buy the server certificate service from a commercial provider ('corporate SSL') The consolidator 'issues certificates' The NREN takes care of its local RA subdelegation Combine buying power to get a good rate: as flat-rate a fee as we can get One technological platform branded multiple times (SURFnet cert service, Switch cert service) 14

15 Server certificate service How to get flexibility in certificate profiles LCS, VPN, 802.1x Build the flexibility in the contract but let it evolve in practice First use the already available commercial services and infra, improve in partnership Maybe...we'll get a good deal :) 15

16 Technical Architecture 16

17 Financial model Fixed annual fee per participating NREN One-time fee for joining the service is acceptable setting up things, training people etc. Start with equal shares, differentiate when the need arises, or not -> How NREN recovers cost is up to the NREN We would probably make it a one-time joining fee for admin overhead and no per certificate fee 17

18 Organization of consortium Under the TERENA umbrella In the consortium for 20K each: ACOnet CARnet CRU CESnet DFN RedIRIS SURFnet Switch 18

19 Timelines Februari/March: finalize consortium Februari/March: start procurement process June/July: award contract August: start service So where are we now? 19