From tim at ripe.net Wed Dec 2 18:26:54 2009
From: tim at ripe.net (Tim Bruijnzeels)
Date: Wed, 2 Dec 2009 18:26:54 +0100
Subject: [ca-tf] Next phase in testing certtest.ripe.net
Message-ID: <06A1001C-3ED7-48E8-8B71-3C8D3AFA5318@ripe.net>

Dear ca-tf members,

please see the message below that we just sent to the certtest at ripe.net mailing list. I am sending it here because I know not everyone in the ca-tf is on that list. In any case I don't want to repeat the email here; you can read it below.

The short version is:

- certtest.ripe.net now works with HSMs
- certtest.ripe.net now lives on new hardware

What I *would* like to do especially is invite everyone on this list to have a look at this as well. To do so you will need to do the following:

- log in to LIR Portal as admin
- enable the certification role for your account
- log in as yourself and, if you haven't got one, generate a client certificate for yourself under the X.509 PKI menu item
- now you should be able to access certtest through the link in the LIR Portal

We are still working on the CPS detailing all the gory details of key management and processes we have been working on (chapter 6). We will be contacting you about this as soon as we have something for you. Currently my colleagues and I are working on this, as developers. But we want to do an internal review with our CTO and security officer before wasting your time on stuff that they can easily pick out. Because of the oncoming holidays this will most likely be early January.

As far as tester involvement is concerned: we plan to launch a new effort to get testers on board after the Christmas holidays. If you are not on the certtest mailing list, but want to be, please let me know and I will make sure you are added. Having said that, the platform to reach testers may change next year. It is likely that we will want to use a forum on RIPE Labs for this and possibly promote the test application on the LIR Portal welcome screen.

Please let us know if you have any questions and/or comments.

Kind regards,

Tim Bruijnzeels

==========

Dear colleagues,

The certification portal at https://certtest.ripe.net/ has been upgraded today. This release includes two major security improvements:

1- The RIPE NCC (test) trust anchor is now handled by a completely separate (offline) system

We have updated the validation tool to support the new type of trust anchor. The readme file in the download link on the welcome page has more details on how to use the validator for these trust anchors.

2- All persistent keys are now handled by Hardware Security Modules (HSMs)

Because of this fundamental change in key pair management it was not possible to migrate your current test CAs. So please log in again to re-activate your CAs.

The reason for this is that previously software-generated keys were used and stored in a database. This was never intended as the final solution, but it enabled us to already develop the user interface and functional components of the system -- such as periodic publication, and member-managed CAs with ROAs. The new system uses HSMs that protect the private keys (one can use them through the HSM device, but never get the private key out). As such the current system introduces major security improvements. Functionality-wise you will not see much of a difference as a test user of the system though.

Apart from the security improvements, we have also deployed the certtest application to new hardware. This allows us to test the infrastructure we plan to use for the real production release that is planned in 2010.

We invite you once again to log in and give your feedback. Feel free to discuss any issues on this list as well.

We plan to launch a new effort to get more people to look at the test deployment starting in January 2010. This way we hope to get more people involved and more discussion going in time for the next major development stint, which is planned from Q2 2010 onwards.

Regards,

The RIPE NCC certification team.

Known issues:

- An ugly error message shows when you try to access certification but do not have a LIR Portal X.509 PKI client certificate. Go to the LIR Portal and generate your PKI certificate to solve this.
- Single sign-on is not yet fully integrated with the LIR Portal.
- Data entered during the beta test will not be migrated to the full production release.