Building an Economical Academic Infrastructure
Detailed Specification of the Next Certificate Issuing Service and its Pricing System
by Akinori Mizumoto, Academic Infrastructure Division, NII
Mr Mizumoto outlined the existing certificate issuing service provided through the Gakujutsu (academic) Scheme, the needs of academic communities, and the merits of NII providing a certificate issuing service. He then summarised the architecture of the next generation service.
The Gakujutsu Scheme is a system that allows NII and universities to carry out the assessment required for issuing certificates, which is otherwise done by a commercial Certificate Authority (CA). Through this scheme, NII has increased credibility, improved efficiency, and reduced costs for participating institutions. So far, 323 institutions have joined the scheme and about 19,000 UPKI Open Domain certificates have been issued (as of the end of 2013). NII has been issuing Organisation Validation (OV) certificates to university domains free of charge. Each certificate is valid for 25 months. The cost reduction achieved through the Gakujutsu Scheme amounts to 180 million yen per year compared with issuing certificates individually.
As the scheme came close to the end of its project period, NII received many inquiries and requests from users asking for the service to continue. The advantages of NII continuing the service can be argued as follows. For universities, the scheme has already become an integral part of their infrastructure. It not only carries the burden of security and credibility, but also provides the same convenience as having an internal CA. The feedback showed that universities want NII to continue the certificate issuing service even if charges are attached. For NII, it is important to act as a trust anchor for universities’ services by providing a certificate issuing service. Also, the scheme cannot be replaced by a commercial service.
There are also expectations that the services will expand. For Server Certificates, for example, institutions requested Extended Validation (EV), which carries a higher level of credibility than the existing OV. There are also requests for Client Certificates, which are currently purchased or issued by individual universities. Another request was for Code Signing Certificates, which universities could use to publish and distribute their software so that users can run it without having to ignore a security warning. Overseas organisations such as the US InCommon Certificate Service and the European TERENA Certificate Service operate schemes similar to the Gakujutsu Scheme and issue OV, EV, Client and Code Signing certificates for a charge.
The basic pricing policy for the new services was introduced. It will be a fixed price per year (depending on the scale of the institution), with OV, Client, and Code Signing certificates issued without limit. More specifically, OV certificates will be charged per domain. EV certificates will be charged separately per issue, but at a price cheaper than commercial providers. Client and Code Signing certificates will be issued free of charge for the time being. The pricing may be reviewed in a few years’ time.
Though NII will issue Client Certificates, it will be up to each university to build a system that makes use of them. Mizumoto showed a few examples of how the certificates could be used. For example, they could be stored in applications (e.g. on mobile devices) or IC cards (e.g. Type B), or used together with systems such as FCF (FeliCa). Browsers compatible with the Server Certificates include Microsoft Internet Explorer 8 or above, Firefox 24.0 or above and Google Chrome 34.0.1847.116 or above, as well as mobile phones sold in Japan after January 2009 that support the Root CA certificate’s RSA 2048-bit key length. Compatible web servers are Apache (mod_ssl) 1.3 and 2.0, Apache-SSL (1.3.33+1.55), Microsoft IIS 6.0 to 8.5, IBM HTTP Server 6.0.2 and Tomcat 5 to 7. Environments compatible with the Client Certificates include Microsoft Internet Explorer 8 or above, Firefox 24.0 or above and Google Chrome 34.0.1847.116 or above. NII will adopt SHA-2 in line with Microsoft Security Advisory 2880823.
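As an added example (not NII’s code and not part of the original report), the following standard-library Python script inspects a DER-encoded certificate for the three properties this section and the earlier description of the service rely on: a SHA-2 signature (the move away from SHA-1 that Microsoft Security Advisory 2880823 concerns), an RSA key of at least 2048 bits (the root key length the listed clients must support), and a lifetime of at most 25 months (the validity period stated for the OV certificates). It does not verify signatures. The two sample certificates are constructed in-line with a synthetic modulus and a placeholder signature so the script runs offline; the function names and the common name www.example.ac.jp are assumptions.

```python
# Added example, not NII's code: stdlib-only X.509 DER inspector that checks a
# certificate for a SHA-2 signature, an RSA key of >= 2048 bits and a lifetime
# of <= 25 months. Samples are constructed below (synthetic modulus, placeholder
# signature); every name here is an assumption.
from datetime import datetime

SHA2_RSA = {"1.2.840.113549.1.1.11": "sha256WithRSA", "1.2.840.113549.1.1.12": "sha384WithRSA",
            "1.2.840.113549.1.1.13": "sha512WithRSA"}
LEGACY_RSA = {"1.2.840.113549.1.1.5": "sha1WithRSA", "1.2.840.113549.1.1.4": "md5WithRSA"}
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
MIN_RSA_BITS, MAX_MONTHS = 2048, 25

# --- minimal DER encoder, only what the constructed samples need ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")     # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def der_int(i):                       # extra byte keeps the sign bit clear
    return tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:              # base-128 with continuation bits
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return tlv(0x06, bytes(out))
def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_cert(key_bits, sig_oid, not_before, not_after):
    # Constructed certificate: synthetic odd modulus of exactly key_bits bits, unsigned.
    modulus = (1 << (key_bits - 1)) | 1
    alg = tlv(0x30, der_oid(sig_oid) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"www.example.ac.jp"))))
    validity = tlv(0x30, der_utctime(not_before) + der_utctime(not_after))
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, der_oid(RSA_ENCRYPTION) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(9)))   # placeholder signature BIT STRING

# --- minimal DER decoder ---
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out
def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))
def decode_time(tag, b):              # 0x17 UTCTime (YY), 0x18 GeneralizedTime (YYYY)
    return datetime.strptime(b.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def inspect_cert(der):
    # Returns signature OID, RSA modulus size and validity window of a DER certificate.
    (_, tbs), (_, sig_alg), _ = children(read_tlv(der)[1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    validity, spki = fields[3][1], fields[5][1]
    not_before, not_after = children(validity)
    (_, key_alg), (_, key_bit_str) = children(spki)
    key_bits = None
    if decode_oid(children(key_alg)[0][1]) == RSA_ENCRYPTION:
        rsa_seq = children(key_bit_str[1:])[0][1]        # skip the unused-bits byte
        key_bits = int.from_bytes(children(rsa_seq)[0][1], "big").bit_length()
    return {"signature_oid": decode_oid(children(sig_alg)[0][1]), "key_bits": key_bits,
            "not_before": decode_time(*not_before), "not_after": decode_time(*not_after)}

def months_between(a, b):
    months = (b.year - a.year) * 12 + (b.month - a.month)
    if (b.day, b.hour, b.minute, b.second) > (a.day, a.hour, a.minute, a.second):
        months += 1                   # a started month counts as a whole one
    return months

def check_cert(der):
    # Lists the ways a certificate falls short of the SHA-2 / RSA-2048 / 25-month profile.
    info, findings = inspect_cert(der), []
    oid = info["signature_oid"]
    if oid in LEGACY_RSA:
        findings.append(f"signature algorithm {LEGACY_RSA[oid]} is not SHA-2")
    elif oid not in SHA2_RSA:
        findings.append(f"unrecognised signature algorithm OID {oid}")
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {info['key_bits']} bits, below {MIN_RSA_BITS}")
    months = months_between(info["not_before"], info["not_after"])
    if months > MAX_MONTHS:
        findings.append(f"lifetime of {months} months exceeds {MAX_MONTHS}")
    return findings

# Constructed samples: one matching the profile, one failing all three checks.
SAMPLE_OK = build_sample_cert(2048, "1.2.840.113549.1.1.11", datetime(2015, 1, 1), datetime(2017, 2, 1))
SAMPLE_BAD = build_sample_cert(1024, "1.2.840.113549.1.1.5", datetime(2015, 1, 1), datetime(2018, 1, 1))

if __name__ == "__main__":
    for label, cert in (("compliant", SAMPLE_OK), ("non-compliant", SAMPLE_BAD)):
        print(label, check_cert(cert) or ["no findings"])
```

To run the check against a real server certificate, pass its DER bytes (for instance the output of `openssl x509 -outform DER`) to `check_cert`; the parser reads only the fields it needs and leaves extensions untouched, so certificates with SANs or other extensions are handled the same way.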
The schedule for the new services is as follows. The current system will stop issuing Server Certificates at the end of December 2014, after which operation shifts to the new system. The new system will start issuing Server Certificates in January 2015. Client Certificates and Code Signing Certificates are planned to be issued from April 2015. Further details are to be confirmed.
A Plan for Collectively Procuring Access Lines for SINET5
by Tadato Yamamoto, Academic Infrastructure Division, NII
SINET requires high speed access lines to connect its nodes and participating institutions. Procuring access lines collectively reduces the cost through economies of scale. Mr Yamamoto explained how access lines were collectively procured for the existing SINET4, how NII plans to do so for SINET5, and what each institution has to prepare and adjust in order to join the collective procurement scheme for SINET5.
For SINET4, NII invited institutions that required high speed private lines of 1Gbps or more to join the collective procurement scheme. The target lines were either 1Gbps or 10Gbps, and the package included monitoring and maintenance (24-hour, 365-day monitoring as well as support for problems). Two rounds of collective procurement resulted in a total of 30 participating institutions and 37 lines. Cost savings were also achieved: for example, 1Gbps private lines were obtained for the price of 100Mbps lines, and the very fast 10Gbps lines were built without much additional cost. It should be noted, however, that the price may be higher over longer distances, as signal amplification is necessary.
SINET5 will include the access lines for the former node institutions as well. One institution may also apply for several lines (e.g. to connect multiple campuses). The contract period will run until the end of SINET5 (the end of 2021). If an institution is to join the collective procurement, it needs to decide the location, the line speed (currently planned to be 1Gbps, 10Gbps, 40Gbps or 100Gbps), and whether it requires a later increase in speed (i.e. an additional interface).
The access line for SINET5 will be a set of fibres and WDMs with interface modules, and will include administration for monitoring and maintenance. The differences from SINET4 will be as follows: there may be more than one call for joining the scheme (there were two for SINET4); the contract period will be 6 years; the line speeds will include 40Gbps and 100Gbps in addition to 1Gbps and 10Gbps; and there may be a line-removal cost after the contract ends (although this is not likely to be included in the initial cost).
The schedule is as follows: institutions need to decide whether they want to join by the end of March 2014; the call for contractors to bid will be issued in April 2014; construction work will be completed during 2015; and the service will be available from April 2017, coinciding with the launch of SINET5.
Yamamoto outlined further details, including points that still need to be discussed and finalised, as follows. 1) The nodes (i.e. institutions directly connected to SINET5) will become data centres (DC) and will be located in every prefecture (the specific locations are to be decided and published in the New Year). 2) Lines connecting campuses of one institution may be allowed into the collective procurement scheme (technical and administrative aspects are to be considered and a final decision made in the near future). 3) Multiple institutions may be allowed to join as a group with one institution acting as a hub (there is no technical issue, but administrative matters such as contract terms must be discussed with line providers). 4) The line will be provided by the line provider that wins the bid (it is not provided by NII). 5) Institutions must choose which type of WDM they require at the point of application (WDM is transmission equipment that carries multiple wavelengths on a single optical fibre; however, some models do not transmit multiple wavelengths). 6) The specification will be standardised in order to achieve economies of scale; however, certain specifications can be added if they will benefit other participating institutions.
To conclude, Yamamoto outlined what each institution has to do to prepare and adjust for joining the collective procurement scheme. First, institutions should consider their network usage over an 8-year time scale, as SINET5 launches in 2 years’ time and lasts for 6 years. They need to estimate how their traffic will change during the life span of SINET5 and apply for line speed accordingly. The SINET Usage Promotion Office can provide information on the current usage of participating institutions (Contact: email@example.com). Transmission over access lines connected to SINET is expected to increase with the spread of cloud computing, so each institution should estimate the access line bandwidth suited to its planned future environment. The collective procurement scheme also includes the interface, so institutions should adjust their network equipment accordingly. If they are considering renewing network equipment, they are advised to choose equipment compatible with the SINET5 access line.
Copyright© National Institute of Informatics