Minutes for 2004-04-01
Approved minutes from Dublin
Agreed agenda at http://www.eugridpma.org/agenda/fullAgenda.php?ida=a041

Present
Christos Kanellopoulos, Jules Wolfrat, Jens Jensen, Brian Coghlan, Darcy Quesnel, David O'Callaghan, Sophie Nicoud, Ursula Epting, Ingrid Schaeffner, Roberto Cecchini, Jozsef Kadlecsik, Dave Kelsey, Diego Lopez, Milan Sova, Licia Florio, Tony Genovese, Mike Helm, Nikos (missed surname), Fotis Karayannis, Ian Neilson, Rafael Marco, Lauri Anton, Andi Hektor

Charter
  Abstract conflicts with scope. Reduce to succinct description.
  Charter indicates we're being chartered. This is a constitution. But is it getting too late to change?
  Disagreement with American English definition.
  "for example" suggests the grid PKI aspects are trivial. Change to "as its main activity".
  Where is Authority defined? Not yet.
  Locality: communities that have relations with European communities. Specify e-science or Grid communities.
  Hard to define external relations. Want to show relationships with external partners.
  Scope of min reqs: min reqs may govern any aspect of certificate issuance and reliance procedure.
  Contact through the chair -> move to section on functions of the chair.
  Objective to foster inter-organisational trust, taken from old abstract.
  Excluded activities: non-repudiation / digital signing --- does this exclude use of certs for S/MIME for inter-CA comms?
  Insert legal disclaimer: we are not responsible for liability... taken from CP/CPS. Not responsible for activities of member CAs.

Membership

Authority Members
  What about not-yet-members? Attending meetings is not limited to members.
  Ex-officio refers to representative from relying party.
  Americas PMA has members that are not CAs, but experts. Chair should be allowed to invite anyone.
  In voting section, all members are allowed to vote. Change so that membership consists of all representatives, but voting limited to one per org.
  Authority: "preferred that these communities SHOULD map one-to-one to nation states ... or treaty organisation". Goal is to stop proliferation of CAs. "Wherever possible these Authorities should map one-to-one to nation states". What about "Nordic CA", "Benelux CA", also "Catalan CA"? Geographic regions smaller or larger than a state. State the aims and decide case-by-case.
  Mike H: hopeless to argue against proliferation. We will have to revisit this. This comes from the state of the middleware.

Relying Party Members
  How does PMA nominate relying parties? RPs should nominate reps.
  RP members should not exceed total number of AAs: this is to limit voting. Limit it in the voting? How many RPs will we see? RPs haven't asked to join Americas PMA.
  Ian: Why should they have a vote? If they don't like it they should set up another group!
  Tony: when group gets too big have an executive committee that does the voting.
  RPs are the reason we exist. Leave out limit, and decide later.
  Christos: what is an RP? If we do not state it in advance we must justify approvals.
  Fotis: NREN PC member from every NREN.
  Rejected proposal to have exec committee.

Chair
  Who does the chair send his resignation to if he is the point of contact?! Chair is the external point of contact: he can inform the PMA.

Responsibilities (now Responsibilities and Activities)
  Merge with Activities. Create separate Liability section.

Guideline Documents
  Jens: If we are accrediting non-PKI CAs there must be a min reqs document for that.
  Christos: are we going to publish the minutes? Agenda, minutes, etc. will be documents of the group.

Accreditation functions
  As defined in accreditation docs.

Repository
  Keep all versions of charter.
  Tony: add mail archive. But might want official list and discussion list.
  Introduced "common trust domain" without definition?
  Repository will be public. Might want mailing list private.

Audit
  Authorities must be auditable. Limited release of audit info.

Root cert validation
  Should we have an explicit reference to TACAR?
  Tony: Is validation a responsibility of the PMA? Yes.
  Diego: OK not to mention TACAR explicitly in charter. Publish list of trusted sources on EU Grid PMA site.
  Milan: can we provide a single authoritative root of trust to all relying parties?
  David G: if sources are out of sync which one is authoritative?
  Ian: But sources are always out of date. CA is the authoritative source.

Accreditation
  Put in a separate accreditation document.

Bylaws

Meetings
  At least twice a year?

Voting
  Calls for a vote should be proposed and seconded.
  Should only be able to vote on items on the voting agenda?
  Each member organisation will have one vote.
  Mike: Vote over email: should f2f votes be extended over email?
  Ian: normally things don't become law until minutes are accepted at the next meeting, so objection could happen at any time between meetings.
  Minutes should be queried within 10 days. Doesn't make sense to wait several months to take actions. One month.
  Should quorum be for all members? No. If 100 RPs can decide that CAs should do X, should that be binding?
  Tony: I'm representing my RPs.
  David G: large projects like LCG, EGEE, SEEGRID, DEISA have no single CA to represent them.
  Nikos: the filter is the vote for new RPs to join.
  Darcy: review Robert's Rules of Order http://www.constitution.org/rror/rror--00.htm
  Meeting needs to have a quorum so that consensus is clear. Minutes must record members.

New CAs

Pakistan
  Grid PK becomes a member with provisional status? Means they must show up at the next meeting otherwise they get removed.
  PROVISIONALLY APPROVED until the next meeting.

Estonia
  Root key is valid for 10 years --- reduce to 5.
  Sub CA: required for political reasons.
  David G: no advantage with Globus: have to distribute all sub CA certs. Difficult to remove it from CP/CPS.
  David G: make it clear that sub CAs are not allowed in min reqs.
  Milan: sub CAs can set up easily: copy root CA docs.
  Christos: docs are the easy part.
  Milan: SubCAs must run according to root CA's practices so they won't be masters: they have to follow rules.
  Force all SubCAs to present separately as new CAs.
  ID cards provided by government. Supports PKCS#11. Should exceed min reqs. Still need CA for server certs.
  NOT APPROVED pending changes to policy.

Hungary
  CP/CPS to mailing list next week.
  Key length 4096 bits might be too long for some software.
  Subject Alternative Name:
  Milan: alternate FQDN of the host. Following suggestions of OpenCA manual.
  Put LDAP URLs in user alt name, because existing LDAP tree is different.
  Milan: the cert is public but contains link to private data. Privacy issue which should be avoided!
  Milan: CA officers have control over this part of the LDAP tree. Others manipulate another part of the tree. Some parts are public, others are not. No direct connection between parts.
  Another Hungarian CA has been proposed but has not started working. If they do they will not include private information.
  Proving possession of private key: using PIN to download certificate. PIN is valuable as it can be used to revoke the certificate. Not directly: user will be asked. Can the RA test that the requestor has the PIN? If not there is a man-in-the-middle attack.
  Renewal of host certs should not be allowed with unexpired cert as private key is unencrypted.
  NOT APPROVED pending changes to policy.

TACAR
  Presentation from Diego Lopez.
  Contacted by EuroPKI and certeval (?) with interest in using their evaluation software.
  PGP provides out-of-band web of trust. You could set up X.509 web of trust, but it would be more difficult.
  Nikos: it should be clearly stated that there is a difference between a trusted root and a trusted source. Need to be emphatic.
  PKCS#7 bundle can give the impression that they are all trusted. Mozilla asks for the first cert and approves the rest.
  New users to the grid, outside the usual physics field, may be using other AAIs and TACAR could provide a federated approach. Act as a trust clearing-house.
  Personal trust of person introducing new CA required. How do you verify, for example, credentials in a language you don't understand and from an institute that is not easily verifiable?
  Funding: may be possible to get some money from EGEE through RedIRIS. Not a long term solution. TERENA has no money! But will manage the repository. Changes, improvements (e.g. SSH info) may require funds.
  Brian: any way to separate EU Grid PMA certs from others?
  Diego: separate list or a qualifier.
  Sophie: will TACAR distribute CRLs?
  David G: no, this is not a replacement for CA RPMs.
  Ursula: what is the reason for registering?
  Diego: central point.
  David G: in future may need to access resources outside Grid community. NREN certs, etc.
  Sophie: we have the full list at Marianne. Marianne has tools for the Grid authn.
  Diego: someone comes along with a cert on a card, how do you verify their CA CP/CPS? Have to search for it, and evaluate it. You can trust TACAR so that you get their CP/CPS. In a more open environment in the future, it will be necessary to add new CAs.
  Ursula: but then we have to do more work: send to EU Grid PMA, send to TERENA.
  Sophie: against French law to have CP/CPS outside France.
  Diego: no, central copy, but not the master copy. Download from, say, CNRS, and check the URL and fingerprint matches the document.
  Licia: currently policies online, instead we will have links to CP/CPS.
  Diego: when we talk about users we mean sysadmins.
  Tony: our CP/CPS is signed with my cert.
  Milan: so you have to trust your root cert to trust your CP/CPS!
  Nikos: TACAR plays the role of an RA. Acts as an extra layer of assurance for CA certs and policies. This is a useful service.

----- 2004-04-02

Accreditation Procedures
  Based on existing practices.
  Do all new accreditations require a vote? No, can be approved by consensus or by vote.
  Previously documents were changed, and announced to the list afterwards. Now we are demanding that changes are made in advance. Only major changes.
  Tony: we add appendices that don't change policy.
  Milan: some changes may need to be applied as soon as possible. Need to define time limits.
  Christos: CP/CPS should contain only basic information.

Appointment of Chair
  David Groep nominated and unanimously agreed.

Round Table Status Update of Current CAs

GridCanada CP/CPS
  Darcy: No substantive changes. No changes to policy. OID not changed.
  Ursula & Milan: minor number should be changed as technically it's a different document with different fingerprint.
  Mike: we change too frequently to keep up.
  Dave K: at least we can know we haven't kept up.

INFN CA CP/CPS
  Change to allow service certs.

NERSC Trust Domain --- Grid Security Profiles
  Presentation by Tony Genovese & Mike Helm.
  Profiles for different approaches (PKI, Site Integrated Proxy Service, Cred Stores).
  SIPS: KCA, *CA, perhaps radius-to-proxy service.
  Credential stores: too much mobility for traditional approach. Unhappiness about private keys stored on local fs. Not appropriate for digital signature applications.
  Christos: credential store or credential factory?
  Tony: In general, factory.
  Mike: treat these as a class, then we can make more progress.
  Christos: in EDG we already store private keys on public services in UIs.
  David G: every site will be an authority.
  Dave K: users of, say, FermiLab are from the universities.
  Tony: large labs in EU may see the success of the US.
  Dave K: want to avoid a split between traditional and other approaches.
  Christos: in SIPS you want to move PKI deeper into the infrastructure. Hide the details and the fact of using PKI.
  Mike: some sites have delegated registration. Auditability is important.
  NERSC: use SecureID --- very secure compared to our existing systems. NERSC CA hosted at ESnet in same environment as DoEGrids CA. Only MyProxy server (not the service) can contact the NERSC CA. Want to "suspend" certificates instantly when there is an incident using OCSP.
  Jules: weakest link is the NIM login server.
  Dave K: we're creating a trust domain, so we need to go back to the authentication/registration.
  Mike: KDC policy document, etc.
  Ian: need to present to RP how authn is done. For the KCA authn is delegated to projects. Human Resources do the authn. Non-trivial to present to a PMA.
  There isn't a DEISA connection to US labs. Each DEISA site has its own accounting software.
  Dave K: Supercomputer centers are fine. Worry about some physics department. So system would have to be authn for entire site. Set physical and access security bar really high!
  Interest in disclosure about access/accounting system. In which documents? Might be outside the scope of the CP/CPS.
  Ian: diagram missing user registration step.

Minimum Requirements
  Replace CA Hierarchies with Distributed RAs, or at least require separate acceptance of subordinate CAs. As far as we are concerned they are new CAs.
  Mike: on one hand there are economic reasons for avoiding sub CAs but in cases when they are convenient the software restricts us.
  David G: this is in our min req to make things work with the software we have. RAs are under the control of the CA. CA distributes CRL, certs.
  David G: One CA per region is a min req, and distributed RAs are a best practice.
  Mike H: Could we act as a bridge?
  David G: other advantage is that we don't need path discovery.
  Mike H: Globus will fix things eventually, maybe XKMS. We're trying to deal with a practical problem, so we don't want to deal with lots of Sub CAs. But in the future it may be possible.
  Ian: should say country or international treaty organisation to agree with charter.
  Nikos: this is not a "minimum" requirement. It is a specific restriction. What about size (est 5--20 million)? Remove numbers.
  Is there language on this in the charter? It is vague and we want to be more stringent.
  Diego: in Spain we may want multiple CAs. Have something about "wherever this does not conflict with political necessity". Who will resolve issues within a country?
  Dave K: might have the problem of the first CA from a country being approved and the next one rejected. Often the first may not be the most suitable for the whole CA.
  Christos: we have relied on this restriction, e.g. with Belgium. It may be difficult to reject sub CAs in the future if we are not so strict.
  Ian: what about catch-all CA?
  Tony: in the future we can't keep growing and we will want them to use existing CAs.

Validate identity of EE
  Jules: in the DEISA case there can be ways other than photo ID. Min Req says "Photo ID or Official Document".
  Jules: if the local CA does not accept this, there may be problems.

CA Computer
  What is a secure environment and highly protected/monitored network?
  Aside:
  Dave K: in the past we have left documents vague so that we can evaluate things on a case-by-case basis.
  Ian: we have a feeling for controversial issues and can harden these.
  Dave K: and we modify the min reqs as we evaluate new CAs.
  Christos: CP/CPS have examples of secure environments.
  Dave K: you have to convince the PMA.
  Tony: Our CP/CPS doesn't contain the security architecture. Is it necessary to add it?
  Christos: PMA decides on sec. arch. based on some document.
  Tony: We should document our architecture, although not necessarily in detail. Don't want to make it all public.
  Nikos: most commercial CAs produce security report, disaster recovery plan, etc. These are confidential and can be reviewed by the PMA.
  Tony: we could require a security document for accreditation.
  Nikos has a table of contents for such a document.

Policy Identification
  Ian: "announced for approval" allows certs to be signed before approval. Policy can be identified by date.

CA Certificate
  5 years max lifetime is too short for root CA. Or say "lifetime of CA cert for CAs issuing EE certs".
  Brian: then we need to specify min lifetime for root CAs as well.
  Milan: why do we want a max lifetime? Originally it was because we didn't think the infrastructure would last.
  Tony: ours says 10 but by policy we will change in 5.
  Darcy: CAs should have to go through rekeying for the experience.
  Nikos: security assessment could take place first?
  Dave K: since 2048 seems like the "best" key length maybe we should tell applying CAs somehow.
  Mike: lot of overhead in rekeying and ensuring that the right things are distributed.
  Brian: could Mike write a best practices document?

CRLs
  Want to overlap CRLs to allow for outages.

Records
  How to do logging for CA on ROM? On paper?

CA Key Changeover
  The CA private key must be changed allowing an overlap of the maximum length of an EE cert. Old CA key must be available for signing CRLs.
  Ian: has anyone succeeded in doing a new cert release XXXXXX.1? (No)

Name Uniqueness
  Name must be unique for an end entity. Subject can be reused for same EE after cert expiration or revocation.

Communications with CA
  Diego: when talking about SSL, specify mutual authn.

EE Key
  Cannot ensure passphrase length. Educate users.
  Jens: if we have proof that passphrase is too short we can remove accreditation from the CA. We can write: "The CPS must specify that the pass phrase is at least 12 characters long." Then if the CPS doesn't meet the min reqs it can be rejected.
  Brian: this means that CA cannot be held liable once the user has been educated.
  EE cert single network entity: to limit exposure of host certs.
  Policy ID: OID, date or other appropriate means. Could hash CP/CPS but reasonable to limit it to OID and date.
  Smart cards: cannot enforce passphrase. Specify "if private key is extractable from its medium, lifetime must not be longer than 1 year"? Update min reqs when we approve first smart card.
  Tony: should be produced as an info document for GGF.
  Dave K: what about applying these to existing CAs? Especially the requirement for having a CP/CPS.
  David G: requirement for audit now helps us focus on complying with min reqs.

GGF Info
  OCSP document in progress.
  Virtual Organisation Ops WG to set up. Looking for a European co-chair. Have a preliminary charter.

Signed CA Applets --- Darcy Quesnel
  Jens: difficult part is installing Java security policy file.
  www.grid.nrc-cnrc.gc.ca
  The name BouncyCastle throws people off!
  Ian: how does the user verify the signature on the applet? Dialogue box from Java security. Well-known developer or deployer can sign the applet with X.509 cert.
  Are there users? Small community internal to NRC.

eIRG --- Brian Coghlan
  Coordinated presentations at high level. Want endorsement of high-level statement.
  Suggested statement: is this too vague, or not vague enough? There is strong support within eIRG (from EGEE, DEISA, the NRENs). General consensus that such a statement should be brought forward.
  Licia: what's the difference whether or not they endorse it? It would be a little embarrassing if we were not, but we will continue anyway.
  Diego: plan for federated academic AA system similar to Shibboleth. Will use PKI for interactions between sites. Will still find something like Grid PMA and TACAR useful.
  Remember EU Grid PMA is just for Grid authn.
  Dave K: present this as something we're doing anyway, but an opportunity for EU to do something bigger later.

EU Grid PMA --- Dissemination
  Authorities: www.eugridpma.org/members. Define list of authorities. Propose reps for LCG, DEISA, EGEE, SEEGRID.
  Name: accepted.
  Logo: Diego has a friend who will design it.
  TACAR: add as "community" member.
  Mail archive available to subscribers. Set up a closed list for PMA members. (Done)
  Set up a document repository? Use EDMS for versioning? Don't want the CERN branding. Provide versioning on the web page.
  Phone conferences for users/RPs? Just for big partners.
  Journal of Grid Computing EDG paper (I will insert some notes later).
  Catch-all CA: to be presented at the next meeting.

Next Meeting
  Possibly September. Append meeting to GGF in Brussels? Ask Belnet to host. Or could attach it to EGEE, but we will get caught with special EU presidency price hikes in the Netherlands!
  Should we have a longer meeting? If it's tacked onto GGF it will be too long for those people attending both.