Notes on EUGridPMA meeting - Poznan - Sep 2005
----------------------------------------------

Day 1 - Wed 28 Sep

Roundtable Updates
------------------
Poland - nothing new. Will have new CPS at next meeting
Hungary - started in April 05. Issued ~50 certs
Greece - creating a new CA - CP/CPS expected in December
Estonia - nothing new. Issued 120 certs, 70 active
CERN - no major changes. Changes to bootdisk approach
RedIRIS - Spain - PKI is now starting (3 months) - will present this afternoon.
GridKa - 1400 certs issued. More tomorrow.
INFN - report tomorrow
Pakistan - report tomorrow
Turkey - new CA - will present later.
Armenia
NorduGrid - not much new. 1st certificate to Iceland now issued. Moving to OpenCA
France - will close DataGrid CA at end of the year
Cyprus - new representative
LIP - nothing new
Budapest - nothing new since Tallinn - soon will move to Hungary and KFKI will be an RA
CESNET - successful migration to new software. Many unexpected issues with users - they still try the old way
UK - issued 4800 certs in 3 years. Under pressure to improve usability. Planning for key roll-over during August (running OpenCA with lots of mods - working with Grid Ireland to separate out the country changes) (Anders reports that there will be an OpenCA workshop)
Ireland - moving to OpenCA. Clones of machines are using the same credentials as the real machine - OK?
DutchGrid - started process to outsource to SURFnet operations with the same RA structure
US DOE - ~7000 certs issued. Two new CAs - NERSC and Fusion Grid - will go to TAGPMA (active cred stores). Been funded to do a pilot active cred store using smart cards for access. Been looking at token use. May use tokens for RAs during 2006 (based on CESNET experience). DOE still moving to smartcards - major impact on ESnet and major labs during 2006
Austria - reformatted web portal. Next step - move to HSM. Will look at tokens and smartcards.

EIROforum - David Groep
-----------------------
He attended a meeting recently.
Group of large EU labs. They asked about setting up new CAs. He convinced them to become RAs of existing national CAs.
So CAs should expect contact from ESA, EMBL etc.
Jules reports that ECMWF runs a CA and will come here (short-term credentials issued to holders of smartcards)

Reports by mail
---------------
SWITCH. Issue of reordering DN still open. Will be done in the next 6 to 8 weeks

Review of last meeting actions
------------------------------
Need to check that all PMAs have set up the "concerns" mailbox
ACTION: Dave K to verify whether LCG users would accept a nickname in the certs.
Discussed in JSPG. Registration people want to keep the real name (some "false" assurance that it is a real person); however, there are legal concerns about monitoring, accounting and auditing, where hiding the identity helps.
LOTS of discussion on this matter!
Decision: DNs should contain a real Common Name. If certs are pseudonymous then they must be identifiable as such via use of the pseudonym field.
"Security level of private key" working group now exists
CESNET will say more about Rainbow tokens by end of year.

Discussion of soon to be approved IGTF federation agreement
-----------------------------------------------------------
This document will be agreed at a meeting of IGTF during the GGF meeting in Boston (next week)
DOE/ESnet offered to delegate a sub-branch of their OID space for IGTF. EU PMA agrees it is a good idea.
Document very close to agreement - will happen next week in the IGTF meeting

Private Key Protection WG Update
--------------------------------
Milan, Jens, Ursula...
Jens showed slides

Milan - Certificate Policy - showed slides
------------------------------------------

Baltic Grid CA
--------------
See slides by Lauri Anton. First presented in Tallinn but not ready then
For all three states - Estonia, Latvia and Lithuania
Lots of discussion about the need or otherwise for the user to prove possession of the private key
CA approved.
Turkey CA
---------
See slides by Asli Zengin
Approved

pkIRISGrid
----------
Slides by Javi Masa
Problems with form of DN. CN is of e-mail form (name@domain) but not necessarily a real e-mail address
Concerns that the @ will cause problems with character strings.
LCG requires a real Common Name for the VO registration process.

Status update - Armenia
-----------------------
See slides by Are.

Day 2 - Thursday 29 Sep 2005
----------------------------

Status Update INFN CA
---------------------
See slides by Roberto.
Still used for general purposes. Not just Grid.
3500 certs issued since 1999. 59 RAs
Uses RT for tracking tickets. All transactions are tracked. Visible to operators only. But the user knows the ticket number.
Planning support for h/w tokens.
Legal issues. RAs do not store personal data. Difficult to ensure the same person is renewing

Status Update GridKa
--------------------
See slides by Ursula
1416 certs issued
31 RAs
Some changes to the CP/CPS

Status Update PK-Grid-CA
------------------------
Slides shown by Sajjad
Issued 22 certificates
Planning to use an HSM in future

DEISA/UNICORE Status/Plans
--------------------------
Jules Wolfrat showed slides on behalf of Michael (on phone/VRVS)
Unicore has simple security requirements. All users are individuals. No distributed groups.
All sites must allocate the same UNIX id to users, for the global file system GPFS.
DEISA uses EU Grid PMA CAs.
Just started to tackle the problem of user-level accounting between sites.

Status Update Cyprus
--------------------
Kyriakos shows slides

Namespace constraints
---------------------
Current signing policy file is too complex and the software that parses it is broken (c=ch except o=cern is the example that does not work)
No other middleware uses this signing policy. Hence aim for a GGF document on this.
David G presents the current draft.
Do we need such a policy? Lots of discussion! Agreed we do need such a policy.
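To make the signing_policy problem concrete, an added example (not code from the notes, from Globus or from any CA): a simplified reimplementation of the three Globus signing_policy directives (access_id_CA, pos_rights, cond_subjects) and their '*' wildcard, run against a constructed file with a national CA granted '/C=CH/*' and a site CA granted '/C=CH/O=CERN/*'. The format has only positive patterns, so "c=ch except o=cern" cannot be written down; the demo shows the national grant covering the site CA's users, and the only fix the format allows, enumerating the organisations the national CA really serves. The real parser's matching rules are not reproduced here, and every CA name, DN and organisation is constructed.

```python
"""Toy checker for Globus-style signing_policy namespace constraints.

Added example, not code from the notes, from Globus or from any CA: a
simplified reimplementation of the three directives a signing_policy file is
built from (access_id_CA, pos_rights, cond_subjects) with a '*' wildcard.
The real parser's matching rules are not reproduced.  Every CA name, DN and
organisation below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# A national CA and a site CA that both live under C=CH.  {national_namespace}
# is filled in below; the format has no "except" clause, so the national CA
# can only be kept out of the site CA's space by enumerating what it serves.
POLICY_TEMPLATE = """
# hypothetical national CA
access_id_CA  X509  '/C=CH/O=Example Swiss CA/CN=Example Swiss CA'
pos_rights    globus CA:sign
cond_subjects globus '{national_namespace}'

# hypothetical site CA
access_id_CA  X509  '/C=CH/O=CERN/CN=Example CERN CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=CH/O=CERN/*"'
"""
BROAD_POLICY = POLICY_TEMPLATE.format(national_namespace='"/C=CH/*"')
TIGHT_POLICY = POLICY_TEMPLATE.format(
    national_namespace='"/C=CH/O=ETH/*" "/C=CH/O=PSI/*"')


@dataclass
class CaPolicy:
    ca_dn: str
    can_sign: bool = False
    subject_patterns: list = field(default_factory=list)


def parse_signing_policy(text):
    """Return {issuer DN: CaPolicy}.  Anything not understood is an error:
    a policy file that is silently half-read is how an over-broad namespace
    gets through."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed line: {raw!r}")
        directive, kind, value = parts
        if directive == "access_id_CA":
            if kind != "X509":
                raise ValueError(f"unsupported CA id type {kind!r}")
            current = CaPolicy(ca_dn=value.strip("'"))
            policies[current.ca_dn] = current
        elif current is None:
            raise ValueError(f"{directive} before any access_id_CA")
        elif directive == "pos_rights":
            if kind == "globus" and value == "CA:sign":
                current.can_sign = True
        elif directive == "cond_subjects":
            current.subject_patterns.extend(re.findall(r'"([^"]*)"', value))
        else:
            raise ValueError(f"unknown directive {directive!r}")
    return policies


def _pattern_to_regex(pattern):
    # Only '*' is special and matches any run of characters; the rest is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z")


def subject_allowed(policies, issuer_dn, subject_dn):
    """Relying-party check: is issuer_dn permitted to sign subject_dn?"""
    pol = policies.get(issuer_dn)
    if pol is None or not pol.can_sign:
        return False                 # a CA absent from the file gets no namespace
    return any(_pattern_to_regex(p).match(subject_dn) for p in pol.subject_patterns)


def demo():
    """Run the same subject/issuer pairs against the broad and the tight policy."""
    swiss_ca = "/C=CH/O=Example Swiss CA/CN=Example Swiss CA"
    cern_ca = "/C=CH/O=CERN/CN=Example CERN CA"
    cern_user = "/C=CH/O=CERN/OU=IT/CN=Alice Example"
    eth_user = "/C=CH/O=ETH/CN=Bob Example"
    out = {}
    for name, text in (("broad", BROAD_POLICY), ("tight", TIGHT_POLICY)):
        pol = parse_signing_policy(text)
        out[name] = {
            "cern_signs_cern_user": subject_allowed(pol, cern_ca, cern_user),
            "cern_signs_eth_user": subject_allowed(pol, cern_ca, eth_user),
            "swiss_signs_cern_user": subject_allowed(pol, swiss_ca, cern_user),
            "swiss_signs_eth_user": subject_allowed(pol, swiss_ca, eth_user),
            "rogue_ca_signs": subject_allowed(pol, "/C=XX/CN=Rogue CA", cern_user),
        }
    return out
```

With the broad policy the national CA's '/C=CH/*' pattern accepts a certificate for a CERN user, so a relying party cannot tell which of the two CAs is supposed to vouch for that subject; the tight policy closes that by listing the national CA's organisations explicitly. A parser that ignores directives it does not understand would be a worse failure than one that refuses the file, which is why parse_signing_policy raises on anything unknown.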
CAs cannot define the Namespace Constraints themselves, as the policy belongs to IGTF not to each CA.
Document describes the requirements.

Authentication Profile for traditional CAs
------------------------------------------
New V4.0 document based on V3.2 minimum requirements
Went through 12 issues in detail. Several longish decisions
Delivery of CSR and integrity checking
CN should contain a real name. Pseudonyms not yet addressed
CRL update frequency left as is

Functional Test of CA Monitoring
--------------------------------
Jan shows slides
Aiming for better service availability - mostly CRL problems
Uses Nagios - complements Min Tsai's cron-based monitoring
Discussion about packaging (as it impacts monitoring)
Agreed that the general aim is to move to packages where individual CAs do not change version number if there is no change in that CA.
The means to get there needs to be discussed with IGTF and relying parties as this has to be coordinated.

ESnet RAF and eduroam
---------------------
Tony shows slides
19 countries and 350 institutions in eduroam
Uses radius authentication routing
ESnet has a RAF (radius authentication fabric)
Could load all IGTF root certificates
The user certs could then be used for roaming
To enable Grid scientists to join eduroam. This has a policy problem with reciprocity - IGTF has no service to share
Potential interest in this with HEP (but CERN has its own policy and has not joined eduroam)
To enable access to the Grid while roaming
Tony is looking for interested customers

Day 3 - Friday 30 Sep
---------------------

Migration to HSM
----------------
Willy (Austria) asks what technical details need to be followed for an HSM signing machine.
Discussion resulted in agreement that the signing machine should not have HTTP.
The HTTP machine used by users should be separate and fire-walled from the signing machine.

Next meeting
------------
Willy looks forward to welcoming us to Vienna. 24 to 27 January.
Information will be available well ahead of time.
University of Vienna is in the centre of the city.
Possible to fly either to Vienna or Bratislava (and then by bus).
Guarantees that the weather will be too cold to wear shorts in the street!

Future meetings
---------------
22 to 24 May 2006 (Budapest)
27 to 29 Sep 2006 (tentative - location to be decided)

OCSP report - Milan
-------------------
Need a policy change to allow OCSP
Even to test the infrastructure we need the info in the certs and hence the new CP
So advice is to create an experimental CP for testing purposes.
Then after a year aim to create a new official policy (from either the experimental or the old CP)
Milan suggests it would be useful for all CAs testing OCSP to use the same experimental CP
He shows draft V0.1 of the policy - sending to the list as well.
Strongly recommends two responders for each CA
Responder gets info from the CRL. Should not be older than 30 minutes.
What does the responder do if the CRL is not available? This must be defined.
Recommends HSMs on responders as they have to be online. Not during test and not necessarily FIPS level 3.
Responder certificate should be short-lived, perhaps two hours? Then don't need revocation.
Would need signing machine online and key activated.
No archiving or backup of the private key of the responder. Generate a new one if lost.
Will send policy to list and welcomes comments and suggestions.
Aiming for PMA approval of experimental policy in Jan 2006
GGF is working on a document which will recommend to relying parties how to use OCSP, e.g. what to do if no answer.
Willy: RFC says use CRL if OCSP does not respond.
For experiment - would like relying parties to try and comment but not "rely" on it
See agenda page links for info about Spanish Certiver company and their work.
Willy: important to have provision for time stamp (mentioned in RFC)

Coffee break - I leave so no more notes
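The responder and relying-party behaviour discussed in the OCSP report, as an added example rather than code from the notes, from Milan's draft policy or from any CA: the responder answers only from a CRL no older than 30 minutes and returns the OCSP tryLater status otherwise (one possible answer to the "CRL not available" question the draft says must be defined), its certificate lives two hours and is re-issued rather than revoked, and the relying party asks both responders and falls back to the CRL when it gets no verifiable answer, as Willy notes the RFC requires. Failing closed when neither OCSP nor a valid CRL is available is a choice made here, not something the notes settle. This is a pure-Python model with no ASN.1 or signatures; the CA name, serials and timestamps are constructed.

```python
"""CRL-backed OCSP responder and relying-party decision logic.

Added example, not code from the notes, from the draft OCSP policy or from
any CA.  It models only the policy points raised in the OCSP report: the
responder answers from a CRL no older than 30 minutes and says tryLater
otherwise, its certificate lives two hours, and the relying party tries both
responders and falls back to the CRL when neither gives a verifiable answer.
No ASN.1 or signatures; every CA name, serial and timestamp is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_CRL_AGE = timedelta(minutes=30)           # from the draft policy
RESPONDER_CERT_LIFETIME = timedelta(hours=2)  # "perhaps two hours"


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


@dataclass(frozen=True)
class OcspResponse:
    status: str                   # 'good', 'revoked' or 'tryLater'
    responder_cert_not_after: datetime


@dataclass(frozen=True)
class Verdict:
    accept: bool
    source: str                   # 'ocsp', 'crl' or 'none'


class Responder:
    """One OCSP responder for one CA, answering from a cached CRL."""

    def __init__(self, issuer, now):
        self.issuer, self.crl, self.down = issuer, None, False
        self.rekey(now)

    def rekey(self, now):  # short-lived cert: expiry stands in for revocation
        self.cert_not_after = now + RESPONDER_CERT_LIFETIME

    def load_crl(self, crl):
        if crl.issuer != self.issuer:
            raise ValueError("CRL is not from this responder's CA")
        self.crl = crl

    def crl_is_fresh(self, now):
        c = self.crl
        return (c is not None and c.this_update <= now < c.next_update
                and now - c.this_update <= MAX_CRL_AGE)

    def respond(self, serial, now):
        if self.down:
            return None                     # no answer at all
        if not self.crl_is_fresh(now):      # missing or stale CRL: never fake 'good'
            return OcspResponse("tryLater", self.cert_not_after)
        status = "revoked" if serial in self.crl.revoked_serials else "good"
        return OcspResponse(status, self.cert_not_after)  # signs even past expiry


def relying_party_check(serial, responders, fallback_crl, now):
    """Ask responders in turn; use the CRL if none gives a usable answer."""
    for r in responders:
        resp = r.respond(serial, now)
        if resp is None or resp.status == "tryLater":
            continue
        if now >= resp.responder_cert_not_after:
            continue                        # expired responder cert: unverifiable
        return Verdict(resp.status == "good", "ocsp")
    if fallback_crl is None or now >= fallback_crl.next_update:
        return Verdict(False, "none")       # fail closed: nothing to decide on
    return Verdict(serial not in fallback_crl.revoked_serials, "crl")


def demo():
    t0 = datetime(2005, 9, 30, 10, 0, tzinfo=timezone.utc)       # constructed
    crl = Crl("Example CA", t0, t0 + timedelta(hours=12), frozenset({0x2A}))
    primary, backup = Responder("Example CA", t0), Responder("Example CA", t0)
    primary.load_crl(crl)
    backup.load_crl(crl)
    both, out = [primary, backup], {}
    out["fresh_good"] = relying_party_check(0x10, both, crl, t0 + timedelta(minutes=10))
    out["fresh_revoked"] = relying_party_check(0x2A, both, crl, t0 + timedelta(minutes=10))
    primary.down = True                     # the second responder carries the load
    out["primary_down"] = relying_party_check(0x10, both, crl, t0 + timedelta(minutes=10))
    primary.down = False
    # CRL is 45 minutes old: both say tryLater, relying party falls back to the CRL
    out["stale_crl"] = relying_party_check(0x10, both, crl, t0 + timedelta(minutes=45))
    t1 = t0 + timedelta(hours=2, minutes=5)  # primary's cert expired at t0 + 2h
    crl2 = Crl("Example CA", t1, t1 + timedelta(hours=12), frozenset({0x2A}))
    primary.load_crl(crl2)                  # fresh CRL, but expired responder cert
    out["expired_responder"] = relying_party_check(0x10, both, crl2, t1 + timedelta(minutes=1))
    primary.rekey(t1)                       # new two-hour cert: answers count again
    out["rekeyed"] = relying_party_check(0x10, both, crl2, t1 + timedelta(minutes=1))
    out["nothing_available"] = relying_party_check(0x10, [backup], None, t1)
    return out
```

The two points the model makes are the ones the draft leaves to the implementer: a responder whose CRL is stale must not keep saying "good", and a short-lived responder certificate only replaces revocation if the relying party actually checks its validity period, since the responder itself will happily keep signing after expiry until it is re-keyed.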