= Introduction =

Round-table participants (CA / RP and representative):
* BG.ACAD CA: Stanislav Spasov (BG.ACAD/IPP-BAS)
* BG.ACAD CA: Luchesar Iliev (BG.ACAD/IPP-BAS/ISTF)
* OSG: Bob Cowles (SLAC)
* ArmeSFo: Ara Grigoryan (ArmeSFo)
* AP GridPMA: Yoshio Tanaka (AIST)
* DOEGrids/TeraGrid: Tony Genovese (ESnet/LBNL)
* AEGIS CA: Dusan Radovanovic (University of Belgrade)
* SWITCH CA: Kaspar Brand (SWITCH)
* SWITCH CA: Christoph Witzig (SWITCH)
* CESNET CA: Milan Sova (CESNET)
* LIP CA: Nuno Dias (LIP)
* CyGridCA: Yiannakis Ioannou (UCY)
* Baltic Grid CA: Hardi Teder (EENet)
* Romanian Grid CA: Cosmin Nistor (Romanian Space Agency (ROSA))
* CERN CA: Emmanuel Ormancey (CERN)
* HellasGrid CA / SEE-GRID CA: Christos Triantafyllidis (AUTH/GRNET)
* pkIRISGrid CA (Spain): Javi Masa (RedIRIS)
* PK-GRID-CA: Usman Ahmad Malik (NCP)
* PK-GRID-CA: Sajjad Asghar (NCP)
* GridGermany CA: Reimer Karlsen-Masur (DFN)
* UK e-Science: Jens Jensen (RAL)
* NorduGrid CA: Anders Wäänänen (NBI)
* AustrianGrid CA: Willy Weisz (Universität Wien)
* DutchGrid CA: David Groep (NIKHEF)
* GridKA CA: Ursula, Ingrid
* LCG: David Kelsey (CCLRC-RAL)

= AP PMA =

Presenter: Yoshio

Status:
* 9 accredited CAs
* 1 new CA
** CNIC (China)
* 2 CAs under review
** NECTEC (Thailand)
** NGO (Singapore)
* 1 CA will be ready soon
** Pragma
* Planning:
** ThaiGrid (Thailand)

Note:
* KISTI CA needs serious updating, otherwise it will be removed from the list of accredited CAs.

= TAG PMA =

Presenter: Tony

Note: Brazil CA almost ready.

== Round table updates ==

Presentation by DFN of the changes to their online CA system.

== AEGIS ==

Currently 5 Grid sites, including CPU scavenging sites.

Involvement:
* SEE-GRID
* SEE-GRID 2
* EGEE II

Namespace: C=RS, O=AEGIS

Offline CA.

== BG.ACAD ==

Bulgarian CA. Bulgarian Grid Infrastructure: 5 sites in Sofia. Established by the Bulgarian NREN in September 2006.

Single root CA, no subordinates. Key size: 4096. Lifetime: 3 - 10 years. "Private key is changed periodically."

Discussion about valid certificates with identical subject during renewal.

Milan raised a problem with IPv4 addresses in the subject of host certificates.

= The AAI Integration Roadmap: research and education federations =

Difficult: try to participate in and integrate with national AAI initiatives.

Problem with the fine granularity of the NIST quality assurances.

= SWITCHaai, federation, and identity vetting discussion =

Discussion about the subject name for the virtual home institution.

Milan initiated a discussion about the architecture of the SWITCH SLCS, in particular the communication.

Milan: problems with persons with multiple DNs.

= TACAR updates =

New web interface for downloading and uploading certificates.

= Root CA's =

Need to "trust" higher-level CAs, but no "accreditation". Define the policies of subordinate CAs within the policies of accredited CAs in order to have implicit trust.

Conclusion: need a document for Root CAs; work will continue.

= Mailing lists =

Mailing lists suffer from cross-posting. Darcy will be asked to fix this.

= MICS Profile =

Members Integrated Certificate Service. Derived from the "classic" and "slcs" documents. Leverages the sites' local native identity management for the Grid.

Examples:
* LDAP
* Kerberos
* Windows
* Shibboleth

Accountability is set for 3 years after the certificate expires. Uniqueness of the DN must be guaranteed over the lifetime of the service; if traceability is lost, the DN must never be reissued. The MICS CA is an online system.

Discussions about improving the MICS document...

We need federations in order to handle the MICS.

= OGF CAOPS-WG Open Session =

== OGSA AuthN WG and IGTF ==

* IGTF and the OGSA AuthN WG need to interact
* BOF at the next OGF in North Carolina in order to start a common working group and get the groups to talk together

== Certificate profile document ==

Sections discussed:
* Serial Number: text update in case of CA certificate changes
* Issuer and Subject names
* SerialNumber should be disconnected from device numbers
* keyUsage, ...
* cRLDistributionPoints: guidance on the download load generated by hosts and users. Preferably no redirection, as it is not normally followed by clients or Squid caches.
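As an added illustration of the cRLDistributionPoints point above (not part of the minutes), a small Python check that probes a CDP URL the way a client or Squid cache that does not follow redirections would see it; the URL in the block is a constructed placeholder and the injectable `fetch` hook is an assumed name so the check can be exercised offline.

```python
"""Probe a cRLDistributionPoints URL without following redirects.

Added example, not from the minutes. A CDP that answers 3xx is flagged,
because CRL clients and Squid caches do not normally follow the redirect
and the CRL download then fails. The CDP URL below is constructed.
"""
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx: returning None makes urllib raise HTTPError
    carrying the 3xx status, which is exactly what we want to inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=10):
    """HEAD the URL once; return (http_status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location")


def check_cdp(url, fetch=fetch_status):
    """Classify a CDP URL as OK / FAIL with a reason.

    `fetch` (assumed hook name) is injectable so the logic can be tested
    offline; by default it performs the real HEAD request above.
    """
    status, location = fetch(url)
    if 300 <= status < 400:
        return "FAIL", (f"HTTP {status} redirect to {location}; "
                        "clients and Squid caches will not follow it")
    if status != 200:
        return "FAIL", f"HTTP {status} when fetching the CRL"
    return "OK", "CRL served directly with HTTP 200"


if __name__ == "__main__":
    # Constructed placeholder URL; replace with the CDP from the certificate.
    print(check_cdp("http://crl.example.invalid/ca.crl"))
```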