17th EUGridPMA meeting, Berlin September 14-16th 2009

---------------------------------------------------------------------
Monday 14.09.2009
---------------------------------------------------------------------

09.45 Updates from the APGridPMA (Yoshio)
  * 2 new regions joining: ThaiGrid and Mongolia
  * IGTF communication test at APGridPMA:
    - 54% responded within 1 day
    - 46% responded after 2nd message

10.15 Updates from the TAGPMA (Scott Rea TBC)
  * 2 CAs pending accreditation, 2 more proposed & active
  * 10th TAGPMA F2F and OGF and IGTF all hands meeting at Banff, CA

10.45 IGTF Risk Assessment Team report (Jim Basney)
  * More people are welcome to join the RAT: contact igtf-rat@eugridpma.org to join and help with the risk assessment process
  * CRL issues
    - Reputation risks:
      - CRLs that are not updated also affect other IGTF CAs
      - if users do not take CAs seriously, they do not let us know about security incidents
      - RPs are not happy either
    - It is important that, if a problem appears, the CA sends a notice to the PMA mailing list about what happened and also proposes a solution to keep the situation from happening again.
  * SHA1 -> SHA2
    - grid middleware is not ready for using SHA2 now
  * Null-prefix attacks

11.45 Report-out from the self-audit review teams (https://www.eugridpma.org/review/selfaudit-review)
  * Jens: sent his comments about IUCC self-audit: pending
  * Mike: comments about CERN CA: OID issues
  * DavidO&DavidK: PolishGrid CA: Pawel needs to fix several issues
  * Cristos about BalticGrid: pending
    - IGTF suggestions for version 2 CRL extensions

12.00 The TERENA TCS e-Science CA Service (Jan Meijer)
  * TERENA Certificate Service (TCS)
  * people need certificates ... not CA :)
  * What is the point of participating countries keeping their grid CA if there are the TCS eScience CAs?
    - NRENs are not at EUGridPMA and there will be "two" grid certificate providers per country.
    - Grid CAs will be replaced by TCS RAs and there will be fewer members at EUGridPMA
    - National Community should decide whether to create its own grid CA or join TERENA's CA.
  * Long discussions: whether there will be only one CA for Europe and no need for EUGridPMA

14.30 The TERENA TCS e-Science CA Service (Jan Meijer)
  * More information and contract templates
    - http://www.terena.org/activities/tcs/repository/
    - CPS document presentation
    - DaveK: where is CP?
  * Confusa demo by Hendrik Austad
    - https://beta.confusa.org/confusa/

15.30 New CA presentation: South Africa (Tarirai Chani)
  * CP/CPS in progress
  * reviewers: Jens, Willy, Roberto
  * future plans: get accredited at the next EUGridPMA meeting

---------------------------------------------------------------------
Tuesday 15 09:15 - 17:30
---------------------------------------------------------------------

09.15 The TERENA TCS service for host certificates (Milan Sova)
  * Jens will review the CA during 2009
  * Additional comments by Milan:
    - CESNET changes the CA management software to EJBCA

09.45 Self-audit 2: LIP CA (Nuno Dias)
  * new CP/CPS for next meeting: Jan 2010

10.15 The CheckCerts GFD.125 compliance test suite (David O'Callaghan)
  * Plans: extend coverage tests
  * implemented on-line check
  * https://grid.ie/eugridpma/wiki/CheckCerts

11.15 Private Key Protection: guidelines document (DavidG et al.)
  * http://agenda.nikhef.nl/materialDisplay.py?contribId=10&materialId=0&confId=735

11.15 Naming of robot certificates (Jens Jensen, Alexey Tselishchev, et al.)
  * CERN CA robot certs (Alexey)
    - wants to replace the requester name with the Team name because people change teams frequently
    - who has access to the private key? ... the key is in the HW Token.
    - shared private keys do not give Relying Parties a warm and fuzzy feeling
  * no conclusion
  * Robot certificate names (Jens)
    - a robot should be named after what-it-is/what-it-does

14.30 OpenID, Shibboleth integration, and the DoEGrids CA (Dhiva)
  *

15.00 IUCC implementation of the audit findings (Aviyah Peri)
  * New CA manager
  * Jens is reviewer: sent his comments a couple of days before the meeting ... not implemented

15.30 Self-audit 4: UKeScience CA (Jens Jensen)
  * reviewers Willy and Alexey

17.25 Presentation of the Next Meeting in Dublin, 18-20 January 2010 (David O'Callaghan)

---------------------------------------------------------------------
Wednesday 16 09:15 - 13:00
---------------------------------------------------------------------

09.45 On Policy Operations (Gabe, Dartmouth)
  * really nice tools for managing and studying policies
  * PKI Policy builder
    - easy and clear way to make a policy by copying and pasting parts from other policies
  * Policy reporter ... produces statistics on policies
  * Policy mapper: mapping policies from 2527 to 3647
  * more info:
    - http://cts3.sourceforge.net
    - http://pkipolicy.appspot.com
  * CAs should update their .INFO files, because the links in the files are not working
    - there might be an automated test for checking the links in the .info files

TACAR updates (Milan)
  * funded in GEANT
  * if you have any ideas on how TACAR should act/operate, please send them to the list; it might then be possible to write them into the GEANT-3 proposal

10.15 Jens' Soap Boxes Ltd. (Jens Jensen)
  * there were some pre-soap-boxes like:
    - do not send big files (i.e. CP/CPS) to the list ... send a link
  * and some real soap boxes like:
    - Questions in Quixotic Quest for Quotidian and
    - Qui Quis Ubi Quibus Cur Quomodo Quando Auxilio
  * see the slides:
    - http://agenda.nikhef.nl/materialDisplay.py?contribId=24&materialId=slides&confId=735