Dear EUGridPMA and IGTF members,

The 39th EUGridPMA meeting is now over, and I would like to take this opportunity to again thank Roberto Cecchini from INFN as well as the local hosts at the Galileo Galilei Institute for Theoretical Physics for hosting us in a sublime location.

I would like to share with you a few of the highlights of the meeting. Send corrections and omissions if you spot them, since these have been taken from my own scribbles and memory at
https://eugridpma.org/meetings/2017-01/notes-davidg-eugridpma39-florence.pdf

Slides with background of the Florence meeting are attached to the agenda at
http://www.eugridpma.org/agenda/39

Subsequent meetings will be:

** 40th EUGridPMA meeting, May 22-24 2017, Ljubljana, SI, kindly hosted by Jan Jona Javorsek of IJS
   --- NOTE CHANGE IN DATES ---
   --- Exact Monday start time to be determined (see below) ---

** and we're looking for a host for the 41st meeting, in the beginning of September, for which proposals are very welcome (thanks for considering it)

and of course our affiliated meetings:

See all of you in Geneva, or at any of the upcoming meetings of the IGTF or elsewhere. Details on the Ljubljana logistics will be made available shortly.

Best regards,
DavidG.

Subjects discussed and listed below
-----------------------------------
* The IGTF to eduGAIN bridge
* PRACE and authentication interoperability
* Remote Vetting - experience and plans
* IPv6 readiness
* OGF and CAOPS-WG
* Snctfi
* Focus and topics for the EUGridPMA and its meetings
* PMA operational matters, reviews, accreditations
* Other updates
* Attendance

All presentations are available on the agenda page:
http://www.eugridpma.org/agenda/39
Please review these as well as a complement to this brief summary. Much information is contained therein and not repeated here.
The IGTF to eduGAIN bridge
--------------------------

As part of the AARC Pilots, following up on an idea from ChristosK, Ioannis Kakavas from GRNET has built an "IGTF-to-eduGAIN" bridge identity provider (IdP) that allows entities to authenticate to an IdP using their credentials from an IGTF accredited authority and translates these into a SAML assertion that can be used within the eduGAIN set of federations.

Because the IGTF assurance profiles (ASPEN, BIRCH, CEDAR, and also DOGWOOD) in themselves provide sufficient assurance to result in high-quality credentials in the eduGAIN context, and because the certificates contain (a good representation of) the real name of the entities, this becomes an IdP that can carry all the relevant trust marks as used by REFEDS: both Research and Scholarship (since it has the commonName attributes and appropriate validity) and Sirtfi (the incident response trust framework), as the IGTF implements both traceability and revocation capabilities, and has the communications infrastructure in place to respond to and collaborate in incident response. The other elements needed for Sirtfi are covered in all CP/CPS documents, and the release of attributes is implicitly OK since the bridge does not contain any state or user data, and each action is explicitly initiated by the end-user on each occasion.

The IGTF-eduGAIN bridge has been implemented in simpleSAMLphp, and added as a trusted IdP in the EGI CheckIn experimental environment. Once fully tested, it can be pushed to eduGAIN by way of the GRNET federation (for the moment, until maybe the IGTF itself also operates as a registrar for eduGAIN in the future?). A subdomain of igtf.net has been assigned for this IdP and appropriate server credentials issued to it.

The bridge will obviously re-sign the assertions (so the SAML blob is signed by the bridge). Ioannis is open to suggestions and extensions to the AuthProcess modules written for the bridge.
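As an added illustration of the core translation step (this is example Python written for these notes, not the bridge's own simpleSAMLphp AuthProc code): the web server has already validated the TLS client certificate chain against the IGTF trust anchors, and hands the bridge the subject and issuer DNs as RFC 2253/4514 strings (Apache exposes them as SSL_CLIENT_S_DN and SSL_CLIENT_I_DN). The bridge must parse those DNs correctly (escaped commas and hex escapes are common in real names), look up the issuer's assurance profile, and emit the R&S attributes plus the traceability data an SP would hand back under Sirtfi, all without keeping any user state. The issuer-to-profile table, the scope `bridge.example.org` and the loop denylist are constructed placeholders; in a deployment the table would be derived from the accreditation metadata in the IGTF distribution, and the denylist is one possible guard against the RCauth loop noted in this section.

```python
"""Added example: X.509 subject/issuer DN -> SAML attribute mapping for an
IGTF-to-eduGAIN bridge IdP.  Illustrative Python, not the bridge's own code.
Assumes the TLS layer already verified the client certificate (chain, validity,
CRL/OCSP) against the IGTF trust anchors; the bridge only sees the DN strings."""

import hashlib

# Characters that may appear backslash-escaped in an RFC 4514 string DN.
_ESCAPABLE = set(',+"\\<>;= #')


def parse_dn(dn):
    """Parse an RFC 4514 string DN into [(type, value), ...] in string order
    (most specific RDN first, as SSL_CLIENT_S_DN presents it).  Handles '\\,'
    style escapes and '\\XX' hex pairs (re-assembled as UTF-8); multi-valued
    RDNs joined with '+' are flattened into separate pairs."""
    pairs, attr, raw, in_value, i = [], [], bytearray(), False, 0
    while i < len(dn):
        c = dn[i]
        if not in_value:
            if c == '=':
                in_value = True
            else:
                attr.append(c)
            i += 1
        elif c == '\\' and i + 1 < len(dn):
            if dn[i + 1] in _ESCAPABLE:
                raw.extend(dn[i + 1].encode('utf-8'))
                i += 2
            else:
                raw.append(int(dn[i + 1:i + 3], 16))
                i += 3
        elif c in ',+':
            pairs.append((''.join(attr).strip().upper(), raw.decode('utf-8')))
            attr, raw, in_value = [], bytearray(), False
            i += 1
        else:
            raw.extend(c.encode('utf-8'))
            i += 1
    if attr:
        pairs.append((''.join(attr).strip().upper(), raw.decode('utf-8')))
    return pairs


# Constructed placeholder: issuer DN -> IGTF assurance profile.  A real bridge
# would derive this from the IGTF distribution's accreditation metadata and
# match on the trust anchor (fingerprint), not on a loosely normalised string.
ACCREDITED_ISSUERS = {
    'CN=Example Classic CA,O=Example NGI,C=XX': 'CEDAR',
    'CN=Example IOTA CA,O=Example NGI,C=XX': 'DOGWOOD',
}
# Loop prevention (assumption): CAs whose certificates are themselves issued on
# the strength of an eduGAIN login must not be accepted back on the bridge.
LOOP_ISSUERS = {'CN=Example Token Translation CA,O=Example,C=XX'}


def bridge_attributes(subject_dn, issuer_dn, scope='bridge.example.org'):
    """Return (attributes, None) for one authenticated certificate holder, or
    (None, reason) when the login must be refused."""
    if issuer_dn in LOOP_ISSUERS:
        return None, 'issuer is itself fed from eduGAIN (loop)'
    profile = ACCREDITED_ISSUERS.get(issuer_dn)
    if profile is None:
        return None, 'issuer not in the accredited set'
    subject = parse_dn(subject_dn)
    cns = [v for t, v in subject if t == 'CN']
    if not cns:
        return None, 'subject has no commonName'
    display_name = cns[0]  # most specific CN: the person's name
    mails = [v for t, v in subject if t in ('EMAILADDRESS', 'MAIL', 'E')]
    # Stateless, stable identifier: the bridge keeps no user database, so it is
    # derived from (issuer, subject), which the IGTF profiles require to be
    # unique and never re-assigned to another entity.
    digest = hashlib.sha256(f'{issuer_dn}\n{subject_dn}'.encode('utf-8')).hexdigest()
    attrs = {
        'displayName': display_name,
        'cn': display_name,
        'eduPersonPrincipalName': f'{digest[:24]}@{scope}',
        # Sirtfi traceability: an SP can hand these to the bridge/CA operator
        # during an incident without the bridge having stored anything.
        'distinguishedName': subject_dn,
        'igtfIssuer': issuer_dn,
        'igtfAssuranceProfile': profile,
    }
    if mails:
        attrs['mail'] = mails[0]
    return attrs, None


if __name__ == '__main__':
    ok, err = bridge_attributes(r'CN=Doe\, Jane,O=Example NGI,C=XX',
                                'CN=Example Classic CA,O=Example NGI,C=XX')
    print(err or ok)
```

Note that the attributes are recomputed on every login; nothing is persisted, which is what makes the attribute-release question trivial as described above. The hashed identifier is stable across logins but reveals nothing about the DN to an SP that does not also receive `distinguishedName`.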
Code is in GitHub (so pull requests are even more welcome ;-)

We note that loops can now be built in the AuthN systems, since RCauth is based on R&S+Sirtfi, and you can then use RCauth.eu credentials on the bridge ...

PRACE and authentication interoperability
-----------------------------------------

The PRACE security model and interoperability goals are clearly outlined in the presentation by Vincent to the PMA meeting (see agenda). There are a couple of concrete questions, the most important of which - as usual - are on non-web SSO and ssh access.

Following the AARC Blueprint Architecture, and in view of the applicable statements from the GEANT project on the near-term viability of technologies, the recommendations on non-web SSO boil down to the use of bridges (IdP-SP proxies) and technologies like RCauth and OpenID Connect (OIDC). Especially the use of OIDC is growing, and seems to overtake deployments of SAML-ECP (which would be the other relevant technology, even though adoption in Europe is very low despite it being available in Shibboleth v3 IdPs by default). With the joint EGI-EUDAT supported efforts around RCauth, this is obviously also very much open to PRACE using it. A collaboration between all e-Infrastructures is useful here (and get some of the research infrastructures involved as well, like ELIXIR).

For attribute management and attribute aggregation/augmentation in the IdP-SP-proxy model, COmanage is the tool most often used in the infrastructures and the AARC Pilots. It does mean that all the 'back-end' services inside the infrastructure will have to trust the proxy to faithfully re-sign the incoming external assertions and attributes.

Remote Vetting - experience and plans
-------------------------------------

Based on previous discussions and the suggestions given in the Remote Vetting wiki guidelines at
http://wiki.eugridpma.org/Main/VettingModelGuidelines
several experiments have been done.
A test by CESNET between a few CA admins, attempting to validate a regular CZ identity card based on its security features, was not successful, as the video quality was too low to adequately assess them, and features like holograms were not part of the card anyway. Based on this initial test (and even though remote vetting would be very welcome) this has not yet been proposed for adoption by CESNET.

Yet at the same time, ChristosK participated in a successful vetting test with a (professional) German bank account issuer:

Just a few minutes ago, I was able to open a new bank account from the convenience of my home and to have my ID verified using a simple video call. I did not use any 4K cameras or any special equipment. The process allowed you to use either the computer or the mobile phone. In order to make sure that no high quality video was required, I opted for the use of the mobile phone. The process was like this:
- I registered with the bank, providing my personal information details including a mobile phone number
- When registration was complete, I clicked to start a video call (it could be done either through the browser or the mobile phone; I chose the latter as I said)
- A representative of the bank answered and asked me some questions to verify that I was the one who submitted the request in step 1 (basically he asked about my e-mail address and my age)
- He sent an SMS to my registered phone number and asked me to verify it
- He asked me to take a photo of my face using the camera on the phone
- Then he asked me to show him my passport. For this step I also had to turn on the flashlight so that he could verify the existence of the security features on the passport
- For this purpose, he asked me to tilt my passport in front of the flashlight so that he could check the security features.
- He took a picture of the passport page with my picture and with my signature (he had to see all four corners of each page)
Finally, he asked me to read him the passport number, and that was that!
[from Christos' description on the mailing list]

At the same time, people are reminded of the UK Home Office guidance on identifying false documents:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/536918/Guidance_on_examining_identity_documents_v._June_2016.pdf

What this basically means is that only a subset of document types will be suitable for remote vetting, and that the RA must have at its disposal a set of references to check any documents presented. The document must be whole (so including the corners), and some of the older documents with fewer security features may not be suitable for remote vetting. Also, it reconfirms that RAs must be specifically trained to do this - so a central RA function is much preferred over allowing distributed RAs to 'just' do that by themselves:
- whitelisting of permissible documents (and countries of issuance?)
- an existing out-of-band relationship must exist
- contact an external sponsor for confirmation (organisation's HR?)

In the future, an eIDAS-eduGAIN bridge might also help to do remote vetting, as that might give access to national ID schemes. At the moment, not all CAs are in a position to be permitted to connect to such a scheme (e.g. because they are not legally allowed to process social security numbers).

It is decided that the results of remote vetting experiments and experience are to be attached to the Wiki page (see above).

IPv6 readiness
--------------

Ulf Tigerstedt, on behalf of the HEPiX IPv6 working group, continuously monitors the IPv6 readiness of CRL distribution points at
http://cvmfs-6.ndgf.org/ipv6/overview.php

The following CAs currently have issues and should fix them:
  CNRS: already planned alongside the move to a new (govt. backed) hierarchy
  DigiCert/TCS: still issues with a CDN provider; the TCS PMA (DavidG) will check
  UGrid: will be resolved in 2 months' time (the ISP will assign v6 space)

For those that need to deploy IPv6 but do not yet have the local infrastructure capable of doing so, the presentation by Jim Basney on the use of CloudFlare as a CRL distribution mechanism might be helpful. The link is on the agenda page and on the TAGPMA web site.

The following CAs are asked to report on IPv6 transition plans: CyGrid, DZeScience, IRAN-GRID, MaGrid, RDIG, ROSA

David Kelsey will circulate the WLCG MB statement on migration to PSNC. From April 2017 onward, relying parties could start deploying IPv6-only processing systems. From April 2018 onward, systems that do not have any legacy-IP fallback can also be found in production.

OGF and CAOPS-WG
----------------

OGF has working groups in a wide range of areas and with varying levels of activity, from very active (like OCCI, NSI) to less active. The latter now also includes CAOPS, now that GFD.225 has been published. Yet OGF provides a great place as an open-access publisher (the assignment of DOIs is being considered by OGF at the moment), and it can support plugfests and interoperability testing. CAOPS in particular has traditionally been the place to get external input from the wider community, and it would be a pity if such a channel were lost. Yet it needs active participants to keep the group alive, and these should be found also beyond just the IGTF/PMA attendees. An option is to co-organise CAOPS sessions also at other meetings, like TIIME, I2GS and the I2TechX, or DI4R. Yet there is not easily a meeting to be found that attracts 'everybody' relevant to CAOPS - even if the remit of CAOPS is broadened as it includes new people. Absorbing CAOPS into the IGTF would also deprive the IGTF of its way to get external input. Any new structure should be tried first on the CAOPS list, to which (at least) all those here are subscribed.
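Returning to the IPv6 readiness item above: the check that matters for an IPv6-only relying party is not just whether a CRL distribution point host has an AAAA record, but whether the CRL can actually be fetched over IPv6 (a CDN that advertises AAAA but does not serve on it, as in the DigiCert/TCS case, fails the second test). The following is an added example written for these notes, not the HEPiX IPv6 working group monitor; it reads URLs in the one-per-line style of the .crl_url files in the IGTF distribution, resolves A and AAAA records, and pins an HTTP HEAD request to an IPv6 address. The hostnames in the sample input are constructed placeholders, so the live run in main() will report them as unresolvable; the resolver and fetcher are injectable so the logic can be exercised without network access.

```python
"""Added example: CRL distribution point readiness for IPv6-only relying
parties.  Illustrative code, not the HEPiX IPv6 WG monitor.  Only plain-HTTP
CRL DPs are handled: CRLs are served over http to avoid a circular dependency
on TLS validation, which is also why no HTTPS fetch is attempted here."""

import http.client
import socket
from urllib.parse import urlsplit

# Constructed sample in .crl_url style (one URL per line, '#' comments).
SAMPLE_CRL_URLS = """\
# constructed sample, placeholder hosts
http://crl.example.org/ca.crl
http://legacy-crl.example.net/pub/crl.pem
"""


def crl_endpoints(text):
    """Return [(url, host, port, path), ...] for every non-comment URL line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        u = urlsplit(line)
        if u.scheme != 'http' or not u.hostname:
            continue
        out.append((line, u.hostname, u.port or 80, u.path or '/'))
    return out


def classify(v4, v6):
    """Summarise resolver results.  Only 'dual-stack' and 'v6-only' are usable
    from an IPv6-only node; a 'v4-only' CRL DP cannot be refreshed there, and
    once the cached CRL's nextUpdate passes, validation of every certificate
    from that CA fails."""
    if v4 and v6:
        return 'dual-stack'
    if v6:
        return 'v6-only'
    if v4:
        return 'v4-only'
    return 'unresolvable'


def usable_without_legacy_ip(status):
    return status in ('dual-stack', 'v6-only')


def resolve(host, port):
    """Return (v4_addrs, v6_addrs) from DNS (A and AAAA records)."""
    addrs = {socket.AF_INET: [], socket.AF_INET6: []}
    for family in addrs:
        try:
            for fam, _, _, _, sa in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
                addrs[fam].append(sa[0])
        except socket.gaierror:
            pass
    return addrs[socket.AF_INET], addrs[socket.AF_INET6]


def head_over_ipv6(host, port, path, addr, timeout=5.0):
    """HEAD the CRL over a socket pinned to one IPv6 address and return the
    HTTP status; an AAAA record alone does not prove the server answers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = socket.create_connection((addr, port), timeout=timeout)
    try:
        conn.request('HEAD', path)
        return conn.getresponse().status
    finally:
        conn.close()


def check_all(text, resolver=resolve, fetch=head_over_ipv6):
    """Return [(url, status, http_status), ...]; status becomes
    'v6-unreachable' when DNS advertises AAAA but the fetch over IPv6 fails."""
    report = []
    for url, host, port, path in crl_endpoints(text):
        v4, v6 = resolver(host, port)
        status, http_status = classify(v4, v6), None
        if v6:
            try:
                http_status = fetch(host, port, path, v6[0])
            except OSError:
                status = 'v6-unreachable'
        report.append((url, status, http_status))
    return report


if __name__ == '__main__':
    for url, status, code in check_all(SAMPLE_CRL_URLS):
        flag = 'OK ' if usable_without_legacy_ip(status) and code else 'BAD'
        print(f'{flag} {status:15s} {code or "-":>4} {url}')
```

A CA operator can run this against its own .crl_url entries before the April 2017 and April 2018 dates mentioned above; anything not reported as OK will, on an IPv6-only worker node, turn into a CRL expiry and hence an authentication outage for that CA's users.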
Jens will initiate the discussion on the CAOPS list, but it does need everyone to chime in. (And there's also a need for a new Security AD, so if you're interested ...)

Snctfi
------

For the discussion on Snctfi, the trust framework that can bind an ensemble of relying party services together and help them coordinate a policy that allows them to represent a coherent view of the ensemble to the 'rest of the world', we refer to the document and the AARC web pages at

Focus and topics for the EUGridPMA and its meetings
---------------------------------------------------

In the past few meetings, increasing attention has been given to topics related to generic trust and authentication for (R&E) identity federation, and to the integration of trust and assurance between the IGTF and complementary activities in the research and collaboration area (REFEDS, eduGAIN, FIM4R, AARC Blueprint, Snctfi, and WISE). A poll amongst the participants present at this meeting indicates that the current balance of global IGTF topics and interoperability work is appropriate, even if not all topics are relevant to all people. In some cases, the attendance of the PMA meeting could be broadened to get people from other groups involved. In not all organisations are IGTF and R&E federation topics handled by the same set of people.

The length of the meeting, related to the maturity of the EUGridPMA work, may also be revisited. It could help people (personally as well as for professional reasons) to not require travel on Sunday, and thus start early on Monday afternoon - allowing travel on Monday morning. Shorter meetings are not recommended, since people will then leave early (already on the second day) and the ratio of travel to meeting time worsens. In general, Monday afternoon till Wednesday afternoon is considered appropriate.
The PMA takes note of the fact that some research infrastructures are looking for a 'home' to connect their infrastructure SPs (also those traditionally in NREN-based R&E federations) in a global manner, not bound to any particular country - given that the research infrastructure is also inherently transnational. Some have suggested that the IGTF takes on this role, and the EUGridPMA is positive towards such requests, within the constraints of feasibility. There are some issues that would need to be addressed first: the metadata (MD) registration policy, an automated signing infrastructure (the current signing infrastructure is manual), and the likely need for a legal entity. Yet other non-NREN federations of various sorts and types are now part of eduGAIN, so having the IGTF there would not be out of place. This line of thought will be pursued with the relevant research and e-Infrastructures first before concrete steps are taken. Interested people could include Scott Koranda (unconfirmed), as well as Scott Rea, Dave Kelsey, and DavidG. FIM4R seems a good place to discuss this further.

PMA operational matters, review, and accreditations
---------------------------------------------------

- The DarkMatter issuing CAs that are part of the QuoVadis hierarchy are subject to the existing QV policy and practices, and follow the global identity vetting process (using in-person local trusted agents and the TrustLink system) for authentication of individual and organisational entities. As such, the DarkMatter QV-rooted ICAs will be distributed under the (already accredited) QV CP/CPS. This will happen in release 1.81.
  The NEW DarkMatter self-rooted CAs will follow a new policy and practice statement (although still also compatible with the QV ones during the transitional period), and need an independent accreditation and review. At the moment, there is no policy or practice document that actually describes the authentication (sec. 3) and related elements.
  Scott Rea will review the CP/CPS and circulate a new version to the assigned reviewers (Feyza, Jens, DavidG, CC Reimer).

- The PMA reiterates its position towards authorities that do not respond to communications challenges within a reasonable amount of time. The Accreditation Guidelines give specific terms after which suspension will follow. The PMA reconfirms that in the concrete case here, following this period, suspension will follow without further need for endorsement thereof. The suspension review subcommittee will be kept informed, and Ursula will issue a dedicated RAT communications challenge.

- The following CAs presented their self-audit during the meeting, and the requisite reviewers have been assigned:
  * GermanGrid (KIT): review by ScottR and IanN
  * CyGrid: review by Pawel and JanC
  * UGrid: review by Ursula and IanN - based on the new v1.5 CP/CPS
  * UKeScience CA repurposing: DavidG + open call

- The JUNET CA, following several years of suspension, will be removed from the membership list since all contact has long since been lost.

- For the pending self-audits:
  * IRAN-GRID is complete now; the new CP/CPS is fine and the new root is in production
  * DZeScience, RDIG, and ArmeSFo are waiting for replies by their respective CA administrators

- We note that a CRL issuance process that pre-generates CRLs and rolls back state in case of revocations is discouraged.

Other updates
-------------

- Jens confirms the willingness of RAL/STFC to co-host any RCauth.eu signing keys and HSMs on behalf of EUDAT, as appropriate based on the outcome of the RCauth.eu sustainability discussions in Europe.

- Re-purposing existing CAs between different assurance profiles is a non-trivial exercise, and requires (for relying party consistency) a 'cooling off' period of at least one release between withdrawal and re-insertion. Also the CA alias name must change in order not to upset package management systems.
  Of course, a new profile means a sufficiently different CP/CPS that the review is akin to a new accreditation. It cannot be a 'silent' in-place update.

- It should be considered to re-issue intermediate CAs that were signed with SHA-1 as (new) SHA-2 signed CAs, also without revocation of the root. That will get rid of browser warnings and monitoring errors, and improve usability, even if it means that you remain vulnerable to 'old' self-signed roots out there that could be inappropriately used to verify the old SHA-1 intermediates.

- TACAR updates should still go to Licia as usual, when necessary mediated by the TI (DavidG).

- The next meeting should have a session/discussion on how PKI can support blockchain technology and help the identification of end-points in a permissions management infrastructure using distributed ledgers and append-only logs.

"When Making Things Better, there's always a Risk of Making Things Worse" (Jens Jensen, Soapbox)

Attendance
----------

We would like to thank the following members for their in-person attendance: Scott Rea, David Kelsey, Walter de Jong, Vincent Ribaillier, Roberto Cecchini, David Groep, Jan Chvojka, Jana Kejvalova, Pawel Wolniewicz, Sergii Stirenko, Oleg Alienin, Marc Turpin, Ursula Epting, Ian Neilson

and for their extensive presence in the videoconference: Javi Masa, Christos Kanellopoulos, Miroslav Dobrucky, Maria Podeva, Nuno Dias, Lidija Milosavljevic, John Kewley, and Jens Jensen.