Minutes of the EDG CA Coordination Meeting (EDG-CACG)
30-31 August 2001, Amsterdam


Present:
	Roberto Cecchini
	Brian Coghlan
	Jorge Gomes
	David Groep
	Dave Kelsey
	Daniel Kouril
	Pietro Martucci
	Sophie Nicoud
	Andrew Sansum
	Lev Shamardin
	Anders Waananen

The agenda as distributed by Dave and amended by Sophie has two
main issues: status on policies (CP/CPS assessments) and the operational
issues for Testbed 1 (TB1) in PM9. The minutes from the last meeting 
are not causing any complaints. If these minutes do, you should react by
email to the mailing list <dg-eur-ca@services.cnrs.fr>.


Round table reports
-------------------

INFN: 
	An OID has been assigned to INFN by the IANA and is managed by 
	Roberto. It is not yet used, but will be included in the
	certificates in the future. For the time being, the certs contain
	in the nsComment field a reference to the CP/CPS version.
	This is deemed a good practice by the group.
Ireland:
	The CA is up and running in a secure fashion (off-line, proper
	pass phrase etc). Issued 30 certs and published a CRL that
	can be reached from http://marianne.in2p3.fr/. A draft CP/CPS
	will be put up soon (the draft is almost ready).
Russia:	
	Has now been up for three weeks. No policy is defined at this point.
	It is operated by a robot (i.e. online) with some RA-like
	people sending the robot signed e-mails from the various
	universities.
CERN:
	A CPS has been drafted based on the one by Roberto. Also, the
	CERN test bed now acknowledges all EDG CAs and has performed
	successful interoperability tests as part of the HEP
	testing activity (with Alice).
NIKHEF:
	No significant changes. Currently issued approx 50 certs.
Nordunet:
	A 'chain-of-command' has been established and documented for
	CA/RA operations. Currently busy preparing a CPS based on this.
	Currently communication with the RAs is by phone. Issued
	approx 20 certs.
CNRS:
	The current status was sent to the mailing list by Jean-Luc. 
	The CPS has changed slightly in view of the server certs (naming).
	Roberto still has some questions left [see later].
UKHEP:
	Running in production mode (about 2-3 requests per week), but a
	CP/CPS is still to be finalized. Will be ready around next week.
	One of the problems encountered was the email bit not being set
	in nsCertType, which made the certs useless for e-mail exchange.
	This is being corrected by reissuing the certs with this bit set.
	The UKHEP CA has also been threatened: many host cert requests
	might be sent. But this really seems unlikely to happen.
	A colleague of Andrew is currently working on OpenCA (now in
	pre-beta release). Maybe in the upcoming three weeks something
	nice will evolve. Otherwise the effort will be relocated to other
	CA related work.

The nsCertType bit for e-mail and for SSL client mode is important. Parts
of the WP6 site on marianne.in2p3.fr are protected using SSL and the
site uses user certs to identify "DataGrid" users. The same kind
of application can also be foreseen later for getting job output via https.


News from the World
-------------------

GGF2:
Dave was the only one to go there. It has been slightly restructured,
with "Areas" replacing the working groups, and the subgroups being
replaced with working groups. Within the security area there is now a CP
working group, whose working documents may be found at
http://www.gridcp.es.net/
The group just produced version 5 of the CP draft for Grid use. This
draft CP defines four levels (rudimentary, basic, medium and high), where
even the lowest grade already needs considerable effort. Most of the levels
are likely to include external auditing.
From the EDG CACG it is considered important to participate in this effort.
This is even more necessary since, starting with PM9, the current Globus certs
are no longer to be supported within the EDG TB1. All our current CP/CPSs
seem to correspond to the "basic" level, excluding the auditing
requirements. Dave K will write a response to the GridCP working group.

Terena, Antalya:
The notes from the Terena EuroPKI meeting are available from
http://www.terena.nl/projects/pki/
The current level of interaction between the Terena PKI effort and the
GridCP effort is minimal, and misunderstandings seem to exist within
the Terena PKI group about the Grid/GSI efforts.

Steve Tuecke:
Globus GSI might move towards the MS "Passport" concept, the basic
idea being that most of the checking of credentials will always be done
at the authorization stage and thus the authentication stage is less
important. Basically, the name in the personal cert need not be cared
about, as long as it is unique.
For host certificates the situation is not very clear.  Ideas are towards
a per-site certificate and then subsequent lower-level hierarchies 
for hosts. 
For now, none of these ideas are expected to result in immediate changes.
The CAS service system is slightly delayed (pre-beta demo foreseen in 
October/November 2001).


Group usage of CAs
------------------
The Russian DataGrid CA is currently implemented as a distributed 
set of trusted authorities that contact a CA signing robot using 
signed e-mail. One such trusted authority is assigned per 
institute/university. 
The main comment on the presentation is the strong suggestion to 
take the robot part out. It violates the minimum requirements as
laid out in previous meetings.
Without the robot, the system is compliant, with the trusted persons
as RAs. The scripts used for signed email and email verification
are extremely useful and should be distributed amongst the group.
They would be a good alternative to OpenCA. The URL will be mailed by Lev.

CRL publication
---------------
A push mechanism for CRL distribution is presented, based on submission
of Globus jobs to participating nodes in a hierarchical way.
Much discussion ensues, the main arguments being that it is too intrusive
and too heavy-weight. The two main problems addressed by this
method are:
- spreading the word of cert revocation
  Maybe a signalling functionality would be nice, causing
  sites to subsequently pull the new CRL from the original location.
  Such a mechanism might possibly be implemented on top of the WP3
  monitoring system using a subscription to the last change date. It
  is unclear to the CA group whether WP3 would support this.
  Anyway, this will not be there for PM9.
- load distribution of the CA web site
  Conventional mirroring techniques like Round-Robin DNS are probably
  better suited for this. It will certainly not be an issue in the
  near future, since web servers are really fast. For periodic
  retrieval of CRLs from a crontab-run script, a random wait
  may be useful to spread the load around the "obvious" times like
  midnight sharp.

A thing to remember is the new modular CA scheme of Globus 2.0. In the
new release, CAs can be packaged as RPMs, with the ca-signing-policy
specified on a per-CA basis in a file named after the hash. This
makes it easier to install new CAs and prevents confusion in the
policy file about overlapping domains of authority.


Grid Acceptable Use Policy
--------------------------
The DataGrid Acceptable Use Policy is a standard document to be signed
(electronically) by the DataGrid collaborators who want to use resources
on the DataGrid test bed. It is currently at version 6, to be mangled by
the CERN lawyers. It details a set of rules, loosely inspired by
CERN circular No 5, but in the end national laws will still be applicable.
But the user will never know which law that will be :-)
The latest version (in French) is available from
[temporary location http://www.nikhef.nl/~davidg/grid/aaa/charte-draft-V6.pdf]


Globus certs in TB1
-------------------
Globus CA support is to be discontinued after PM9. After that date,
US individuals can get certificates from the CERN CA, that will
act as a catch-all solution. This will not work as-is for host certs.
Maybe an RA network could be set up in the US to sponsor applications
from hosts there, to be signed by an EDG CA.
It is decided that the matter will be discussed as part of WP6 with
our Globus security contact Steve Tuecke.


Naming schemes
--------------
The DataGrid-fr problem of signing "/*" has been resolved (it will now
sign "/C=FR/*" and "/C=IT/O=ESA/*" only).
As part of Globus-2 the ca-signing-policy file has been split in a
per-CA fashion, preventing future problems with CAs signing overlapping
name spaces (although this is still strongly discouraged).


Object IDs for CP/CPS identification
------------------------------------
You can get these for free from IANA [http://www.iana.org/]. Roberto
will send more information to the list. The OIDs can be used
in a generic fashion.
Beware that only one OID is allowed per organization. The DataGrid
project as such can apply for an OID (for WP1/WP3 LDAP schema work),
maybe individual grid sub-projects can do the same.


CP/CPS review
-------------
At this time only UKHEP and NorduGrid are still missing a CP/CPS document.
The one by Andrew is due RSN (about 1 week). 
The latest CNRS CP/CPS was circulated by Jean-Luc. Some comments 
were raised:
- in 3.1.7 (method to prove possession of private key), the stated
  practice does not verify possession after the receipt of the request by
  the CA. The GGF draft GridCP requires this check. Besides, the
  wording of paragraph 2 hints at key pair generation by the CA, which
  is not intended but gives a bad impression
  BTW: neither OpenSSL nor Netscape have a clean and easy solution
       to the proof-of-possession problem. The main problem (man-in-
       the-middle attack) can probably only be solved in a secured
       transactional scheme.
- in 4.2: the statement is contrary to 2.8
- 4.4.9: the wording might give the impression the CRL generation
  is automatic (and thus on-line and without a password). It is
  suggested to make this paragraph more realistic.
- 6.1.4: "secure" is not meant to mean "secure" as in "secure connection"
- 3.1.9: it is proposed to make the procedure more clear and state
  explicitly that a phone conversation is conducted, and of what kind

With regard to the LIP draft:
- the CP/S states that the user private key should be at least 8 
  characters. After a short discussion it is concluded that such user 
  guidance is good, and the wording could be refined by also adding "strong".

The current state of the CP/Ss in all its variety is left as is for
TB1. Maybe later in the project we will standardize on the GGF draft.
Many of the TB site operators will look to the CACG for guidance on which CA
certificates to include. For this to work, we as a group will have to 
evaluate all the CP/Ss in some consistent way. Since the GGF classification
will provide the solution only in the long term, we should devise a 
classification scheme (possibly inspired by the GGF drafts, using the 
same levels but taking out the requirement for auditing to have a better 
level of granularity for this purpose). 

The checking and "grading" of CP/Ss should be public. In this case,
gentle pressure is applied to "rudimentary" CAs and at the same
time the reviewers will experience some pressure to actually do the 
grading. The evaluation matrix will be drafted by Brian and put up on
http://marianne.in2p3.fr/. The draft matrix design should be ready
in Frascati, the complete evaluation certainly before the March 2002
Paris meeting.


Operational Issues for TB1
--------------------------
* nice to have an end-user information guide. The current
  situation is quite confusing
* a per-country Globus configuration is needed to configure
  grid-security.conf. Anders has an RPM scheme, with one RPM
  per CA with a hash file and a signing policy file (for Globus2).
  Then add one country-specific RPM with the proper grid-security.conf
  and configure. Anders will put the sources online at
  http://www.nbi.dk/~waananen/trusted_ca/
* all TB1 sites are now covered by a national CA. The Americans are
  a WP6/TB1 issue
* every CA should write user instructions a.s.a.p, but 
  certainly within 2 weeks
  and send these to Sophie [mailto:Sophie.Nicoud@urec.cnrs.fr]

MDS-2.1-alpha certificates
--------------------------
* Globus has the fundamental notion of per-service certs. So not
  only MDS certs (ldap/*), but also host certs for GSI-ftp (host/*)
  are needed. The gatekeeper certs have just the hostname, but
  source code inspection reveals it had almost been "gatekeeper/*"
* the problem is in the number of certs, not in the policy
* some feedback will go back to the Globus team, since we are
  not entirely happy with this prospect.


CRL retrieval
-------------
Several packages now exist. fetch-dg-crl has a nice autoconfig 
capability, but will not check the CRLs for validity against the
installed CA certs. Some functionality from the GetCerts
package should be merged in. 
Note that the writing of a ca-signing-policy will no longer be 
needed in Globus2.
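The crontab-run retrieval discussed above (random wait under "CRL publication", and the CA-cert validity check that fetch-dg-crl lacks) as an added example; this is not fetch-dg-crl, GetCerts or any other package from the minutes. It assumes the Globus layout of <hash>.0 for the CA cert and <hash>.r0 for its CRL, a PEM-encoded CRL, and an openssl binary on the PATH.

```python
import calendar
import os
import random
import re
import subprocess
import time
import urllib.request

def jittered_delay(max_seconds, rng=random):
    """Seconds to sleep before fetching; a random wait spreads the load
    away from the 'obvious' cron times such as midnight sharp."""
    return rng.randint(0, max_seconds)

def crl_path_for(ca_cert_path):
    """Globus names the CA cert <hash>.0 and expects its CRL as <hash>.r0 (assumed layout)."""
    base, ext = os.path.splitext(ca_cert_path)
    if ext != ".0":
        raise ValueError("expected a Globus-style <hash>.0 CA cert file")
    return base + ".r0"

def crl_verifies_against(crl_pem, ca_cert_path):
    """True only if the CRL signature checks out against the installed CA
    cert (the step fetch-dg-crl skips) and its nextUpdate has not passed."""
    out = subprocess.run(
        ["openssl", "crl", "-in", crl_pem, "-CAfile", ca_cert_path,
         "-noout", "-nextupdate"], capture_output=True, text=True)
    if "verify OK" not in out.stdout + out.stderr:
        return False
    m = re.search(r"nextUpdate=(.+)", out.stdout)
    if m is None:
        return False
    nxt = time.strptime(m.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return calendar.timegm(nxt) > time.time()

def update_crl(ca_cert_path, crl_url, max_wait=3600):
    """Fetch, verify, then atomically install the CRL next to the CA cert."""
    time.sleep(jittered_delay(max_wait))
    target = crl_path_for(ca_cert_path)
    tmp = target + ".tmp"
    with urllib.request.urlopen(crl_url) as resp, open(tmp, "wb") as f:
        f.write(resp.read())
    if not crl_verifies_against(tmp, ca_cert_path):
        os.unlink(tmp)          # never leave an unverified CRL behind
        raise RuntimeError("rejected CRL from %s" % crl_url)
    os.replace(tmp, target)     # readers never see a half-written file
    return target
```

Note that Globus of this era used the older OpenSSL subject hash for the file names, so the <hash> in the CA file name may differ from what a current `openssl x509 -hash` prints.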

Besides, UKHEP will start issuing a CRL, although an empty one
for the time being.

The INFN CA certs can now only be obtained from a secure http
site via a form. Problems with validation of certs will always be
there, and can be countered either by distributing from only one
trusted site or by distributing from a multitude of sites.
For now, Roberto will put up a PEM copy in a public place,
but this location will not be publicly advertised.


Authorization working group
---------------------------
* for the authorization scheme to work properly, each CA must operate
  an LDAP directory service publishing the user certs by
  either subject DN or by a more flat scheme like CN only.
* each VO has one LDAP directory, containing a hierarchy 
  with groups and individuals, where the individuals
  are linked from one or more groups
* the VO LDAP service contains user cert pointers, subject names
  and pointers to "authorization certs"
* the authorization cert is issued for a definite lifetime
  (independent of the authentication cert validity), after the
  user has agreed to the DataGrid AUP. This "cert" need not
  take the form of a cert, but might as well be a token
  signed by an authorization delegate (possibly automated).

* for CAs an LDAP cookbook from Janus Liebregts is available
  from the web [http://ldap.gigacorp.nl/pkildap.html]

* A program will generate grid-mapfiles based on a set of LDAP
  authorization directories. This program will check the 
  validity of the authorization cert (not the user cert!)
* replication of this service is not foreseen for PM9, but
  will be resolved if needed by WP6
* TB1 does not (yet) have a recommendation as to the update
  frequency of the grid-mapfile.

* Roberto has a sample package with schemas and configuration
  files to set up a CA LDAP service. Samples will be mailed.
* DO IT NOW, and publish all valid certs


Roles and multiple certs
------------------------
An imminent problem exists from persons acting on TB1 in
multiple roles (e.g., individual for analysis, developer and
production manager). Although in the future the CAS service
should provide all support for this, for the time being
CAs will issue multiple certs to those expert users that
require one and know how to handle the associated problems.
With regard to naming these certs, BCP seems to be to add
the role within brackets at the end of the CN
[example: "..../O=nikhef/CN=Jeffrey Templon (alice production)"]
The names to appear within the brackets should be coordinated,
using the mailing list mailto:dg-eur-ca@services.cnrs.fr.
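A grid-mapfile generator of the kind the "Authorization working group" section describes, combined with the "role within brackets" CN convention above, as an added example; it is not the WP6 program referred to in the minutes. The authorization records, the group-to-account mapping and the list of coordinated role names are constructed for the example.

```python
import re

# Constructed sample authorization records of the kind the VO LDAP
# directory holds: subject DN, the authorization token's own validity
# window (independent of the user cert's validity) and the VO group.
AUTH_RECORDS = [
    {"subject": "/C=NL/O=nikhef/CN=Jeffrey Templon",
     "not_before": "2001-09-01", "not_after": "2002-08-31", "group": "alice"},
    {"subject": "/C=NL/O=nikhef/CN=Jeffrey Templon (alice production)",
     "not_before": "2001-09-01", "not_after": "2002-08-31", "group": "alice-prod"},
    {"subject": "/C=IT/O=INFN/CN=Lapsed User",
     "not_before": "2000-09-01", "not_after": "2001-06-30", "group": "alice"},
    {"subject": "/C=IT/O=INFN/CN=Odd User (my own role)",
     "not_before": "2001-09-01", "not_after": "2002-08-31", "group": "alice"},
]
GROUP_ACCOUNT = {"alice": "alice001", "alice-prod": "aliceprd"}  # assumed mapping
COORDINATED_ROLES = {"alice production"}   # assumed list agreed on the CA mailing list

ROLE_RE = re.compile(r"^(?P<name>.+?)\s*\((?P<role>[^()]+)\)$")

def split_role(subject):
    """'/O=x/CN=Name (role)' -> ('/O=x/CN=Name', 'role'); role is None if absent."""
    head, sep, cn = subject.rpartition("/CN=")
    m = ROLE_RE.match(cn) if sep else None
    if m is None:
        return subject, None
    return head + sep + m.group("name"), m.group("role")

def authorized_now(rec, today):
    """ISO dates (YYYY-MM-DD) compare correctly as strings."""
    return rec["not_before"] <= today <= rec["not_after"]

def gridmap_lines(records, today, roles=COORDINATED_ROLES):
    """One grid-mapfile line per record whose authorization is valid today
    and whose role suffix, if any, is a coordinated role name."""
    lines = []
    for rec in records:
        if not authorized_now(rec, today):
            continue                      # the authorization token decides, not the user cert
        _, role = split_role(rec["subject"])
        if role is not None and role not in roles:
            continue                      # uncoordinated role name: leave it out
        account = GROUP_ACCOUNT.get(rec["group"])
        if account is not None:
            lines.append('"%s" %s' % (rec["subject"], account))
    return lines
```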


Any Other Business
------------------
* all notes, references and documents will be available
  from the CA website at http://marianne.in2p3.fr/
* Next meeting will be in December at CERN, exact date to be fixed
* The CA approval matrix draft will be presented in Frascati
* Dave will propose to the PMB to delay the PM12 security
  deliverable from WP7, since the effort only starts in PM13!
* We should start now to collect the user requirements for this
  document
* a new security WG is to be established, as approved by the PTB.
  Those interested are invited to join.