Dear EUGridPMA and IGTF members,

The 37th EUGridPMA meeting is now over, and I would like to take this 
opportunity to again thank David Kelsey from the Rutherford Laboratory
and STFC for hosting us at the Coseners House!

I would like to share with you a few of the highlights of the meeting. Send
corrections and omissions if you spot them, since these have been taken
from my own scribbles and memory at
 https://www.eugridpma.org/meetings/2016-05/eugridpma-abingdon-notes-davidg.pdf
Slides with background of the Abingdon meeting are attached to the agenda at 
 http://www.eugridpma.org/agenda/37

Subsequent meetings will be:
** 38th EUGridPMA meeting, 19-21 September 2016, Geneva, CH, kindly 
   hosted by Paolo Tedesco at CERN
** 39th EUGridPMA meeting, January 2017, Florence, IT, kindly hosted by
   Roberto Cecchini of INFN and GARR
** 40th EUGridPMA meeting, May 2017, Ljubljana, SI, kindly hosted by
   Jan Jona Javorsek of IJS

and of course our affiliated meetings:
* REFEDS & TNC 2016: 13+14-16 June 2016, Prague, CZ
* I2 Technology Exchange and REFEDS: September 25-28, Miami, FL, USA
* Digital Infrastructures 4 Research: September 26-30, Krakow, PL

See all of you in Geneva, or at any of the upcoming meetings of the IGTF 
or elsewhere. Details on the Geneva logistics and the block booking at
the CERN hostel will be made available shortly. Please book before
August 15th.

	Best regards,
	DavidG.

Subjects discussed and listed below
-----------------------------------
* RCauth.eu and the AARC CILogin-like TTS Pilot for Europe
* Guidelines on Trusted Credential Stores
* IOTA minor update
* Implementation of the Generalised Assurance Profiles (and PKI Guidelines)
* New AP structure and GFD.169/review sheets
* Disaster Recovery and Business Continuity development
* Model implementations for video-supported vetting
* Recommendations on cyber-security programmes
* GFD.225 OGF Certificate Profile and OGF News
* Dissemination and impact
* Other updates: farewell to Jules Wolfrat; Concerns over future Hungarian
  R&E; Keeping more SAML auditing; The road to hell is paved with SAML
  Assertions (by Ioannis Kakavas); Darkmatter sets up PKI for Emirates;
  Evolution of SP800-63 assurance inspired by Vectors of Trust; More
  countries move to GEANT TCS; Self-audit and reviews completed; 
  Jisc Certificate Services for the UK; Chair re-elected - additional 
  contributions welcome!

All presentations are available on the agenda page:
  http://www.eugridpma.org/agenda/37
please review these as well as a complement to this brief summary. Much
information is contained therein and not repeated here.


RCauth.eu and the AARC CILogin-like TTS Pilot for Europe
--------------------------------------------------------
The AARC project is running a pilot with a bridging AAI solution based on
Jim Basney's CILogon model to enable resources that use conventional
identity and attribute certificates for access control to be used by
researchers using exclusively federated credentials. While certificate-based
access is effective for many non-web (command-line) and brokered-access
(delegation) use cases, exposing this technology to a wide user base is seen
as a significant barrier. In this pilot a set of mutually-interconnected
third-party software components is composed to hide the technical details of
certificate-based access. 

Part of the scheme is an on-line CA that is (usually) connected to a 
managed credential store (master portal) that manages credentials on behalf
of the end-users. The users use federated authentication (typically against
eduGAIN and specific IdPs operated by the research infrastructures) to 
obtain PKI credentials implicitly. Therefore the pilot includes an IOTA CA
that needs to be an accredited CA to permit the RIs and e-Infrastructures to
trust it. This is "RCauth.eu", the white-label IOTA CA for Europe. It is set
up by AARC and operationally supported by Nikhef and the Dutch National
e-Infrastructure coordinated by SURF. 

The policy has been reviewed by Reimer and Ursula against the IOTA 1.1
profile, and both reviewers have given positive recommendations. The CA
policy, details, and operational security controls were presented in the
meeting:
  https://indico.nikhef.nl/getFile.py/access?contribId=11&resId=0&materialId=slides&confId=418

Following the presentation, the EUGridPMA accredited by acclamation the
RCauth.eu IOTA CA, alongside the off-line DutchGrid CA Service Root - its
higher-level CA. They will be included in an upcoming IGTF distribution.

Guidelines on Trusted Credential Stores
---------------------------------------
The guidelines on trusted credentials stores (TCredS) were last reviewed
in May 2013, and since then the use cases and environment have evolved 
significantly. In particular, TCredS are relevant for RCauth since the
master portals in the architecture need to be assessed for trustworthiness,
and the TCredS Guidelines are an appropriate reference for this.
Also the Private Key Protection Guidelines have emerged and partly overlap
with the TCredS guidelines, so alignment is needed.

Similar work on credential management has been taking place in the US, where
schemes like DirectTrust (for exchanging messages in the healthcare domain)
need to project their credential stores where users keep their PKI
credentials. Considerations in the USFedPKI have led to the requirement
that protections on credential stores be /one assurance level step higher/
than the credentials protected in them. So to protect level-2 credentials,
the store itself must have level 3 (i.e. level 3 HSMs as well). This
may of course evolve with the upcoming SP800-63-v3 changes on decomposing
various assurance level aspects. [see presentation on SP800-63-3]
The work in AARC considers both a decomposition option (entity-category
based) as well as an ISO29115 option for representing LoA. This is 
ongoing work there coordinated by Mikael Linden et al.

We should also consider that - by moving credential management to a central
place - we are likely to improve over any user-based credential management
for many use cases, given that users are not trained at protecting any
credentials. Yet we can apply the 'principle' that was used in e.g. the
USFedPKI by adding controls to the TCredS guidelines.

As a start in this meeting, section 4 (Operational Requirements) was 
reviewed and edited in the Wiki document, which now also addresses virtualised
environments: 
  http://wiki.eugridpma.org/Main/CredStoreOperationsGuideline

The other sections still need more review and discussion - and alignment
with the Private Key Protection Guidelines.


IOTA minor update
-----------------
Minor changes (editorial and clarification) were made to the IOTA 
profile, resulting in version 1.1a. This version - published on the 
Guidelines pages, has been endorsed by the EUGridPMA and is deemed to be
of no material impact elsewhere (e.g. fixing 5820->5280, and dropping a
confusing byline):
  https://www.eugridpma.org/guidelines/iota/
We therefore consider the IGTF endorsement to remain valid.


Implementation of the Generalised Assurance Profiles (and PKI Guidelines)
-------------------------------------------------------------------------
Both the IGTF Levels of Authentication Assurance Guideline and the
PKI Technology Guidelines are now complete and published:

  https://www.eugridpma.org/guidelines/authn-assurance/
  https://www.eugridpma.org/guidelines/pkitech/

A minor change was done to the PKI Guidelines to address an omission that
we identified in placement of the subjectAltName. To section 3.2 was added:
  "If the credential has elements that allow direct contact to the subject,
  such as an email address, these elements should be included as
  subjectAlternativeName."

We note with appreciation that the TAGPMA has already revised the SLCS
and MICS profiles in October 2015 to refer to these two documents above
and change the PKI AP profiles to reflect just references. These
revised APs for SLCS and MICS are gladly endorsed by the EUGridPMA.
The EUGridPMA has similarly revised the Classic and IOTA Profiles:

  Classic v5.0: https://www.eugridpma.org/guidelines/classic
  IOTA v2.0:    https://www.eugridpma.org/guidelines/iota

The OID assignments and versioning have been updated in the repository. 
We invite the APGridPMA to endorse all revised APs (Classic, MICS, SLCS,
and IOTA). The LoA and PKI Tech Guidelines themselves have already been
endorsed.

We note that the intent and aim of the LoA generalisation process has been
to make the new rendering of the APs be materially equivalent to the
existing versions. The editorial process has been designed such that
the material content should match in the new renderings.
We hereby agree that the version 5.0 of the Classic profile is equivalent
to version 4.4, and that version 2.0 of the IOTA profile is equivalent to
version 1.1a.
There is thus no need for CAs that are currently accredited to review
or revise their own policies and practices.

Also the IGTF web site has been updated to fully reflect the new structure,
including the URL of the LoA document https://www.igtf.net/ap/authn-assurance/
and a list of URNs (OIDs) to designate these. All APs are now there in their
new format. Historic versions remain on the managing PMA web sites.


New AP structure and GFD.169/review sheets
------------------------------------------
For future self-audits and accreditations, the new scheme should be used.
There are no checklists or review spreadsheets yet, and this means that
also the classic example in GFD.169 is now unusable.
It would be good to have a document to record the mapping between the
LoA and PKI Tech guideline statements and the section in RFC3647 where 
these should or may appear. This can be done in an annotated version
of these Guideline documents (like we had an annotated Classic AP). Having
it in the same document will prevent divergence. Yet a sheet may
help reviewers to not miss items - and also help do the 'whitespace check': 
ensuring that there are no contradicting statements.

The reviewers of the next-to-be-accredited CA should develop the
preferred mechanism for review and - if needed - develop new sheets.
It is likely that the Darkmatter UAE CA will be next (with DavidG, Jens,
and Feyza). Coordination with and contributions by TAGPMA are appreciated.
We note that the 'current' sheets by TAGPMA are from 2007-2009 ...


Disaster Recovery and Business Continuity development
-----------------------------------------------------
Both Jens Jensen and Jan Chvojka presented disaster recovery strategies
for CAs. The plan developed by CESNET includes periodic testing and is
well developed. Jens - for the UKeScience CA - also developed a
comprehensive plan, which is validated by having two-person exercises and
operational runs in which redundancy is tested with specific administrators.
Regular operators are not normally supposed to display creativity in
'fixing' issues, since that has a large risk of creating incidents.
The DutchGrid CA Root faced a similar issue when deciding on activation
data fragmentation: increase the number of people holding a fragment
of the private key, or have activation data in whole (but separate from
the key materials) held by just two people - enough for redundancy, but
sufficiently limited to assign security-trained experts.
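
One way to implement the key-fragmentation option weighed above, as an added example that is neither from the notes nor the DutchGrid CA's own procedure: a k-of-n Shamir secret-sharing split of the activation data, so that more holders give redundancy while any k of them are still required to activate. The scheme, the field size and the constructed passphrase are assumptions.

```python
"""k-of-n fragmentation of CA activation data (Shamir secret sharing).

Added example: the notes do not say which scheme DutchGrid uses, so
Shamir's scheme over GF(p) is an assumption.  n holders give redundancy;
any k of them (but no fewer) reconstruct the activation data.
"""
import hashlib
import secrets

# Mersenne prime 2^521 - 1: the field is large enough for a 64-byte secret.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with these coefficients at x (Horner, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Return n fragments (x, y) of `secret`; any k of them reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_int(fragments) -> int:
    """Lagrange-interpolate the polynomial at x=0 from the given fragments.

    With fewer than k fragments (or a corrupted one) this silently yields a
    wrong value, which is why reconstruct() checks it against a stored digest.
    """
    s = 0
    for i, (xi, yi) in enumerate(fragments):
        num = den = 1
        for j, (xj, _) in enumerate(fragments):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    return s


def activation_digest(secret: bytes) -> str:
    """Digest kept separately from the fragments to validate a reconstruction."""
    return hashlib.sha256(secret).hexdigest()


def reconstruct(fragments, length: int, digest: str) -> bytes:
    """Return the activation data only if the fragments reproduce the digest."""
    value = recover_int(fragments)
    if value >= 1 << (8 * length):
        raise ValueError("fragments do not reconstruct the activation data")
    candidate = value.to_bytes(length, "big")
    if activation_digest(candidate) != digest:
        raise ValueError("fragments do not reconstruct the activation data")
    return candidate
```

The digest is what lets an operator notice a missing or wrong fragment instead of activating with garbage; keep it with the CA's documentation, not with any single fragment holder.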

Most of the material on disaster recovery - including the materials
shared during the meeting - is private and confidential. This does not
help the community in developing better disaster recovery plans. It was
decided to revitalise the Disaster Recovery WG, tasked to develop
guidelines for the structure and for topics to be addressed by the
disaster recovery section of both the CP/CPS and in private specific
plans. It can take some guidance from existing section 5.x in the
CPS, but should take more inputs. 
Scott points out that there are also cheap mechanisms to enforce
multi-person control, like embedded locked boxes inside larger safes, as
long as only tamper-evidence is needed.

The guideline will be developed on the EUGridPMA (members-only) wiki,
it should in the end be a public document with public guidance, and when
there is sufficient content we can decide how to distribute this
material: as an IGTF Guideline, as a white paper, a scholarly publication
(like for SCI), or as an OGF Information Document.

The WG members will be extended and include Jens, Jan, Scott, Reimer,
DavidG, and of course Shahin.


Model implementations for video-supported vetting
-------------------------------------------------
The currently permitted vetting models for BIRCH and CEDAR assurance state
that vetting "should be based on a face-to-face meeting and should be
confirmed via photo-identification and/or similar valid official documents. "
and continues to describe three models, one of which is that identity 
"be validated using notary-public attestations and/or official government
data sources and supported by remote live video conversation".

There are very mixed experiences with notaries public depending on country,
and they may do nothing more than just asserting that a copy of a 
document looks the same as the document copy would look. They are not
necessarily stating that the ID document belongs to the claimant, or that the
ID document is in fact an authentic photo-ID. 
There are also notaries, e.g. in the Commonwealth of Virginia, that can
make these attestations over video themselves, so you just get two 
video chat sessions instead of an in-person meeting.
Note that in SP800-63-v3, collecting full copies of photoID documents is
no longer allowed, not even in the US. Many European countries don't
allow making and retaining copies even today.

To facilitate the process, some CAs including HPCI, TR-Grid, but also
others, are looking at alternative but equivalently rigorous processes 
to support video-vetting. 
The aim should be to stay within the 'bandwidth of trust' described in the
current text: between the (possibly worthless) notary-public attestations,
and the more trusted real in-person hand-shake vetting. A model that
is between these currently allowed extremes should be and is good enough 
for the relying parties and compatible with the current BIRCH/CEDAR LoA.

Following discussion, it is considered appropriate to develop guidance
on the Wiki:
  https://wiki.eugridpma.org/Main/VettingModelGuidelines
that can explore the permissible options. It is inspired by the 
model used for remote vetting for qualified US and Adobe Document
Signing certificates at LoA2+ (stored on hardware tokens), and the
HD-video supported vetting that is permissible for those qualified certs.

If appropriate compensatory controls are in place and we can protect
same-person continuity (non-reassignment) as well as traceability, it 
should be viable. Compensatory controls have some 'hard' requirements
in the model process described in the Wiki above (mainly: exchanging
a nonce during a videochat, high quality video, traceability of the user,
liveness, and exchanging scans of visibly made signatures), and a set
of controls that can be considered to make the process acceptable
for accreditation by a PMA.

It is important that this be described and reviewed in each case, so
the proposal is that "The following is also considered to be an
acceptable process for implementing method 2 - if so acceptably documented
in the CP/CPS and endorsed by the accrediting PMA [description follows]".

For additional compensatory controls to be considered by the specifically
trained RA or trusted agent, see the Wiki. The aim is to demonstrate "duty
of care" by the RA/TA.

The discussion can continue on the list and in the Wiki. Feyza will 
contribute (and we hope also Eisaku Sakane-san), with the target of
adoption of this model later this year by updating the LoA or by
giving explicit guidance for interpretation of "should".


Recommendations on cyber-security programmes
--------------------------------------------
Getting traction for security with the leaders and researchers in smaller
research projects can be challenging. The CTSC has developed a training
and guide on how to communicate effectively with such projects and PIs.
The key is to be engaging: "we're here to help you" - and then propose
security and availability measures to protect valuable workflows.

The example training presented by Bob Cowles will take an hour to
present to intended audiences, followed by discussion:
  https://indico.nikhef.nl/getFile.py/access?contribId=0&sessionId=0&resId=2&materialId=slides&confId=418

It may also be good to highlight current risks to the research community: the
rise of ransomware, for instance.
In some cases, the security of researchers is 'offloaded' by the
infrastructure, in particular for PRACE where it is all done by the
home sites, and there is no real role for the PI. In other 
infrastructures (OSG, but also most of EGI and wLCG) there is an active
role for the VO/community in developing a security function.

For EGI there are good lessons here for training material. Also the
CTSC work is good for application in the WISE community, esp. policy
templates and helping communities write their policy, instead of expecting 
that to magically happen.


GFD.225 OGF Certificate Profile and OGF News
--------------------------------------------
The new "Interoperable Certificate Profile" GFD.225 is now complete and
https://redmine.ogf.org/dmsf_files/25 has the final version of March 23rd.
The final action is on OGF (Greg Newby) to publish.

Other OGF updates:
- OGF contributes to security (for clouds and federation) via the 
  ISO/IEC JTC1 SC38 working groups 3-5, who liaise with SC27 for security.
  This may help in the sense that OGF can propose standards and documents,
  and can help steer existing ones (yet cannot vote). 
- OGF is close to offering certificates for those that really cannot get
  it otherwise - at marginal cost - by becoming a reseller of the
  DigiCert Grid CA. There are some (e.g. commercial parties and companies
  in the cloud development area) that have no access to R&E operated CAs.
- the HLCA document should be moved to the IGTF EUgridPMA Wiki.

We request that OGF speed up its publication process so that publishing
via the OGF is a viable option. Jens will care for this.


Dissemination and impact
------------------------
We do have a story to tell, but in practice we're not telling it. Looking
at the IGTF web site, the <https://www.igtf.net/press/> section contains
old material, and is not well focussed. It is also not clear what the
communications targets are (what do we want to achieve by communicating)
nor what the target audiences are (general public, funding bodies, ...).

Potential target audiences include: general public, funding bodies, 
emerging and existent research infrastructures (new relying parties),
other (federated) identity providers (e.g. to expose the assurance 
levels that have been co-defined by the current RIs and e-Infrastructures),
and other researchers.

Some of these are served by writing academic papers or contribute to
scholarly journals -- which also helps those members in the IGTF whose
careers benefit from publications. Yet also white papers, blogs, and glossy
flyers can help spread the message.
There are some emerging and existing journals: Journal of Cloud Computing
(with Craig Lee as the editor), the new "Computing and software for
data-intensive [physics] Science" (a publisher rep was at the HEPiX 
conference). There are also many existing blogs, and contributing to
ones that are well read may help - maybe better than starting our own.
If we were to start a blog, we should at least use a general blog platform,
and have multiple people contribute. Writing a good blog (like those by
DFN-CERT, by GridPP Storage, or on programming by Walter) easily takes a
day to compose.
It would be even better to have some expert help from people experienced
in how to communicate complex subjects to a wider audience (although the
members would still have to provide the content). Experts like Sara from
EGI and the SURF PR people would be great.

Worthwhile topics in the short term would be:
- the new assurance level specification - Jens
- the onboarding of new CAs, like Darkmatter and RCauth - DavidG/LiciaF
- new use cases and RIs that use the LoA levels

At least Jens, Ian, and Jules are willing to help with (some of) 
these efforts. Other concrete actions for volunteer pick-up:
- white paper on the assurance model (or more)
- create a Wikipedia entry for IGTF (it's only mentioned now in a 
  lemma on federation written by Rainer Hoerbe)

*** and we should update the IGTF entry on the REFEDS Wiki! ***


Other updates
-------------
- the PMA highly appreciates the important work done by Jules Wolfrat of
  SURFsara and DEISA/PRACE since the beginning of the EUGridPMA in 2004. 
  His presentation on "High Performance Trust" reminds everyone of the 
  importance of collaboration and of the human factor that is so essential
  for creating a trusted community. We thank Jules for his important 
  work and joyful participation over all these years!
  Look at the Retrospect and Future presentation of Jules for insight.
  From now on, Walter de Jong, introduced to the PMA in September last
  year and again in Abingdon, will - jointly with Vincent Ribaillier of
  IDRIS - represent PRACE in the EUGridPMA.

- the PMA is seriously concerned about the recent plans of the 
  Hungarian government regarding the future of NIIF and the position
  of research and educational networks and services in Hungary. 
  Coordinated activities (including those at the policy level by our
  large organisational members, such as via Fabiola for CERN) should be
  considered in consultation with Tamas (if only because of the Wigner DC)

- to increase response capabilities, CAs using federated (SAML) assertions
  are encouraged to log the entire incoming assertion (i.e. including
  the raw XML and the signature) - so that even at a later date one can
  centrally check these signatures (and not only the attribute values). 
  This is specifically relevant also for the RCauth.eu Pilot ICA.
  Given that eduGAIN has limited operational capability for logging and
  response, independently making (daily) archives of the complete
  meta-data aggregate of eduGAIN is recommended (maybe in a central 
  place by the PMA as well).
- the PMA appreciates the work done by Ioannis Kakavas, and refers to
  "The road to hell is paved with SAML Assertions":
    http://www.economyofmechanism.com/office365-authbypass.html
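
An added example (not part of the notes) of what such a log record needs to hold so that the signature can be re-checked later: the raw Response bytes are kept verbatim next to the parsed attributes, and the later check works from those bytes alone. The sample Response, its placeholder signature values and the idp.example.org issuer are constructed; actual XMLDSig verification against the IdP key from an eduGAIN metadata archive needs an XML-signature library and is not done here.

```python
"""Retain the raw SAML assertion (XML + signature) in the log, not just attributes.

Added example, not from the meeting notes.  Assumes a SAML 2.0 Response with an
enveloped XML-DSig signature on the Assertion; the sample below is constructed
and its signature fields are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample Response (one attribute: eduPersonPrincipalName by OID).
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-05-10T09:00:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1">
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(assertion):
    """Map attribute Name -> list of values (all an attribute-only log would keep)."""
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def log_record(raw_response: bytes) -> dict:
    """Build the log entry: parsed attributes plus the untouched raw XML."""
    root = ET.fromstring(raw_response)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "assertion_id": assertion.get("ID"),
        "signed": assertion.find("ds:Signature", NS) is not None,
        "attributes": parse_attributes(assertion),
        # The raw bytes are what a later signature check needs: store them as
        # received, never a re-serialised copy (canonicalisation would differ).
        "raw_b64": base64.b64encode(raw_response).decode("ascii"),
        "raw_sha256": hashlib.sha256(raw_response).hexdigest(),
    }


def signature_material(record: dict):
    """Recover SignatureValue and signed references from a stored record, or None."""
    raw = base64.b64decode(record["raw_b64"])
    if hashlib.sha256(raw).hexdigest() != record["raw_sha256"]:
        raise ValueError("stored assertion does not match its digest")
    sig = ET.fromstring(raw).find("saml:Assertion/ds:Signature", NS)
    if sig is None:
        return None  # unsigned assertion: worth flagging on its own
    return {
        "signature_value": sig.findtext("ds:SignatureValue", namespaces=NS).strip(),
        "references": [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)],
    }
```

A record that keeps only `attributes` cannot feed `signature_material()` at all, which is the point of logging the whole assertion.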

- Darkmatter, represented by Scott Rea at the PMA meeting, introduced
  themselves and discussed the research and education landscape in the
  United Arab Emirates. With the continued rapid growth of R&E in the
  Emirates, and with a new national PKI being established to be based 
  entirely within the UAE and with public trust, there is an excellent
  opportunity to join efforts to also serve the R&E community with 
  credentials that are both publicly trusted and IGTF accredited. 
  This could also support (existing) relationship with the European 
e-Infrastructure (including EGI). Discussions with Ankabut on this
  issue are planned in the immediate future.
  Scott Rea will shortly submit a specific CA from the UAE for consideration
  as a Classic CA, inspired by that of an existing accredited CA in the
  EUGridPMA.  The target for completion is the end of 2016Q2.
  Assigned reviewers are Feyza Eryol, Jens Jensen, and David Groep. 

- The SP800-63 NIST publication is evolving, and comments are now invited
  on the draft of version 3. This version takes a new approach, likely
  inspired by the Vectors of Trust (VoT) work in IETF, in explicitly
acknowledging different assurance aspects, and incorporating federation
  and attributes as entities in their own right. 
  Input is welcome and encouraged (but don't expect to change the
  concept drastically, since NIST internally will have reviewed it 
  already). Commenting can be done via GitHub
    https://indico.nikhef.nl/getFile.py/access?contribId=0&sessionId=0&resId=1&materialId=slides&confId=418

- several CAs are moving most of their issuance towards the GEANT TCS,
  including NorduGrid, pkIRISgrid, INFN/GARR, and of course DutchGrid.
- The self-audit peer review was completed for MARGI and TR-GRID. The
  Belnet CA will be discontinued entirely on January 10, 2017.
- ArmeSFO presented their self-audit report, which will be reviewed
  by Jan Chvojka and Jens Jensen. For the UK eScience CA a major change
  is still upcoming, and once federated authentication would be used
to communicate with applicants and users a new CP/CPS would need a
  detailed review. This is foreseen for the September (Geneva) PMA meeting,
  and reviewers will be assigned then.
- plans in the UK with respect to the use of the JCS for research 
  purposes have been presented by Simon Cooper from Jisc in coordination
  with Jens Jensen - please refer to the presentation for details. 
- David Groep was re-elected as Chair of the EUGridPMA.
  The ongoing contributions from our self-audit coordinator Cosmin
  Nistor and from the RATCC coordinator Ursula Epting, are much appreciated
  and acknowledged. It would be jolly good if contributions to the agenda
  building and note-taking could be shared by a wider group than just
  the chair...
  More roles (vice-chair, secretary) can be added if that helps get
  more effort and more people - it may help folk to gain support within 
  their own organisations.


Attendance
----------
We would like to thank the following members for the in-person attendance:
 David Kelsey, Jens Jensen, Jan Chvojka, Feyza Eryol, Bob Cowles, Tamas Maray,
 Reimer Karlsen-Masur, Marc Turpin, Ian Neilson, Cosmin Nistor, Jules Wolfrat,
 Walter de Jong, David Groep, Scott Rea, and Simon Cooper;
and for their extensive presence in the videoconference:
 Anders Waananen, Javi Masa, Roberto Cecchini, Vladimir Dimitrov, Miroslav
 Dobrucky, Ara Grigoryan, Mariam Pilikyan, Narine Manukyan, and Nuno Dias.