Dear EUGridPMA and IGTF members,

The 38th EUGridPMA and IGTF All Hands meeting is now over, and I would like 
to take this opportunity to again thank Paolo Tedesco and CERN for hosting us.

I would also like to share with you a few of the highlights of the meeting.
Send corrections and omissions if you spot them, as these have been taken
largely from my own scribbles and memory, but with great support from the
notes kindly taken by Emir Imamagic. 
Slides with background of the Abingdon meeting are attached to the agenda at 
 http://www.eugridpma.org/agenda/38

Subsequent meetings will be:
** 39th EUGridPMA meeting, January 30 - Feb 1st 2017, Florence, IT
   kindly hosted by Roberto Cecchini of INFN and GARR
** 40th EUGridPMA meeting, May 8-10 2017, Ljubljana, SI, 
   kindly hosted by Jan Jona Javorsek of IJS

   (with September 2017 and January 2018 open if you are so kind as
   to volunteer to host a PMA meeting)

and of course our affiliated meetings:

* TAGPMA24 in Hamilton, BM, on October 24-25. See for registration:
    http://indico.rnp.br/conferenceDisplay.py?confId=234
* REFEDS, November 28, Geneva, CH hosted at CERN
    https://eventr.geant.org/events/2520
* APGridPMA meeting, March 6, 2017 in Taipei, TW, colocated with ISGC
    http://event.twgrid.org/isgc2017/

See all of you in Florence, or at any of the upcoming meetings of the IGTF or
elsewhere. Details on the Florence logistics will be made available shortly.

	Best regards,
	DavidG.

	
Subjects discussed and listed below
----------------------------------
The presentations of the IGTF All Hands Open Day are a worthwhile
read for anyone, especially if you have not attended the meeting itself.
Review the slides for these great talks (https://eugridpma.org/agenda/38):
- Trusting External Identity Providers for Global Research 
  Collaborations - Mind the Gap! - by Jim Basney (NCSA)
- Trust and coordination of incident response information in a 
  federated world, Sirtfi - by Hannah Short (CERN)
- The HPCI Infrastructure and AAI Evolution - by Eisaku Sakani (NII)
- The AARC model: developing an architecture and trusted pilots to 
  support research - by Christos Kanellopoulos (GRNET)

IGTF and PMA business:
- Extended validity periods for networked-system credentials
- R&E Federation use of the Generalised Assurance Profiles
- Auditing guidelines and MICS checklist
- Business purpose of CAs and RAs: where is the risk?
- Video-supported identity vetting guidelines
- Disaster Recovery WG
- IPv6 readiness
- OGF/CAOPS
- Other updates:
    clarification of identifier assignment in DOGWOOD
    on applicant-provided (opaque) extensions in IOTA end-entity certs
    continued use of SHA-1 after SHA-1 is broken - an analysis
    accreditations, updates, and self-assessment reviews
- Attendance

All presentations are available on the agenda page:
  http://www.eugridpma.org/agenda/38
please review these as well as a complement to this brief summary. Much
information is contained therein and not repeated here.


Extended validity periods for networked-system credentials
----------------------------------------------------------
  [see http://wiki.eugridpma.org/Main/IGTFLoADraft1-1 for document]
Following requests by several relying parties, the risk profile
associated with issuing longer (>13 months) credentials to servers
(networked entities and the services they run) was discussed. In
particular, the longevity of hosts is not typically constrained by staff
turn-over (which was the main ingredient in the risk analysis for
personal credentials), and the stability of the operating platform
(e.g. in LIGO where the compute environment is preferably left
unchanged during operational science runs that last longer than one year)
leads to a preference for longer-lived host credentials.
This could also align with industry practice for server (SSL) certificates
in the public trust domain, where CABforum guidance for OV (and DCV) 
validated certificates is limited to 39 months (~1200 days).  The
consideration there balances the risk of key exposure (through its use)
against operational feasibility and de-registration of validated 
information (like the domain name ownership) in organisation-validated (OV)
scenarios. There is obviously the example of short-lived DCV certs
from letsencrypt.org: 3 months.

For the IGTF Assurance Level (specifically CEDAR) the host/server
credential issuance can currently be tied to either domain ownership
(like in the CABforum BR), OR to the operational sysadmin capability by
a person who has administrative access to a machine. Extending the
host credential validity in the latter case is not desirable, since the
underlying association is akin to those of personal credentials.

Those present at the meeting agreed, and this will become accepted on
endorsement by the full PMAs, that:
- host credentials may be issued for up to 1200 days (39 mo) PROVIDED
  that compensatory controls are in place. These controls align with the
  basic DCV measures detailed in the CABforum BR section 3.2.2.4 items
  1 through 4 (confirmation with registrar, WHOIS data, control over the
  canonical 5 mail boxes).
- if only regular checks of sysadmin capability are done through an RA,
  the validity REMAINS LIMITED to 400 days (13 mo)

It MAY be considered to NOT assert the TLSWebClient eKU in these extended-
validity host credentials, to prevent their inadvertent use as robots.

For credentials issued to individuals, the 13 months (400 day) period
is considered to remain applicable as it was before. Considerations include
the alignment with the yearly affiliation turn-over cycle, and the need
to remember training.

The relying parties present (EGI, WLCG, XSEDE, OSG) also consider this
to be of equivalent strength and usable under the current trust model.

The IGTF therefore proposes to AMEND the current BIRCH and CEDAR LoA
specification to permit the above mentioned extended validity subject
to the conditions.

This is incorporated in the Generalised LoA document - and because of 
document structure split over two sections. Version 1.1 defines 
  "organisational sub-domain name ownership validation"
with the subset of elements from BR section 3.2.2.4 that the IGTF
considers applicable (and that are included directly into the document
in section 3.2), and then stipulates for Credential Validity (4.6):

  Credential life time should be either 
  1. no more than 400 days if the credential is stored in a file and 
     is further protected with a single authentication factor. The 
     credential MAY be extended or renewed up to 4 times 400 days based
     on the same data (or for the lifetime of the subject for biometric
     data) if the credential is protected with at least two authentication
     factors at least one of which is a hardware token; or 
  2. in the case of network and service entities for which the
     organisational sub-domain name ownership has also been validated, no
     more than 1200 days, without the possibility for extension or renewal.

The participants realise the new text is not excellent - suggestions remain
welcome. 

This change proposal is being tracked at
  http://wiki.eugridpma.org/Main/IGTFLoADraft1-1
and should come into force after all PMAs have endorsed the text. For the
EUGridPMA this will be done via mail in the usual way.
For the EUGridPMA, comments are requested before October 10, 2016 please!
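As an added illustration (not part of the meeting summary or of any IGTF document) of how the lifetime rules quoted above could be enforced at issuance time, the following Python encodes the 400-day and 1200-day limits, the renewal condition for hardware-token-protected personal credentials, and the suggestion not to assert the TLS client-authentication EKU on extended-validity host credentials. The `CredentialRequest` fields, the `make_request` helper and the EKU names are assumptions made for this example; the limits themselves are the ones in the draft 1.1 text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits taken from the Generalised LoA draft 1.1 text quoted in the summary.
FILE_CREDENTIAL_LIMIT_DAYS = 400          # single-factor, file-based credentials
FILE_CREDENTIAL_MAX_RENEWALS = 4          # renewals on the same vetting data (2FA + hw token only)
DOMAIN_VALIDATED_HOST_LIMIT_DAYS = 1200   # hosts with sub-domain ownership validation


@dataclass
class CredentialRequest:
    # Hypothetical request record assumed for this example.
    subject_kind: str                   # "person" or "host"
    not_before: datetime
    not_after: datetime
    domain_validated: bool = False      # hosts: BR 3.2.2.4-style ownership checks done?
    hardware_token_2fa: bool = False    # persons: two factors incl. a hardware token?
    renewals_on_same_data: int = 0      # renewals already granted on the old vetting data
    extended_key_usages: tuple = ()     # e.g. ("serverAuth", "clientAuth")


def make_request(subject_kind, days, **flags):
    """Build a request starting at a constructed date (1 Oct 2016) lasting `days` days."""
    start = datetime(2016, 10, 1)
    return CredentialRequest(subject_kind, start, start + timedelta(days=days), **flags)


def validity_days(req):
    """Lifetime in (fractional) days between notBefore and notAfter."""
    return (req.not_after - req.not_before) / timedelta(days=1)


def check_validity(req):
    """Return (accepted, notes): does the requested lifetime fit the proposed rules?"""
    days = validity_days(req)
    notes = []
    if req.subject_kind == "host":
        if req.domain_validated:
            limit = DOMAIN_VALIDATED_HOST_LIMIT_DAYS
            notes.append("host with sub-domain ownership validation: up to 1200 days")
            # Rule 2: 1200-day credentials come without extension or renewal.
            if req.renewals_on_same_data > 0:
                notes.append("1200-day host credentials cannot be renewed on the same data")
                return False, notes
            # Meeting suggestion: extended-validity host certs should not double as robot certs.
            if days > FILE_CREDENTIAL_LIMIT_DAYS and "clientAuth" in req.extended_key_usages:
                notes.append("advisory: consider omitting the TLS client-auth EKU on an "
                             "extended-validity host credential")
        else:
            limit = FILE_CREDENTIAL_LIMIT_DAYS
            notes.append("host vetted via sysadmin capability only: limit stays at 400 days")
    elif req.subject_kind == "person":
        limit = FILE_CREDENTIAL_LIMIT_DAYS
        # Rule 1: renewal on the same vetting data only with 2FA incl. a hardware token,
        # and at most four times 400 days.
        if req.renewals_on_same_data > 0:
            if not req.hardware_token_2fa:
                notes.append("renewal on the same vetting data needs two factors incl. a hardware token")
                return False, notes
            if req.renewals_on_same_data > FILE_CREDENTIAL_MAX_RENEWALS:
                notes.append("at most 4 renewals of 400 days on the same vetting data")
                return False, notes
    else:
        raise ValueError("subject_kind must be 'person' or 'host'")
    if days > limit:
        notes.append(f"requested {days:.0f} days exceeds the {limit}-day limit")
        return False, notes
    notes.append(f"requested {days:.0f} days is within the {limit}-day limit")
    return True, notes


if __name__ == "__main__":
    for req in (make_request("host", 1200, domain_validated=True),
                make_request("host", 1200),
                make_request("person", 400, renewals_on_same_data=1)):
        print(req.subject_kind, check_validity(req))
```

The check is deliberately conservative: a host credential whose only vetting is the RA's confirmation of sysadmin capability falls through to the 400-day branch, exactly as the meeting agreed.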


R&E Federation use of the Generalised Assurance Profiles
--------------------------------------------------------
  [see presentations on Tue and Wed at https://eugridpma.org/agenda/38]
The traditional assurance programmes, aiming to introduce NIST-style
LoA1 or LoA2 into the (academic and public) community, have failed to take
hold. Both InCommon and FICAM experience shows that even the institutions
that once certified against the requirements do not renew (VTech will not 
renew InCommon Silver, and Google lapsed on FICAM LoA 1). One of the
key elements blocking adoption of certification in academia is certainly
the formal audit requirement - if 'audit' is mentioned, in the USA the
university audit office is called, and the entire process stops. 
If only for that reason, we should probably refer to our 'audit' requirements
as 'assessment', since the IGTF model is based on the far more successful
peer-review and self-assessment approach, which does get traction in R&E.

For InCommon, the assertion of multi-factor is also self-asserted, and 
no checks are done by the federation beyond the organisation being 'in good
standing' (which is never really checked, and nobody has ever been evicted
from InCommon, which has very many members ...).

Given the failure of existing certification programmes, Jim - through the
REFEDS Assurance WG - is proposing the use of the BIRCH assurance profile
in combination with the peer review process, to get some of the IdPs that
are particularly relevant for e-Research (like the DoE labs in the US)
to sign up to the scheme. They materially qualify, and have done more
checks and assessments than most, but these never exactly matched the
NIST levels, so DoE labs never qualified for Silver. The per-IdP sign-up
model and compliance peer-reviewed-assertion with BIRCH mimics the model
that TCS has successfully used in Europe.
The relying parties in the US are willing to contribute to the peer-review,
thereby making this a viable option.

Discussion in the REFEDS community did highlight that there might still
be some technological bias in the way the BIRCH (and other) levels are
defined in the IGTF LoA specs. The presentation (Wed) lists some of these,
kindly brought to our attention by Tom Barton and Mikael Linden. 
The detailed comments will be circulated to the IGTF under separate cover, 
but it is worthwhile to review the wording and clarification in the LoA 
document to make sure they are unequivocally applicable to many credential
types (SAML, username-password, Kerberos, PKI).


Auditing guidelines and MICS checklist
--------------------------------------
The GFD.169 guidelines for performing self-audits give (an old version of)
the classic AP as an example list of items to check. Unfortunately, this
list is out of date, and worse does not address newer assurance profiles
such as MICS. Work by Eisaku-san has resulted in an extensive MICS review
checklist (to be circulated shortly) that can be used for both (re)newed
accreditations as well as peer reviews.
 [PDF will be posted to the IGTF list shortly]

One of the items conspicuously missing from the MICS profile is a check
on the upstream IdPs, akin to the peer assessment of IdPs that is being
discussed for Sirtfi (checking from the outside whether the expectations
are met), and to what we do internally with the RATCC challenges.
Checking of IdPs can also take the form of heuristics, by which we can
make a guesstimate as to how the IdP is operating. In recent events, a
full check of all service use for a MICS CA was done, in which heuristics
based on the issued IdP assertions was able to match all but four of the
~3400 certificates issued (these four were cleared by explicit check later).

Business purpose of CAs and RAs: where is the risk?
---------------------------------------------------
Reviewing the threat profile based on recent (2011+) incidents in the
public CA providers points clearly to RAs being the weakest link in the
assurance chain. Without discarding any risks associated with the CSP
credentialing process, we should devote more effort (time) in 
defining acceptable RA processes. The RPS template details all the
necessary elements (but may be considered over-complicated by some), yet
we should develop a base of confidence. The MICS discussion [above] pointed
in the same direction. Onboarding of new RAs should be easy, yet have
a provable, documented process behind it.

At this moment, the IGTF has no explicit guidance on onboarding RAs, leaving
it to be described in the CP/CPS (and thus different for all CAs and in 
all regions). A new guideline on best practices for onboarding RAs would
be welcome and increase trust. A starting point would be to collect current
practice and thus provide good examples. 
The documented process is especially important for large authorities, where
the registration agents are 'more disjoint' from the authority itself.

An area on the (members-only part) of the EUGridPMA Wiki will be created
to facilitate collection of practices. All authorities are invited to
upload any processes they wish and are able to share!


Video-supported identity vetting guidelines
-------------------------------------------
  [see http://wiki.eugridpma.org/Main/VettingModelGuidelines]
Following the introduction by Eisaku-san, the set of requirements and
compensatory controls that would permit the proposing of video-supported
remote vetting was discussed. Although it should be noted that even
the in-person process was never rigidly defined by the APs (it was
originally proposed because it was the 'easiest' method to describe), it
is understood that many see in-person as the default preferred option, if
it is reasonably possible. But when in-person checking is not a realistic
option (too great distances, no useful notary public system, extremely
expensive, or otherwise), then the advances in HD video technique now
enable vetting to a level that could be considered equivalent to 
in-person checking of identity - provided that other compensatory
controls are put in place.

The approach taken should consider the management of the end-to-end risk,
and offset that against the acceptable level that RPs are willing to use.
It should be noted that, in order to be inclusive for their user communities
and in order not to insert complex obstacles for usage of RP services,
the RPs present (EGI, WLCG confirmed) are strongly in favour of a process that
would be inclusive of all users, including those in locations without an
in-person capability.

Based on the earlier draft from the Abingdon meeting
  https://wiki.eugridpma.org/Main/VettingModelGuidelines
further guidance was developed. The risk most discussed was to guard against 
the identity document being faked or not belonging to the applicant (and
thus issuing credentials to the wrong entity or in the wrong name).
It would be good to have some demonstrators of a remote vetting process,
in which both real and fake documents are used to try both working and
'abuse' cases - and see how the RAs that would be permitted to perform
remote vetting for that RA would react.
It should be considered to only accept those forms of PhotoID with which
the RA is very familiar and for which the RA has been trained to recognise
(visual) authenticity features.

All other compensatory controls are in the guideline text above. There are
controls of various 'strength' listed, and a weighting system may be 
considered by reviewing PMAs to make sure the combination of controls
proposed by the CA actually meets or exceeds a minimal level (e.g. based
on a points ranking).

This can realistically be done by having the CAs that propose to use this
process actually try it and present the results of such a vetting test
(in particular the authenticity of photo IDs is interesting). 

The guidelines, over which rough consensus was reached by the IGTF AHM,
define a process by which the PMAs will assess requests by authorities
to implement a remote identity vetting process. The PMAs shall - based
on these guidelines - assess sufficiency of process and - when the proposed
process is endorsed - will permit the authority to use the proposed process. 

Of course, an authority can only start issuing credentials based on
remote vetting under an accredited CA AFTER the PMA has endorsed its
proposed process!

It should also be noted that the method involving notary publics is
already approved and can continue to be used and included as-is. At
least in countries where notary-publics are a useful option ...


Disaster Recovery WG
--------------------
Shahin presented the combined work of the D/R working group, including
earlier work presented by Jan Chvojka in Abingdon. The balance to
strike for n-of-m control of the backup key pair also depends on staff
turn-over rates (with long-term permanent staff, 2 of 3 may be better;
in case non-IT-aware staff is used, or rollover is higher, 3 of 5 might
be a better choice). 
Also the use of printed material can be considered, esp. if it is only
for D/R (and gets rid of media aging).
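To make the 2-of-3 / 3-of-5 trade-off concrete, here is an added example (my own, not the D/R working group's material) of k-of-n split control implemented with Shamir secret sharing over a prime field, plus a text encoding of each custodian's share so it can be printed for paper-only D/R storage. It is an assumption of this example that the key pair backup is wrapped with a symmetric key and that this wrapping key is what gets shared; the chunking into 15-byte pieces and the share text format are my own choices.

```python
import secrets

# Field prime: 2^127 - 1 (a Mersenne prime). A 15-byte chunk is always < 2^120 < PRIME.
PRIME = 2**127 - 1
CHUNK = 15


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x over GF(PRIME) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Split integer secret into n points of a random degree-(k-1) polynomial.

    Any k of the returned (x, y) points recover the secret; k-1 reveal nothing about it.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over GF(PRIME); needs at least k distinct points."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key(key, k, n):
    """Split arbitrary key bytes for n custodians with threshold k.

    Each 15-byte chunk of the key is shared independently; custodian x receives
    (x, [y for every chunk], [chunk lengths]) so that any k custodians can rebuild the key.
    """
    chunks = [key[i:i + CHUNK] for i in range(0, len(key), CHUNK)]
    per_chunk = [split_secret(int.from_bytes(c, "big"), k, n) for c in chunks]
    lengths = [len(c) for c in chunks]
    return [(x, [pc[x - 1][1] for pc in per_chunk], lengths) for x in range(1, n + 1)]


def recover_key(custodian_shares):
    """Rebuild the key from at least k custodian shares (as produced by split_key)."""
    lengths = custodian_shares[0][2]
    out = b""
    for idx, length in enumerate(lengths):
        points = [(s[0], s[1][idx]) for s in custodian_shares]
        out += recover_secret(points).to_bytes(length, "big")
    return out


def share_to_text(share):
    """Printable form of one custodian's share (for the paper-only D/R option)."""
    x, ys, lengths = share
    return f"{x}:" + ",".join(f"{y:032x}" for y in ys) + ":" + ",".join(map(str, lengths))


def share_from_text(text):
    """Inverse of share_to_text."""
    x, ys, lengths = text.split(":")
    return int(x), [int(y, 16) for y in ys.split(",")], [int(v) for v in lengths.split(",")]


if __name__ == "__main__":
    # Constructed demo key; in practice this is the key that wraps the backed-up CA key pair.
    demo_key = secrets.token_bytes(32)
    shares = split_key(demo_key, 3, 5)              # 3-of-5 custodians
    for s in shares:
        print(share_to_text(s))
    assert recover_key([shares[0], shares[3], shares[4]]) == demo_key
```

With 2-of-3, losing one custodian (staff turn-over) still leaves a quorum; with 3-of-5, two custodians can leave or be unavailable, at the price of needing three people present for a recovery. Shares should be generated on an offline machine and the wrapping key discarded from it afterwards.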


IPv6 readiness
--------------
The availability of CRL downloads over IPv6 is now continuously
monitored by Ulf Tigersted for the HEPiX working group on IPv6. The
current and historic status can be inspected at
  http://cvmfs-6.ndgf.org/ipv6/overview.php
which also highlights a few important points:
- if a CA provides an AAAA record, IPv6 really ought to work, or clients will
  suffer long download delays or will fail
- the number of CRLs that can only be downloaded over legacy IP is going
  down, but not fast enough. There are still 54 broken CRL endpoints
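The kind of check behind such a monitor, as an added example (my own code, not the HEPiX IPv6 working group's monitor or anything from the page): for each CRL URL it resolves A and AAAA records separately, fetches the CRL over every IPv6 address a client would try, and classifies the endpoint as working, broken (AAAA published but unreachable, the case that makes clients stall), legacy-only, or unresolvable. It assumes plain-HTTP CRL URLs, and the resolver and fetcher are injectable so the classification can be exercised offline with constructed data.

```python
import http.client
import socket
from urllib.parse import urlparse


def resolve(host, rrtype):
    """Return the A ('A') or AAAA ('AAAA') addresses of host, or [] if none."""
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_via(url, addr, timeout=5.0):
    """Fetch url by connecting to one literal address; True on HTTP 200 with a body.

    Connecting to the literal address (with the Host header set) pins the request to
    that address family, so IPv6 breakage is not masked by a fallback to IPv4.
    """
    u = urlparse(url)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    conn = http.client.HTTPConnection(addr, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": u.hostname})
        resp = conn.getresponse()
        return resp.status == 200 and len(resp.read()) > 0
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def check_crl_endpoint(url, resolver=resolve, fetcher=fetch_via):
    """Classify one CRL URL as 'ok', 'broken-aaaa', 'legacy-only' or 'unresolvable'."""
    host = urlparse(url).hostname
    v4 = resolver(host, "A")
    v6 = resolver(host, "AAAA")
    if v6:
        # An AAAA record is a promise: every advertised v6 address must serve the CRL,
        # otherwise dual-stack clients wait on the failing v6 attempt before (if ever)
        # falling back to legacy IP.
        status = "ok" if all(fetcher(url, a) for a in v6) else "broken-aaaa"
    elif v4:
        status = "legacy-only"
    else:
        status = "unresolvable"
    return {"url": url, "A": v4, "AAAA": v6, "status": status}


def summarise(urls, resolver=resolve, fetcher=fetch_via):
    """Check every URL; return the per-endpoint results and a count per status."""
    results = [check_crl_endpoint(u, resolver, fetcher) for u in urls]
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return results, counts


if __name__ == "__main__":
    import sys
    # Usage: python crlv6check.py http://crl.example.org/ca.crl ...  (URLs are your own)
    results, counts = summarise(sys.argv[1:])
    for r in results:
        print(f"{r['status']:12} {r['url']}  AAAA={r['AAAA']}")
    print(counts)
```

Both 'broken-aaaa' and 'legacy-only' are actionable for a CA: the first is a configuration fault to fix immediately, the second is the IPv6 migration the PMA is asking for.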

APGridPMA members have already committed to have all CRLs available over
IPv6 by the end of 2016. This is doable for all CAs, especially since a
service like CloudFlare can be used to offer this for free and is 
dual-stack by default. CRL downloads (being small) easily fit in the free
tier of CF: 
 http://indico.rnp.br/getFile.py/access?sessionId=5&resId=0&materialId=0&confId=217

For all IGTF authorities, we expect IPv6 capability BY THE END OF 2016,
with status to be reviewed at the 39th meeting (Jan 30). 


OGF/CAOPS
---------
The GFD.225 OGF Certificate Profile document is 'almost ready', but Jens 
will be doing a bit more editing to fix references. It will then depend
on the availability of the OGF Editor AndreM to push it to the document repo.

Work on the updated GFD.169 document can progress in CAOPS.

Those of us in CAOPS willing to participate in the OGF-relevant ISO process
can do so by way of OGF, which is represented at a country-equivalent 
position but without voting rights. It should be noted that normally
ISO documents are closed licensed material, but because of the OGF
copyright the OGF document content will always remain open. 
Considering the ISO process is relevant only when government or industry
is the target of the specification.

Other updates
-------------
- in matching the needs of the EUDAT B2ACCESS service against the IOTA
  profile (as part of a suitability assessment of RCauth.eu for replacement
  of the current internal CA), it was found that the wording on 
  identifier assignment was confusing. Where it states that it should
    "identify the identity management system via which the identity
     of this person was vetted"
  in case of a multi-layered IdM system this applies to the top-level
  IdM, i.e., the IdM that provides the assertions to the issuing authority.
  This IdM is then by itself responsible for retaining sufficient
  information to trace through to its own downstream IdP, e.g. by 
  propagating its own unique identifier (ePUID, ePPN, ...) to the 
  issuing authority service provider.
  In case of B2ACCESS, the "O" field in the credential issued by RCauth
  would be "B2ACCESS", and the unique identifier one provided by EUDAT.
  This is also how EGI is doing this (providing its own ePUID).
  [see Jens' Soapbox presentation]

- The EUDAT/B2ACCESS system uses a proprietary extension in the end-entity
  certificates (not RFC 3820 proxies) to convey additional information used
  for authorization by its own services. In practice, an extension contains
  a SAML blob as an octet-stream. 
  It was suggested that an (IOTA) CA could accept incoming extension 
  requests, treat them as opaque blobs, and permit specific requester agents
  (actors on behalf of the applicant as well as on behalf of a RP collection)
  to insert extensions with OIDs exclusively assigned to these agents.
  This way, an approved EUDAT agent system could request that EUDAT
  specific OIDs (like the one with the SAML blob) be included, if the
  request comes from EUDAT. The user data is then taken from the original
  user IdP (home org, not EUDAT).
  [currently this is out of scope of any accredited IOTA (or other) CA]
  [see Jens' Soapbox presentation]

- For a discussion and analysis on the continued use of SHA-1 in validation
  after SHA-1 is broken (so when collisions are feasible), refer to Jens'
  document at https://cert.ca.ngs.ac.uk/sha2migration/sha2migration-1.6.pdf

- The DarkMatter CA, serving initially the UAE natl. PKI and also developed
  in a way so as to be able to support the Ankabut e-Research efforts, was
  presented by Scott Rea. It is currently operating on own hardware hosted in
  a partner infrastructure, but is expected to move on-site early 2017. 
  Given the relatively large number of CP/CPS documents, as well as the
  ancillary documents and agreements that have to be reviewed, ChristosK has
  been added as a fourth reviewer, besides Jens, Feyza, and DavidG.
  The option is held open to - in the future - run also a retail service that
  can serve the national or even global community.

- The EGI "Catch-All" service will move to an on-line service with a 
  dedicated back-end. There's also the inclusion of a distributed IdP system
  that will increase the reach of the catch-all, especially in those
  countries where the NREN failed to sign up to TCS and that service is
  thus not available (and no alternative exists). The new CP/CPS is
  expected in Oct 2016. Reviewers will be Ian Neilson and Ronald Osure.
  The use of existing (R&E federated) IdPs will necessitate agreements with
  each specific IdP (like TCS today), which will include pushing down
  the CP/CPS compliance requirements on these IdPs. EGI SSO can be used
  to augment the identity, e.g. providing LoA data in case of linked accounts

- The self-audit reviews are progressing, but slowly. The continued prodding
  of peer reviewers by our self-audit office Cosmin remains necessary. 
  Pending peer-reviews include ArmeSFo (CPS in place, S/A docs sent this
  week); IRANgrid (Miroslav's comments will be addressed first); DZeScience
  (pending peer review); RDIG; AustrianGrid (we strongly encourage the 
  AustrianGrid CA to move forward with its migration plans, expecting news
  by the next meeting).
  Grid-FR will do a report based on the old CA in January; the project to
  move to a new national CA is slow in progressing.
  Authorities due for an urgent self-assessment review, or overdue for an
  in-person appearance, can inspect their status on the membership status page.
  The upgrade plan for the UK (a completely new hierarchy) is OK.


Attendance
----------
We would like to thank the following members for their in-person attendance:
 Paolo Tedesco, Eric Yen, Rahim Bouchra, Ian Neilson, Christos Kanellopoulos,
 Jim Basney, Shahin Rouhani, David Kelsey, Cosmin Nistor, Jana Kejvalova,
 Jan Chvojka, Eisaku Sakane, Jan Jona Javorsek, Marc Turpin, Emir Imamagic,
 Derek Simmel, Scott Rea, David Groep, Vincenzo De Notaris; 
 as well as Romain Wartel, Hannah Short and Maarten Litmaath on the Open Day.
and for their extensive presence in the videoconference:
 Javi Masa, Roberto Cecchini, Vladimir Dimitrov, Miroslav Dobrucky, 
 Ara Grigoryan, Reimer Karlsen-Masur, Nuno Dias, Lidija Milosavljevic,
 Mariam Pilikyan, Ronald Osure, Jens Jensen, and John Kewley.
 (and to Thomas Baron for continuously monitoring Vidyo operations)