Minutes of the EDG CA Coordination Meeting (EDG-CACG)
30-31 August 2001, Amsterdam

Present:
  Roberto Cecchini
  Brian Coghlan
  Jorge Gomes
  David Groep
  Dave Kelsey
  Daniel Kouril
  Pietro Martucci
  Sophie Nicoud
  Andrew Sansum
  Lev Shamardin
  Anders Waananen

The agenda as distributed by Dave and amended by Sophie has two main issues: status on policies (CP/CPS assessments) and the operational issues for Testbed 1 (TB1) in PM9.

The minutes from the last meeting are not causing any complaints. If these minutes do, you should react by email to the mailing list.

Round table reports
-------------------

INFN: An OID has been assigned to INFN by the IANA and is managed by Roberto. It is not yet used, but will be included in the certificates in the future. For the time being, the certs contain in the nsComment field a reference to the CP/CPS version. This is deemed a good practice by the group.

Ireland: The CA is up and running in a secure fashion (off line, proper pass phrase etc). Issued 30 certs and published a CRL that can be reached from http://marianne.in2p3.fr/ A draft CP/CPS will be put up soon (the draft is almost ready).

Russia: Is now up for three weeks. No policy is defined at this point. It is operated by a robot (i.e. online) with some RA-like people sending the robot signed e-mails from the various universities.

CERN: A CPS has been drafted based on the one by Roberto. Also, the CERN test bed now acknowledges all EDG CAs and has performed successful interoperability tests as part of the HEP testing activity (with Alice).

NIKHEF: No significant changes. Currently issued approx 50 certs.

Nordunet: A 'chain-of-command' has been established and documented for CA/RA operations. Currently busy preparing a CPS based on this. Currently communication with the RAs is by phone. Issued approx 20 certs.

CNRS: The current status was sent to the mailing list by Jean-Luc. The CPS has changed slightly in view of the server certs (naming).
Roberto still has some questions left [see later].

UKHEP: Running in production mode (about 2-3 requests per week), but a CP/CPS is still to be finalized. Will be ready around next week. One of the problems encountered was the email bit not being set in nsCertType, which made the certs useless for e-mail exchange. This is being corrected by reissuing the certs with this bit set. The UKHEP CA has also been threatened: many host cert requests might be sent. But this really seems unlikely to happen. A colleague of Andrew is currently working on OpenCA (now in pre-beta release). Maybe in the upcoming three weeks something nice will evolve. Otherwise the effort will be relocated to other CA related work.

The nsCertType bits for e-mail and for SSL client mode are important. Parts of the WP6 site on marianne.in2p3.fr are protected using SSL and the site uses user certs to identify "DataGrid" users. The same kind of application can also be foreseen later for getting job output via https.

News from the World
-------------------

GGF2: Dave was the only one to go there. It has been slightly restructured, with "Areas" replacing the working groups, and the subgroups being replaced with working groups. Within the security area there is now a CP working group, whose working documents may be found at http://www.gridcp.es.net/ The group just produced version 5 of the CP draft for Grid use. This draft CP defines four levels (rudimentary, basic, medium and high), where even the lowest grade already needs considerable effort. Most of the levels are likely to include external auditing. From the EDG CACG it is considered important to participate in this effort. This is even more necessary since starting PM9 the current Globus certs are no longer to be supported within the EDG TB1. All our current CP/CPSs seem to correspond to the "basic" level, excluding the auditing requirements. Dave K will write a response to the GridCP working group.
Terena, Antalya: The notes from the Terena EuroPKI meeting are available from http://www.terena.nl/projects/pki/ The current level of interaction between the Terena PKI effort and the GridCP effort is minimal and misunderstanding seems to exist within the Terena PKI group about the Grid/GSI efforts.

Steve Tuecke: Globus GSI might move towards the MS "PassPort" concept, the basic idea being that most of the checking of credentials will always be done at the authorization stage and thus the authentication stage is less important. Basically, the name in the personal cert is not to be cared about, as long as it is unique. For host certificates the situation is not very clear. Ideas are towards a per-site certificate and then subsequent lower-level hierarchies for hosts. For now, none of these ideas are expected to result in immediate changes. The CAS service system is slightly delayed (pre-beta demo foreseen in October/November 2001).

Group usage of CAs
------------------

The Russian DataGrid CA is currently implemented as a distributed set of trusted authorities that contact a CA signing robot using signed e-mail. One such trusted authority is assigned per institute/university. The main comment on the presentation is the strong suggestion to take the robot part out. It violates the minimum requirements as laid out in previous meetings. Without the robot, the system is compliant, with the trusted persons as RAs. The scripts used for signed email and email verification are extremely useful and should be distributed amongst the group. They would be a good alternative for OpenCA. The URL will be mailed by Lev.

CRL publication
---------------

A push mechanism for CRL distribution is presented, based on submission of Globus jobs to participating nodes in a hierarchical way. Much discussion ensues, with the main arguments being that it is too intrusive and too heavy-weight.
The two main problems addressed by this method are:

- spreading the word of cert revocation
  Maybe a signalling functionality would be nice, causing sites to subsequently pull the new CRL from the original location. Such a mechanism might possibly be implemented on top of the WP3 monitoring system using a subscription to the last-change date. It is unclear to the CA group whether WP3 would support this. Anyway, this will not be there for PM9.

- load distribution of the CA web site
  Conventional mirroring techniques like Round-Robin DNS are probably better suited for this. It will certainly not be an issue in the near future, since web servers are really fast. For periodic retrieval of CRLs from a crontab-run script, a random wait may be useful to spread the load around the "obvious" times like midnight sharp.

A thing to remember is the new modular CA scheme of Globus 2.0. In the new release, CAs can be packaged as RPMs, with the ca-signing-policy specified on a per-CA basis in a file named after the hash. This makes it easier to install new CAs and prevents confusion in the policy file about overlapping domains of authority.

Grid Acceptable Use Policy
--------------------------

The DataGrid Acceptable Use Policy is a standard document to be signed (electronically) by the DataGrid collaborators who want to use resources on the DataGrid test bed. It is currently at version 6, to be mangled by the CERN lawyers. It details a set of rules, loosely inspired by CERN circular No 5, but in the end national laws will still be applicable. But the user will never know which law that will be :-) The latest version (in French) is available from [temporary location http://www.nikhef.nl/~davidg/grid/aaa/charte-draft-V6.pdf]

Globus certs in TB1
-------------------

Globus CA support is to be discontinued after PM9. After that date, US individuals can get certificates from the CERN CA, which will act as a catch-all solution. This will not work as-is for host certs.
Maybe an RA network could be set up in the US to sponsor applications from hosts there, to be signed by an EDG CA. It is decided that the matter will be discussed as part of WP6 with our Globus security contact Steve Tuecke.

Naming schemes
--------------

The Datagrid-fr problem of signing "/*" has been resolved (it will now sign "/C=FR/*" and "/C=IT/O=ESA/*" only). As part of Globus-2 the ca-signing-policy file has been split in a per-CA fashion, preventing future problems with CAs signing overlapping name spaces (although this is still strongly discouraged).

Object IDs for CP/CPS identification
------------------------------------

You can get these for free from IANA [http://www.iana.org/]. Roberto will send more information to the list. The OIDs can be used in a generic fashion. Beware that only one OID is allowed per organization. The DataGrid project as such can apply for an OID (for WP1/WP3 LDAP schema work), maybe individual grid sub-projects can do the same.

CP/CPS review
-------------

At this time only UKHEP and NorduGrid are still missing a CP/CPS document. The one by Andrew is due RSN (about 1 week).

The latest CNRS CP/CPS was circulated by Jean-Luc. Some comments were raised:

- in 3.1.7 (method to prove possession of private key), the stated practice does not verify possession after the receipt of the request by the CA. The GGF draft GridCP requires this check. Besides, the wording of paragraph 2 hints at key pair generation by the CA, which is not intended but gives a bad impression. BTW: neither OpenSSL nor Netscape has a clean and easy solution to the proof-of-possession problem. The main problem (man-in-the-middle attack) can probably only be solved in a secured transactional scheme.

- in 4.2: the statement is contrary to 2.8

- 4.4.9: the wording might give the impression that CRL generation is automatic (and thus on-line and without a password). It is suggested to make this paragraph more realistic.
- 6.1.4: "secure" is not meant to mean "secure" as in "secure connection"

- 3.1.9: it is proposed to make the procedure more clear and state explicitly that a phone conversation is conducted, and of what kind

With regard to the LIP draft:

- the CP/CPS states that the user private key should be at least 8 characters. After a short discussion it is concluded that such user guidance is good, and the wording could be refined by also adding "strong".

The current state of the CP/CPSs in all its variety is left as is for TB1. Maybe later in the project we will standardize on the GGF draft.

Many of the TB site operators will look to the CACG for guidance on which CA certificates to include. For this to work, we as a group will have to evaluate all the CP/CPSs in some consistent way. Since the GGF classification will provide the solution only in the long term, we should devise a classification scheme (possibly inspired by the GGF drafts, using the same levels but taking out the requirement for auditing to have a better level of granularity for this purpose). The checking and "grading" of CP/CPSs should be public. In this case, gentle pressure is applied to "rudimentary" CAs and at the same time the reviewers will experience some pressure to actually do the grading. The evaluation matrix will be drafted by Brian and put up on http://marianne.in2p3.fr/. The draft matrix design should be ready in Frascati, the complete evaluation certainly before the March 2002 Paris meeting.

Operational Issues for TB1
--------------------------

* nice to have an end-user information guide. The current situation is quite confusing

* a per-country Globus configuration is needed to configure grid-security.conf. Anders has an RPM scheme, with one RPM per CA with a hash file and a signing policy file (for Globus2). Then add one country-specific RPM with the proper grid-security.conf and configure.
  Anders will put the sources online at http://www.nbi.dk/~waananen/trusted_ca/

* all TB1 sites are now covered by a national CA. The Americans are a WP6/TB1 issue

* every CA should write user instructions a.s.a.p., but certainly within 2 weeks, and send these to Sophie [mailto:Sophie.Nicoud@urec.cnrs.fr]

MDS-2.1-alpha certificates
--------------------------

* Globus has the fundamental notion of per-service certs. So not only MDS certs (ldap/*), but also host certs for GSI-ftp (host/*) are needed. The gatekeeper certs have just the hostname, but source code inspection reveals it had almost been "gatekeeper/*"

* the problem is in the number of certs, not in the policy

* some feedback will go back to the Globus team, since we are not entirely happy with this prospect.

CRL retrieval
-------------

Several packages now exist. fetch-dg-crl has a nice autoconfig capability, but will not check the CRLs for validity against the installed CA certs. Some functionality from the GetCerts package should be merged in. Note that the writing of a ca-signing-policy will no longer be needed in Globus2. Besides, UKHEP will start issuing a CRL, although an empty one for the time being.

The INFN CA certs can now only be obtained from a secure http site via a form. Problems with validation of certs will always be there, and can be countered either by distributing from only one trusted site or by distributing from a multitude of sites. For now, Roberto will put up a PEM copy in a public place, but this location will not be publicly advertised.

Authorization working group
---------------------------

* for the authorization scheme to work properly, each CA must operate an LDAP directory service publishing the user certs by either subject DN or by a more flat scheme like CN only.
* each VO has one LDAP directory, containing a hierarchy with groups and individuals, where the individuals are linked from one or more groups

* the VO LDAP service contains user cert pointers, subject names and pointers to "authorization certs"

* the authorization cert is issued for a definite lifetime (independent of the authentication cert validity), after the user has agreed to the DataGrid AUP. This "cert" need not take the form of a cert, but might as well be a token signed by an authorization-delegate (possibly automated).

* for CAs an LDAP cookbook from Janus Liebregts is available from the web [http://ldap.gigacorp.nl/pkildap.html]

* A program will generate grid-mapfiles based on a set of LDAP authorization directories. This program will check the validity of the authorization cert (not the user cert!)

* replication of this service is not foreseen for PM9, but will be resolved if needed by WP6

* TB1 does not (yet) have a recommendation as to the update frequency of the grid-mapfile.

* Roberto has a sample package with schemas and configuration files to set up a CA LDAP service. Samples will be mailed.

* DO IT NOW, and publish all valid certs

Roles and multiple certs
------------------------

An imminent problem exists from persons acting on TB1 in multiple roles (e.g., individual for analysis, developer and production manager). Although in the future the CAS service should provide all support for this, for the time being CAs will issue multiple certs to those expert users that require one and know how to handle the associated problems. With regard to naming these certs, BCP seems to be to add the role within brackets at the end of the CN [example: "..../O=nikhef/CN=Jeffrey Templon (alice production)"]. The names to appear within the brackets should be coordinated, using the mailing list mailto:dg-eur-ca@services.cnrs.fr.
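The two conventions from the Authorization working group and Roles sections above, worked through as an added example (not code from the project or the minutes): a grid-mapfile generator that admits an entry only while its authorization token is valid (the user cert's validity is deliberately not consulted), and the "(role)" suffix at the end of the CN, which is only accepted when the role name is on the coordinated list. The directory entries, field names, role list and account names are all constructed.

```python
import re
from datetime import datetime, timezone

# Constructed stand-in for what the VO authorization directory returns; the
# field names are assumptions, not a schema from the minutes.
VO_ENTRIES = [
    {"subject": "/C=NL/O=nikhef/CN=Jeffrey Templon",
     "auth_not_after": "2002-03-01T00:00:00Z", "account": "alice001"},
    {"subject": "/C=NL/O=nikhef/CN=Jeffrey Templon (alice production)",
     "auth_not_after": "2002-03-01T00:00:00Z", "account": "aliceprod"},
    {"subject": "/C=XX/O=Example/CN=Jane Doe",
     "auth_not_after": "2001-08-01T00:00:00Z", "account": "user002"},  # token expired
    {"subject": "/C=XX/O=Example/CN=Jane Doe (wp6 admin)",
     "auth_not_after": "2002-03-01T00:00:00Z", "account": "admin"},    # role not agreed
]
# Role names agreed on the mailing list (constructed list).
KNOWN_ROLES = {"alice production", "cms production"}
ROLE_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<role>[^()]+)\)$")

def split_role(subject):
    """Split '/.../CN=Name (role)' into ('/.../CN=Name', 'role'); role is None if absent."""
    prefix, sep, cn = subject.rpartition("/CN=")
    m = ROLE_RE.match(cn) if sep else None
    if not m:
        return subject, None
    return f"{prefix}{sep}{m.group('name')}", m.group("role")

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def token_valid(entry, now_iso):
    """Only the authorization token's own expiry decides, not the user cert's."""
    return _parse_ts(now_iso) < _parse_ts(entry["auth_not_after"])

def build_gridmap(entries, now_iso):
    """Return (grid-mapfile lines '"<DN>" <account>', skipped subjects)."""
    lines, skipped = [], []
    for e in entries:
        _, role = split_role(e["subject"])
        if not token_valid(e, now_iso) or (role is not None and role not in KNOWN_ROLES):
            skipped.append(e["subject"])
            continue
        lines.append(f'"{e["subject"]}" {e["account"]}')
    return lines, skipped

if __name__ == "__main__":
    for line in build_gridmap(VO_ENTRIES, "2001-09-01T00:00:00Z")[0]:
        print(line)
```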
Any Other Business
------------------

* all notes, references and documents will be available from the CA website at http://marianne.in2p3.fr/

* Next meeting will be in December at CERN, exact date to be fixed

* The CA approval matrix draft will be presented in Frascati

* Dave will propose to the PMB to delay the PM12 security deliverable from WP7, since the effort only starts in PM13!

* We should start now to collect the user requirements for this document

* a new security WG is to be established, as approved by the PTB. Those interested are invited to join.
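The per-CA signing policy scheme discussed under "Naming schemes" and "CRL publication" above, as an added example that is not Globus code: it reads Globus-2 style signing_policy files (access_id_CA / pos_rights / cond_subjects), decides whether a given CA may have signed a given subject, and reports when more than one installed CA claims the same name space, which is how the old Datagrid-fr "/*" policy overlapped with INFN. The policy texts, CA names and hash-style file names are constructed, and the glob semantics (fnmatch) are an assumption.

```python
import fnmatch
import shlex

# Constructed per-CA policy files, keyed by a <hash>.signing_policy style name
# (the hashes are placeholders, not real OpenSSL subject hashes).
POLICY_FILES = {
    "1a2b3c4d.signing_policy": """
# Datagrid-fr after the fix: signs only these two name spaces
access_id_CA   X509   '/C=FR/O=CNRS/CN=Datagrid-fr'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=FR/*" "/C=IT/O=ESA/*"'
""",
    "5e6f7a8b.signing_policy": """
access_id_CA   X509   '/C=IT/O=INFN/CN=INFN Certification Authority'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=IT/O=INFN/*"'
""",
}
# The earlier, problematic Datagrid-fr policy that claimed every subject.
OLD_FR_POLICY = """
access_id_CA   X509   '/C=FR/O=CNRS/CN=Datagrid-fr'
pos_rights     globus CA:sign
cond_subjects  globus '"/*"'
"""

def parse_policy(text):
    """Return (ca_dn, [subject globs]) from one signing_policy file."""
    ca_dn, patterns = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # handles the quoted DN with spaces
        if fields[0] == "access_id_CA":
            ca_dn = fields[2]
        elif fields[0] == "cond_subjects":
            patterns.extend(shlex.split(fields[2]))   # inner "..." "..." list
    if ca_dn is None or not patterns:
        raise ValueError("incomplete signing policy")
    return ca_dn, patterns

def load_policies(files):
    """Map CA DN -> allowed subject globs for all installed policy files."""
    return dict(parse_policy(text) for text in files.values())

def may_sign(policies, issuer_dn, subject_dn):
    """True only if the issuer has a policy file and one of its globs covers the subject."""
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in policies.get(issuer_dn, []))

def overlapping_issuers(policies, subject_dn):
    """CAs whose policies claim this subject; more than one means an overlap."""
    return sorted(ca for ca in policies if may_sign(policies, ca, subject_dn))

POLICIES = load_policies(POLICY_FILES)
```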