Minutes 2003-06-13

Academia Sinica Grid Computing Certification Authority

Documents Presentation

How is the first registration done, getting an account at the site?

Directory service under development. Fill out application form with signature (from who?). Information is checked before accepting. This will be put on the Internet.

What class of people are allowed to be users?

Anyone who has some sort of relationship with the institution can register. For example, employees, LCG testbed workers, are registered.

You require minimum length of user pass-phrase is 8 characters.

How is this enforced?

This is a strong recommendation, but is not enforced.

What changes have been made in version 1.1 of the CP?

Based on comments by Tony and David Groep. No problems/conflicts with these changes.

How many certs issued?

About 200: 10 users, 190 hosts.

CNRS has issued certs for Taiwan. What should be done with these?

Should these be revoked? They have the same DNs. The CNRS certs should be revoked, but it must be done in an orderly way.


The CA in Taiwan is run professionally and should be approved.

Proposal: Approve this CA


Now we must get details to include CA in distribution.

Fermilab Presentation

Tier of CAs, similar to DOE grids. Root CA and Service CA which are traditional, according to min requirements. Also have KCA for user certs.

Request that Root CA and Service CA are treated as ordinary CAs and that KCA is treated as an online CA.

Change to minimum requirements is that the requirement for being either offline or having FIPS level 3 HSM.

Root CA used only for signing KCA and Service CA keys.

Need to enforce in signing policy that KCA key can only be used to sign short-lived certs.

What would we like

Only change to min requirements is removal of offline requirement. Everything else should be retained.

Review of CP/CPS

Section 4.4.4 contradicts 2.6.2

2.6.2: CRL published every 2 weeks 4.4.4: CRP published monthly

These will be reconciled

Section 2.1.1

Replacement of KCA would have minimal impact. Claim that it is less of an impact than replacing Root CA.

Only delay should be distribution of new KCA key. This can be signed with Root CA for security.

A delay of 4 months could be expected to get other sites, etc. up to date. Change to thereby reducing the impact.

Should this CP/CPS cover all three CAs?

This means that we might have to make a decision on part of the CP. Are we approving the CP, a contract? Or are we approving the individual CA.

Problem is that approving the CA is tantamount to approving the CP, which could get interpreted as approval of the KCA.

The OID identifies the CP, but not under which policy the cert was issued. The OID has to identify the policy without any other information. Include this requirement in the min requirements.

Dane will split the CP/CPS into traditional and online parts. Milan and Ursula will referee the Fermilab CP/CPSs.

KFKI CA (Hungary)



Linux Rule-Based Access Control (RBAC) not used yet, as they are more familiar with LIDS.

OpenCA requests sent by email. Jens will offer some help.

What is the timescale for a CP/CPS?

Almost ready. There have been some changes recently. It will be submitted to the CA list within a few weeks. How quickly is approval needed?

When issuing certs to institutions, some issues.

If there is an incident with an institution cert, who is responsible.

How are email cert requests created?

Email request, signed by existing key, would be useful for re-keying.

Possible to setup client authentication on Apache, which could be used for renewals.


Jens and Roberto (in absentia)

Other New CAs

LIP Changes



Using two /O= (organisation) attributes in the DN. RFC2459 superseded by RFC3280, which allows this. Multiple O attributes caused problem, and did not display correctly in Netscape. This seems to be accepted by experts.

DN using UID.

Used by PyCA. Needs testing with lots of software!

Process for approving modifications

Since there are no changes affecting the min requirements, a deep review may not be necessary.

If changes for requesting/approval are required then this will need to be approved by PMA. Other changes could just be announced.

Conflicting Namespaces

CNRS issuing in multiple namespaces, this is a conflict in authority.

LIP CP Changes

Changes to many areas of policy.

Time scale

As soon as possible, but it may take several months.

Czech Changes

CP and service originally aimed at Grid community. When it was required to provide to a wider audience the policy was changed.

A split was made, with a new OID used for non-Grid certs.

Change is to declare a more general scope, with no change to operational matters.


Irish Changes

OU changed from VO of RA to host DNS domain of RA. No problem with this change. A new CPS will be issued.


German Changes

Change name of CA from Grid-CA to GridKa-CA. Now O and OU are mandatory

Changes related to release of personal information to site managers, under legal requirements, etc.

Are other CAs willing to provide this information to the relying services, the VOs. DOE setting up trouble ticket system to share information between VOs.

There are data protection issues here, as the users have to give permission for this information to be released, and indeed may be given the option to turn this down.

Changes to OID

used to indicate version changes.