01 Apr 2004

Practical issues: who is taking minutes (mwh & David O'Callaghan?)
Who is who
Agenda mods?
Minutes from Dublin (approved by lack of complaints)

Charter Ver 0.6

Let's go thru the charter section by section

Abstract:
DK: Abstract & intro don't match
This authority charters & certifies authorities as well as … ?
Removed most text of abstract, to only first sentence.
Discussion of term "charter": decide to just leave it, to keep to GGF std (inadvertent American usage of term "charter").

Section 1.0
the certificates issued by the participating Authorities are considered equivalent.
Changed to "meet or exceed relevant guidelines"

2.0
Keep "objectives" in title
reduce size of bullet points; clarified scope to European Grid communities: "primarily concerned with Grid communities in Europe, and their external partners"
Struggle to include the global grid context, without opening the door to everything, or inadvertently excluding some science partnership.
Scope of minimum requirements defined
Trust relationships from old abstract, inserted here

2.1 (an innovation of this PMA) - excluded activities
clarify what the PMA will not do (result: change bulleted items to verbs)
DK: do we need a legal disclaimer? Yes
Where to put this? New section? Decided on section 4.

3 Membership
"ex officio" type members - people who represent a project &c but not a CA (Usage is perhaps wrong here; means as a matter of holding a particular office)
TG: shouldn't membership be drawn from focus group above (EU, E-Science).

Working on 3.1
Need stronger language; inadvertently removes catch-all CA's
Is this language actually too restrictive?
Aiming for one authority per country. What is the reason for this - to prevent too many CA's from appearing… discussion (many places are evolving needs for multiple CA's from geographical organization)

3.2
process clarified; request for membership comes from major community relying parties &al, approved by EUGrid PMA.
Who can make these requests?
More on this later.

3.3 Chair
Who does chair resign to? By written notification to PMA members

Section 4
What about liability?
Merged responsibilities & activities sections (section 5)
Some deletions and simplifications
New content: documents (enumerated: min requirements, pma charter, x.509 CA's)
Accreditation functions (some content moved; just focus on activity)
Publication & repository (combined repository functions; numerous clarifications)
Do we need all versions of the old docs such as PMA charter revs?
Audit
Not that we are doing audits, but should be auditable
Liability

Break for lunch

TACAR (Diego Lopez)
Terena CA repository
Proposed repository collaboration between TACAR &al.
DL discussed the history of the repository and the policies for inclusion.
Policy issues: provide a high level of assurance about the integrity of the repository (secure site, initial face-to-face meeting, PGP for updates).
Q: handling of repository - really about liability incurred by the repository
DL mentions that in Mozilla, when it finds a root / self-signed cert in a PKCS #7 bundle, Mozilla treats this as root of everything, sort of, and then silently imports the entire bundle. IE will ask, cert by cert. The Mozilla developers made some simplifying assumptions about this that aren't true.
A model to experiment with between TACAR & EUGridPMA - Lighter than a common root, simpler than a bridge
Other possible uses: simplify maintenance; extend trust links to wider community; anchor for other AA mechanisms
How to prove the authenticity of requestors? Many people come to Terena & have established reputations well-known to TERENA & community. Others might have difficulty meeting this standard and so some identity verifying must be done.
Expectations for this meeting: What requirements must TACAR site/policy meet for EUGridPMA?
Need to keep things simple, in order not to overwhelm resources
Discussion about the meaning & utility of this repository.
CRL info distribution - CP/CPS contains this
Discussion about verification improvements made available by TERENA repository: fingerprints of CA signing cert, policy documents.
Very difficult to keep policy documents up to date. So TERENA will only have a link to & fingerprint of the policy document.

After break - return to PMA document

4.3 Publication & Repository
Should TERENA or any other repository specifically be mentioned in this document? Add a reference document for this material rather than explicitly listing them.

5.1 Bylaws - meetings
Should meet at least 2x a year; the quorum for calling for a meeting is 25%
Voting rules
Vote on items on agenda or not?
What is the size of the quorum?
Are the voting methods exclusive? (No)
Acceptance of minutes is key for face-to-face votes.
How long to wait for minutes approval? 1 month.
Discussion of types of memberships. Should non Accredited Authority members vote?
Note: need review of Robert's Rules of Order (http://www.constitution.org/rror/rror--00.htm).
What happens if the quorum (50%) isn't achieved? Not completely clear, but the results of a meeting can be challenged in 1 month; also, the minutes MUST include the attendee list. (Minutes must be published by PMA chair in timely fashion.)

6 Transition
Initial membership - existing CACG members

7 Accreditation process
New CA's can be accepted provisionally until the next meeting; they must then attend & present.

Estonian CA presentation
http://grid.eenet.ee
General presentation of project scope and recent history.
Anticipating exponential growth
Can use Estonian national electronic ID card for Grid user authorization (smart card)
CP/CPS: http://grid.eenet.ee/CA
Certs issued to people, hosts, service entities, & subordinate CA's.
Technical disclosure: Unconnected (to any network) computer; openssl-based (OpenCA later)
Signing private key & scripts kept on USB stick
Issue with Sub-CA's: nothing gained by hierarchy of CA's because of certain limitations.
But Estonians need to keep the sub CA in their CPS. The problem seems to be that the subordinate CA's & their support files need to be distributed everywhere, as well as their CRLs; this presents considerable burden. (Assuming these CA's are grid CAs.)
Sub CA's should be replaced by RA architecture.
Make subordinate CAs come here and give presentation? (Missed resolution)

Hungarian CA presentation
KFKI RMKI CA
Scope: KFKI Campus, those involved in projects related to KFKI institutions, or any Hungarian scientific community member (in lieu of national CA)
Also: roaming users, hosts, some services
Excluded: No subordinate CAs, or RAs
4096 bit key (may need to cut to 2048 due to software limitations)
http://pki.kfki.hu
Name space - 2 "O" components
Distinguishes between host & service types (passwords required for services)

Proof of possession:
User: browser and pin based; can't download cert unless you know the pin
No test for services or host.

Authentication of individuals
Procedures for on campus personal appearance; personal knowledge of RA; and remote subscribers by attestation and reference checking.

Host or service requests
Both signed by requestor & requestor authorized to acquire this type of cert
Records success and failure reason in request

Re-keying
New public key required
Authentication either as new request, or signed by old but valid cert for name binding.

Subject Alt Name
E-mail address, LDAP URL (person)
Host: FQDNs

CA host
No network access, locked room, facilities for backup
OpenCA based

Why put LDAP URL's in the certs (subjectAltName)? This was to link the cert database (or publishing) to the site's own LDAP tree.
Comment: the info in cert is public, is link to site LDAP appropriate?
Response: Both are public as far as we are concerned? Is there a privacy issue?
Proof of possession - issues with the pin discussed. The pin is kept in the OpenCA database (an online resource).
Contention: the proof of possession should be completed by the subscriber demonstrating to the RA that he has the pin. The current pin use bypasses too much of your security. RA's role should be defined.

Day 2

Accreditation Document (missed early part)

1.5 Modifications
What happens when a CPS document changes - when does PMA re-approval become necessary? Defer to later meeting?
Changes should be announced to these documents, and complaints registered within reasonable time.

Selection of chair
Need process - Minutes record David Groep chosen unanimously & accepts position.

Changes to CERN, HellasGrid, Canada
Canada - changes are cosmetic
What about changes of version numbers, document tracking, and OID changes? This is still a little unclear -

Profiles - NERSC CA (Our presentation - no notes taken)

Minimum Requirements

CA hierarchies vs distributed RA's
Driven by management - how many CA's can we manage
Problem with the middleware
Where does the weight of the problem lie?
RA and CA architecture could be disconnected (you can have n CA's and m RA's; different meshes)
Amend the requirement to allow large institutions
Not intending to inhibit market; what is practical in order to limit management burden and impact of middleware limitations.
Proposition: One CA per country or one CA per 30 M people? Guidance.
Some countries/organizations anticipate need for multiple CA's.
Strong SHOULD; deal with on case-by-case basis?
What would the LCG catch all CA be, if it were separate? Small number of people, a specific project, widely distributed?

CA Computer
Dedicated machine; secure environment
Q: We left details vague in the past, allowing case-by-case addition. Should we specify more closely now?
Allow FIPS 140-1 level 3 or better, or equivalent (other standards) HSM.
Q: Details of the security architecture aren't in the CPS….
A: A separate document is acceptable, but in any event some documentation of the secure network, HSM, &c must be disclosed.
Against this some limitations on disclosure for security reasons - private & confidential information - must be respected. This kind of information would be disclosed only to an auditor whose report might be made available. (Disaster recovery plan might also be documented?)
Take up on mailing list

CA Namespace

Policy Documents & Identification
Can you sign certs as long as you have announced it? This is not clear.
The CPS must be time-stamped in order to allow correlation of CPS & end entity certs.

CA Certificate Lifetime - 5 years?
Can we distinguish between root CA's (needing long life) and CA's that sign end-entity certs?
Would anyone object to raising this to 10? Yes, Darcy. It doesn't make sense to focus on this parameter, need to look on whole system.
Recommended that mwh (ESnet) write a document describing the experience of doing a CA migration (for future use & to illuminate the time limit discussion).

CRLs
One system is CD-based. Suggestion was to use a paper document.

Key Changeover (CA signing key)
Means key has 5 year life, but key must be changed at 4 years

Min requirements RA
EE identification - photo id?

EE key - certificate
Old requirements - pass phrase requirements are based on best practices but are unenforceable. Perhaps presentation of proof of non-compliance should require revocation.
Smart cards &c alter these rules quite a bit; perhaps we should add token support?
Disclosure about smart cards required? No extraction of private key? Consensus on disclosure.

Publish - GGF CAOPS as info document
Also publish it in a format where we can release it to the public domain.
Lunch

GGF items (TG)

OCSP (mwh & tg)
Olle Mulmo, Milan Sova, & Mike Helm proposed requirements doc
Looking for requirements & other input from this group

Federation working group/VO
What it means to be a VO; how to set up; requirements; how to federate:
Need co-chair
Will send out proposed charter

Signed Applets (Darcy Quesnel)
Managing myproxy or certificate key pair remotely with signed applets
www.grid.nrc.gc.ca
The name "BouncyCastle" has proved to be a problem with users!
Deployer, not developer, signs the jar files.

Brian Coghlan eIRG report
2 meetings:
15 Apr eInfrastructures
16 Apr eIRG
1st is a workshop supporting second, which is closed/government ministers
We want this group to endorse TACAR & EUGRIDPMA + future directions
Why? Give EU credibility, and aid future eInfrastructure efforts
3 presentations:
EUGridPMA: D Kelsey
TACAR: Diego Lopez
White paper: Fotis Karayannis
High level - audience not experts
Endorsement: means what? How to decide? Irish will propose a process.
Endorsement: of what? Not the documents - too hard; high level statements better (One of these about EUGrid PMA and one about TACAR were presented for discussion)
Consensus about TACAR statement.
What happens if they don't endorse? It would be embarrassing and perhaps damaging to image but practically we have to move on.
Endorsement is the step to EU support.
Possibly some problems with people pushing alternative AAA technology.
Opportunity to expand the existing infrastructure.

Members
List of members / CA's
Propose members from the large, spanning projects: EGEE, SEEGRID, DEISA, LCG
See http://www.eugridpma.org/members

Name
EUGridPMA
Will also add name to EU domain when it opens
What about TACAR as member-ex officio?
To access mail archives or get access, see link at http://www.eugridpma.org
Discussion of closed list for PMA members only for PMA business

CAOPS Working Group
Needs additional co-chair; Tony G is moving to new group. Would be very useful to have one from EU group.
See Darcy Quesnel or Tony Genovese.

Statistics David O'Callaghan (For paper)
Issued - Invalid - Valid
Add country; also, date
Remove the "invalid" column

Brief discussion of "future directions" in paper (section 6). Need title for this section. Add mention of EUGrid PMA. Swap #5 & #6 because much of 6 is in progress

Acknowledgements
Who do we acknowledge/thank and how? Send information on your "funding body" which supported your activity? No, keep general.

Reference - citation format
Update David with your official, correct mailing address (required by publisher).
References to all the CA's in URL's? Publishing fingerprints as well? (Note: State of Italy publishes CA fingerprint yearly in official publication)

Glossary: let's use RFC 2828

Issues with GSI: decided to describe CRL issue as an example of ambiguity & difficulty of interpreting standards.

DK wants to do quick proofing pass thru document - get your address changes in right away.
Could fingerprints be drawn from TACAR (many submissions have been made at the meeting).

Probably a 2 day meeting coordinated with ggf XII (Sep 2004)
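
Added example (not part of the original minutes, and not TACAR or EUGridPMA tooling): a relying party's check of a fetched CA certificate and policy document against a repository entry that holds only a link and fingerprints, as in the TACAR discussion above. The entry layout, names, URL and the choice of SHA-256 are assumptions, and the sample bytes are constructed placeholders.

```python
import base64, hashlib, hmac, re

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the raw bytes."""
    h = hashlib.new(algo, data).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def _norm(fp: str) -> bytes:
    # Published fingerprints vary in case and separators; compare hex digits only.
    return re.sub(r"[^0-9A-F]", "", fp.upper()).encode()

def check_entry(entry: dict, ca_pem: str, policy_bytes: bytes) -> dict:
    """Compare locally fetched files with the fingerprints in a repository entry."""
    got = {"ca_cert": fingerprint(pem_to_der(ca_pem), entry["algo"]),
           "policy": fingerprint(policy_bytes, entry["algo"])}
    return {name: hmac.compare_digest(_norm(fp), _norm(entry[name + "_fp"]))
            for name, fp in got.items()}

# Constructed sample data: placeholder bytes, not a real certificate or CP/CPS.
SAMPLE_DER = b"constructed stand-in for a DER-encoded CA certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_POLICY = b"Example CA CP/CPS, version 1.0 (constructed)\n"
# Hypothetical repository entry: a link plus fingerprints, no document copy.
SAMPLE_ENTRY = {
    "policy_url": "https://ca.example.org/cps.pdf",
    "algo": "sha256",
    "ca_cert_fp": fingerprint(SAMPLE_DER).lower(),   # stored in a different style
    "policy_fp": fingerprint(SAMPLE_POLICY),
}

if __name__ == "__main__":
    print(check_entry(SAMPLE_ENTRY, SAMPLE_PEM, SAMPLE_POLICY))
    # A CA that revises its CP/CPS without updating the repository shows up here:
    print(check_entry(SAMPLE_ENTRY, SAMPLE_PEM, SAMPLE_POLICY + b"rev 1.1\n"))
```

A policy mismatch with a matching certificate is the "hard to keep up to date" case from the discussion: the CA document changed and the repository fingerprint did not.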