EU Grid PMA 2005-01-26
======================

NRENs -- Diego Lopez
--------------------

Updated TACAR policy

* Certificate verification process
  * Based on OCSP
  * Derived from service provided by
* Certificate diffusion system
  * Derived from email addresses and DNS:
* Internet2 Proposal
* Federation of digital signatures

TF-EMC2 deliverable on trust in grids

Cotswolds Group initiative

* Aim is a federation of NREN AA
* Policy-oriented group, in contrast with the technical Terena group

eIRG Workshop

* Aim for convergence
* Support the idea of a trans-national trust hub for AA

Server Certificate Service -- Jan Meijer
----------------------------------------

A service (*not* a PKI, *not* a CA)

### European NREN PKI history ###

* There for 6 years
* Low uptake
* Usually PCA with CAs at each site
* Background: not originally for server certs. Intention originally for user certs around the time of EU digital signature legislation

### Current Real Cert Usage ###

* Grids (closed community)
* Webservers (popup-free and popup)

### Some other uses ###

* VPN
* S/MIME

### Other anticipated uses ###

* AAI middleware
  * A-select, Feida, Papi, Shib, Radius
* EduRoam
* Webservers
* Webmail
* Webservices

### Why server certs? ###

* Enable ubiquitous encrypted SSL/TLS

### Vision ###

* Make it lame not to use encrypted channels
* Cheapest server cert currently EUR 40 without special cert attributes

### NREN PKI ###

* Cost may not be as cheap as we think (salaries for CAs, etc.)
* Expensive to get root cert audited by WebTrust

### Commercial CA ###

* Outsourcing CA, audit, etc.

### Server certificate service ###

* Commercial CAs offer "corporate SSL"
* Combine buying power

### Financial Model ###

* Fixed annual fee per participating NREN
* 7 have agreed to pay 20000 each to start up
* Later pay
* According to EU law we must tender if value is over 230k in 4 years.
* Michael Gettys of Internet2 is talking to a commercial CA provider to get a deal for US and EU markets.

Someone is talking to the Mozilla Foundation to get NREN root certs in. The SSL people at Mozilla don't want to weaken trust compared to IE; they want to set the barrier high. However, some of the current CAs they inherited from Netscape and iPlanet are dubious.

What would it take for the Grid world to trust commercial CA services? If a CA provider is not restrictive enough, make the RA more restrictive. If this gets useful for Grid applications we should try to accredit it.

Action: Create mailing list for RP requirements for this service.

Status from current CAs
-----------------------

* RMKI-KFKI: some updates needed to CP/CPS.
* UK: ~1600 certs. New RAs every month or two. 50 RAs. Working on Single Sign-on. Working on migration of OpenCA. Can migrate DB from Berkeley DB to Postgres. Need to update CP/CPS for Data Protection and Freedom of Information Acts.
* NorduGrid: need to rekey in a few months. Request from Iceland to join CA. They now have a CP/CPS.
* German: change from MD5 to SHA1.
* Canada: hit 1000 issued certs. Expiry in two years. Aim for rekeying March 2005. Some problems from GridSite and SRM users. Plan for rekeying.
* Ireland: have not upgraded OpenCA from 0.8. Triple hex digits of certs issued.
* Czech: plan to switch to (commercial, shining) Entrust CA in first half of 2005.
* DOE Grids: on the issue of migration, the easiest approach is to let the old CA die and allow users to trade in old certs for new. Migrating to AOL Netscape CA.
* INFN: nothing exciting. 55 RAs and growing steadily.
* SEEGRID CA: process presented to RA managers. Certs for RA managers to be issued first.
* Russian: problems with VOMS compatibility. Problems handing over to new organization, as it is impossible to prove that copies of the private key are not retained.
* Estonia: talks with Latvia and Lithuania. Plans to run Baltic Grid CA.
* Dutch: recently updated CP/CPS. Moved to paper-based RA process. RA checks ID, records ID type and number, and signs in blue ink. Migrate responsibility to SARA.
* CERN CA: no significant changes except one minor change to reflect change in CERN badges.