Subject: GridPMA
From: "Emmanuel Ormancey"
Date: Thu, 5 Oct 2006 09:31:27 +0200

5 October 2006

* Welcome and Round Table
David Groep welcomed the participants and detailed the agenda.

* Updates from APGridPMA
Yoshio Tanaka introduces news from the Asia Pacific Grid PMA. 2 CAs currently in review: NECTEC (Thailand) and NGO (Singapore). The GAMA profile needs to be defined: software providing a user interface for key pair generation and other tools.

* Updates from TagPMA
Tony Genovese shows the approval status of the TagPMA members. The Brasil CP/CPS has been approved and the CA is issuing certificates, but it has not followed an operational audit. Tony asks if an operational audit (basic website check) is mandatory in the approval process.

* Round table: CA updates
  Austrian Grid: Hardware needs to be replaced, 300 certificates are to be replaced.
  NorduGrid: A DN change is foreseen, associated with a key length change.
  UK Science: new hierarchy for certificates. A mistake in the subject leads to a short display in browsers (CN=CA). Clarifications about people having multiple DOEGrid host certificates in the UK.
  PK: 20 host certificates, CP/CPS updated next month.
  IRISGrid: 17 RAs, 60 host certificates.
  HellasGrid: 500 certificates last year.
  CERN CA: new hardware infrastructure in place, with HSM. Smartcards will be used in some experiments.
  Estonian: 253 certificates issued, 68 hosts. 14 RAs.
  CESNET: Root replaced, certificates reissued following the new procedure.
  Switch: 200 hosts, 20 organizations. Migration to the new hierarchy pending.
  DoeGrid: update to CP/CPS (organizational update). OSG reorganization (20+ VOs). Trying to deploy new CA software from RedHat, running into some issues. The plan is to update the software in the 1st quarter of 2007.
  ArmesFO: issues certificates to participate in the ALICE experiment. New CP/CPS being prepared, new structure with Root and Issuing CA certificates.
  GermanGrid: New frontend software developed internally will go into production soon. 2650 certificates issued. 44 RAs.
  DutchGrid: 616 certificates issued.
* DFN: Move to an online CA
OpenCA software, HSM module nCipher nShield F3 500 PCI, model A of the minimum requirements: separate the web frontend from the backend with a DMZ. CPS change in section 6.2.1. Dedicated connection for the CA, behind a dedicated firewall, only outgoing connections from the online CA to the RA, with https and ssh. Local backup tape drive. The CA polls the RA every 10 minutes for new requests, and pushes the results back to the RA (cert or CRL). 1 out of 6 HSM operator card scheme: 3 cards onsite, 3 cards in a bank safe deposit. An operator card is needed to reactivate the key, e.g. after a power failure.
Web Frontend URL: https://pki.pca.dfn.de/grid-user-ca/pub

* New CA: AEGIS
Dusan Radovanovic presents the goals of the new AEGIS CA. Willy has concerns about the minimum lifetime of the CRL, which does make much sense. Christos (reviewer of the CP/CPS) agreed that this CA is compliant with the minimum requirements.

* New CA: ACAD.BG
Stanislav Spasov presents the goals of the new Bulgarian Academic Certification Authority. The private key length will be lowered to 2048, EE to 1024. No renewal, only re-key, simplified procedure. Bob Cowles: is there any timeframe set for re-key (an attacker would request a new cert, so he would be able to play even if the old cert is revoked)? Milan S: a host CN containing an IP address (CN=host or CN=IPAddress if no FQDN) is not very good, no software supports that.

-------------- Lunch --------------

* Update from ROSA, Romania
Cosmin Nistor details the feedback following CA discussions in Romania, and has started to write the CP/CPS document, which should be available next week. Christos and Milan volunteer to review the document.

* AAI Integration Roadmap
David Groep details the roadmap and alignment of AAI infrastructures in Europe. Tony G expressed his feeling that the US will certainly not agree/adhere to such a thing, and will create their own. Short discussion about which international entity will organize the contributions and federate the discussions. IGTF seems to be the most relevant.
* SWITCHsIsc
Christoph Witzig presents the follow-up to the Vienna presentation about SLCS, Shibboleth and Switchaai. Ara G: SLCS is providing short-term certificates (11 days), why not a (long) 1 year? The identity provider is login/password based, a long-term association cert/password is not so good. HSM 'optional' is currently a should in the requirements. ??: why not create a proxy immediately instead of a short-term cert? Someone must sign the proxy. Milan S: how do SLCS and the Online CA talk to each other? CSMS protocol. David G: the DN is the same as SwissSign, they should use DC naming. Currently the browser is command line only, for gLite integration.

* Milan S: Certificates in TACAR demo
Certificates in the TACAR repository, https://www.tacar.org/repos, are ordered by IGTF type. You can install them one by one by clicking on an Install button, or check multiple checkboxes for a multiple download. Install all in one click in browsers works for IE and the PKCS#7 version; Mozilla will work later.

-------- End of day 1 ---------

6 October 2006

* Higher Level CAs
Jens Jensen presents why introducing hierarchies and CAs above grid CAs is interesting. A short discussion followed about trusting or not the higher level root, which seems mandatory by default if the certificate chain has to be trusted.

* MICS (Member Integrated Credential Service) presentation
Tony Genovese is describing the MICS profile. Discussion about the point specifying that identity information must contain enough information to allow getting back to the physical person at any time, now and in the future. 'In the future' is a bit too strong. 3 years after certificate expiration looks more accurate, even 'for the certificate lifetime' would be enough. A new sentence was written by David G. A few other corrections were made to the document. Anders: Is any university able to get into this MICS? Yes possibly, careful anyway as there is a risk of having a huge number of certificates.
* Alan on videoconference

* Classic AP updates
David G describes the updates to the Grid Certificates profile since the last Budapest meeting, where many concerns were raised. Mozilla problem: certificates with a DN with DC only, no O or OU, create a problem in Mozilla: it does not show any name but a blank line. Anders suggests that the document should not be too long, as currently it is growing quickly with many technical details. Jens J: Investigations need to be done about empty CRL lifetime, like at Fermilab.

-------------- Lunch --------------
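Three of the naming pitfalls recorded in these minutes (the UK Science subject that displays as just CN=CA, Milan S's point that a host CN carrying an IP address instead of an FQDN is unsupported by software, and the Classic AP item that a DC-only DN with no O or OU renders as a blank line in Mozilla) can be caught by a pre-issuance lint over the subject name. The following is an added example, not code from the GridPMA or from any CA named above: the sample subjects are constructed, the handling of a Globus-style "host/" prefix in the CN is an assumption about the naming convention, and the checks are heuristics derived from the remarks, not IGTF requirements.

```python
"""Lint X.509 subject names for the naming pitfalls raised in the minutes.

Added example; not code from the GridPMA or any CA named in the minutes.
The checks are heuristics derived from the remarks, not IGTF requirements.
"""
import ipaddress
from typing import Dict, List, Tuple

RDN = Tuple[str, str]

# Constructed sample subjects (not real certificates), each paired with the
# kind of certificate it would appear in: "ca", "host" or "user".
SAMPLE_SUBJECTS: List[Tuple[str, str]] = [
    ("/DC=org/DC=example/CN=Example Grid CA", "ca"),
    ("/C=XX/O=Example Org/CN=CA", "ca"),
    ("/C=NL/O=Example/OU=Hosts/CN=host\\/node01.example.org", "host"),
    ("/C=BG/O=Example/CN=192.0.2.10", "host"),
    ("/C=BG/O=Example/CN=node01", "host"),
    ("/DC=org/DC=example/O=Example/CN=Jane Doe", "user"),
]


def parse_openssl_dn(dn: str) -> List[RDN]:
    """Parse an OpenSSL one-line DN such as '/DC=org/DC=example/CN=x'.

    A backslash escapes the following character, so an escaped '/' inside a
    value does not split the name. Attribute types are upper-cased; values
    are returned unchanged, in subject order.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a DN starting with '/'")
    parts: List[str] = []
    buf: List[str] = []
    i = 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "/":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns: List[RDN] = []
    for part in parts:
        if not part:
            continue  # tolerate an empty component such as a trailing '/'
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value))
    return rdns


def _is_ip_literal(name: str) -> bool:
    """True if name is an IPv4 or IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return False
    return True


def lint_subject(dn: str, cert_kind: str) -> List[str]:
    """Return findings for one subject DN; an empty list means no complaint."""
    rdns = parse_openssl_dn(dn)
    attrs = {attr for attr, _ in rdns}
    cns = [value for attr, value in rdns if attr == "CN"]
    findings: List[str] = []

    # Classic AP item: a DC-only name with no O or OU shows as a blank
    # line in Mozilla.
    if "DC" in attrs and not attrs & {"O", "OU"}:
        findings.append("DC-only name without O/OU: Mozilla shows a blank name")

    if not cns:
        findings.append("no CN component")
        return findings
    cn = cns[-1]  # the last CN is the leaf-most one in OpenSSL order

    # UK Science round-table item: a CA subject of just CN=CA is displayed
    # by browsers as the bare word "CA".
    if cert_kind == "ca" and cn.strip().upper() in {"CA", "ROOT", "ROOT CA"}:
        findings.append(f"generic CA name {cn!r}: browsers display only that string")

    if cert_kind == "host":
        # Assumption: Globus-style host names carry a "host/" prefix before
        # the FQDN; strip it so the checks see the name itself.
        host = cn[len("host/"):] if cn.lower().startswith("host/") else cn
        if _is_ip_literal(host):
            findings.append("host CN is an IP address; relying software expects an FQDN")
        elif "." not in host:
            findings.append("host CN is not a fully qualified domain name")
    return findings


def lint_samples() -> Dict[str, List[str]]:
    """Run the linter over the constructed samples, keyed by subject DN."""
    return {dn: lint_subject(dn, kind) for dn, kind in SAMPLE_SUBJECTS}


if __name__ == "__main__":
    for subject, found in lint_samples().items():
        print(subject, "->", found or "ok")
```

The parser accepts the one-line form that `openssl x509 -subject` prints, so the lint can be run over an existing CA's issued certificates as well as over incoming requests; a real deployment would replace the constructed SAMPLE_SUBJECTS with that output.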