EUGridPMA meeting, Niels Bohr Institutet Copenhagen, 26-28 May 2008.
Notes by Javi

Monday 26 May 2008
===================

09:45 Round Table update
-------------------------
- Majid Arabgol/IRAN-Grid CA: Presentation, Wed
- Jan Jona Javorsek/SiGNET CA: In-depth review, Wed
- Dana Ludviga/LatGrid CA: Presentation at 11:30
- Pawel Wolniewicz/Polish CA: New CA for science activities
- Willy Weisz/Austrian CA: Debian bug
- Anders Waananen/Nordugrid: Some Debian problems
- M. Philopovic/Montenegro: Presentation at 14:00
- Michael Helm/DOEGrids:
  - ES-NET: Will replicate the CA to avoid disasters
- Roberto Cecchini/INFN: A lot of servers with the Debian bug. Auditing not done.
- David Kelsey/RAL: RP
- Usman Ahmad Malik/PK-Grid-CA: Will change CP/CPS due to the self-audit report
- Alice de Bignicourt/GRID-FR CA: No Debian-affected certs
- Nuno Dias/LIP: No Debian problems
- Cosmin Nistor/Romanian CA: only 1 Debian-affected cert revoked
- Reimer Karlsen-Masur/DFN-PCA: ~40 Grid certs affected
- Yoshio Tanaka: Report from APGridPMA
- Ursula Epting/GridKa-CA: some Debian problems
- Milan Sova/CESNET CA: 4 Debian-affected certs
- Jens Jensen/UK e-Science CA: ~75 Debian-affected certs, 1 root key
- Javi Masa/pkIRISGrid CA: No Debian-affected certs

10:15 Updates from the APGridPMA - Yoshio Tanaka
------------------------------------------------
- CDAC India: new member
- Accreditations: PRAGMA-UCSD accredited. NGO/Netrust and NCHC not initially accredited; accredited after mail discussion.
- DC needs to be used in RDNs instead of "C" and "O"
- They installed a spam filter due to a lot of spam
- APGridPMA now has 10 accredited CAs, 2 under review
- Next meeting in Singapore

10:25 Updates from the TAGPMA - Mike Helm
-----------------------------------------
- 3 CAs under review
- Discussions about CRLs for SLCS
- Next meeting in Venezuela

10:30 Accreditations: SIGMAnet CA/LatGrid - Dana Ludviga
---------------------------------------------------------
SigmaNet: 120 valid certificates, ~200 issued.
LatGrid: CP/CPS will be rewritten using RFC 3647. No certificates signed yet. Need to issue certs to complete the review process.

11:05 Coffee break

Accreditation: MD-Grid (Moldova) initial presentation - Valentin Pocotilenco
----------------------------------------------------------------------------
- Requested an OID from IANA. DG: It's better to get one from IGTF.
- DG: DC needs to be used in RDNs instead of "C" and "O"
- Willy: It's not a good idea to include the OID in the CA cert.
- Discussion about ISO registration.

14:00 Accreditation: MREN (Montenegro) initial presentation - Lidija M.
-----------------------------------------------------------------------
- DC needs to be used in RDNs instead of "C" and "O"
- Christos: Problems with some URLs

Plans and architecture of the new CESNET CA - Milan Sova
--------------------------------------------------------
A lot of requirements: multiple CAs, HSM support, web admin interface, federable.
Change from Entrust ($/certificate) to a full-featured, licence-free system (EJBCA in a federation, with paid support).

Attributes used:
- eduPersonTargetedID: permanent, unique to user and service
- Authorizing attrs: eduPersonEntitlement: 1 value per CA or profile, optional IdP ID, ...
- Naming attrs: schacHomeOrganization, organization, mail, ...

Demo
- How to revoke a cert? There is a page with all issued certs.
- What happens if a user changes organization? New IdP and new identity.
- What about host certs? The IdP needs information about the user-host relation. The IdP part is not yet ready.
- How to query whether an identity exists? If RAs don't revoke them, the CA does not know anything about it.
- How vulnerable is it to phishing attacks? With one username/password one can access multiple services. Planned to use a 2nd factor. RP says that VOs have the same problem.
Updates from the previous Self-Audits and implementation of Recommendations
---------------------------------------------------------------------------
Discussion on self-audits:
- Israel: Was not present
- Belgium: Not much response
- CygGrid: needs following up
- Slovak: needs following up
- HellasGrid: Working on a new version of CP/CPS

Coffee

Niels Bohr Institutet - John Renner Hansen
------------------------------------------
Presentation of NBI.

Incident Response procedures: CVE-2008-0166 and lessons learned - David Groep
-----------------------------------------------------------------------------
Reaction:
- Fri 16 May: 90% of CAs checked their certificates
- Fri 23 May: GridCanada gave its first response :(
- A release was prepared not containing GridCanada
- Happy news announced on Sat 24

Lessons learned:
- RP worried before the initial announcement
- Mail contact addresses did not work 100%
- All CAs must check their certificates and revoke those affected by the Debian bug
- In an incident we need authentication of the sender. Use Thawte or PGP.
- What kind of response time can we expect from our CAs? How much 24x7 support can we expect from CAs? :(
- Information about CA status is more important than fixing the problem.
- We need an incident channel.
- We can revoke certs, but this alone is not the solution if users do not check CRLs in their browsers.
- We cannot exclude a whole PMA from the distribution if any one of its CAs has problems

What to do:
- Creation of an incident response team
- Channel to send advisories. Not encrypted
- Max 36 hours to read mail. What happens with public holidays in a country?

Suspension process:
- If there is no response by the deadline, the suspension process will start.
- TACAR on the incident response list? No
- Suspension is a delicate process and should not happen lightly
- Discussion on different methods of suspending a CA (locally, warnings, ...)
Election Process and how to make the PMA ROBAB-proof
----------------------------------------------------
Need 4 teams:
- Risk Assessment team: Holiday support
- Incident response team: Public reports
- Suspension Review Core team: Suspension process
- Web, mail, operation team: Hold secrets

Tuesday 27 May 2008
===================

Portals, and Credentials Used By Communities

SLCs for use in Grid-Portals - Reimer Karlsen-Masur
---------------------------------------------------
Problem: grid users need accredited certificates but they don't know anything about PKIs/X.509 certs.
Solution: use portals to make the certificate process easier.

Questions
- If a user gets access to the grid portal, can they access the MyProxy credential store?
- Jens: NGS has a simpler architecture. Will send details to the list.
- Pawel: The private key is stored on a public machine. Need to delete it after using the computer, or keep it in memory.
- Christos: How vulnerable is it to phishing attacks?

Excerpts from the Portal Classification in the EGEE TCG Portal Working Group - David Groep
----------------------------------------------------------------------------
Biomed users use anonymous access in free portals. They do 5000 analyses/day.
Proposed 5 levels of authentication:
- Anonymous
- Pseudonymous - provides mail, but it is not used
- Identified user - without cert
- Identified user - with grid credentials but doing stuff with separate creds
- Identified user - with certs which are used to do stuff.
David gave a classification of use cases by jobs.

Coffee

10:45 Jens' Robot Soap Box - Jens Jensen
----------------------------------------
Principle: There are verified subscribers (by RA) and non-verified ones. How to make all things verified, and what is the risk of non-verified information?
If the robot cert lives on a token, how can the CA verify it?
RPs need different levels of verification.
Key storage: What is the level of assertion about key storage itself? We must take care how the key is stored in the token.
Robot naming. Naming is in the DN.
Proposals:
- How tightly do we need to manage usage? VOMS, portals. Powerful clients vs weaker clients.
- How to move away from personal names? Confusing, cannot be inherited, cannot be shared. Project owned/managed.
- Need project-owned certificates. Need to tie the certificate to a single person.
- Access to the private key can be shared. A single person is responsible, but the buck can be passed, and the CA must be informed when the buck is passed.
- Look closer at use cases: risks, usage.

12:22 One Statement Certificate Policies - Milan Sova
-----------------------------------------------------
Need to mark certificates with something similar to:
- "private key is on e-token"
- "was generated on a PC and exported to e-token"
- "this is a robot", ...
The idea is simple: we write a policy making only 1 statement. This policy has an OID and we can insert the OID in the certificate.

12:30 Lunch

13:40 David presented a 1SCP example for private keys generated and protected on a token. Some changes were made.

14:00 Identity Vetting Models - wording and assignment of OIDs
--------------------------------------------------------------
Policy on vetting identity by a trusted third party (ttp). Used some text from https://tagpma.es.net/wiki/bin/view/Sandbox/NSF
Policy on face-to-face identity vetting (f2f). Used some text from https://tagpma.es.net/wiki/bin/view/Sandbox/LOA3
Adding text about naming.

15:30 Break

16:20 Date and Time of next meetings
------------------------------------
- 10/2008 - Lisboa, Portugal
- 01/2009 - Nicosia, Cyprus
- 05/2009 - Zurich, Switzerland

16:30 Authorization (AuthZ Operations Policy) WG - Dave Kelsey
--------------------------------------------------------------
Main goal: to prepare recommendations on policy and global trust issues related to Grid Authorisation (AuthZ).
List of issues:
- Minimum req. and best practice for the operation of Grid AuthZ Attribute Authorities (AA)
- Minimum req. and best practice for Virtual Organisation user and service membership management
- Accreditation of AAs
- Accreditation of VOs and their membership management procedures
The AuthZ profile was short and simple, but now it has become complex and full of technical details. We can start with a simple draft profile instead of trying to solve all the problems.

SLCS Revocation: TAGPMA change and update time plan
---------------------------------------------------
Discussion about a mechanism to revoke a compromised SLCS certificate with a lifetime longer than 24 hours. All SLCS CAs must issue CRLs.

CAOPS-WG session - Christos Kanellopoulos
-----------------------------------------
Yoshio Tanaka accepts to be a co-chair.
Transition to the Security Area as a Standards Group. To be decided in BCN next week.
- Better dissemination of the information to the user community, and CAOPS gets the opportunity to also publish recommendations-track documents and standards.
- Different oversight: from the security area in the standards function
- Long workshops and informational sessions are still possible.
- Will need to update (actually: write) the group charter again.
David: Discuss 1SCP OIDs with developers
Christos: A lot of people and only one week

Dinner, dinner.

Wednesday 28 May 2008
=====================

In-depth review: SiGNET CA - Jan Jona Javorsek
----------------------------------------------
- 1 RA
- Heavily patched OpenCA 0.9.2
- Hot disaster recovery tests
- Survived a complete hardware failure on the online machine
- Hard disk failure on the offline machine
Self-assessment:
- CP/CPS update
- CP/CPS to RFC 3647 form
- Updates to conform to IGTF-AP Classic Profile version 4.1
- Added requirement for yearly self-assessment
- CRL version number changed to v2 in CP/CPS
- Allowance for FQDN in subjectAlternativeName
- Provisions for an OCSP service
- Dropped non-repudiation ;)
David: CP/CPS. When will it be available?
In-depth review: KFKI RMKI CA - Szabolcs Hernath
------------------------------------------------
The CA was expected to run for 1 year. It has been working since 2004.
Self-assessment:
Major issues: CA
- CP/CPS format
- Physical security. The room is not adapted:
  - does not have bars on the windows
  - the door is not strong and does not have a lock
  - armed security guard every 20 minutes
- CA key protection
- List of personnel
Major issues: RA
- Identity vetting (user)
- Identity vetting (host)
- FQDN ownership
- Record archival in auditable form
Recommendations:
- More is less:
  - specify everything as strictly as possible
  - write all operational documents before production
- Operational audit/review ASAP (before production)
- Separation of GRID namespace is recommended
- Accreditation profile version should be recorded on accreditation
- Audit guidelines updates for AP changes?
- Separate audit guidelines for different APs?

Accreditation of new CAs: IRAN-GRID - Majid Arabgol
---------------------------------------------------
Review of discussion / updates at & since the Amsterdam video conference.
Significant changes:
- CP/CPS changes - http://cagrid.ipm.ac.ir/IRAN-GRID-CA-CP-CPS.1.0--to--1.2.pdf
- Physical access
- Name forms: use of "C" and "O" in RDN instead of "DC"; removed email from DN
- Other changes (see slides)
David: Positive comments from reviewers. CA approved :)
Need to give key material to EUGridPMA and TACAR.
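Added example (not from the notes, nor from any PMA or CA software) illustrating the One Statement Certificate Policy mechanism from Tuesday's 12:22 session: the single-statement policy's OID is placed in the X.509 certificatePolicies extension, and a relying party checks for it. The OID used here is a constructed placeholder, not an IGTF-assigned value; the DER encoding is done by hand so the block runs with the Python standard library only.

```python
# Added example (not from the notes): how a One Statement Certificate Policy
# OID rides in the certificatePolicies extension (RFC 5280 4.2.1.4), and how a
# relying party checks for it. The 1SCP OID below is a constructed placeholder.
PLACEHOLDER_1SCP_OID = "1.2.3.4.5.1"  # constructed: e.g. "key generated and held on a token"

def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one octet
    for arc in arcs[2:]:                        # base-128, high bit = more octets follow
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid for the content octets (first arc 0, 1 or 2 assumed)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for octet in content[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:                    # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_sequence(content: bytes) -> bytes:
    # Short-form length only: enough for a handful of policy OIDs.
    return bytes([0x30, len(content)]) + content

def certificate_policies(oids) -> bytes:
    """extnValue of certificatePolicies: SEQUENCE OF PolicyInformation { policyIdentifier }."""
    return der_sequence(b"".join(der_sequence(encode_oid(o)) for o in oids))

def asserted_policies(ext_value: bytes) -> list:
    """Parse an extnValue back into its policy OIDs; any policyQualifiers are skipped."""
    assert ext_value[0] == 0x30 and ext_value[1] == len(ext_value) - 2
    oids, pos = [], 2
    while pos < len(ext_value):
        assert ext_value[pos] == 0x30           # PolicyInformation SEQUENCE
        info_len = ext_value[pos + 1]
        info = ext_value[pos + 2 : pos + 2 + info_len]
        assert info[0] == 0x06                  # policyIdentifier OID comes first
        oids.append(decode_oid(info[2 : 2 + info[1]]))
        pos += 2 + info_len
    return oids

def asserts_1scp(ext_value: bytes, oid: str = PLACEHOLDER_1SCP_OID) -> bool:
    # Relying-party check: does the certificate assert the single-statement policy?
    return oid in asserted_policies(ext_value)
```

A real relying party would take the extnValue from the parsed certificate rather than building it, but the check on the OID list is the same.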