EUGridPMA Day 2

1. Eygene Ryabinkin gives a status report of the RDIG CA self audit (given remotely via video conference) - see slides.

Self audit done following the guidelines: 61 Class A, 2 D, 3 X - goes through these in detail.

Reviewers' comments:
Jens: Change to new CP format should be a B, not a D. Compromise to Class C?
How many CA operators do you have? Answer: 2. DavidG comments that running a CA with just 2 operators is a challenge.
Jens not worried that there is as yet no key roll-over plan.
DavidG expresses PMA concerns (discussed yesterday) that nobody has yet turned up in person at a EUGridPMA meeting. DaveK reiterates the importance of this for the Russian federation and for WLCG (as a Tier2 centre). Both offer to help with discussions with management etc. if this would help.

2. David O'Callaghan - Grid-Ireland CA self audit. See slides.

Not yet been able to upgrade to the new OpenCA. Will use this self audit report to seek resources to do the upgrade. The plan was to use EduGate + TCS eScience CA, but this is not possible for now. New plan is to make the Grid-Ireland CA properly compliant and delay the move to a federated SLCS CA until later.

Results: 2 D, 12 C, 20 B, 33 A, 3 X. Goes through the results. Found difficulties with some items being multi-valued. Section numbers in GFD.169 do not all correspond to the auditing spreadsheet.
The two Class D items: certificate and CRL profiles do not meet GFD.125 (no policy identifiers, MD5 signature hashes, old Netscape identifiers - all easy to implement). There are no annual internal operational audits - will improve this.
Aims to resolve all issues with the help of the reviewers. Reviewers appointed: Jens and Nuno.

3. MICS and NIST 800-63 LoA requirements. Mine Altunay.

Mine shows NIST 800-63, section 7 - Registration and Identity Proofing. Levels 2 and 3 include remote identity proofing. Remote proofing requires a government ID and a bank account. Confirmation includes proof of registered address (or registered phone number or email address).
Lots of discussion about this. Dave points out that InCommon Silver used to have slightly different identity vetting wording from NIST 800-63. Mine shows the current InCommon Silver Assurance Profile - it also includes the use of a Student ID, an Employee ID or a utility service. The issuance of a Student ID is not required to follow any process.
Is it NIST 800-63 or InCommon Silver that we need to study? Reimer notes that Scott Rea's original email on this asked that we consider InCommon Silver.
Options: change the MICS profile; create a new profile; ask CILogon to comply with the current MICS (i.e. only issue certs to people who were identified F2F).
Relying parties do want to accept certificates issued by CILogon following face to face vetting.
Conclusion: EUGridPMA is *not* willing to interpret InCommon Silver remote identity proofing as meeting the needs of the MICS profile, nor does it want to change MICS to achieve this.
Discussion continues... What is the use case for remotely registered students needing IGTF certs? DavidG suggests that face to face and remote subscribers could be issued names in two different namespaces - the signing policy file could then restrict to face to face. Two separate CAs would be even better. We should ask CILogon how strong the use case is for remotely identified people. This discussion needs to continue at the TAGPMA meeting in Lubbock.

--- coffee break ---

4. Licensing and liability issues

DavidG introduces issues related to including CA roots in various OS distributions, e.g. Debian. This has problems with the licensing of CA information, and we need to allow redistribution. Can we distribute using a Creative Commons license? QuoVadis have replied that they are happy for distribution under CC. Comodo has not yet replied. Christos reports their CAs are covered by the Mozilla Public License.
Discussion - are we happy to distribute using CC-BY? Milan states that all of the Comodo CAs are already in Debian.
The only one not there yet is TCS, which presumably belongs to TERENA. Conclusion - all agree that CC-BY is an appropriate license.
DavidG says that the update cycle may be mismatched. Thijs suggests that this has to be discussed with the security team of each distribution. We should encourage maintainers to issue updates very soon after the IGTF update is released.
Christos: Where are the certs going to be installed? Grid-specific or the OS standard place? Do the CP/CPS restrictions (e.g. do not use certs for finance) interfere with the distribution process? Jan: These are two different things.
Jens suggests that we need more investigation to be sure that CC-BY does not open up other liability issues.
Summary: All are happy to have our roots of trust in the OS distribution(s).
Back to the question of installation location... Jan: ideally we want them in both (standard and Grid). Someone needs to check if/how this can be done, e.g. links. Conclusion: they may be installed in the standard location, but the developer should also ensure that it works with Grid software.

5. Updates to the PKP Guidelines for use in SLCS. Jens.

Jens shows diffs between the latest version and the one we agreed last time. Two changes to allow for key storage in unencrypted form if it is the basis for a short lived credential. DavidG points out that the new OID is wrong: it needs another level for the version number. Will be fixed. All agree that the new version is now correct. EUGridPMA formally approves the new PKP Guidelines (V1.1).
BUT... there are still some problems. 3a has a missing word "be". There is a difference between the long term storage of keys (3a), which has a MUST, and 3g, which is talking about activated keys. Jens suggests it would be good to make this clearer in another update. Or, Reimer suggests, via footnotes explaining what/why the document says what it does.

--- lunch ---

6. SLCS and MICS profile updates

Starts by showing the latest SLCS version. It includes new references to the PKP guidelines.
It also references the GFD.125 certificate profile. EUGridPMA approves SLCS profile V2.2.
Now MICS. We look at version V1.2 discussed at the TAGPMA meeting of 14 July 2010. This seems to include some changes made during the meeting of 14th July. Is it final? The draft includes a reference to the PKP guidelines and other changes to make it consistent with the Classic and SLCS profiles.
We suggest dropping the sentence about short-lived certificates in section 3 ("In particular ...").
In section 4.4 there is no statement requiring revocation if the IdM identity has been compromised: "In case the identity in the IdM is compromised, affected issued certificates must be revoked".
Happy with the change from "should" to "must" in section 9 (recovery plan) as long as this definitely refers to the CA and not the IdMs.

7. CRL issues

DavidG circulated some time ago a link to a new version of fetch-crl (V3.0) to address various issues with the old version. FetchCRL3 is now written in Perl rather than shell scripts. http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/FetchCRL3
Goes through pros and cons. It has been packaged for Fedora and RHEL6 and above. Also part of Debian testing. Who will test this? Several members have started already.
DavidG asks for feedback on how long support will be needed for V2.7 and V2.8. Mine says that OSG will need 6 months to a year (for V2.8). EGI is still using V2.7, and 2.8 is a new installation methodology so it is not trivial to move. DavidG suggests end of life for V2.7 in mid 2011 and for V2.8 in Q2 2012. Will be in the newsletter.

8. Distribution of trust anchors

Moves on to the new format of the IGTF distribution for OpenSSL V1. OSG have tested this and it works. DavidG asks if this can now be tested in EGI. Once all is confirmed to work, the old style can be dropped.

9. New HIAST CA (Roberto Cecchini)

New CA for EUMedGrid (Syria). Roberto sent his review to the CA manager 3 weeks ago; a response saying they will study it was received today.
Review details were also sent to the EUGridPMA mail list. Roberto goes through some of the important points.

--- coffee ---

10. Jens' Soapbox

See slides. Not easy to take notes, so I didn't! Science, its methods and trust building.