25 January 2011 Minutes

CA Update I: BEGrid CA
======================
- Before: no local RAs; the user's institute was contacted every time a new certificate was requested.
- After: OpenTrust PKI (www.opentrust.com), live since 2008.
- They are only allowed to renew the contract with OpenTrust for one more year; after that they need to run a public tender, and it is not certain that OpenTrust will win again.
- A TERENA personal certificate is a possibility.
- They only issue certificates to people who use the grid, and they check this; Jen does this as well.
- They don't issue certificates for mail signing only.
- Online CA, no HSM !!!!! The old system was an online CA as well !!!!
- The current CP/CPS says the CA is not connected to any network.
- They are going to cut the network link of the CA machine; Reimer and Onur are going to follow the process.

New CA I: DZ e-Science Grid (Algeria)
=====================================
- They are using INFN as CA and act as an RA for it.
- DN: RA ... various OUs, the last of which must be OU=RA, and then an L= ... a complicated DN.
- Suggested using DC components instead of C= and O=.
- A subjectAltName must be used for host and service certificates (Willy suggested).
- OpenCA v1.1.
- Certificate acceptance: to be sure the user gets the certificate. If the user doesn't accept the certificate, will it be revoked? Not sure; this is going to be checked.
- Reviewers: Pawel and Eygene.

Self-audit II: MREN CA
======================
- Changing the pass-phrase every 180 days: does this add any security? Nobody else does this at such an interval.
- The pass-phrase and the encrypted key are kept in the same safe.
- Reviewers: Cosmin and Willy.

New CA II: HIAST (Syria)
========================
- SHA-256: problems with this? Not supported in the middleware.
- 8192-bit key: problems with the middleware? The Java problem is gone; nobody is aware of problems.
- Off-line CRL signing, key usage !!!
- OpenCA.
- host/machine: why is it required? Only put the FQDN.
- Keep the service/machine variant, but don't advertise it.
- Translate between Arabic names and Latin script?
- Update the authentication profile? The 395 days are OK.
- Policy identifier ... should only contain OIDs ... this one contains a URL.
- Don't issue a CRL after the CA private key has been compromised.
- DFN management is strongly against the inclusion of Syria in EUGridPMA; statement from Reimer.

The Americas Grid PMA (Scott Rea)
=================================
- OSG has not yet found a replacement for Doug after he left; waiting for an official announcement.

Private key protection and CA based key generation services – update to the PKP (Scott Rea)
===========================================================================================
- CA generation of EE private keys.
- Key protection guidelines: where the key is generated: inside a secure hardware token, on the user's computer, on a computer administered by the organization, or by a third party.
- What is meant by "3rd party"?
- Someone connects to a site and chooses a pass-phrase; a key and a certificate are then generated and delivered to the user in a PKCS#12 object, after which the key is deleted by the CA.
- The user then loads the certificate into the browser.
- This is done over HTTPS.
- Asked: eTokens? Generated by a third party with PINs? That's one way to go.
- Jens: with PKCS#12 the user still has to manage the private key; this does not solve an old problem.
- Jens: now there is two-factor authentication, private key and pass-phrase; this will have one-factor authentication, only the pass-phrase ...
- Willy: what is the advantage compared to the user generating the key in the browser?
- Willy: what guarantees that the private key is deleted at the other end?
- Jules: the users still have to manage the import into the key store and so on.
- Proposal: http://tagpma.es.net/wiki/bin/view/Main/CAgenEEkeys
- "generated and stored in accordance with the currently approved version of the Guidelines on Private Key Protection."
- Remove the qualifying phrase "that is administered by a third party".
- Jen: what is a 3rd party?
- David: does 3rd party include the CA?
- David Groep: portals already create keys for the users, and don't delete the private keys.
- David: there is one CA that wants to do this because they think it will simplify the users' lives.
- Willy: it should be explicitly described in the certificate that it has been generated this way.
- Jen: this lowers the LoA.
- Jen: the private key guidelines allow different interpretations and need to be improved, e.g. by saying "The private key will be deleted".
- Jules: portals should only create short-lived certificates.
- The Davids (Groep and Kelsey) said the actual document already covers this case, but the document should be improved.
- Jim should explicitly clarify what he wants to do, step by step; Scott doesn't see any problem with Jim doing that.
- Scott: when Jim is in the accreditation, he must explain the steps of the process.
- This can be discussed in Taipei.
- This is for MICS long-lived certificates.
- An OID could be put in the certificate so that one can know how the certificate has been issued; if the document is modified in the meantime, we can then tell that one certificate was issued like this and another like that.

Downtime notifications and communications to relying parties (Christos T)
=========================================================================
- The software is in place: https://igtf-devel.grid.auth.gr/ and https://igtf-devel.grid.auth.gr/downtimes.rss
- Sign up and edit the profile.
- Use this interface to announce downtimes or other related issues.

Jens’ Soap boxes Ltd. (Jens Jensen)
============================================
Compliance, LoA, the warm and fuzzy, private key protection
- The people who make noise vs. the silent majority

2012 meeting schedule and structure: locations in 2012, duration of meetings, etc.
=================================================================================
- Next meeting at the beginning of May in Prague, 3 days, Wednesday 11 until Friday 13.
- Starts Wednesday after lunch; we need to see if it will be 2 or 2.5 days.
- Ljubljana, September 2011, but we had an offer to go to Marrakesh, 12 to 14 September.
- Ljubljana could be in January 2012.
- Options: 2 meetings a year, or 3 meetings a year?
- Video conference for self-audits? We are going to run some tests with EVO, H.323 and Adobe.
- 2-day meeting, starting at lunch time; this will be tried in Prague.

CAOPS Working Group: document status review (Jen)
=================================================
- 2 documents in the pipeline, waiting for replies to public comments.
- CAOPS will meet in Taipei; one session is scheduled.

Presentation of the next EUGridPMA meeting and TERENA TNC, Prague, CZ (Milan Sova)
==================================================================================
- At the moment Milan has no idea where the meeting will be held.
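The certificate-profile points raised in the DZ e-Science Grid and HIAST reviews above (DC-based subject names instead of C=/O=, a subjectAltName carrying the FQDN on host certificates, cRLSign key usage on the key that signs the CRL, policy identifiers that are bare OIDs with the CP/CPS URL only as a qualifier, SHA-256 signatures, 395-day validity) can be checked mechanically. The script below is an added example, not code from the minutes or from any CA named in them: it builds a throwaway two-level PKI with openssl laid out as the reviewers asked, issues one host certificate with a SAN and one without (the "as submitted" failure case), and runs the review checks against all three certificates. The CA name, the FQDN ce01.example-grid.org, the CPS URL and the policy OID 1.3.6.1.4.1.99999.1.1 are all assumed placeholders; it needs only a POSIX shell and the openssl command line tool.

```shell
#!/bin/sh
# Added example, not code from the minutes or from any CA named in them.
# Builds a throwaway two-level PKI the way the review points ask for and
# runs the checks a reviewer would apply. All names, the FQDN, the CPS URL
# and the policy OID are assumed; 1.3.6.1.4.1.99999.1.1 is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="ce01.example-grid.org"
CA_CERT="$WORK/ca.pem"
HOST_CERT="$WORK/host.pem"
HOST_NOSAN_CERT="$WORK/host-nosan.pem"   # the "as submitted" variant, SAN missing

# Minimal req config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Extension profiles. The policy identifier is a bare OID; the CP/CPS URL
# goes into the CPS qualifier, never into the identifier itself.
cat > "$WORK/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
certificatePolicies  = @cp_sect
[v3_host]
basicConstraints     = CA:FALSE
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = serverAuth,clientAuth
subjectAltName       = DNS:ce01.example-grid.org
certificatePolicies  = @cp_sect
[v3_host_nosan]
basicConstraints     = CA:FALSE
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = serverAuth,clientAuth
certificatePolicies  = @cp_sect
[cp_sect]
policyIdentifier     = 1.3.6.1.4.1.99999.1.1
CPS.1                = "https://ca.example-grid.org/cps"
EOF

# Subject names use DC components instead of C=/O=.
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/DC=org/DC=example-grid/CN=Example Grid CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 -days 3650 \
  -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$CA_CERT" 2>/dev/null

openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/DC=org/DC=example-grid/CN=$FQDN" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
# 395-day validity, the figure accepted for the authentication profile.
openssl x509 -req -in "$WORK/host.csr" -CA "$CA_CERT" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 395 -extfile "$WORK/ext.cnf" \
  -extensions v3_host -out "$HOST_CERT" 2>/dev/null
openssl x509 -req -in "$WORK/host.csr" -CA "$CA_CERT" -CAkey "$WORK/ca.key" \
  -CAcreateserial -sha256 -days 395 -extfile "$WORK/ext.cnf" \
  -extensions v3_host_nosan -out "$HOST_NOSAN_CERT" 2>/dev/null

text_of() { openssl x509 -in "$1" -noout -text; }

# Review checks: each returns 0 when the certificate passes.
has_san_fqdn() {     # host/service certs carry the FQDN in subjectAltName
  text_of "$1" | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}
subject_uses_dc() {  # DC-based naming, no C= or O= component in the subject
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  echo "$s" | grep -q 'DC=example-grid,DC=org' && ! echo "$s" | grep -Eq '(^|,)[CO]='
}
signs_crls() {       # the key that signs the CRL must carry cRLSign
  text_of "$1" | grep -A1 'X509v3 Key Usage' | grep -q 'CRL Sign'
}
policy_ids_are_oids() {  # every policy identifier is dotted-decimal, not a URL
  ids=$(text_of "$1" | awk '/Policy:/ {print $2}')
  [ -n "$ids" ] || return 1
  echo "$ids" | grep -vEq '^[0-9]+(\.[0-9]+)+$' && return 1
  return 0
}
cps_url_is_qualifier() { # the CP/CPS URL appears only as a CPS qualifier
  text_of "$1" | grep -q 'CPS: https://ca.example-grid.org/cps'
}
signed_with_sha256() {   # no SHA-1 signatures
  text_of "$1" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

report() {           # $1 label, $2 cert, remaining args: check names to run
  label=$1; cert=$2; shift 2
  for chk in "$@"; do
    if "$chk" "$cert" "$FQDN"; then r=pass; else r=FAIL; fi
    printf '%-11s %-22s %s\n' "$label" "$chk" "$r"
  done
}
report ca "$CA_CERT" subject_uses_dc signs_crls policy_ids_are_oids cps_url_is_qualifier signed_with_sha256
report host "$HOST_CERT" subject_uses_dc has_san_fqdn policy_ids_are_oids signed_with_sha256
report host-nosan "$HOST_NOSAN_CERT" subject_uses_dc has_san_fqdn policy_ids_are_oids
```

The report prints one line per check; the only FAIL is has_san_fqdn on the host-nosan certificate, which is the exact defect the DZ review asked to be fixed. The same check functions can be pointed at a CA's real certificates (for example the issuer certificate from its distribution bundle) during a review, which is quicker and more reliable than reading the CP/CPS alone.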