Dear all,

The 23rd EUGridPMA meeting is now over, and I would like to take this opportunity to briefly summarize the outcome. I would also like to very warmly thank our local organizers from CNRST: Hassan Bouhaddou, Nabil Talhaoui, and Katim Oustouch, as well as our hosts in Marrakesh at the Faculty of Physics of the Cadi Ayyad University. They not only ensured the meeting went smoothly, but also arranged some excellent trust-building opportunities!

Thanks to Dusan, the full minutes will be posted on-line shortly. Meanwhile, the following are the highlights from the meeting as I captured them:

* The self-audit reviews are ongoing, and on the reviewer side there are no significant delays. Inappropriate delays on the CA side in addressing their identified issues must be adequately addressed before the next meeting in January 2012. Other CAs presented a self-audit at this meeting: ROSA (reviewers: Ursula and Yury), Belarus (reviewers: DavidG and Ursula), TR-Grid (reviewers: Jean-Christophe and David OC).

* The new authorities incubated by the EUMedGrid project are coming along rapidly now. HIAST was accredited in June, Algeria will be accredited by Sept 20, JUNet and the UAE presented at this meeting, and TNGrid has been introduced to the PMA (reviewers: Alexandru and Feyza). The Egyptian authority host organisation is setting up the on-line repository and will apply shortly. Based on the presentation, CP/CPS and review of the Jordanian CA, the JUNet CA review is almost complete. Having addressed the one outstanding issue, accreditation will proceed by email with a 2-week final call following the publication of the definitive CP/CPS.

* The MAGrid CA presented its status and plans, and will in due course be superseded by a generic national CA covering much more than eScience: the whole MARWAN constituency.
  It is clarified for all that - although the PMA is concerned primarily with the e-Infrastructure domain - the authorities themselves have no such restriction, and are welcome and encouraged to serve as many subscribers as are relevant for the hosting organisation, country or company.

* Increasingly, large data centres are facing massive host cert issuance. Alexey (CERN CA) will be drafting a plan for how to handle host cert issuance at CERN, leveraging the integrated member management and the fully-controlled configuration management systems available for the CERN computer centre. DavidG produced a summary presentation (see agenda), and the PMA is quite favourable to the idea and the issuance concept. It is also relevant for the other PMAs, even if no change to the (MICS) profile is needed. The few new questions that arose:
  - How is the renewal process defined? Can it leverage the same rigorous controls put in place for new issuance?
  - How to deal with virtualised hosts, or are those treated the same?
  - Are there controls on the robot certs allowed to request host certs?
  - Can standard protocols (SCEP, CMC) be used?
  Other CAs (like DFN) are facing similar issues and are interested! If properly secured, the PMA will approve of this model.

* MarcoB (IGI) presented the portal use case (see agenda material). The main concern for the PMA is the integrity of the credential management systems, so the proposal is to do any private key handling (also the uploads) on a specific box separate from the Liferay portal itself, e.g. by combining it with the MyProxy server. Even for MICS credentials created by the portal for the user, it should be possible to generate from it a long-term proxy and then wipe the key material pertaining to the original MICS request. The portal satisfies an important use case, where the end-users do not have the software or expertise to handle any kind of key material or proxies, and this use case is universal and must be supported in some way.
  With a thin credential management system (separate from the portal) and using a dedicated machine only for the credential and key management (also the uploader!), the PMA is favourable to this idea. It is also clear that the existing MICS capability of GARR TCS should be used for the issuance, and not a separate CA. There are no policy or inherent obstacles expected for the use of GARR IDEM TCS in this scheme, although issuance software (next to or in Confusa) should be developed.

* Jens' presentation on the PKP guidelines update refactored the problem set into various distinct issues. Based on this decomposition, Jens will come up with a concrete draft text by the end of November 2011 and circulate that to the mailing list. By the January meeting, we should conclude on this new text. (Detailed notes to be posted later.)

* The UKeScience CA is rolling over to a new set of issuing CAs, and is drafting a new policy. Until the new policy is reviewed by the PMA and approved, all issuance will comply with the current ('old') CP/CPS.

* The Grid-KA CA rewrote part of the CP/CPS to accommodate organisation name changes and (soft-key) robots. It is not (yet) responding to the issues identified in the earlier self-audit, since the reviewers have not yet completed their review. A new self-audit is due later, but meanwhile the proposed changes can just be sent to the list and will be accepted following the standard 2-week period.

* At the next meeting(s), a session (an afternoon and/or a morning) will be dedicated to the discussion of 'technical' topics relating to ID management, PKI and its applications or software. There is enough interest to discuss some interesting bits:
  - Moonshot and a hands-on session (by Jens in January)
  - OCSP and HSMs; namespace definitions and RPDNC; release model, schedule and technical content; outcome and results from EEF Federated ID meetings and workshops

* The new TACAR policy was presented and well accepted by the EUGridPMA.
  A PGP signing party (please everyone generate PGP keys if you want to get into TACAR) followed during the meeting. With the new TACAR policy significantly easing the introduction process, everyone is again reminded to complete the registration through your favourite Trusted Introducer soon!

Next PMA meetings were also planned and/or confirmed:

  #   Location                    Dates                 Host
  24  Ljubljana, SI               16-18 January 2012    Josef Stefan Institute
  25  Karlsruhe, DE               7-9 May 2012          SSC KIT
  26  Belgrade, RS (tentative)    September 2012        AEGIS CA
  27  Abu Dhabi, UAE (tentative)  January 2013          Ankabut
  28  Kyiv, UA (tentative)        May 2013              UGrid CA

Also:
  - the next EEF Federated ID workshop will be Nov 2-3 in the UK
  - OGF 33 next week (Sept 20, 2011) in Lyon, FR
  - TAGPMA at ORNL, Oak Ridge, TN, USA on October 11-12, 2011
  - APGridPMA at Sapporo, Hokkaido, JP on October 17, 2011
  - ISGC2012 and APGridPMA in Taipei, TW the week of 25 Feb - 2 Mar 2012

Hope to see you all at the next meeting in Ljubljana, kindly hosted by the Josef Stefan Institute!
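Appended illustration of the portal credential-handling item above (the dedicated credential box that derives a long-term proxy from the MICS credential and then wipes the key material of the original request). This is an added example by the editor, not code from the EUGridPMA, IGI, Confusa or MyProxy, and it uses only OpenSSL: a constructed, self-signed stand-in for the MICS CA, a constructed end-entity subject, and an RFC 3820 proxy certificate. The CA and subject names, the lifetimes, the proxy policy text and all file paths are assumptions.

```shell
#!/bin/sh
# Added example (editor's illustration, not EUGridPMA/IGI/MyProxy code) of the
# credential-box flow: a freshly issued MICS end-entity credential (EEC) is
# used exactly once, to derive a proxy certificate, and the EEC private key is
# then wiped so that only the proxy ever reaches the portal / MyProxy side.
# Everything is constructed locally with OpenSSL; the "MICS CA" is a throw-away
# self-signed CA, and all names, lifetimes and paths are assumptions.
set -eu

# 1. Stand-in for the MICS CA (constructed; a real deployment would use the
#    MICS capability of GARR TCS instead).
make_fake_mics_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/DC=org/DC=example/CN=Fake MICS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. The EEC the credential box obtains for the user (constructed subject).
issue_eec() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/DC=org/DC=example/CN=Jane Doe" \
    -keyout "$WORK/eec.key" -out "$WORK/eec.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/eec.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/eec.pem" >/dev/null 2>&1
}

# 3. Derive an RFC 3820 proxy: its own key pair, subject = EEC subject plus one
#    extra CN, signed by the EEC key, with a critical proxyCertInfo extension
#    (the form documented in OpenSSL's x509v3_config; the policy text is a stand-in).
derive_proxy() {
  printf '%s\n' \
    'proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:0,policy:text:AB' \
    > "$WORK/proxy.ext"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/DC=org/DC=example/CN=Jane Doe/CN=12345" \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/eec.pem" -CAkey "$WORK/eec.key" \
    -CAcreateserial -days 7 -extfile "$WORK/proxy.ext" -out "$WORK/proxy.pem" >/dev/null 2>&1
  # What may leave this box: proxy cert, proxy key and the EEC *certificate* only.
  cat "$WORK/proxy.pem" "$WORK/proxy.key" "$WORK/eec.pem" > "$WORK/proxy-credential.pem"
}

# 4. The long-lived EEC private key is now surplus on this box: overwrite and
#    unlink it, so a later compromise of the portal yields at most a
#    limited-lifetime proxy rather than the MICS credential itself.
wipe_eec_key() {
  if command -v shred >/dev/null 2>&1; then
    shred -u "$WORK/eec.key"
  else
    dd if=/dev/urandom of="$WORK/eec.key" bs=1k count=4 conv=notrunc 2>/dev/null
    rm -f "$WORK/eec.key"
  fi
}

# Runs the whole flow in a fresh temporary directory and checks the result:
# the proxy validates as a proxy (and only as one), the EEC key is gone, and
# the proxy credential bundle exists. Prints "ok" on success.
run_demo() {
  WORK=$(mktemp -d)
  make_fake_mics_ca
  issue_eec
  derive_proxy
  wipe_eec_key
  # Chain check as a relying party would do it: CA -> EEC -> proxy.
  openssl verify -allow_proxy_certs -CAfile "$WORK/ca.pem" \
    -untrusted "$WORK/eec.pem" "$WORK/proxy.pem" >/dev/null 2>&1 || return 1
  # Without proxy support the same chain must be rejected (the EEC is not a CA).
  if openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/eec.pem" \
       "$WORK/proxy.pem" >/dev/null 2>&1; then return 1; fi
  [ ! -e "$WORK/eec.key" ] || return 1
  [ -s "$WORK/proxy-credential.pem" ] || return 1
  rm -rf "$WORK"
  echo ok
}

run_demo
```

The point of the separation is visible in step 4: after derivation, the only private key left on the box is the proxy's, and the bundle handed to the portal or MyProxy contains no EEC key. In a real deployment the EEC would come from the MICS issuer rather than from the local stand-in CA, and the proxy lifetime would follow the CA's policy.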