------------------------------------------------------------------------
Minutes - 2012/01/17

» CA self-audit III: CyGrid CA (Andoenai Balla)
===============================================
* There is no need to change the CP/CPS to RFC 3647 if no big changes are being implemented (which is the case).
* Jens suggested that if the procedures are right but are not described in the CP/CPS, it should be a C, not a D.

Reviewers: Shahin Rouhani (Iran) and Thijs Kinkhorst (TCS)

» The IGTF Wish List for EGI and SHA2 support (David Groep, Dave Kelsey)
========================================================================
David Groep
* Jens' request: multiple CAs with the same namespace, useful in CA rollover.

David Kelsey (Maarten Litmaath's slides)
* SHA2 problem: do we want to set up a SHA2 infrastructure to issue certificates for testing?
* If SHA1 is obsolete in 6 months, the RAT needs a plan B, and the middleware as well.
* Milan: we can stop supporting software that does not accept SHA2.
* David K.: WLCG stopping for 6 months (waiting for the software to be upgraded) is bad for everyone, even IGTF.
* Jens has plans to issue SHA2 certificates within the UK e-Science to test it in the infrastructure.
* There are 3 CAs that issue certificates with an email address in the DN; there is a request to remove it.
* David K. suggested January 2013 as the time limit to change to SHA2.
* Milan is of the opinion that middleware should be able to replace the algorithm in a simple way.
* David K.: add to the wish list the ability to be agile in changing the algorithm.
* We will do a risk assessment and not move to SHA2 before the risk assessment is completed; a new date will come out of it, but no later than January 2013.
* David K.: support the whole SHA2 family? At least SHA-256.
* David G.: we must also start to issue certificates with 2048-bit keys.
» IGTF and EGI release time lines (David Groep)
===============================================
* IGTF releases on the last Monday of the month, but EGI needs two more weeks for testing.
* It has been decided that EGI will have access to the preview release for testing (a week before the main release).
* Changes to be incorporated in the next release need to be sent before the middle of the month.

» New CA accreditation: TNGrid CA (Heithem Abbes)
=================================================
* Jens suggested changing the certificate lifetime to 1 year + 1 month; the lifetime is described as being 1 year.
* Acceptance of the certificate after issuance is not needed.
* Remove the issuer from the Authority Key Identifier.
* Milan: remove host/ from the CN options, just service/ and FQDN.
* Suggested to use DC instead of "C" and "O".

Reviewers: Roberto Cecchini (Italy) and Alexandru Bobe (Romania).

» Updates to the PKP Guidelines and management of credentials (Jens Jensen)
===========================================================================
* "CA must not have access to the private key at any time, whether in encrypted form or not."
* For a certain time a CA has "access" to keys on a token.
* Key generation: where? Inside the CA or outside of the CA?
* David K.: as a relying party he trusts the CAs.
* Jens: should a CA control the private key or not?
* The subscriber can control the private key, or a "key role"? Something inside the CA but which is not the CA?
* "Private key must not be used except in conjunction with a certificate, or for the purpose of obtaining a certificate."
* "The certificate is used for digital signatures." (Jens' note: this phrase should be changed.)
* Milan: should the private key be archived? That is different from backup.
* Reimer: where is the private key stored by the user? In the same place where the certificate is stored, but encrypted.
* Roberto: the private key must not be stored on an NFS volume!
* This is not enforced anymore.
* Jens: if the private key is controlled by the users, can system administrators check for weak passwords and warn the user?
* Right now, if a system administrator finds the password of the private key, then the certificate must be revoked.
* A key may be stored in active form if ... (6. Key activation) (Jens' note: point 2 is "or").
* David G.: how to get these guidelines to the other PMAs?
* Try to agree on the principles before putting a lot of work into the document.
* All Hands IGTF in Karlsruhe?
* Ursula ... agrees, no problem.

» Pending minor updates to the Classic Profile and the EUGridPMA Charter
========================================================================
* Maximum validity of end-entity certificates: 1 year plus 1 month -> 395 days.
* 1024 bits -> 2048 bits.
* Christos: what about hardware tokens (regarding 2048-bit support)?
* David G.: many hardware tokens can handle 2048-bit keys.
* Pawel: should the key of the CA be increased?
* The CA key should have a minimum of 4096 bits.
* General Architecture
* Remove the "one CA" per country ... and other text that has been moved to the Accreditation document.
* Editing of the Accreditation document: the changes will take effect immediately.
* The Classic Profile will be reviewed by the other PMAs before approval.

» TAGPMA update (Derek Simmel)
==============================
* 27 members; problems to have quorum in calls because some members don't participate (if this comes to be a problem, they will suspend some members).
* David K. asked to include in the agenda of the San Diego meeting the private key protection guidelines and the update of the Classic Profile.

» AA Profile (Attribute Authority)
==================================
David K.
* Continuation of editing the document.
* Finished; needs to be sent to the other PMAs.
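As an added example that is not part of the minutes or of any IGTF or EUGridPMA tooling, the shell script below checks an end-entity certificate against the concrete values recorded above: a SHA-2 family signature (at least SHA-256, from the SHA2 discussion), an RSA key of at least 2048 bits with 4096 bits as the CA minimum (Classic Profile updates), a validity of at most 395 days, and no email address in the subject DN (the TNGrid review and the wish-list item on the 3 CAs). It assumes only the openssl command-line tool; the two certificates it builds are constructed test data, and the DC-based subject names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the minutes: profile checks for an end-entity
# certificate using the values recorded in the EUGridPMA discussion.
# Assumes the openssl command-line tool is installed.

# Build a throw-away self-signed certificate (constructed test data).
# Arguments: output file, RSA bits, validity in days, subject DN.
make_test_cert() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days "$3" -subj "$4" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Signature must come from the SHA-2 family (SHA-256 at least).
check_sha2() {
  openssl x509 -in "$1" -noout -text |
    grep -Eq 'Signature Algorithm: (sha256|sha384|sha512)WithRSAEncryption'
}

# Public key must have at least the given number of bits
# (2048 for end entities, 4096 for a CA key per the Classic Profile update).
check_key_size() {
  bits=$(openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# At most 395 days of validity. openssl -checkend exits non-zero when the
# certificate expires within the window, so a pass is the negated result.
# For a freshly issued certificate this equals the total validity period;
# for an older one it measures the time left, which is a weaker check.
check_validity() {
  ! openssl x509 -in "$1" -noout -checkend $((395 * 86400)) >/dev/null
}

# No emailAddress component in the subject DN.
check_no_email() {
  ! openssl x509 -in "$1" -noout -subject | grep -qi 'emailAddress'
}

# Run all checks, print one PASS/FAIL line each, return the failure count.
audit_cert() {
  failures=0
  for c in check_sha2 check_validity check_no_email; do
    if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; failures=$((failures + 1)); fi
  done
  if check_key_size "$1" 2048; then
    echo "PASS check_key_size"
  else
    echo "FAIL check_key_size"; failures=$((failures + 1))
  fi
  return "$failures"
}

# Demonstration on two constructed certificates: one within the profile,
# one with a 730-day lifetime and an email address in the DN.
workdir=$(mktemp -d)
make_test_cert "$workdir/good.pem" 2048 390 "/DC=org/DC=example/CN=host.example.org"
make_test_cert "$workdir/bad.pem" 2048 730 \
  "/DC=org/DC=example/CN=host.example.org/emailAddress=admin@example.org"
echo "== good.pem"
audit_cert "$workdir/good.pem" && echo "good.pem: all checks passed"
echo "== bad.pem"
audit_cert "$workdir/bad.pem" || echo "bad.pem: $? check(s) failed"
```

The checks are written as separate functions so a CA operator or reviewer can run a single one over a directory of issued certificates; only the key-size check takes a threshold argument, because the minutes record different minimums for end-entity (2048) and CA (4096) keys.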