EUGridPMA meeting, Kyiv, Ukraine. Day 1 - Monday 13 May 2013

Participants in the room - see registration page
Remote participants: Vladimir Dimitrov, Miroslav Dobrucky, Dana Ludviga (after morning coffee)

1. Introductions.
David Groep welcomes all and thanks the local organisers for providing a nice meeting location. There was a brief round-table of introductions. The agenda was shown and agreed.

2. TAGPMA update.
Dave Kelsey shows slides on behalf of Derek Simmel.

3. APGridPMA update.
Network connectivity to the TAGPMA17 agenda page is currently down, so DavidG is unable to show the slides given by Eric Yen at last week's TAGPMA meeting.

4. EUGridPMA update (David Groep)
See slides. DavidG talks about the two current issues with TCS:
a. Comodo OV certs now require phone calls to numbers that are often wrong.
b. CABforum guidelines forbid use of DC naming.

SHA-2 guideline: changed last week at TAGPMA17.
** The minutes should show the current agreed list **
Default issuing of SHA-2 EE certs has moved from Aug 2013 to 1st Oct 2014. Sunset date for SHA-1 is now 1st December 2014. The attendees agreed to the new timetable. We should publish the timetable somewhere clearly on the EUGridPMA (or IGTF?) web site.

5. Self-audit review status.
NIIF - no news.
Moldova - no news.
SlovakGrid - no news.
BalticGrid - DaveK to check that it is done.
Armenia - no news.
PK-Grid - there is a new CP/CPS; looks good; now complete.
SEEGRID - Edgars has now left. Ongoing.
Cyprus - no news.
TRGRID - there is a new CP/CPS, but no feedback yet.
BG.ACAD - did you get feedback, Vladimir? No, not yet. Please send the new CP/CPS to the list.
MARGI CA - no news; stuck for ages.
UK CA - CP/CPS still not updated. The UK CA TAG will apply pressure.
Belnet - now migrating to TCS, so their CA will be decommissioned.
Discussed how to improve the work flow. Decided it would be good to have a EUGridPMA secretary, a rotating role valid for 6 months.
Kaspars Krampis (IMCS UL) volunteers and is appointed until 30 Nov 2013. He will chase the CAs and reviewers of all pending self-audits.

6. Election of Chair of EUGridPMA.
No new volunteers. David Groep was nominated by DaveK and was happy to do it for another year. All agreed. DavidG elected for another year.

7. Network link to TAGPMA indico site is back.
DavidG shows the update from APGridPMA (given at last week's TAGPMA meeting by Eric Yen). IHEP CA: the issuer name included an email address; this is finally fixed and will be in the May 2013 IGTF distribution.

--- coffee break ---

8. pkIRISGrid CA - update and self-audit (Javi Masa)
See slides. An offline CA. Classic profile. Accredited in Vienna in 2006. 47 RAs in 20 locations. 118 RA operators and admins. 2 CA staff. More than 7K certs have been issued; ~1K currently valid. SHA-2 supported since 2012. An updated version of the CP/CPS has been produced (see slides for details).
Now presents the results of the self-audit: 1 X and 4 A/Bs.
Point (8) - access to the CA. We agree this is an A, not a B.
Point (16) - tamper-proof logs. This is aimed at an online CA using an HSM, so this point does not apply to their offline CA; it should therefore be X.
Point (17) - change of CA crypto data. Currently B, but will be A once the new CP/CPS is published.
Point (22) - comply with GFD.125. Was B before, now A.
Point (24) - response time for revocation. Now fixed in the CP/CPS. Now A.
Point (25) - subscribers requesting revocation. Now fixed. A.
Point (37) - subscribers protecting their private keys. Fixed in one place in the CP/CPS; also needs to be fixed elsewhere (A/B).
Point (40) - rekey, not renew. Last audit was a D. Software and CP/CPS now fixed to only do rekey. Now A.
Point (41) -
Point (42) - F2F identity check required every 5 years. Was C. Now fixed in the CP/CPS; software being fixed. A/B.
Point (47) - CA operational audits. Was B at last audit. Now fixed. A.
(Dana Ludviga appears as a remote participant)
Further plans: update CP/CPS, finish software, update web, create compromise and disaster recovery procedures, add IPv6 support, deploy an OCSP provider.
DavidG - the proof-of-possession-of-private-key process may be too much. Usually a signed CSR is sufficient.
Reviewers: DaveK and Sergii (? or another)

9. CALG self-audit (Kaspars, and Dana remotely)
See slides. First self-audit. CA for the Latvian Grid. Accredited in 2009. Managed by IMCS UL. Dana is leaving soon for maternity leave (congratulations to her!).
46 A, 8 B, 2 C, 10 D, 2 X. See slides for more details of the Bs.
Major changes: C. What about "the secure environment must be documented and approved by the PMA"? This is an A. A visit by the PMA is fine. Need to add a statement to the CP/CPS about subscribers requesting revocation.
D: lifetime of the CA cert and EE certs is not yet mentioned in the CP/CPS.
D: need to move to X.509 v2 CRLs and change the CP/CPS.
D: need to add the OID in certs for GFD.125.
D: renewal lifetimes to be fixed.
D: the RA can no longer legally take a copy of the ID, so a new form has now been implemented.
X: not a single CA. Also BalticGrid, but accepted by EUGridPMA before.
X: tamper-proof logs for an online CA (they are an offline CA).
Dana will produce a new version of the CP/CPS to address all of these issues.
Reviewers: Feyza and DavidG

Cosmin joins remotely just before lunch.

---- lunch break ----

Remote participants in the afternoon: Vladimir, Cosmin, Jens Jensen (after coffee)

10. Lightweight Identity vetting and Levels of assurance (LiveAP).
See slides. DavidG introduces the topic. Jules Wolfrat (in the Rome meeting) said that the PRACE sites do much of the identity vetting and therefore we can live with a lower assurance on the CA ID vetting. Stresses that this is a redistribution of responsibilities, with the effective LoA retained. PRACE, XSEDE and WLCG are all examples of cases where the site or the VO is doing proper identity vetting.
BUT many EGI VOs fail to do proper ID vetting and rely on the CA including the name of the person in the certificate.
Discussion about the requirements for this. One example is the UK Access Federation and the UK SARoNGS service, where the full name component is not available for use.
See wiki for the text of the profile. DavidG shows the differences between V6 and V7 of the profile. V7 was produced last week at the TAGPMA meeting. One aim was to include the US InCommon Basic profile.
For LoA 1 commonName there is no proper vetting. It would have been good to use unstructuredName, but this is not supported in OpenSSL. We are no longer doing identity vetting, just identification.
Institute email addresses are often recycled; ePPN is more likely to be persistent. Change wording to "a name chosen by the requestor obtained from a list proposed by the IdP".
Third-party IdP involvement in incident response: concern was expressed that we are not able to require this. Would be good to get input from PRACE? Can we require that the IdP MUST have an incident response capability, or just change to "strongly recommended"?
There is an advantage to the SubjectName being the same in LiveAP as in the other profiles, as then an improvement to CA/IdP procedures may upgrade the LoA without the user's SubjectName having to be changed. InCommon Basic/Silver does this.
InCommon Basic does not require members to allow for an audit by the authority. What do relying parties think about this?

---- coffee break ----

10 (continued). Back to LiveAP.
What about the full title? Is it OK? The acronym "LIVE" tends to suggest more than just the identity vetting being light-weight. Are the other profiles "dead"?!?!? Dinner-time discussion!
Now back to considering the full text. DavidG takes us through it. Several changes were made. Move much of the text from the abstract to the General Architecture. (Jens joins remotely and participates in the discussion.)
Lots of discussion about the set of subject names required by the Naming section. Agreed that we could do with some footnotes describing, for example, the anonymised ePTIDs used by SARoNGS and a mail forwarder to contact the user rather than publishing their email address. RPs also need to consider collecting the whole certificate rather than just the DN, so as to be sure to log the contact info provided in subjectAlternativeName.
Concluded today's meeting before the discussion on operational requirements. End at 17:30.
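Added example (not part of these minutes, and not any CA's or RP's code): the two technical points raised today, proof of possession of the private key via a signed CSR (item 8) and why a relying party should keep the whole certificate rather than only the DN because the contact address lives in subjectAltName (item 10), shown end to end with the third-party Python `cryptography` package. The CA name, DC-style subject naming, user name and email address are all constructed for the demo and do not refer to any accredited CA.

```python
"""Added example, not part of the EUGridPMA minutes: a signed CSR as proof of
possession of the private key, and why a relying party should keep the whole
certificate rather than only the DN, since the contact address lives in
subjectAltName. Uses the third-party `cryptography` package. All names, keys
and addresses below are constructed for the demo."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def make_csr(subject_cn: str, contact_email: str):
    """Subscriber side: generate a key and sign a CSR. The CSR's signature
    over its own contents is the proof of possession of the private key."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([
            # Constructed DC-style grid naming; not any real CA's namespace.
            x509.NameAttribute(NameOID.DOMAIN_COMPONENT, "example"),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Grid"),
            x509.NameAttribute(NameOID.COMMON_NAME, subject_cn),
        ]))
        # The contact address goes in SAN (rfc822Name), not in the DN.
        .add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(contact_email)]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return key, csr


def proof_of_possession_ok(csr: x509.CertificateSigningRequest) -> bool:
    """CA side: verify the CSR's self-signature against the public key it
    carries. A valid signature shows the requester holds the matching private
    key, which is the check the minutes refer to as 'a signed CSR'."""
    return csr.is_signature_valid


def issue_cert(csr, ca_key, ca_name, days=365):
    """CA side: refuse requests without proof of possession, then issue a cert
    that copies the requested SAN so the contact address travels with it."""
    if not proof_of_possession_ok(csr):
        raise ValueError("CSR signature invalid: no proof of possession")
    now = datetime.datetime.now(datetime.timezone.utc)
    san = csr.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(san.value, critical=san.critical)
        .sign(ca_key, hashes.SHA256())
    )


def rp_record(cert_pem: bytes) -> dict:
    """Relying-party side: the record to log when the whole certificate is
    kept. Logging only the DN string would drop the contact addresses."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    return {"dn": cert.subject.rfc4514_string(), "contact_emails": emails}


def demo() -> dict:
    """Run the three roles end to end and return what the RP would log."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    _key, csr = make_csr("Alice Example", "alice@example.org")  # constructed
    cert = issue_cert(csr, ca_key, ca_name)
    return rp_record(cert.public_bytes(serialization.Encoding.PEM))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the RP record: the DN carries the DC components and the commonName, while the email address appears only under contact_emails, which is exactly what is lost when an RP stores nothing but the DN string.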