EUGridPMA meeting. Kyiv. Day 2 - 14 May 2013
-----------------------------------------------------------------

Present remotely: Vladimir, Miroslav, Jens, Ursula

1. Jean-Francois Guezou - New CA structure for research in France

See slides. Things are changing in France - this is the reason why there has been no recent self-audit.
He shows the current structure - grid2-fr is a sub-CA, two levels below the CNRS2 root. The root is self-signed and not trusted in browsers. There is no longer the will to fund this.
There is another PKI in Education run by ANSSI. They plan to build a new branch in this tree for Research.
The preferred scenario is to build a single CA hierarchy for Research which meets the needs of all stakeholders, including IGTF. This now has approved funding, and the end CAs will continue to be run by RENATER. New staff will start in Sep 2013.
DPK suggests that they could follow scenario 2 but have separate signing CAs for IGTF server and IGTF personal certificates.
DavidG notes that one problem is the naming for personal certs - likely to need the full character set.
They will address these technical issues during the implementation phase.

2. OCSP guidance

DavidG asks how many people have made progress on this since the Rome meeting. No one. This was not discussed in the recent TAGPMA meeting either.
DavidG shows the two current documents. These are still on the wiki as they are not yet finalised:
https://wiki.eugridpma.org/Main/OCSPProfileForIGTFCAs
https://wiki.eugridpma.org/Main/OCSPDeploymentGuidelines
DavidG: do the technical guidelines for the light-weight OCSP make sense, or is it better to run a full-service responder? Comodo is running a light-weight OCSP. Digicert does the same - mainly driven by Facebook load.
Nobody has anything to report. The new CA structure in France? Jean-Francois is not sure of the status.
The browsers now all support OCSP by default (in Chrome it has to be turned on), but only if the OCSP responder URL (the AIA extension) is present in the certificate. EMI-3 now supports OCSP (but it needs to be turned on). There is no urgency for this.
We agree that we should test this for those CAs who have turned it on (e.g. TCS). We cannot really push for this while everyone is working on SHA-2, but in the meantime it would be good to do some testing in EGI.

3. Back to the LIVEAP discussion

https://wiki.eugridpma.org/Main/LiveAPSecuredInfra
We still need a good title. DavidG suggests IOTA (Identifier-Only Trust Assurance).
Now to the section on Operational Requirements. Discussion on whether we need an HSM operated in FIPS 140 level 3 mode, or whether level 2 is sufficient. New wording was agreed: it should be either level 3, or level 2 with compensatory auditing and physical controls.
Jens Jensen joins remotely.
Is there text in SLCS related to CRLs for EE certs with a 24-hour lifetime? Can't find it.

--- coffee time discussion ---
We like the title IOTA (Identifier-Only Trust Assurance); the wiki title has been updated to IOTA.

Alexandru Bobe joins remotely, followed shortly by Ursula Epting.
Back to the IOTA document. Publishing: do we need to require/support an RSS feed from CAs, e.g. for changes to the CP/CPS or even for new revocations? This is not mentioned in other profiles but could be useful.
IOTA V1 profile completed. The next step will be to share it with the other PMAs and discuss it at the IGTF All Hands.

4. Risk Assessment Team - communication challenge

Ursula is still having problems connecting to the Vidyo system.
DavidG explains the aim of checking the communication channels, with a response required within 24 hours. There are potential concerns with public exposure of response times in a commercial survey system. Perhaps Ursula could ask Jim Marsteller if we can still use the UIUC system?
Ursula cannot connect, so we move to another issue before lunch.

5. IPv6 readiness

RIPE-NCC has run out of IPv4 addresses. WLCG/HEPiX are working on IPv6 - CERN will run out of IPv4 addresses in 2014 and cannot get more.
IGTF CAs need to support downloads of CRLs from IPv6-only clients. FZU runs an IPv6 CRL monitor. Only 22 CAs support a working IPv6 CRL download. 4 CAs have an AAAA record but the HTTP GET fails.
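The three states the monitor results above distinguish (no AAAA record, AAAA record present but the GET fails, working IPv6 CRL download) are easy to reproduce for your own CA before the questionnaire arrives. The following Python check is an added example; it is not the FZU monitor or any EUGridPMA/IGTF tool. It resolves only AF_INET6 so that an A record does not mask a missing AAAA, connects to the IPv6 literal with an explicit Host header so virtual hosting on the CA web server still works, and treats a 200 response whose body does not look like a DER or PEM CRL as a separate failure (for example a captive HTML placeholder served over v6). It assumes CRL distribution points are plain http URLs, which is the norm because the CRL is itself signed. The resolver and fetcher are injectable; the host names, addresses and CRL bytes used with the fakes are constructed for illustration.

```python
"""IPv6-only CRL reachability check (added example, not an EUGridPMA tool)."""
import socket
import sys
import http.client
from urllib.parse import urlparse

NO_AAAA = "no-aaaa"                    # only an A record (or nothing) for the CRL host
AAAA_GET_FAILS = "aaaa-but-get-fails"  # v6 address published but connect/HTTP fails
NOT_A_CRL = "aaaa-but-body-not-a-crl"  # v6 answers, but the body is not a CRL
OK = "ipv6-crl-ok"


def resolve_aaaa(host):
    """IPv6 addresses for host; AF_INET6 only, so an A record does not count."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_over_ipv6(url, addr, timeout=10):
    """HTTP GET of url via the IPv6 literal addr. Returns (status, body).

    Raises OSError on connection failure; the caller maps that to AAAA_GET_FAILS.
    """
    u = urlparse(url)
    if u.scheme != "http":
        raise ValueError("CRL distribution points are expected to be plain http")
    target = u.path or "/"
    if u.query:
        target += "?" + u.query
    conn = http.client.HTTPConnection(addr, u.port or 80, timeout=timeout)
    # Explicit Host header: the CA may be a virtual host on a shared web server.
    conn.request("GET", target, headers={"Host": u.hostname})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def looks_like_crl(body):
    """Cheap shape check: DER starts with a SEQUENCE tag, PEM with the CRL armour."""
    return (len(body) > 2 and body[0] == 0x30) or body.startswith(b"-----BEGIN X509 CRL-----")


def classify(crl_url, resolver=resolve_aaaa, fetcher=fetch_over_ipv6):
    """Return (state, ipv6_address_used_or_None) for one CRL URL."""
    addrs = resolver(urlparse(crl_url).hostname)
    if not addrs:
        return NO_AAAA, None
    served_non_crl = None
    for addr in addrs:
        try:
            status, body = fetcher(crl_url, addr)
        except OSError:
            continue  # try the next AAAA address, if any
        if status == 200 and looks_like_crl(body):
            return OK, addr
        if status == 200:
            served_non_crl = addr
    if served_non_crl is not None:
        return NOT_A_CRL, served_non_crl
    return AAAA_GET_FAILS, addrs[0]


def report(crl_urls, resolver=resolve_aaaa, fetcher=fetch_over_ipv6):
    """Map each CRL URL to its state; the counts are what the monitor summarises."""
    return {url: classify(url, resolver, fetcher)[0] for url in crl_urls}


if __name__ == "__main__":
    # Usage: python ipv6_crl_check.py http://crl.example.org/ca.crl ...
    for url, state in report(sys.argv[1:]).items():
        print(f"{state:28s} {url}")
```

Run it against the CRL URLs from your own CA's distribution points from an IPv6-capable host; a host with no IPv6 route at all will report every AAAA-bearing URL as failing, so check `ip -6 route` first.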
We need to issue a questionnaire to all EUGridPMA CAs:
a. Is IPv6 available at your site?
b. If not, what are the plans/timescale for IPv6 support?
c. What is the status of, or what are the plans for, general IPv6 access to the CA (web site etc.)?

6. Back to the IGTF RAT

Ursula says she needs to discuss with the members of the IGTF-RAT list and then do the challenge.
DavidG goes through the membership of the list. Adds Ursula. Asks for more volunteers.

---- break for lunch and tour around the University museums -----

7. Guidelines on the operations of trusted credential stores

Started from the AA guideline and removed the AA-specific material. See https://wiki.eugridpma.org/Main/CredStoreOperationsGuideline
Do we need a credential store service operator like we have an AASP? Answer: no, AASPs are different.
Discussion about credential store naming - required if the CS is generating credentials. We do not need RP obligations.
On to Operational Requirements... Lots of changes to the wording. One issue: how much do we specify security best practice for locking down a CS, or do we just refer to some standard best-practice description?

----- coffee break -----

8. Cosmin - announcement of the next EUGridPMA meeting in Bucharest

See slides. 9-11 Sep 2013. ROSA - the Romanian Space Agency - will host/sponsor the event.

9. Back to the CS Guidelines

Refer to the ISSEG best practice and training documentation. Then clear up the AA-specific text from the rest of the document.
Are the audit requirements too restrictive? Talk tomorrow about a statement of compliance or accreditation.

Meeting ends at 17:15
----