Dear EUGridPMA and IGTF members,

The 31st EUGridPMA meeting is now over, and I would like to take this opportunity to again thank Piiu Pilt, Hardi Teder, and the whole team at EEnet for hosting us in Tartu. Those of us who were there will fondly remember the many trust building opportunities - and the rest will just have to guess at the results thereof. But some of the key outcomes are summarized here in this note.

Consolidated minutes of the meeting and the notes kindly taken by Cosmin are to be provided later on, but meanwhile I would like to share with you a few of the highlights of the meeting and draw your attention to a few action items that will concern you all. Send corrections and omissions if you spot them, since these have been taken from my own scribbles and memory.

Subsequent meetings will be:
- Poznan, Poland, September 8-10 2014, hosted by Pawel and the PolishGrid CA at PSNC
- Berlin, Germany, January 12-14 2015, hosted by Reimer and DFN at the DFN offices in the city centre

See all of you in Poznan, Berlin, or at the upcoming TAGPMA meeting in Lehi, Utah, USA, hosted by DigiCert. Slides with background of the Poznan meeting are attached to the agenda pages at !

Best regards,
DavidG.

Subjects discussed and listed below
-----------------------------------
- IGTF repositioning and new byline
- Generalised MICS profile
- Private Key Protection Guidelines v2.0
- RAT communications challenge
- Heartbleed
- SHA-2 readiness
- Trust, ID management and CAs in sub-Saharan Africa
- SANREN eScience CA and KENET accreditation
- GRENA-TSA CA (Georgia) accreditation
- On-line CA Architectures Guideline document
- Auditing and compliance
- Miscellaneous topics and Soapbox

All presentations are available on the agenda page: http://www.eugridpma.org/agenda/31 - please review these as well as a complement to this brief summary. Much information is contained therein and not repeated here.
I also apologize for any omissions and misrepresentations - this summary is taken mostly from memory and scribbles (and the scribbles will be posted on-line later).

IGTF repositioning and new byline
---------------------------------
With the concurrence of the APGridPMA, and pending endorsement by TAGPMA, the IGTF will henceforth be known as the "Interoperable Global Trust Federation (IGTF)", and will use the by-line "supporting distributed IT infrastructures for research"*. The new name and byline better reflect what the IGTF is actually about: building trust at a global level, focussing not on the technology but on getting agreement amongst relying parties and authorities on how best to implement the trust assurance required to operate large distributed infrastructures for global research.

The revised charter now says: "The IGTF –through its members– develops guidance, coordinates requirements, and harmonizes assurance levels, for the purpose of supporting trust between distributed IT infrastructures for research. This goal is accomplished by the members of the IGTF through coordination of providers of trust information (authorities) and consumers thereof (relying parties) and by adoption of common standards, minimum requirements, and best practices for policy, technical security, and operational trust."

In this, the IGTF complements the work of other groups such as REFEDS, FIM4R, and SCI, and the activities of GEANT and future AAI activities. Sharing a common aim, we should work together closely with all of these to prevent unfortunate overlaps, but at the same time ensure that no gaps open that leave researchers out 'in the cold' and unable to get their science done. We will thus also talk about the IGTF using the new name, byline, and mission statement in e.g. the AAI BoF at TNC2014. One of the aims for the coming period is to find out how all groups can best complement each other**!
The new Federation Document (v2.0-02) draft is available on the Wiki with track changes (https://wiki.eugridpma.org/Members/IGTFFederationDocument) and in consolidated form at: https://www.igtf.net/doc/IGTF-Federation-2.pdf

Please review the new version (and the changes) - I hope that we can converge to a final version at the TAGPMA meeting in June!

The IGTF web site has also been updated to reflect the new mission and scope. It now also incorporates all the suggestions made in the Abingdon meeting*** but is still lacking member input. Especially if you have material (press releases, journal articles, interviews and public lectures) that aligns with the repositioned IGTF, you are urged to send it for inclusion as a reference on the IGTF web page http://www.igtf.net/press/. Send them (with a one-line description of the relation to the IGTF please) to please!

*** ACTION on all members is to collect interesting public articles and papers &c for use in the "About" section. Please! All other text is also welcome; DavidG will merge everything into the site.

----
*) Although the word "research" appears in the by-line, this is not to be construed as an exclusive demarcation for the participating authorities, i.e. they are of course free to also serve other constituencies such as education or the public and private sectors.
**) Although the IGTF mission is now broad enough to provide a 'home' to SCI, we of course leave this fully up to the SCI participants to decide. The operational security focus added to SCI is unique and not traditionally part of the IGTF scope.
***) See https://www.eugridpma.org/meetings/2014-01/summary-eugridpma-2014-01-abingdon.txt

Generalised MICS profile
------------------------
In line with the new IGTF byline, it would be beneficial to 'generalise' the current MICS profile and turn it into a pure LoA document describing the requirements on identity authorities (IdPs or CAs) given the needs of the relying parties and SPs.
Since the MICS is the closest one to the current federation model, it is the appropriate starting place. Unfortunately, the PMA meeting at this point ran out of time, so the details are deferred to the next meeting. In particular, we would like to ask the TAGPMA (the 'hosts' of the MICS profile) to consider this discussion for the next TAGPMA meeting in Lehi.

The generalisation would imply:
- removal of the PKI-specific bits of the text
- recasting it as a 'Level of Identity Assurance' text, representing the coordinated (harmonized) consensus of the relying party expectations and requirements
- being complementary to (and not overlapping with) the SCI requirements

This will then complement the (lower) IOTA level, which is already almost technology-agnostic.

PS: the classic profile would be a good start for a catch-all service (DG).

Private Key Protection Life cycle
---------------------------------
The (last) final changes were made to the private key protection guidelines document http://wiki.eugridpma.org/Main/PrivateKeyProtectionLifeCycle

It supports all the use cases currently permitted under the PKP guidelines version 1.1, but it better reflects the key life cycles and clarifies the roles of the participants. With respect to the Abingdon version, it was made explicit that the key for (managed and user-held) soft tokens should not be kept past 24 hours of inactivity -- it was not yet sufficiently clear that keys in active use could remain activated as long as operationally needed.

This new version will now be formatted in the guidelines template and published. The other PMAs are hereby invited to endorse this document.

RAT Communications Challenge
----------------------------
Those authorities that missed the first 2013 RAT Communications Challenge or responded outside of the permitted time window have been re-challenged. The updated contact information improved the response, and afterwards several issues with the response mailboxes were identified and fixed.
Those very few CAs that did not respond to the final challenge and have not yet mitigated the communications issues will be contacted personally. Although there is no current intention to suspend unresponsive CAs, the PMA emphasised that we need responsive CAs in all cases, and that the RAT challenge should be treated with priority.

There will be a new regular challenge towards the end of the year, in which the current state of SHA-2 migration and key length will also be included as questions (to implicitly assess the 2048-bit key and SHA-2 readiness).

Heartbleeding
-------------
In general, the CAs have seen an amazingly LOW number of revocation requests after the infamous Heartbleed vulnerability. Of course, OpenSSL only affects a subset of the subscribers, and then only server SSL is really exploitable, but still some CAs did not receive more than a handful. The operational readiness of the CAs was increased once the vulnerability was known, and the RPs were happy with the quick service received. We hope/expect that the OpenSSL vulnerability disclosure process will improve in the future as well.

Now, should the IGTF authorities have an increased operational capability?
- there is quiet consensus that the authorities are willing to work operationally with the CSIRT teams to get issues resolved quickly (the IGTF typically sees a 'different side' of the issue, and has other ways to contact the subscribers)
- sharing testing tools proactively on the mailing lists is encouraged. These will not be publicly shared but remain within the IGTF trust circle.
- we will use the Wiki (PMA member access only!) to share such tools and restricted information
- the IGTF can also scan itself -- some infrastructures (EUDAT) may never have a scanner from the RP side
- message templates for subscribers can also be shared (again on the Wiki)

If the IGTF authorities take action, this may of course affect the results of other tests (like the EGI CSIRT ones).
In those cases, the CRL may have to be disregarded when running these tests ;-) The IGTF RAT can and should take a more pro-active role herein.

SHA-2 readiness
---------------
Many CAs have migrated to SHA-2 already, and there are no known issues that should prevent any CA from migrating. A move to SHA-2 is a minor change that does not in itself necessitate reassessment of a new CP/CPS by the PMA (we want this change to happen). Note that e.g. guidance from Microsoft on root CA inclusion in their OS trust stores requires the use of SHA-2 as of mid-2016. We may see adverse effects of remaining with SHA-1 some time later, just as today short key lengths and MD5 are no longer supported by modern OS versions...

Trust, ID management and CAs in sub-Saharan Africa
--------------------------------------------------
Rapid growth in research activities in sub-Saharan Africa is spawning a lot of new work in research networking, e-Infrastructures, and also in the establishment of identity federations and R&E PKIs. With the active support of projects like eI4Africa and CHAIN-REDS, and the ongoing activities of the UbuntuNet Alliance, ASREN, and WACREN, these rapid developments are now spawning a lot of new CAs (and thus accreditations). This is very timely given the large number of new science projects like SKA, which spans almost the whole African continent.

The presentation by Bruce Becker of SANREN http://agenda.nikhef.nl/materialDisplay.py?contribId=18&materialId=slides&confId=2866 gives an overview of this large number of activities.

This activity (and the size of the continent and number of prospective authorities and projects in Africa) in itself merits the thought of establishing a dedicated PMA for Africa in the future, with preliminary actions to that effect mirroring the developments in the Americas with a dedicated 'chapter' (in TAGPMA conducted in Spanish).
There is in the PMA quite wide support for an African PMA after the activities have been 'bootstrapped' and sufficient experience built up in the region to sustain the (effort intensive) review and accreditation processes. In the meantime, we should encourage good interaction between all PMA members, and explore some collaboration models:
- a dedicated set of meetings or meeting schedules for the African CAs
- more videoconference meetings, with two co-scheduled rooms: one in Europe and one in Africa, where the two rooms are interlinked by video
- a dedicated coordinator for activities in Africa to ensure momentum is maintained

All the actions above should also be accompanied by a firm time line, to ensure results are obtained and the process does not bog down. For example, once 5 new CAs have gone through the process and are accredited (and supported by the existing experienced CAs in Africa like those in Morocco), it may be timely to establish either a formal 'chapter' or a new PMA. Having a 'catch-all' service in some cases is actually detrimental to progress, since it takes away the urgency of setting up national or regional authorities.

At the moment, CA accreditation requests are pending for South Africa, Kenya, and Tanzania. More are to come ... The concept of having in the future (2 years or so) an identifiable African presence in the IGTF is supported by the EUGridPMA. Welcome all!

SANREN eScience CA and KENET accreditation
------------------------------------------
The revised SAGrid CP/CPS was presented over video by Bruce, and it incorporates the new CA issuing system and architecture using software which is shared with many of the new CAs in UbuntuNet Alliance countries. Some issues were identified and will be followed up by the reviewers. Since the software is common, the same issues also affect the KENET CA that was presented in person by Ronald.
To make it simpler to establish secure on-line CAs in the future, the design of the NIIF CA (RPis and L2/L3 USB tokens) was encouraged, since this is very low cost and still secure. For the time being, the CAs will be fully off-line systems, and it was emphasized that 'virtualising' systems merely adds risks and attack vectors - certainly signing machines will be fully off-line and in a secure location. All new CAs can also immediately use SHA-256/512 and must use 2048 bit RSA keys. As always, domainComponent naming is preferred, as well as RFC3647.

Given the size of the countries, a distributed endorsement model for RAs and subscribers, like the ones currently in use in Brazil and Turkey using notaries-public, is very suitable for South Africa. The role of the notary public can also be taken on by pre-vetted institutional contact persons of SANREN, who have anyway been identified F2F and are already responsible for verifying organisational eligibility. They are not usually considered RAs (having a mainly admin role in the organisation), but are trusted and can take on the role of validating documents for the RAs and subscribers. This allows better scalability in a trusted way.

Details will be followed up by the reviewers:
- SAGrid/SANREN: Roberto Cecchini, Willy Weisz, and Jens Jensen
- KENET: Willy Weisz and Marc Turpin

Target completion date for the accreditation is September 2014. In some cases a test version of the CA can be distributed under the 'unaccredited' part of the distribution.

A generalised template (without actual content and in the new format) for new CAs will be developed by Bruce for use with the future African CAs. This is to ensure no old content is inadvertently left in the new CP/CPS documents.

As a result of the discussion, it was agreed that new assessment spreadsheets, based on those used by TAGPMA, would be made more readily available. At the moment these are not easily found on the web.
The IGTF member resources page is the obvious location to refer to them (and host them on a wiki). This will be done by DavidG.

GRENA-TSA CA (Georgia) accreditation
------------------------------------
The new CA for Georgia, hosted by GRENA at TSU, was presented in person following initial review of the CP/CPS off-line. Some remaining details (domainComponent naming, 2048-bit EEC keys and a SHA-2 CA cert) will be addressed in the final version, and the proposed practices brought more in line with community custom (in particular a less intensive backup archival schedule ;-)

From here:
- a new CP/CPS will be produced and the reviewers (Jens and Roberto) will check it one last time and then we're all happy
- the final CP/CPS will be sent to the list for a 2-week comment period
- the CA will then be included in the distribution

The entire process can be completed electronically from now on. We thank Temur and Mikheil for presenting it here.

On-line CA Architectures Guideline document
-------------------------------------------
The on-line CA guidelines document was not discussed due to lack of time, but everyone is encouraged to review the draft available at https://wiki.eugridpma.org/Main/GuidelinesForOnLineCAs

If access to the Wiki is not possible, please send your DN to the EUGridPMA operations folk (operations@eugridpma.org) to get your account activated on the Wiki. Read-only access (through plain http) is open to the whole world.

Auditing and compliance
-----------------------
Self-audits for the next meeting are requested from SRCE (Emir) and BYGrid (Serge). Consistent and long-term video attendance during full meetings also resets the attendance clock. We laud those attendees who sat through the entire Tartu meeting remotely!
The self-audits of the CAs that presented in Tartu will be reviewed -- there were no critical issues identified in any of PolishGrid (peer reviewers: Nabil and DavidG), MAGrid (reviewers: Pawel and DavidG), the CESNET CA (reviewers: DaveK & DavidG), and IRGrid (reviewers: Emir & Kaspars). The self-audits were - as always - viewed as thorough and complete.

The currently pending peer reviews are being tracked by Kaspars, and reviewers in need of reminders will get those from Kaspars or DavidG. Kaspars kindly agreed to act as self-audit guardian also in the coming time.

The JUnet CA has been suspended since November 2013, and no communication has occurred since (there were no complaints about being suspended). We remain interested in the state of affairs in Jordan and - dependent on the reasons that caused the suspension - will consider which procedures are applicable to lift the suspension only after we know the reasons for the current suspension. We continue to have hope that renewed activity inside ASREN will encourage activities inside Jordan.

Those CAs still (for some legacy reason) issuing end-entity certificates based on 1024 bit RSA key pairs are urged to change immediately to requiring at least 2048 bit key pairs.

Miscellaneous topics
--------------------
- DavidG got re-elected as the EUGridPMA chair for another year (till May 2015, session led by David Kelsey)
- Kaspars Krampis agreed to continue as coordinator of the self-audit review progress monitoring, which is much appreciated.
- Jens' Soap Box slides are available on-line. Read through these as they contain some nice ideas ...
- attendance and self-audit review status has been reflected on the internal membership list pages
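As an added example (not code from the IGTF, any PMA, or any CA mentioned above), a stdlib-only check of the two readiness points raised in the SHA-2 section and in the 2048-bit key requirement: it walks a DER-encoded certificate, reads the signature algorithm OID and the RSA modulus length, and flags SHA-1 signatures and keys shorter than 2048 bits. The function names are hypothetical, and the sample certificate skeleton built by sample_cert is constructed in the block (unsigned, with empty names), not a real CA certificate.

```python
# Added example (not IGTF or CA code): a stdlib-only DER walker that reports a
# certificate's signature hash and RSA key length. The sample cert is constructed.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSA", "1.2.840.113549.1.1.11": "sha256WithRSA",
            "1.2.840.113549.1.1.13": "sha512WithRSA"}      # PKCS#1 signature algorithm OIDs

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                    # (tag, value) children of a constructed value
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: parts.append(acc); acc = 0
    return ".".join(map(str, parts))

def check_certificate(der):
    """Return (signature_name, rsa_bits, sha2_ok, keylen_ok) for a DER X.509 cert."""
    tbs, sig_alg, _ = der_children(der_read(der)[1])
    sig_name = SIG_OIDS.get(decode_oid(der_children(sig_alg[1])[0][1]), "unknown")
    fields = der_children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip explicit [0] version
    spki = fields[5]                        # serial, sigAlg, issuer, validity, subject, SPKI
    pub = der_children(spki[1])[1][1][1:]   # BIT STRING content, minus unused-bits byte
    modulus = der_children(der_read(pub)[1])[0][1]   # RSAPublicKey ::= SEQUENCE { n, e }
    bits = int.from_bytes(modulus, "big", signed=True).bit_length()
    return sig_name, bits, sig_name.startswith(("sha256", "sha512")), bits >= 2048

def tlv(tag, content):                      # minimal DER encoder, for the sample only
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def sample_cert(sig_oid_last, key_bits):    # constructed, unsigned skeleton: test input only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([sig_oid_last])) + b"\x05\x00")
    mod = tlv(0x02, ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8 + 1, "big"))
    key = tlv(0x03, b"\x00" + tlv(0x30, mod + tlv(0x02, b"\x01\x00\x01")))
    spki = tlv(0x30, tlv(0x30, bytes.fromhex("06092a864886f70d0101010500")) + key)
    empty = tlv(0x30, b"")                  # stands in for issuer, validity, subject
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + empty * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

On a real certificate, pass the DER bytes of the CA or end-entity certificate (e.g. the output of openssl x509 -outform DER) to check_certificate; a False in either flag marks a CA that the year-end challenge questions would catch.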