Dear EUGridPMA and IGTF members,

The 32nd EUGridPMA meeting is now over, and I would like to take this opportunity to again thank Pawel and Agnieszka for hosting us in Poznan. The hospitality definitely encouraged trust building; the remote participants and those who were not there will just have to guess at the results thereof. But some of the key outcomes of the meeting itself are summarized here in this note.

Consolidated minutes of the meeting and the notes kindly taken by David Kelsey are to be provided on-line, alongside my own notes, but meanwhile I would like to share with you a few of the highlights of the meeting and draw your attention to a few action items that will concern you all. Send corrections and omissions if you spot them, since these have been taken from my own scribbles and memory.

Subsequent meetings will be:

- Berlin, Germany, January 12-14 2015, hosted by Reimer and DFN at the DFN offices on Alexanderplatz (in the city centre). REMEMBER to book your accommodation early because of the Berlin Fair.
- October 20-22, TAGPMA meeting in Valparaiso.

Dates for the May 2015 meeting will be agreed shortly. I'm indebted to Anders Waananen who kindly volunteered to host it in Copenhagen, Denmark!

See all of you in Berlin, or at any of the upcoming meetings of the IGTF or elsewhere. Slides with background of the Poznan meeting are attached to the agenda pages at !

Best regards, DavidG.
Subjects discussed and listed below
-----------------------------------
- Update to naming in Approved Robot Guidelines
- AARC and the pan-European AAI in the next two years
- Generalized IGTF Levels of Authentication Assurance
- On-line CA Architectures Guidelines document
- Registration Practice Statement
- xSIM - Identity Management for Virtual Organizations
- Auditing, accreditation, and compliance
- SWITCH/QuoVadis membership status change
- Miscellaneous topics

All presentations are available on the agenda page:
http://www.eugridpma.org/agenda/32
Please review these as well, as a complement to this brief summary. Much information is contained therein and not repeated here. I also apologize for any omissions and misrepresentations - this summary is taken mostly from memory and scribbles (and the scribbles will be posted on-line later).

Update to naming in Approved Robot Guideline
--------------------------------------------
The naming of Robot certificates will also permit the use of a FQDN as a recognisable, and contactable, identifier in the subject name. Additional controls to ensure the robot owner/operator can be contacted are required, so as to facilitate the work of the incident response teams. Specifically, the new version adds as a possibility:

"the validated fully-qualified domain name of the system from which the robot shall be solely operating. The RA SHALL ensure that the requester is appropriately authorized by the owner of the associated FQDN or the responsible administrator of the machine to use the FQDN identifier asserted in the certificate. In this case the CA SHOULD have a facility to obtain at least the contact information contained in the public certificate about the owner of the FQDN based on the subject name of the certificate to any requester."

This revision now goes for endorsement by the other PMAs.
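As an added illustration of the contact lookup the guideline asks the CA to support (example code written for this summary, not from the EUGridPMA, the guideline or any CA), the following extracts the FQDN identifier from a Robot subject name and resolves it against a registry. It assumes an RFC 4514 subject string, a CN of the form "Robot: <fqdn>" with an optional " - <free text>" suffix, and a constructed contact registry standing in for the CA's facility; none of these come from the guideline text above.

```python
"""Locate the operator of an IGTF Robot certificate from its subject name.

Assumptions (not from the guideline): the subject is an RFC 4514 DN string,
the Robot CN reads "Robot: <fqdn>" optionally followed by " - <free text>",
and CONTACTS is constructed sample data standing in for the CA's lookup.
"""
import re
from typing import List, Optional, Tuple

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")


def is_fqdn(name: str) -> bool:
    """True for a syntactically valid fully-qualified domain name."""
    return 0 < len(name) <= 253 and _FQDN_RE.match(name) is not None


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute, value) pairs; honours '\\,' escapes."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip(), value.replace("\\,", ",")))
    return rdns


def robot_fqdn(dn: str) -> Optional[str]:
    """Return the FQDN identifier from a Robot CN, or None when the CN does not
    carry a well-formed FQDN (a personal-name robot, or a non-robot subject)."""
    for attr, value in parse_dn(dn):
        if attr.upper() == "CN" and value.startswith("Robot:"):
            ident = value[len("Robot:"):].strip().split(" - ", 1)[0].strip()
            return ident.lower() if is_fqdn(ident) else None
    return None


# Constructed sample registry keyed by FQDN, as an RA might record at vetting time.
CONTACTS = {
    "batch01.example.org": "grid-ops@example.org",
}


def contact_for(dn: str, registry=CONTACTS) -> Optional[str]:
    """Resolve the responsible contact for a Robot certificate subject."""
    fqdn = robot_fqdn(dn)
    return registry.get(fqdn) if fqdn else None
```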
AARC and the pan-European AAI in the next two years
---------------------------------------------------
The AAI landscape in Europe (and around the world!) is changing, and dedicated efforts are under way to make this AAI more effective for research communities (and educators, students and libraries). This involves enhancements to policies and policy negotiation mechanisms, and development of an architecture that should support attribute aggregation, multiple attribute authorities, and many sources of identity that work together to provide a collective experience. The consortium proposing AARC, explicitly aiming to engage with the R&E community and existing coordination groups, will work to address these issues over the next two years. Look at the presentation for a first glimpse of where this might bring us! Your comments and input will be welcome - we hope to start in earnest by Q2 2015, but of course all current efforts continue.

Generalized IGTF Levels of Authentication Assurance
---------------------------------------------------
The LoA generalization process aims to extract those elements from the IGTF APs that are of general value to the community well beyond PKI. This has not always been clear from the AP documents, since they have both LoA elements and PKI implementation requirements combined in a single document. But the APs, and now these LoAs, actually encode the consensus of acceptable levels for our major relying parties, and are designed such that they also balance the 'cost' or 'do-ability' for our identity providers. In a PKI context, these LoA levels may also be referenced from the APs (although the CA trust anchor distribution and the accreditation of authorities using a specific technology will always combine the LoAs with requirements on issuing technology and implementation). But, e.g., the MICS AP could well state "Comply with BIRCH, and implement it within the following PKI constraints". The exact model is open for future discussion.
In preparation for the Poznan meeting, the material differences between ASPEN and BIRCH as drafted at the TAGPMA meeting have been identified. These were actually very minor by now (both APs have been edited enough so as to make them quite close). Since many requirements are common to both LoA levels, it makes sense to have a single document with the differences expressed through tables for the different levels.

The Classic AP profile was similarly analysed and the LoA generic elements extracted from it. These have been added to version 02 (IGTF-LoA-authN-set-20140908-v02), which is now available on the IGTF member Wiki
https://wiki.eugridpma.org/Members/LoAandAPDocumentLinks
along with the set of differences compared to the (merged) levels identified in Lehi.

In the meeting it was considered likely that BIRCH and CEDAR could be merged (into BIRCH), since MICS and Classic are similar in the material assurance level provided. Where LoA elements have been identified in Classic that were deemed generally applicable to ASPEN (SLCS) and BIRCH (MICS), these have been added to the general text. The LoA elements identified in the Classic profile are marked in purple in the attached (v5 draft) of the Classic AP:
https://wiki.eugridpma.org/pub/Members/LoAandAPDocumentLinks/IGTF-AP-classic-4-4-LoA-5BETA.doc

On-line CA Architectures Guidelines document
--------------------------------------------
The Guidelines for On-line PKI Certification Authorities was completed, and encodes the current requirements and best practices for establishing and operating an on-line CA architecture. It also addresses the best common practice found today in large-scale and publicly trusted CAs.
http://wiki.eugridpma.org/Main/GuidelinesForOnLineCAs
It is by now good practice that the key generation is done in a documented ceremony (to prevent technology lock-in to a specific HSM), although generation inside the HSM is obviously allowed.
We invite the other PMAs to endorse this document, which will soon be formatted as an official Guideline and publicly posted.

The Registration Practice Statement
-----------------------------------
Communities in practice seem to have a life cycle longer than many of the (project or research-organisation funded) issuing authorities that they use. This has been the case for Open Science Grid and the Austrian community, and is likely to happen often. In practice, these communities seek a new issuing CA, but the underlying registration and identity vetting practices remain the same. The RPS is the document codifying the registration practices for a community, and is as such a subordinate document of the CPS. It should also be formatted that way (i.e. be in RFC3647 format):

"“a PKI can establish a set of core documents (with a CP, CPS, subscriber agreement, and relying party agreement) all having the same structure and ordering of topics, thereby facilitating comparisons and mappings among these documents and among the corresponding documents of other PKIs.” An RPS can be considered as a subordinate document to the CPS."

Scott Rea from DigiCert and the TAGPMA extracted the relevant sections of RFC3647 and drafted the first version of an RPS template that would be usable within the IGTF:
https://docs.google.com/document/d/1REvvAuUQ-J0-aYALDqGtBE_gkb0Ap8snWcsnTWPGnqI
(this is the version before discussion in Poznan)

Extracting the persistent elements of registration (done by the distributed RA community itself) from the CPS of the CA may make the process more transparent and 'simpler' (at least for the community involved). Of course there are scaling issues that may lead to unwanted workload: communities and RPSes should likely not be accredited independently, but always be seen in conjunction with an accredited CA. The issuing CA is anyway the actual responsible entity for whatever happens, and has to guard the integrity of the CP->CPS->RPS document set.
But it can also make it easier for reviewing if the RPS has already been seen once (with the first CA) and is then used as-is with a new CA if the community migrates. Worries about scaling should be addressed (especially if a PMA were to consider accrediting RPS statements and having communities as members that way -- but note that such a status is NOT foreseen and was NOT endorsed by the meeting).

The RPS would be valuable now (had it been complete) for the AusCert use case, and it may be useful also in the short term for UKeScience/JANET. And there may be more use cases ...

The latest edited version will be posted in Google Docs (TAGPMA) shortly.

xSIM - Identity Management for Virtual Organizations
----------------------------------------------------
The trust relationships between relying parties, users, and communities (VOs) are changing rapidly. The xSIM project, presented by Bob Cowles, clearly shows that the underlying trust models themselves are changing, and mediated and transitive trust are on the increase. The presentation at
http://agenda.nikhef.nl/materialDisplay.py?contribId=11&materialId=slides&confId=2926
has all the details!

Auditing, accreditation, and compliance
---------------------------------------
* The NorduGrid CA will re-key its root/issuing CA. Although migration to TCS is planned, it came to a sudden halt in Denmark when some organisation got stuck in the federation link between ADFS and the federation because of bugs in ADFS in Windows Server 2013 patch level 2. The new CA will be 2048 bits, and fully compliant with the new specs again.
* KENET revised the CA architecture and decided on the use of EJBCA. This should make it easier to deploy a secure CA. Details of the new CA setup and CP/CPS will be worked out with the reviewers, but technical input on EJBCA and on how to make an effective split between a 'front-end' server and a back-end system-with-HSM or an off-line system is very welcome! This is not trivial with EJBCA.
* TERENA TCS will change its back-end certificate provider, which is also the best time to update the intermediate chain and move to SHA-2. The model (TERENA is the organisation representing and accrediting the CA) will stay the same. The updates will however be major enough to at least warrant a dedicated look at the new CP/CPS by the PMA. This will then also serve as the (overdue) self-assessment. The name space assigned to TCS will remain the same, so the change should be fully transparent to the end-users! Additional details were kindly provided live by our new TCS issuing CA provider during the meeting.
* Self-audits of BG.ACAD and the AustrianGrid CA were presented. The AustrianGrid CA will likely extend the current certificate life time for a limited period whilst the migration to an on-line CA proceeds.

SWITCH/QuoVadis membership status change
----------------------------------------
QuoVadis, in consultation with SWITCH, presented the current status and plans for the Grid ICA that currently supports the SWITCH community. This Classic CA will also be the ICA for new communities, with AusCert (AU) being the second user of the system soon. It was therefore agreed in the meeting that the representative organisation for SWITCH-QV will change from SWITCH to QuoVadis. This change does not affect the accreditation status, but will affect who is responsible for the self-audits and presentation of changes to the policy and practices. The Grid ICA was certified by E&Y following the WebTrust criteria; a peer-reviewed self-audit following GFD.169 is coming soon. A likely update to the CP/CPS will follow if the AusCert vetting processes necessitate a change in the registration practices. A future MICS CA (with accompanying ICA) may be added at a later date. We welcome QuoVadis as a direct member of the EUGridPMA.
As a result of this change, the trust anchor naming in the IGTF Distribution will change (from "SWITCH-QuoVadis-Grid-ICA" to "QuoVadis-Grid-ICA"), which technically means a package addition and obsoletion. This change will be effective in the next release.

Miscellaneous topics
--------------------
- For future meetings (September 2015 and beyond) we may consider co-locating with other identity management events. In particular, events organised by or having a large AARC attendance may be interesting. It may also attract more communities and relying parties, and help harmonization with like-minded groups.
- Self-audit reviewers are kindly asked to pay attention to Kaspars' reminders regarding the reviews. The summer holidays were not very beneficial for progress in this area.