33rd EUGridPMA Berlin meeting
Monday, 12 January 2015
Note taker: Jules Wolfrat

Welcome: David Groep

Agenda updates: Scott proposes to discuss the SHA-2 timeline.
Remote participation: Bulgaria, Slovakia, Spain, UK

• TAGPMA update
Speaker: Scott Rea (DigiCert)
See: https://indico.nikhef.nl/materialDisplay.py?contribId=2&materialId=slides&confId=57
Current chairs: Derek Simmel, Ale Stolk and Scott Rea (vice chair). The chair positions are open. A webmaster is also sought.
Two categories: authentication profiles and RPs.
14 classic CAs, 7 SLCS CAs.
New CAs: InCommon (classic) and CILogon-basic (IOTA).
NCAR and SDCS (both MICS) applications are on hold.
The self-audit process should be improved.
The web site will be updated.
Monthly video conferences; the Spanish chapter has its own timeslot.
Attendance at meetings is tracked.

• Report-out from the self-audit review and status of suspended authorities
See https://wiki.eugridpma.org/Members/SelfAuditStatus
David G: Kaspars Krampis (Latvia CA) won't be able to pursue the coordination, so a new volunteer is sought.
Status updates:
Moldova: done.
Bulgaria: in progress.
Austria: moved on 1 December 2014 to the new root CA. SHA-2 (512 key) signature used now. Will all SHA-1 certs be revoked by 1 February? David: not mandatory.
Iranian CA: migration to SHA-2 in progress. A new reviewer is needed; Paolo Tedesco volunteers.
Morocco: working on comments. Question: can a technical change be implemented before the corresponding change in the CP/CPS is accepted?
Poland: almost finalized.
UK eScience CA: the reviewers received the new CP/CPS document; Willy Weisz acknowledged receipt.
Portugal: almost done. The CP/CPS should mention the use of SHA-1/SHA-2.
Montenegro: no response yet from Christos Kanellopoulos.
Latvia: in hibernation state; only 5 active certs left. Will move to Baltic Grid and cease operations.
Spain: the new CP/CPS was sent last month.
Hungary: the new CP/CPS document for the new (Raspberry-based) CA has been sent.
Slovakia: success.
FYROM: no responses received lately. TAGPMA practice: if no responses are received, a CA is suspended and a letter is sent; if there is still no response, the CA is removed. David G will send a letter and make a phone call; without a response they will be removed. Later in the morning David G received a response from FYROM that action will be taken.
HIAST: in failed status; the CRL has been expired for a long time already.
A timeline is needed for suspension and removal of a CA, and also for checking contact details. What should be the timeline before starting suspension/removal? David G proposes 90 days. When does the period start? After the first warning; 30 days is proposed.
A volunteer is sought to oversee the status of CAs; a replacement for Kaspars Krampis is also needed. Cosmin Nistor (ROSA) offers to take up the role of overseeing the status of self-audits. David will do the escalation of non-responding CAs.
The Nagios monitor doesn't seem to be maintained anymore. The link will be removed from the public pages until its status is ok again.

• CA update I: PK-Grid (30')
Speaker: Adeel ur-Rehman (NCP)
See https://indico.nikhef.nl/getFile.py/access?contribId=5&resId=0&materialId=slides&confId=57
Scott: slide 5, about "The profile of the CA certificates must comply with the Grid Certificate Profile as defined by the Open Grid Forum GFD.125": GFD.225 should be referenced too as the future version (current draft).
Scott: slide 7, RFC 5280 is superseded by 6818; the reference should be updated in IGTF documents.
Volunteers for reviews: Nabil Talhaoui and Temur Maisuradze.
Scott: pair experienced reviewers with inexperienced reviewers, so as to expand the pool of reviewers.

• CA update II: CERN CA
Speaker: Paolo Tedesco (CERN)
The SHA-1 infrastructure is not used anymore. Can it just be removed? Yes.
For host certificate applications standard CERN authentication is proposed (not first having to get a personal certificate).
David G: can re-authentication be configured for particular sessions, e.g. when applying for host certificates?
Re-authentication is recommended for the MICS profile.
Host certificates are only issued to persons associated with the host system.
The proposal is to enable auto-enrolment of host certificates for the OpenStack environment based on the Kerberos credentials of the hosts. Questions about Kerberos credential generation: host names are administered; no hosts can be generated at will.
Willy: we need a policy for the re-use of a machine name. Basically it must be clear who is responsible for the machine that is getting a host certificate.
The CP/CPS should be based on the MICS profile (for historic reasons the CERN CA is still registered as a classic CA).
David G: is there a check on the names used for host names, e.g. "paypal" in the name? Not only for CERN, but in general there may be issues with the re-use of names, e.g. with different roles.
The CP/CPS must document the process of machine registration, specifically who is responsible.
Self-audit: CRL and OCSP are only updated immediately in case a cert may be compromised. No objections raised. The CP/CPS will be updated as a result of the self-audit.
Key usage: the extension is not marked critical. Paolo thinks that this cannot be changed easily. Scott and David G think that it can be done using the same key pair.
Reviewers: David Groep and Adeel-ur-Rehman Zafar. Scott volunteers to review the auto-enrolment part.

• Lunch

• Updates from the APGridPMA
Speaker: Eric Yen (ASGC)
See: https://indico.nikhef.nl/materialDisplay.py?contribId=3&materialId=slides&confId=57
David G: who goes to the IGTF all-hands in Taiwan? David Groep, David Kelsey and Bob Cowles raise hands.
Scott: are you seeing expansion of services? Eric: the number of CAs increased in the past six years, but is now decreasing because there is no use.
Scott: in TAGPMA a decrease is seen. How about EUGridPMA? David G: some CAs want to stop but can't. The number of personal certs is stable and the number of host certs is increasing.

• 1SCP for Automated Entities – naming update
Speaker: Dr. David Groep (Nikhef)
See: https://indico.nikhef.nl/materialDisplay.py?contribId=9&materialId=slides&confId=57
Discussion of some changes. Naming should be updated. Jens: drop the naming requirements because they are documented elsewhere. Done. New v3.0 will be distributed.

• Guidelines for on line

• Registration Practice Statement
Speaker: Scott Rea (DigiCert)
New version produced by TAGPMA and EUGridPMA. Sections 1 and 3 are discussed. An updated version has been uploaded to the agenda page: https://indico.nikhef.nl/materialDisplay.py?contribId=10&materialId=0&confId=57
Below are some notes about the discussed items.
Issue raised: how to deal with a namespace change, either of the community or of the CA? Based on the current document a community can plan a migration.
The RPS can replace the description of RA responsibilities in the CPS of the CA. CPS statements can supersede RPS statements. The CA also should accept the RPS.
Willy: can trusted agents also be individuals (1.3.5.1)? Scott: yes. Willy: this should be documented. John Kewley: Trusted Agent Administrator must be defined.
1.4: second sentence deleted.
1.4.2: should only mention that subscribers will be informed about the CA's prohibited uses.
1.3.2: updated.
1.5.3: Willy: only IGTF control is mentioned; additional controls are not mentioned. Scott: there may be additional ones, and these should be covered by the CA contract.
3.1.4: Willy: what is the use of ASN.1 here? GFD.225 will be referenced for accepted name information.
3.2.3: Jens: "personally known" is not a very strong requirement. Not mentioned in the classic IGTF profile. It is removed.
3.2.4: David G: not all information in the certificate has to be verified. John: only the CSR content may be verified. Willy: 3.2.4 may not be needed; it is covered already by the preceding content. The text is updated to be more specific on what is verified.
3.2.5: discussion on what the definition of Trusted Agent should be (see 1.3.5.1). What is the affiliation of the Trusted Agent with the RAN? 3.2.5 should be adjusted.
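The self-audit status items above (a CA whose CRL has been expired for a long time, the unmaintained Nagios monitor, the SHA-1 to SHA-2 migration) come down to checks a relying party can automate. The Go program below is an added example, not code from the EUGridPMA, the IGTF or any CA in these minutes: it builds a throw-away test CA and CRL as constructed data (Go 1.19 or later is assumed for x509.ParseRevocationList) and flags a CRL whose nextUpdate has passed or that is still signed with SHA-1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed-data helper short; production code would return the error.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// CheckCRL returns the findings a CA-status monitor would raise for one DER-encoded CRL:
// a SHA-1 signature (what the SHA-2 migration retires) or a nextUpdate that has already passed.
func CheckCRL(der []byte, now time.Time) ([]string, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	var findings []string
	switch crl.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "CRL signed with SHA-1 ("+crl.SignatureAlgorithm.String()+")")
	}
	if !now.Before(crl.NextUpdate) { // an RP must treat an expired CRL as having no CRL at all
		findings = append(findings, fmt.Sprintf("CRL expired: nextUpdate %s, %s ago",
			crl.NextUpdate.UTC().Format(time.RFC3339), now.Sub(crl.NextUpdate).Round(time.Hour)))
	}
	return findings, nil
}

// MakeTestCRL builds a throw-away self-signed CA and a CRL signed by it (constructed test data, not any real CA).
func MakeTestCRL(thisUpdate, nextUpdate time.Time) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: thisUpdate.Add(-24 * time.Hour), NotAfter: thisUpdate.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // a CA template gets its SubjectKeyId generated automatically
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required by CreateRevocationList
	issuer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	return must(x509.CreateRevocationList(rand.Reader, crl, issuer, key))
}

func main() {
	now := time.Now() // constructed CRL with nextUpdate 30 days in the past, like a neglected CA
	fmt.Println(must(CheckCRL(MakeTestCRL(now.Add(-60*24*time.Hour), now.Add(-30*24*time.Hour)), now)))
}
```

Fed the DER of a CA's published CRL, CheckCRL gives the same freshness and algorithm findings; verifying the CRL signature against the distributed trust anchor (x509.RevocationList.CheckSignatureFrom) is the natural third check.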
------------------------------------------------------------------------------- Jules Wolfrat