34th EUGridPMA, Copenhagen

Monday, May 11th 2015.

APGrid PMA
- CAs perform regular self audits

EUGridPMA updates
- ChristosK: there is no CA for Swiss universities; they will be served by the EGI Catch-all (SEE-GRID). They have around 100 users.
- David Groep: TCS now issues personal robot certificates, getting closer to killing the classic Dutch CA
- End of contract for the old Comodo TCS: June 31st. The CAs will remain. The interface for requesting revocations will be removed; the TCS PMA needs to be contacted through the local helpdesk. NRENs and subscribers should already be informed about the change.

Self audits
- LIP CA - review declared success
- CALG CA - they are not issuing certificates any more
- pkIRISGrid - review declared success
- MARGI CA - decided to skip the review as the new one will be presented at this meeting
- Belnet - one institute cannot get TCS certificates; should be fixed soon so that the CA can be killed
- IranGrid - no news
- UK eScience - it will be presented today

UK eScience CA
- CRL downloads from the old OpenCA web server
- JCS - QV based certificates

Tuesday, May 12th 2015.

MARGI CA
- certificates still issued with SHA-1; will switch to SHA-256 and revoke all EE certificates
- Jens - issue with personal-contact based identity vetting; there should be a trace
- Christos - issue with the CSP software, as it has not been supported for many years; should change to something modern
- Jens - if you don't keep CRL history, somebody could un-revoke certificates
- reviewers - DavidG and EmirI

CAs generating certificates for cloud based hosts
- IGTF should define additional controls to be implemented by cloud-cert-issuing CAs
- issues:
  - how to prove FQDN ownership (especially if VMs are hosted on a commercial cloud provider)
  - how to handle renewal - could do it manually, or have a component use a cert or OAuth token to renew automatically (in which case short-lived certificates can be used)
  - how to handle revocation once the machine is decommissioned - could be done by a cloud middleware component, or use SLCS certificates (in which case CRLs won't get too large)

RAT, Communications
- If the CRL for one of the CAs is unavailable at the time of IGTF CA bundle installation, all certificates from that CA will be accepted (openssl design) until the CRL becomes available
- The AP does not define that relying parties must check certificate revocation status, though some CAs have it in their CP/CPS
- Decided that it would be good to offer a package including expired CRLs for all (deployed?) CAs, for those relying parties who are interested in such a feature

Wednesday, May 13th 2015.

Closing session
- DavidG proposes to drop support for Yum version 2 and apt-rpm from the distribution; they will be discontinued sometime this year