EUGridPMA, Amsterdam 07 September 2015 08:22 Monday
notes by Ian Neilson
=======

APGridPMA Update - Eric Yen
· (see slides)
· No questions.

Round Table Update
· DavidG - trying to move out old Dutch GridCA. ~50 users unable to use TCS (e.g. EGI)
  o Anders - in same situation
  o Is there interest in cross-country TCS - most users can go to CERNCA
  o Jan - Clarin IdP model
  o Jules - PRACE just buy commercial server certs, but not for EECs IGTF
  o Discussion about TCS contract model / SURFNET
· Paulo CERNCA Classic - nothing to report.
· Reimer DFN - Nothing
· Jules PRACE - TCS discussions. Jules retiring 2016. Introducing Walter.
· Cosmin ROSA - nothing new. TCS for servers only. No IdPs for EECs
· Roberto INFN - would like to pass to TCS
  o Certs slowly decreasing
  o Certainly left with users without IdP
  o 3rd CA signing certificate arriving (15yrs). Existing cert
  o Will present self assessment May 2016
· Jan SigNET - update later
· Marc GRID-FR - mainly no update.
  o TCS and GRID separate projects. e-science certs kept in GridCA.
  o One or two orgs. only declare IdP.
· Ian - UKNGI nothing to report
· Nuno LIPCA - start with TCS but will not replace
· Discussion on TCS and non-commercial user. 75K certs max.

TAGPMA Update - DavidG proxying Derek Simmel (see slides)
· Latin Am chapter forked ~1yr
  o Spanish language calls improved participation
· Significant North Am/US bias
· ESNET communities
  o OSG contracted Digicert -> ?end2016
  o OSG setting up own CA leverage NCSA/Jbasney
  o Namespace transition
  o Gone or private or ??

Self audit status - Cosmin (see slides)
· SRCE - no answer
  o Ian - has doc. and ok. will send
· PK-Grid CA review approved.
· IRAN - withdrawn due to safety concerns following staff changes. CA will be recreated.
· PLGridCA - new CP/CPS to be reviewed.
· UKeScience - query old self-audit?
· NIIF - completed
· ArmeSFo - need redo self audit
· Belnet - stuck with 1 org. (5-6 certs) not going to TCS.
SiGNET CA Update - Jan (see slides)
· Nothing much changed but better staffed (3)
· Public interface badly needs updating
· Plans as per slides
· Q: Reimer - ?OpenCA browser generated keys/keygen which is being disabled? A: Still possible but recommending js script based generation a-la UKCA. Links to this requested.
· Unclear what future for EndUser PKI?
· Discussion about UTF8 coding

RAT Comms Challenge (DavidG proxy for Ursula - see slides)
· Need volunteers.
  o Ian/UK interested in helping with challenge. Jules/Walter to discuss.
· Should be annual.

== Lunch ==

CERN STS IOTA CA - Paulo CERN (see slides)
· Discussion over CERN HRDB common key for user
· Private key generated by (correction) STS (which is using certificates in background)
· WebFTS acting as "cred. repository" for Private Key Prot. Guidelines
· Discussion over number and location of private keys
· IOTA CA is not self signed so can be revoked.
· ??Use HSM with multiple keys?? - not possible for Windows.
  o HSM would be needed for IOTA accred. - perhaps USB-based or RaspPi?
· Would this support volume (5-6/sec)
  o Cache intermediate certs.?
· eduPersonPrincipalName linked only in VOMS DB providing authz component
· Timeline? Agree in principle first. CP/CPS needed to be assessed, ?reviewers?.
  o EGI/WLCG would need to accept IOTA.

RPS Statement http://wiki.eugridpma.org/Main/RPS
Changes tracked by live editing