Dear EUGridPMA and IGTF members,

The 36th EUGridPMA meeting is now over, and I would like to take this opportunity to again thank Miroslav Dobrucky and Ladislav Hluchý from the Institute of Informatics at the Slovak Academy of Sciences for hosting us in Bratislava! I would like to share with you a few of the highlights of the meeting. Send corrections and omissions if you spot them, since these have been taken from my own scribbles and memory.

Subsequent meetings will be:
** 37th EUGridPMA meeting, May 9-11, 2016, hosted by Feyza, TR-Grid and ULAKBIM in Ankara, TR
** 38th EUGridPMA meeting, September 2016, Geneva, CH, kindly hosted by Paolo Tedesco at CERN
** 39th EUGridPMA meeting, January 2017, Florence, IT, kindly hosted by Roberto Cecchini of INFN and GARR
** 40th EUGridPMA meeting, May 2017, Ljubljana, SI, kindly hosted by Jan Jona Javorsek of IJS

and of course our affiliated meetings:
* APGridPMA & ISGC: 13-18 March 2016, Taipei, TW
* REFEDS & TNC 2016: 13+14-16 June 2016, Prague, CZ

See all of you in Ankara, or at any of the upcoming meetings of the IGTF or elsewhere. Slides with background of the Bratislava meeting are attached to the agenda pages at !

Best regards,
DavidG.

Subjects discussed and listed below
-----------------------------------
* Credential Stores & more: the AARC CILogin-like Pilot for Europe
* IGTF RAT Communications Challenge
* PKI technology Guidelines (and Classic and IOTA AP updates)
* Reviews and self-audits
* Disaster Recovery and Business Continuity development
* Outlook for EUGridPMA meetings in the future: selected topics
* Recommendations on cyber-security programmes
* OGF CAOPS WG: GFD.225 and OGF updates

All presentations are available on the agenda page: http://www.eugridpma.org/agenda/36
Please review these as well as a complement to this brief summary. Much information is contained therein and not repeated here.
I also apologize for any omissions and misrepresentations - this summary is taken mostly from memory and my own notes.

Credential Stores & more: the AARC CILogin-like Pilot for Europe
----------------------------------------------------------------
Many research infrastructures and users are working on AAI infrastructures that have one prominent shared characteristic: a token translation service that converts credentials from one form to the other. Such services allow applications to 'hide' any perceived complexity of PKI technology from the end-user, and enable the end-user to be far more flexible in the choice of authentication and authorization services. Specifically, use of home organisation credentials through R&E SAML federations is enabled by these services.

It is a frequent pattern: the CERN wLCG IOTA CA does such a translation (using its "STS" service and a web portal), and in the US CILogon enables integration of InCommon with the PKI world at various assurance levels. In Europe, the AARC (Authentication and Authorization for Research and Collaboration) project is aiming to enable these scenarios, and a pre-pilot around CILogon and MyProxy technology is well advanced in this area. It adds additional credential storage and generation services (in a 'master portal') to further hide credential management complexity also from the science gateway developers. The details are described in the presentation given to the EUGridPMA meeting and available on the agenda page and at https://www.eugridpma.org/presentations/AARC-CILogonPilot-IGTF-20160118.pdf

One of the key elements is a central credential store (alongside the "master portal") that addresses usability and security concerns. However, it poses some new usage scenarios that have not been foreseen in the Trusted Credential Stores draft guidelines - and the Private Key Protection guidelines (PKP) do address them for short-lived credentials only.
Issues could potentially arise around long-running workflows, but it is there recommended to - if needed - use community (VO) contact details where available to remind the user to periodically (<11 days) update and re-authenticate to refresh the credential store short-lived certificates.

Having discussed the AARC CILogon pre-pilot scenario, considered the likely business models (with a small number of credential stores operated by well-resourced trusted parties and a single back-end IOTA CA), and taking into account the intention of the PKP Guidelines, the PMA at this moment concluded:
- that the use of end-entity certificates with a lifetime <1Ms (11 days) will be recommended and is compliant
- to change the draft Trusted Credential Store guidelines to align with the PKP Guidelines and permit this use case [http://wiki.eugridpma.org/Main/CredStoreOperationsGuideline]
- to not consider changing the PKP Guidelines at this moment
- where needed, to clarify that support for long-running workflows (>11 days) will need explicit support in the VO portals for end-user reminders as needed

IGTF RAT Communications Challenge
---------------------------------
Ursula Epting ran the 2015 Communications Challenge for the IGTF Risk Assessment Team, with improved results compared to the previous run. Within a reasonable period of time, 95% of the CAs responded positively, with 75% completing the more detailed questions on the cryptographic digests used within their constituency. This shows that the majority of issuing CAs today issue SHA-2 based certificates by default, even though there are a few cases left where subscribers in their software still cannot deal with certificate digests other than SHA-1. But it is clear that such communities and subscribers will face serious issues once SHA-1 is 'broken' from a cryptographic point of view.
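The digest questions of the communications challenge come down to an inventory of which signature algorithm each issued certificate actually carries. The script below is an added example, not part of this summary, of the RAT challenge or of any IGTF tool: a minimal DER walker that reads the outer signatureAlgorithm OID of a certificate and classifies it as SHA-1 or SHA-2 based, then tallies a batch the way a CA would report it. The certificates it runs on are constructed shells (empty tbsCertificate, zero-filled signature) built in the block itself; the OID table covers only the common RSA and ECDSA signature OIDs.

```python
"""Classify the signature digest of DER-encoded X.509 certificates.

Added example, not part of the meeting summary, the RAT challenge or any IGTF
tool: a minimal DER walker that reads the outer signatureAlgorithm OID of a
certificate and reports whether it is SHA-1 or SHA-2 based.  The certificates
below are constructed shells (empty tbsCertificate, zero-filled signature).
"""

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, digest family)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}
SEQUENCE, OID, NULL, BIT_STRING = 0x30, 0x06, 0x05, 0x03


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos] (single-byte tags only);
    return (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # 7 bits per byte, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)   # skip tbsCertificate
    tag, alg, _ = read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(der):
    """Return (oid, algorithm name, digest family); unknown OIDs are flagged."""
    oid = signature_algorithm(der)
    name, family = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def survey(certs):
    """Count certificates per digest family, as a CA would report to the RAT."""
    counts = {}
    for der in certs:
        family = classify(der)[2]
        counts[family] = counts.get(family, 0) + 1
    return counts


# --- constructed test data (short-form lengths only) ------------------------
def der_tlv(tag, value):
    assert len(value) < 128, "example encoder handles short-form lengths only"
    return bytes([tag, len(value)]) + value


def encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def dummy_certificate(sig_oid):
    """Constructed certificate shell with a real AlgorithmIdentifier."""
    tbs = der_tlv(SEQUENCE, b"")
    alg = der_tlv(SEQUENCE, der_tlv(OID, encode_oid(sig_oid)) + der_tlv(NULL, b""))
    sig = der_tlv(BIT_STRING, b"\x00" + bytes(16))   # leading byte: no unused bits
    return der_tlv(SEQUENCE, tbs + alg + sig)


SAMPLE_CERTS = [
    dummy_certificate("1.2.840.113549.1.1.5"),    # legacy SHA-1 issuance
    dummy_certificate("1.2.840.113549.1.1.11"),
    dummy_certificate("1.2.840.10045.4.3.2"),
]

if __name__ == "__main__":
    for der in SAMPLE_CERTS:
        print("%-24s %-26s %s" % classify(der))
    print(survey(SAMPLE_CERTS))
```

On real certificates, feed `classify()` the DER bytes (strip the PEM armour and base64-decode first); an "unknown" family is the signal to look the OID up rather than to assume SHA-2.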
For the detailed presentation, IGTF members are referred to the confidential presentation at https://wiki.eugridpma.org/Members/CommunicationsChallengeStatus

PKI technology Guidelines (and Classic and IOTA AP updates)
-----------------------------------------------------------
Having established the technology-agnostic assurance profiles ("ASPEN", "BIRCH", &c), the conventional authentication profiles can be updated to refer to these levels. The technology-specific elements of the APs should then be described in a separate document, and that document can be common to all assurance specifications. It is foreseen that the classic profile would materially say just:

  "Authorities accredited under this IGTF "Classic" profile, identified as 1.2.840.113612.5.2.2.1, must comply with the latest endorsed version of
  * the IGTF Level of Identity Assurance CEDAR (1.2.840.113612.5.2.5.3); and
  * the IGTF PKI Technology Guidelines (1.2.840.113612.5.2.7.1)."

[https://wiki.eugridpma.org/Main/ClassicCASecuredInfraAP]

This needs a complete version of the PKI Technology Guidelines to be approved and endorsed by the IGTF. It is therefore jointly developed in all PMAs continuously. At TAGPMA22 a complete version was presented. In this meeting, it was reviewed in detail for sections 1 through 4, addressing the general architecture, identifier management, and operational requirements. The changes discussed during the meeting are available inside the revised version 06 of the document, attached to the Wiki development page http://wiki.eugridpma.org/Main/PKITechnologyGuidelines

All members, relying parties and interested experts are warmly invited to comment on this version!

Auditing, accreditation, and compliance
---------------------------------------
The self-audit peer review status was tracked for the ongoing reviews. Details are available in the detailed notes. Having heard the reviewers' comments and recommendations, the self-audits of PL-Grid, BG.ACAD, and SRCE were considered complete.
At this meeting, self-audits were presented by TR-Grid (TR, reviewers Jan Chvojka, Lidija, and Shahin), RDIG (RU, reviewers Anders and DavidG), IRAN-Grid (IR, reviewers Miroslav and DavidG), and DZeScience (DZ, reviewers Ursula and DaveK). Members are referred to the on-line presentations for details. DZeScience will also add support for (software keyed) Robots in the update.

The KENET CA was officially accredited as an on-line Classic CA during the meeting. The trust anchor information will be part of the 1.71 release on January 25th, 2016. Congratulations to the KENET CA managers and thanks to the reviewers!

The CERN wLCG IOTA CA CP/CPS was approved by the reviewers, and the HSM solution is in place. Once the certificates have been generated, they will be sent to IanN and DavidG (CC Reimer for additional eyes if possible) for the operational review and included in the distribution. We thank Dave Kelsey, Jan Jona Javorsek and Reimer for the comments.

We again thank Cosmin for his work as self-audit review controller - and ask everyone to please process the requests coming from Cosmin in a timely fashion!

Disaster Recovery and Business Continuity development
-----------------------------------------------------
During the review of the IRAN-Grid CA self-audit, the need for a disaster recovery and business continuity section was discussed. This has been an ongoing discussion in the PMA and a concern for the members, considering various risks from (power) instability, earthquakes, to the sudden appearance in a CA manager's path of city buses that subsequently continue to run over said CA manager. However, there is not a large body of good reference texts for such a disaster recovery section in the CP/CPS. Some CAs do have it included, and periodically test the viability of the plans (such as CESNET); in others it is an ongoing concern of the operators (such as in the UK).
It was decided to set up a task force to come up with good reference texts and methods for disaster recovery. The group initially consists of Shahin, Jan Chvojka, Ursula, and Jens.

Outlook for EUGridPMA meetings in the future: selected topics
-------------------------------------------------------------
The policy environment in which the EUGridPMA (and IGTF) operate is rapidly changing: policies in the area of authentication, authorization, and other security and availability policies are more closely aligned, and the number of participants in the e-Infrastructure ecosystem is growing. This is obviously a Good Thing, and it also poses new challenges in policy coordination and in getting the proper message received by the relevant audience.

Through overlapping membership and cross-participation, there is a good level of practical coordination. It also helps in preventing unfortunate overlaps (e.g. it would be detrimental to all for IGTF and REFEDS to overlap, and so this by construction does not happen), and at the same time it does help in bringing ideas across. For example the IGTF model on peer-reviewed self-audits is catching on in other contexts, such as the self-assessment tool for baseline assurance that is being worked on in AARC for use in the eduGAIN ecosystem.

With existing relying party involvement in the EUGridPMA, it seems logical to maintain close relationships with SCI (already co-located several times with PMA meetings), but also with the Security Policy Group that is currently operating in the context of EGI. Widening its attendance beyond just EGI (e.g. with PRACE, EUDAT, &c) would likely help draft better policies, and could feasibly be done in joint and co-located meetings with the EUGridPMA. There are obvious areas of collaboration: around the AA Operations Guidelines (as attribute authorities gain more prominence), on credential stores (where we have draft guidance), and in the emerging area of IdP-SP proxies.
The 'proxy' is emerging as a design pattern for many research infrastructures, as was identified in the AARC architecture work. As a complementary activity, a check to see if a policy set is 'complete' and sufficient, and whether the current IGTF guidelines set is either too fragmented, has internal overlaps, or leaves gaps, could be part of this.

There are also other potential topics emerging: although services like TCS have absorbed a lot of subscribers in those countries where TCS is made available, it is far from a complete solution. Some, like the legacy DutchGrid CA, would like to terminate operation in favour of TCS but are unable to do so. A joint catch-all for those that want it might be a solution: a common signing scheme, jointly operated or procured, based on the existing distributed RA networks. However, building a viable business model around it would require more work, and the over-all interest is not yet clear. Specifically, this would obviously NOT be needed for those cases where there is a strong existing national CA that wants to continue to operate.

Then there are other external developments that the IGTF and PMA should likely respond to, or take into account for future work. Let's Encrypt [http://letsencrypt.org/] is both a protocol and a service, and how that fits into the ecosystem should be clarified for RPs and CAs alike.
For the Ankara meeting, it is thus proposed to reserve on the agenda
* identification of the relation between the IGTF/PMA and the work of Let's Encrypt, both the protocol and the (DCV) service
* a joint session with an extended Security Policy Group SPG meeting (Wednesday morning, Tue afternoon if possible) to work on joint policy alignment and collaboration

Recommendations on cyber-security programmes
--------------------------------------------
An in-depth view on how to support the development of cyber-security programmes in the context of a continuous cycle of appearing projects and 'short-term' collaborations was presented by Bob Cowles of CTSC. Everyone is warmly recommended to read the presentation on the agenda at https://indico.nikhef.nl/getFile.py/access?contribId=14&resId=0&materialId=slides&confId=339

Giving a summary here would not do justice to the comprehensive nature of the CTSC work ...

GFD.225 OGF Certificate Profile
-------------------------------
The OGF CAOPS WG had a remote-supported meeting during Tuesday afternoon, with Mike Jones and DavidG as co-chairs. In this meeting the responses to the GFD.225 public comments were reviewed:
- there is no need to mention "4096 bit RSA" in this Profile, since such a choice is a policy decision, not a technical specification. This comment is therefore not accepted
- the comment on SHA-1 and SHA-512 is accepted, but it is noted that the issue with SHA-512 is no longer present when the latest software patches are implemented on MS Windows systems [https://support.microsoft.com/en-us/kb/2973337]
- differentiating between 'best practice' and 'just-not-yet-supported' can be done, and DavidG should implement it in the doc where relevant
- the limitation on the length of the subject DN comes from software like the 'gridmapdir' model. Since this is stored in the file system, a path length maximum of 1024 should be considered. Given the DN may be URL encoded, this leads to a feasible maximum of ~300 chars. This recommendation should be added to the section
- the kerberism should be discouraged, in the section on DN naming
- the streetAddress and postalCode should be forbidden. The footnote added should include the example by Jim.
- even if the current user base may not be 'all of OGF' or 'all of the software used by OGF parties', it is certainly the aim of CAOPS to produce a generic standard document. As such, it is correct to call this the "Interoperable X.509 Certificate Profile"

Anyone with feedback where this profile is incorrect is warmly invited to tell CAOPS!!

DavidG will edit the GFD.225 document and make it final. Jens should then push it to publication.

Other OGF news:
* Jens Jensen is now VP of Standards in OGF, and would appreciate a new Area Director for Security (his old position)
* Mike Jones will write a 1/2 page statement on the activities of CAOPS for the OGF-ITU joint committee
* the Higher-Level CA (HLCA) document was an IGTF document traditionally hosted by the CAOPS WG. Since it is a background policy document, it more naturally fits in the IGTF space, not OGF. Since it currently provides mostly guidance for reviewers when evaluating issuing CAs with a complex hierarchy, it was decided to move the contents of this document to the EUGridPMA Wiki and bring it to the attention of reviewers in the necessary cases. The Wiki allows joint IGTF development of the content. The OGF instance of the document (v0.10) is considered frozen.
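Two of the GFD.225 review points above (the subject DN length that still fits a 1024-byte file-system path once the DN is URL-encoded for the gridmapdir model, and the ban on streetAddress and postalCode) are easy to check mechanically. The script below is an added example, not text or code from the OGF profile, the CAOPS WG or any IGTF software: it parses an OpenSSL one-line DN, percent-encodes it as an approximation of the gridmapdir file-name encoding (real implementations differ in details such as letter case; that is an assumption here), and reports findings. The base directory and all DNs are constructed for illustration. It also checks the per-file-name NAME_MAX limit of 255 bytes, which is a general Linux file-system limit not part of the summary's reasoning, so that the list shows both limits.

```python
"""Lint X.509 subject DNs against the GFD.225 points from the CAOPS session.

Added example, not part of the OGF profile, the CAOPS WG or any IGTF software.
The gridmapdir file-name encoding is approximated by plain percent-encoding
(assumption); the base directory and the sample DNs are constructed.
"""
from urllib.parse import quote

PATH_MAX = 1024               # file-system path limit the summary reasons from
NAME_MAX = 255                # per-component limit on common Linux file systems (extra check)
RECOMMENDED_MAX_DN_LEN = 300  # feasible DN maximum quoted in the summary
BASE_DIR = "/etc/grid-security/gridmapdir"   # constructed example location
FORBIDDEN_ATTRS = {"streetAddress", "postalCode"}


def parse_dn(dn):
    """Split an OpenSSL one-line DN such as '/C=NL/O=Example/CN=Jane' into
    (attribute, value) pairs.  Escaped slashes inside values are not handled
    (a simplification of this example, not of the profile)."""
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL one-line DN starting with '/'")
    rdns = []
    for component in dn[1:].split("/"):
        attr, sep, value = component.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN component: {component!r}")
        rdns.append((attr, value))
    return rdns


def gridmapdir_path(dn, base_dir=BASE_DIR):
    """Path at which a gridmapdir-style mapping would store this DN, with
    every non-alphanumeric character percent-encoded (three bytes each)."""
    return f"{base_dir}/{quote(dn, safe='')}"


def max_dn_length_for(base_dir=BASE_DIR, path_max=PATH_MAX):
    """Longest DN that still fits in path_max if every character expands to
    the three-byte %XX form: the worst-case reasoning behind the '~300 chars'."""
    return (path_max - len(base_dir) - 1) // 3


def lint_dn(dn, base_dir=BASE_DIR):
    """Return a list of (level, message) findings; an empty list means clean."""
    findings = []
    for attr, _value in parse_dn(dn):
        if attr in FORBIDDEN_ATTRS:
            findings.append(("ERROR", f"attribute {attr} is not allowed in the subject DN"))
    if len(dn) > RECOMMENDED_MAX_DN_LEN:
        findings.append(("WARN", f"DN is {len(dn)} characters, above the recommended "
                                 f"maximum of {RECOMMENDED_MAX_DN_LEN}"))
    path = gridmapdir_path(dn, base_dir)
    if len(path) > PATH_MAX:
        findings.append(("ERROR", f"encoded gridmapdir path is {len(path)} bytes, over PATH_MAX={PATH_MAX}"))
    name_len = len(path) - len(base_dir) - 1
    if name_len > NAME_MAX:
        findings.append(("ERROR", f"encoded file name is {name_len} bytes, over NAME_MAX={NAME_MAX}"))
    return findings


# --- constructed sample DNs -------------------------------------------------
GOOD_DN = "/DC=org/DC=example/O=Research/CN=Jane Doe"
BAD_DN = "/C=NL/O=Example/streetAddress=Science Park 1/postalCode=1098 XG/CN=John Doe"
LONG_DN = "/O=Example/CN=" + "very long name " * 30      # 464 chars, fits PATH_MAX
OVERLONG_DN = "/O=Example/CN=" + "x " * 350              # encodes to over 1024 bytes

if __name__ == "__main__":
    print("worst-case DN limit for", BASE_DIR, "=", max_dn_length_for())
    for dn in (GOOD_DN, BAD_DN, LONG_DN, OVERLONG_DN):
        print(dn[:60], "->", lint_dn(dn) or "OK")
```

With the constructed base directory the worst-case limit comes out at 331 characters, in line with the ~300 figure from the meeting; the NAME_MAX check shows that a DN well under that figure can still produce a single file name longer than 255 bytes once encoded, which is worth knowing when the profile text is finalised.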