Dear EUGridPMA and IGTF members,

The 37th EUGridPMA meeting is now over, and I would like to take this opportunity to again thank David Kelsey from the Rutherford Laboratory and STFC for hosting us at the Coseners House!

I would like to share with you a few of the highlights of the meeting. Send corrections and omissions if you spot them, since these have been taken from my own scribbles and memory at
https://www.eugridpma.org/meetings/2016-05/eugridpma-abingdon-notes-davidg.pdf

Slides with background of the Abingdon meeting are attached to the agenda at
http://www.eugridpma.org/agenda/37

Subsequent meetings will be:

** 38th EUGridPMA meeting, 19-21 September 2016, Geneva, CH, kindly hosted by Paolo Tedesco at CERN
** 39th EUGridPMA meeting, January 2017, Florence, IT, kindly hosted by Roberto Cecchini of INFN and GARR
** 40th EUGridPMA meeting, May 2017, Ljubljana, SI, kindly hosted by Jan Jona Javorsek of IJS

and of course our affiliated meetings:

* REFEDS & TNC 2016: 13+14-16 June 2016, Prague, CZ
* I2 Technology Exchange and REFEDS: September 25-28, Miami, FL, USA
* Digital Infrastructures 4 Research: September 26-30, Krakow, PL

See all of you in Geneva, or at any of the upcoming meetings of the IGTF or elsewhere. Details on the Geneva logistics and the block booking at the CERN hostel will be made available shortly. Please book before August 15th.

Best regards,
DavidG.
Subjects discussed and listed below
-----------------------------------
* RCauth.eu and the AARC CILogin-like TTS Pilot for Europe
* Guidelines on Trusted Credential Stores
* IOTA minor update
* Implementation of the Generalised Assurance Profiles (and PKI Guidelines)
* New AP structure and GFD.169/review sheets
* Disaster Recovery and Business Continuity development
* Model implementations for video-supported vetting
* Recommendations on cyber-security programmes
* GFD.225 OGF Certificate Profile and OGF News
* Dissemination and impact
* Other updates: farewell to Jules Wolfrat; Concerns over future Hungarian R&E; Keeping more SAML auditing; The road to hell is paved with SAML Assertions (by Ioannis Kakavas); Darkmatter sets up PKI for Emirates; Evolution of SP800-63 assurance inspired by Vectors of Trust; More countries move to GEANT TCS; Self-audit and reviews completed; Jisc Certificate Services for the UK; Chair re-elected - additional contributions welcome!

All presentations are available on the agenda page:
http://www.eugridpma.org/agenda/37
Please review these as well as a complement to this brief summary. Much information is contained therein and not repeated here.


RCauth.eu and the AARC CILogin-like TTS Pilot for Europe
--------------------------------------------------------
The AARC project is running a pilot with a bridging AAI solution based on Jim Basney's CILogon model, to enable resources that use conventional identity and attribute certificates for access control to be used by researchers who hold exclusively federated credentials. While certificate-based access is effective for many non-web (command-line) and brokered-access (delegation) use cases, exposing this technology to a wide user base is seen as a significant barrier. In this pilot a set of mutually interconnected third-party software components is composed to hide the technical details of certificate-based access.
Part of the scheme is an on-line CA that is (usually) connected to a managed credential store (master portal) that manages credentials on behalf of the end-users. The users use federated authentication (typically against eduGAIN and specific IdPs operated by the research infrastructures) to obtain PKI credentials implicitly. Therefore the pilot includes an IOTA CA that needs to be an accredited CA to permit the RIs and e-Infrastructures to trust it. This is "RCauth.eu", the white-label IOTA CA for Europe. It is set up by AARC and operationally supported by Nikhef and the Dutch National e-Infrastructure coordinated by SURF.

The policy has been reviewed by Reimer and Ursula against the IOTA 1.1 profile, and both reviewers have given positive recommendations. The CA policy, details, and operational security controls were presented in the meeting:
https://indico.nikhef.nl/getFile.py/access?contribId=11&resId=0&materialId=slides&confId=418

Following the presentation, the EUGridPMA accredited by acclamation the RCauth.eu IOTA CA, alongside the off-line DutchGrid CA Service Root - its higher-level CA. They will be included in an upcoming IGTF distribution.


Guidelines on Trusted Credential Stores
---------------------------------------
The guidelines on trusted credential stores (TCredS) were last reviewed in May 2013, and since then the use cases and environment have evolved significantly. In particular, TCredS are relevant for RCauth since the master portals in the architecture need to be assessed for trustworthiness, and the TCredS Guidelines are an appropriate reference for this. Also the Private Key Protection Guidelines have emerged and partly overlap with the TCredS guidelines, so alignment is needed.

Similar work on credential management has been taking place in the US, where schemes like DirectTrust (for exchanging messages in the healthcare domain) need to protect the credential stores where users keep their PKI credentials.
Considerations in the USFedPKI have led to the requirement that protections on credential stores be /one assurance level step higher/ than the credentials protected in them. So to protect level-2 credentials, the store itself must have level 3 (i.e. level 3 HSMs as well). This may of course evolve with the upcoming SP800-63-v3 changes on decomposing various assurance level aspects. [see presentation on SP800-63-3] The work in AARC considers both a decomposition option (entity-category based) as well as an ISO29115 option for representing LoA. This is ongoing work there coordinated by Mikael Linden et al.

We should also consider that - by moving credential management to a central place - we are likely to improve over any user-based credential management for many use cases, given that users are not trained at protecting any credentials. Yet we can apply the 'principle' that was used in e.g. the USFedPKI by adding controls to the TCredS guidelines.

As a start in this meeting, section 4 (Operational Requirements) was reviewed and edited in the Wiki document, which now also addresses virtualised environments:
http://wiki.eugridpma.org/Main/CredStoreOperationsGuideline
The other sections still need more review and discussion - and alignment with the Private Key Protection Guidelines.


IOTA minor update
-----------------
Minor changes (editorial and clarification) were made to the IOTA profile, resulting in version 1.1a. This version, published on the Guidelines pages, has been endorsed by the EUGridPMA and is deemed to be of no material impact elsewhere (e.g. fixing 5820->5280, and dropping a confusing byline):
https://www.eugridpma.org/guidelines/iota/
We therefore consider the IGTF endorsement to remain valid.
Implementation of the Generalised Assurance Profiles (and PKI Guidelines)
-------------------------------------------------------------------------
Both the IGTF Levels of Authentication Assurance Guideline and the PKI Technology Guidelines are now complete and published:
https://www.eugridpma.org/guidelines/authn-assurance/
https://www.eugridpma.org/guidelines/pkitech/

A minor change was made to the PKI Guidelines to address an omission that we identified in the placement of the subjectAltName. To section 3.2 was added: "If the credential has elements that allow direct contact to the subject, such as an email address, these elements should be included as subjectAlternativeName."

We note with appreciation that the TAGPMA has already revised the SLCS and MICS profiles in October 2015 to refer to these two documents above and to change the PKI AP profiles to contain just references. These revised APs for SLCS and MICS are gladly endorsed by the EUGridPMA. The EUGridPMA has similarly revised the Classic and IOTA Profiles:
Classic v5.0: https://www.eugridpma.org/guidelines/classic
IOTA v2.0: https://www.eugridpma.org/guidelines/iota
The OID assignments and versioning have been updated in the repository. We invite the APGridPMA to endorse all revised APs (Classic, MICS, SLCS, and IOTA). The LoA and PKI Tech Guidelines themselves have already been endorsed.

We note that the intent and aim of the LoA generalisation process has been to make the new rendering of the APs materially equivalent to the existing versions. The editorial process has been designed such that the material content should match in the new renderings. We hereby agree that version 5.0 of the Classic profile is equivalent to version 4.4, and that version 2.0 of the IOTA profile is equivalent to version 1.1a. There is thus no need for CAs that are currently accredited to review or revise their own policies and practices.
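As an added example (not part of this report, nor tooling from the IGTF or any accredited CA), a profile check for the section 3.2 clause above using only Go's standard library: it lists emailAddress attributes in the subject DN that are not mirrored as rfc822Name entries in subjectAlternativeName, and exercises the check on two constructed self-signed test certificates (names and addresses are made up).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is PKCS#9 emailAddress (1.2.840.113549.1.9.1), the legacy
// way of carrying a contact address inside the subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// subjectEmails returns every emailAddress attribute found in the subject DN.
func subjectEmails(cert *x509.Certificate) []string {
	var out []string
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// MissingSANEmails lists subject-DN e-mail addresses that have no matching
// rfc822Name in subjectAlternativeName. An empty result means the certificate
// satisfies the section 3.2 clause for its e-mail contact elements.
func MissingSANEmails(cert *x509.Certificate) []string {
	inSAN := make(map[string]bool)
	for _, e := range cert.EmailAddresses {
		inSAN[e] = true
	}
	var missing []string
	for _, e := range subjectEmails(cert) {
		if !inSAN[e] {
			missing = append(missing, e)
		}
	}
	return missing
}

// newTestCert builds a self-signed end-entity certificate carrying the given
// e-mail in the subject DN and the given rfc822Name SAN entries (possibly none).
// Constructed test data only; not a real CA's issuance profile.
func newTestCert(subjectEmail string, sanEmails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName: "Example User",
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: subjectEmail}},
		},
		EmailAddresses: sanEmails, // nil means no SAN extension at all
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, _ := newTestCert("user@example.org", []string{"user@example.org"})
	bad, _ := newTestCert("user@example.org", nil)
	fmt.Println("compliant cert, missing SAN e-mails:", MissingSANEmails(good))
	fmt.Println("non-compliant cert, missing SAN e-mails:", MissingSANEmails(bad))
}
```

On a real CA's output the same function can be run over each issued certificate (parsed with x509.ParseCertificate) as part of a self-audit.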
Also the IGTF web site has been updated to fully reflect the new structure, including the URL of the LoA document
https://www.igtf.net/ap/authn-assurance/
and a list of URNs (OIDs) to designate these. All APs are now there in their new format. Historic versions remain on the managing PMA web sites.


New AP structure and GFD.169/review sheets
------------------------------------------
For future self-audits and accreditations, the new scheme should be used. There are no checklists or review spreadsheets yet, and this means that also the classic example in GFD.169 is now unusable. It would be good to have a document to record the mapping between the LoA and PKI Tech guideline statements and the section in RFC3647 where these should or may appear. This can be done in an annotated version of these Guideline documents (like we had an annotated Classic AP). Having it in the same document will prevent divergence. Yet a sheet may help reviewers not to miss items - and also help do the 'whitespace check': ensuring that there are no contradicting statements.

The reviewers of the next-to-be-accredited CA should develop the preferred mechanism for review and - if needed - develop new sheets. It is likely that the Darkmatter UAE CA will be next (with DavidG, Jens, and Feyza). Coordination with and contributions by TAGPMA are appreciated. We note that the 'current' sheets by TAGPMA are from 2007-2009 ...


Disaster Recovery and Business Continuity development
-----------------------------------------------------
Both Jens Jensen and Jan Chvojka presented disaster recovery strategies for CAs. The plan developed by CESNET includes periodic testing and is well developed. Jens - for the UKeScience CA - also developed a comprehensive plan, which is validated by having two-person exercises and operational runs in which redundancy is tested with specific administrators.
Regular operators are not normally supposed to display creativity in 'fixing' issues, since that has a large risk of creating incidents. The DutchGrid CA Root faced a similar issue when deciding on activation data fragmentation: increase the number of people holding a fragment of the private key, or have activation data in whole (but separate from the key materials) held by just two people - enough for redundancy, but sufficiently limited to assign security-trained experts. Scott points out that there are also cheap mechanisms to enforce multi-person control, like embedded locked boxes inside larger safes, as long as only tamper-evidence is needed.

Most of the material on disaster recovery - including the materials shared during the meeting - is private and confidential. This does not help the community in developing better disaster recovery plans. It is decided to revitalise the Disaster Recovery WG, tasked to develop guidelines for the structure and for topics to be addressed by the disaster recovery section of both the CP/CPS and in private specific plans. It can take some guidance from the existing section 5.x in the CPS, but should take more inputs. The guideline will be developed on the EUGridPMA (members-only) wiki; it should in the end be a public document with public guidance, and when there is sufficient content we can decide how to distribute this material: as an IGTF Guideline, as a white paper, a scholarly publication (like for SCI), or as an OGF Information Document. The WG members will be extended and include Jens, Jan, Scott, Reimer, DavidG, and of course Shahin.


Model implementations for video-supported vetting
-------------------------------------------------
The currently permitted vetting models for BIRCH and CEDAR assurance state that vetting "should be based on a face-to-face meeting and should be confirmed via photo-identification and/or similar valid official documents." and continue to describe three models, one of which is that identity "be validated using notary-public attestations and/or official government data sources and supported by remote live video conversation".

There are very mixed experiences with notaries public depending on country, and they may do nothing more than just asserting that a copy of a document looks the same as the document presented to them. They are not necessarily stating that the ID document belongs to the claimant, or that the ID document is in fact an authentic photo-ID. There are also notaries, e.g. in the Commonwealth of Virginia, that can make these attestations over video themselves, so you just get two video chat sessions instead of an in-person meeting. Note that in SP800-63-v3, collecting full copies of photo-ID documents is no longer allowed, not even in the US. Many European countries don't allow making and retaining copies even today.

To facilitate the process, some CAs including HPCI, TR-Grid, but also others, are looking at alternative but equivalently rigorous processes to support video-vetting. The aim should be to stay within the 'bandwidth of trust' described in the current text: between the (possibly worthless) notary-public attestations, and the more trusted real in-person hand-shake vetting. A model that is between these currently allowed extremes should be and is good enough for the relying parties and compatible with the current BIRCH/CEDAR LoA.

Following discussion, it is considered appropriate to develop guidance on the Wiki:
https://wiki.eugridpma.org/Main/VettingModelGuidelines
that can explore the permissible options. It is inspired by the model used for remote vetting for qualified US and Adobe Document Signing certificates at LoA2+ (stored on hardware tokens), and the HD-video supported vetting that is permissible for those qualified certs.
If appropriate compensatory controls are in place and we can protect same-person continuity (non-reassignment) as well as traceability, it should be viable. Compensatory controls have some 'hard' requirements in the model process described in the Wiki above (mainly: exchanging a nonce during a videochat, high quality video, traceability of the user, liveness, and exchanging scans of visibly made signatures), and a set of controls that can be considered to make the process acceptable for accreditation by a PMA. It is important that this be described and reviewed in each case, so the proposal is that "The following is also considered to be an acceptable process for implementing method 2 - if so acceptably documented in the CP/CPS and endorsed by the accrediting PMA [description follows]." For additional compensatory controls to be considered by the specifically trained RA or trusted agent, see the Wiki. The aim is to demonstrate "duty of care" by the RA/TA.

The discussion can continue on the list and in the Wiki. Feyza will contribute (and we hope also Eisaku Sakane-san), with the target of adoption of this model later this year by updating the LoA or by giving explicit guidance for interpretation of "should".


Recommendations on cyber-security programmes
--------------------------------------------
Getting traction for security with the leaders and researchers in smaller research projects can be challenging. The CTSC has developed a training and guide on how to communicate effectively with such projects and PIs. The key is to be engaging: "we're here to help you" - and then propose security and availability measures to protect valuable workflows.
The example training presented by Bob Cowles will take an hour to present to intended audiences, followed by discussion:
https://indico.nikhef.nl/getFile.py/access?contribId=0&sessionId=0&resId=2&materialId=slides&confId=418
It may also be good to highlight current risks to the research community: the rise of ransomware, for instance.

In some cases, the security of researchers is 'offloaded' by the infrastructure, in particular for PRACE where it is all done by the home sites, and there is no real role for the PI. In other infrastructures (OSG, but also most of EGI and wLCG) there is an active role for the VO/community in developing a security function. For EGI there are good lessons here for training material. Also the CTSC work is good for application in the WISE community, esp. policy templates and helping communities write their policy, instead of expecting that to magically happen.


GFD.225 OGF Certificate Profile and OGF News
--------------------------------------------
The new "Interoperable Certificate Profile" GFD.225 is now complete and
https://redmine.ogf.org/dmsf_files/25
has the final version of March 23rd. The final action is on OGF (Greg Newby) to publish.

Other OGF updates:
- OGF contributes to security (for clouds and federation) via the ISO/IEC JTC1 SC38 working groups 3-5, who liaise with SC27 for security. This may help in the sense that OGF can propose standards and documents, and can help steer existing ones (yet cannot vote).
- OGF is close to offering certificates for those that really cannot get them otherwise - at marginal cost - by becoming a reseller of the DigiCert Grid CA. There are some (e.g. commercial parties and companies in the cloud development area) that have no access to R&E operated CAs.
- the HLCA document should be moved to the IGTF EUGridPMA Wiki.

We request that OGF speed up its publication process so that publishing via the OGF is a viable option. Jens will take care of this.
Dissemination and impact
------------------------
We do have a story to tell, but in practice we're not telling it. Looking at the IGTF web site, the section contains old material, and is not well focussed. It is also not clear what the communications targets are (what do we want to achieve by communicating) nor what the target audiences are (general public, funding bodies, ...).

Potential target audiences include: general public, funding bodies, emerging and existent research infrastructures (new relying parties), other (federated) identity providers (e.g. to expose the assurance levels that have been co-defined by the current RIs and e-Infrastructures), and other researchers. Some of these are served by writing academic papers or contributing to scholarly journals -- which also helps those members in the IGTF whose careers benefit from publications. Yet also white papers, blogs, and glossy flyers can help spread the message.

There are some emerging and existing journals: Journal of Cloud Computing (with Craig Lee as the editor), the new "Computing and software for data-intensive [physics] Science" (a publisher rep was at the HEPiX conference). There are also many existing blogs, and contributing to ones that are well read may help - maybe better than starting our own. If we were to start a blog, we should at least use a general blog platform, and have multiple people contribute. Writing a good blog post (like those by DFN-CERT, by GridPP Storage, or on programming by Walter) easily takes a day to compose. It would be even better to have some expert help from people experienced in how to communicate complex subjects to a wider audience (although the members would still have to provide the content). Experts like Sara from EGI and the SURF PR people would be great.
Worthwhile topics in the short term would be:
- the new assurance level specification - Jens
- the onboarding of new CAs, like Darkmatter and RCauth - DavidG/LiciaF
- new use cases and RIs that use the LoA levels
At least Jens, Ian, and Jules are willing to help with (some of) these efforts.

Other concrete actions for volunteer pick-up:
- white paper on the assurance model (or more)
- create a Wikipedia entry for IGTF (it's only mentioned now in a lemma on federation written by Rainer Hoerbe)
*** and we should update the IGTF entry on the REFEDS Wiki! ***


Other updates
-------------
- the PMA highly appreciates the important work done by Jules Wolfrat of SURFsara and DEISA/PRACE since the beginning of the EUGridPMA in 2004. His presentation on "High Performance Trust" reminds everyone of the importance of collaboration and of the human factor that is so essential for creating a trusted community. We thank Jules for his important work and joyful participation over all these years! Look at the Retrospect and Future presentation of Jules for insight. From now on, Walter de Jong, introduced to the PMA in September last year and again in Abingdon, will - jointly with Vincent Ribaillier of IDRIS - represent PRACE in the EUGridPMA.
- the PMA is seriously concerned about the recent plans of the Hungarian government regarding the future of NIIF and the position of research and educational networks and services in Hungary. Coordinated activities (including those at the policy level by our large organisational members, such as via Fabiola for CERN) should be considered in consultation with Tamas (if only because of the Wigner DC).
- to increase response capabilities, CAs using federated (SAML) assertions are encouraged to log the entire incoming assertion (i.e. including the raw XML and the signature) - so that even at a later date one can centrally check these signatures (and not only the attribute values). This is specifically relevant also for the RCauth.eu Pilot ICA.
Given that eduGAIN has limited operational capability for logging and response, independently making (daily) archives of the complete meta-data aggregate of eduGAIN is recommended (maybe in a central place by the PMA as well).
- the PMA appreciates the work done by Ioannis Kakavas, and refers to "The road to hell is paved with SAML Assertions":
http://www.economyofmechanism.com/office365-authbypass.html
- Darkmatter, represented by Scott Rea at the PMA meeting, introduced themselves and discussed the research and education landscape in the United Arab Emirates. With the continued rapid growth of R&E in the Emirates, and with a new national PKI being established to be based entirely within the UAE and with public trust, there is an excellent opportunity to join efforts to also serve the R&E community with credentials that are both publicly trusted and IGTF accredited. This could also support (existing) relationships with the European e-Infrastructure (including EGI). Discussions with Ankabut on this issue are planned in the immediate future. Scott Rea will shortly submit a specific CA from the UAE for consideration as a Classic CA, inspired by that of an existing accredited CA in the EUGridPMA. The target for completion is the end of 2016Q2. Assigned reviewers are Feyza Eryol, Jens Jensen, and David Groep.
- The SP800-63 NIST publication is evolving, and comments are now invited on the draft of version 3. This version takes a new approach, likely inspired by the Vectors of Trust (VoT) work in IETF, in explicitly acknowledging different assurance aspects, and incorporating federation and attributes as entities in their own right. Input is welcome and encouraged (but don't expect to change the concept drastically, since NIST internally will have reviewed it already).
Commenting can be done via GitHub (see the slides for details):
https://indico.nikhef.nl/getFile.py/access?contribId=0&sessionId=0&resId=1&materialId=slides&confId=418
- several CAs are moving most of their issuance towards the GEANT TCS, including NorduGrid, pkIRISgrid, INFN/GARR, and of course DutchGrid.
- The self-audit peer review was completed for MARGI and TR-GRID. The Belnet CA will be discontinued entirely on January 10, 2017.
- ArmeSFO presented their self-audit report, which will be reviewed by Jan Chvojka and Jens Jensen. For the UK eScience CA a major change is still upcoming, and once federated authentication is used to communicate with applicants and users, a new CP/CPS would need a detailed review. This is foreseen for the September (Geneva) PMA meeting, and reviewers will be assigned then.
- plans in the UK with respect to the use of the JCS for research purposes have been presented by Simon Cooper from Jisc in coordination with Jens Jensen - please refer to the presentation for details.
- David Groep was re-elected as Chair of the EUGridPMA. The ongoing contributions from our self-audit coordinator Cosmin Nistor and from the RATCC coordinator Ursula Epting are much appreciated and acknowledged. It would be jolly good if contributions to the agenda building and note-taking could be shared by a wider group than just the chair... More roles (vice-chair, secretary) can be added if that helps get more effort and more people - it may help folk to gain support within their own organisations.
Attendance
----------
We would like to thank the following members for their in-person attendance: David Kelsey, Jens Jensen, Jan Chvojka, Feyza Eryol, Bob Cowles, Tamas Maray, Reimer Karlsen-Masur, Marc Turpin, Ian Neilson, Cosmin Nistor, Jules Wolfrat, Walter de Jong, David Groep, Scott Rea, and Simon Cooper; and for their extensive presence in the videoconference: Anders Waananen, Javi Masa, Roberto Cecchini, Vladimir Dimitrov, Miroslav Dobrucky, Ara Grigoryan, Mariam Pilikyan, Narine Manukyan, and Nuno Dias.