'''Geneva, September 2016.''' Agenda: https://indico.nikhef.nl/conferenceDisplay.py?confId=500

== Monday, 19 September 2016 ==

=== Trusting External Identity Providers for Global Research Collaborations - Mind the Gap! ===
Speaker: Jim Basney (NCSA) (JB)
* overview & comparison of IGTF, eduGAIN and Social IDs
* issues with the large number of IdPs (>2000)
* gaps between infrastructures

=== Trust and coordination of incident response information in a federated world ===
Speaker: Hannah Short (CERN)
* eduGAIN is missing a central helpdesk and a security incident response team
* Sirtfi - Security Incident Response Trust Framework for Federated Identity
* IGTF could join eduGAIN as a federation
* it would be trivial to map X.509 to SAML assertions
* existing authentication profiles would help with the certification process

=== HPCI ===
Speaker: Eisaku Sakane (NII)
* HPCI: Japan's national distributed HPC infrastructure
* in production since 2012
* integrates supercomputing resources
* second stage will start in 2017
Resource usage process:
* select project category
* project proposal (acquire HPCI-ID)
* project implementation
* user report
Software:
* distributed storage Gfarm - 22 PB
* GSI-enabled SSH client GSI-SSHTerm
** based on the development branch of the UK NGS software
** has issues with unsupported recent cipher suites
Remote identity vetting issue:
* anyone can submit a project proposal to the HPCI
* a mechanism to address this is being prepared
Discussion:
* is video identity vetting considered viable for CAs?
* RPs didn't reject it immediately

=== The AARC model: developing an architecture and trusted pilots to support research ===
Speaker: Christos Kanellopoulos (GRNET)
AARC:
* gather requirements through real use cases and international collaboration
* create a pilot infrastructure based on policies
* deliver training
Requirements:
* long list of points
IdP/SP Proxy:
* 3 LoAs discussion
Pilots:
* IdPs
* AA/Proxy
** BBMRI community
* Token Translation
** CILogon for ELIXIR
* Service Provider
** ownCloud + LibreOffice
** ORCID SP - connecting ORCID ID with national IdP (http://orcid.org/)
** Sirtfi
** reference implementation of the Blueprint Architecture
** LoA elevation
Discussion:
* What should IGTF do for AARC? (JB)
** communication between parties
* What is the status of the proxy software? Ian Neilson (IN)
** AARC is not supposed to provide software
** the plan is to provide the architecture and a pilot implementation to infrastructure operators and the community; they can keep working on existing code or implement their own solution

== Tuesday, 20 September 2016 ==

=== Update from the APGridPMA ===
Speaker: Eric Yen (ASGC) (EY)
* IPv6 should be supported by the end of the year
* 4 CAs with more than 100 valid EECs

=== Update from the TAGPMA ===
Speaker: Derek Simmel (PSC) (DS)
* chair to be changed from Scott Rea to Derek Simmel
* Colombia decommissioning; small number of certificates, staying as an RP
* Venezuela has difficulties operating its CA, staying as an RP
* update of website & wiki planned (new web master)
* they hold monthly meetings

=== Accreditation I: DarkMatter/UAE ===
Speaker: Scott Rea (DarkMatter) (SR)
* overview of DarkMatter services
* accrediting 3 CAs: two already operated by QuoVadis, one will be established by the end of the year
Discussion:
* DarkMatter plans to provide PKI services to EU countries by 2018.
* no robot certificates at this stage; the physical capability is there, just need to modify the policy
Reviewers:
* three reviewers: David Groep (DG), Jens Jensen (JJ), Feyza Eryol
* Christos Kanellopoulos (CK) volunteered

=== Self-audit status reports ===
Speaker: Cosmin Nistor (ROSA)
* France - slow progress on self-audit
* 4 CAs to present self-audits in January: Cyprus, Egypt, Belarus, GermanGrid (Karlsruhe)
* Attendance:
** no presence from QuoVadis since 2012
** Moldova
** others are good

=== Credential life time for host credentials ===
Discussion:
* JB: request came from LIGO; significant effort needed for annual renewal
* DG: there should be additional assurances for such certificates (e.g. proof of the org. structure owning the host/service)
* DK: obtaining domain owner proof might be problematic for organizations or conflict with existing procedures
* SR: it should be formulated as "up to 39 months" instead of exactly 3 years
* should handpick requirements from the CAB Baseline Requirements and not reference it
* DG: RPs should check with the respective project/org what they think - WLCG and EGI probably won't mind/will love it
IGTF AuthN Assurance doc:
* added a 1200-day limit to section 4.6
* long discussion on the proper formulation - ended with two paragraphs

=== Update on the EGI Catch All CA ===
Speaker: Christos Kanellopoulos (GRNET/EGI)
* new RA portal will be ready by Nov 2016
* CP/CPS ready by Oct 2016
Discussion:
* IdPs will initially be manually whitelisted; considering using EGI SSO to get additional attributes (e.g. whether the IdP is covered by an existing IGTF CA); probably a mix of these approaches will be used in future
* RA work is offloaded to the IdPs, but an agreement with each IdP is needed
* CK: try to use the same principles as TCS for users that don't have access to TCS
* SR: TAGPMA requires the CA to present procedures for each new IdP
** DG: TCS has a policy approved by IGTF which is enforced on IdPs; IdPs agree to be open to audit
** CK: CP/CPS will be pushed to IdPs
Reviewers: Ian Neilson, Ronald Osure

=== Generalising the IGTF assurance levels for use in SAML federations ===
Speaker: Jim Basney (NCSA)
Discussion:
* long discussion about the mechanism and control over IdPs needed in order to achieve a significant LoA

=== IPv6 status ===
Speaker: Dave Kelsey
* currently: 39 OK, 2 broken, 54 IPv4 only
* status over time: http://cvmfs-6.ndgf.org/ipv6/overview.php
* status: http://cvmfs-6.ndgf.org/ipv6/specific.php?date=2016-09-14
* there are two CAs with valid entries in DNS but the CRL is unavailable
* AP: CAs should aim to provide IPv6 by the end of the year

=== Jens soapbox ===
Speaker: Jens Jensen
RCAuth:
* https://www.rcauth.eu/
* used by EUDAT
* discussion about identity vetting & traceability
Extensions:
* ...
SHA2 migration:
* problem only for the CA hierarchy, roots are fine
* in case of a SHA1 compromise, software will drop support
Video identification:
* Concerns:
** remote participants could use a fake ID
** is the process recorded?
** issues with the use of a passport (too much information; how would the RA recognize a passport?)
* OK:
** identity vetting for rekey (reapplication) when previous certs have expired
Host rekey:
* propose to automatically approve host cert rekey
Discussion:
* SR: video should use a secure channel and have good enough resolution in order to make an assertion
** the secure channel was there, but got lost in Jens' compression
* DG: an additional compensating control should be used in order to avoid an injected stream

== Wednesday, 21 September 2016 ==

=== Checklist for MICS-based CAs ===
Speaker: Eisaku Sakane (NII)
* extended the existing Classic checklist (GFD-I.169) with MICS-specific items from the profile
* DK will circulate the checklist created before

=== Remote vetting models and approved procedures ===
Speaker: Eisaku Sakane (NII)
Discussion:
* list of compensating controls added to the document http://wiki.eugridpma.org/Main/VettingModelGuidelines
* detailed discussion on each point...
* detailed discussion on the next step
** CAs will prepare a process
** PMA will assess sufficiency
** if satisfactory, PMA will approve

=== Disaster Recovery development group ===
Speaker: Shahin Rouhani (IPM)
* proposal for CA key disaster recovery

=== Generalised Assurance Levels in federation land ===
Speaker: David Groep (Nikhef)
* SAML federations find the IGTF Levels of Authentication Assurance definitions either unclear or too specific (PKI-ish)
* SAML federations would like to see concrete examples of definitions
Actions:
* DG to circulate comments to the list

=== Business considerations for prospective CAs ===
Speaker: Scott Rea (DarkMatter)
* commercial CAs were compromised through RAs in 2011
* importance of RPS enforcement and proper validation/auditing of RAs
* RPS standards should be defined, as RAs are the highest risk
Discussion:
* JJ: we can start with documenting our existing processes
* SR: start with the large MICS CAs with a distributed RA network (EGI Catch-all, HPCI, ...)
=== CAOPS WG: GFD225 publication ===
Speaker: Jens Jensen
* we should prepare audit checklists for all profiles (MICS, ...)
** SR: maybe add a big section for RAs
* submit some documents for ISO standardization in order for them to become available/visible to industry/government
** JB: anything published in ISO is not freely available
** JJ: but the OGF document will not be revoked
** DG: but if the ISO standard changes you lose them in the OGF document
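Added example, not from the minutes or from any IGTF document: a Python check of a host certificate's validity period against the two formulations discussed on Tuesday under "Credential life time for host credentials", the 1200-day limit recorded in section 4.6 and the "up to 39 months" wording. The month arithmetic (clamping to the end of the target month) and the treatment of both limits as inclusive bounds are assumptions of this example; it also scans start dates to show how the longest possible 39-month period compares with the 1200-day cap.

```python
from datetime import date, timedelta
import calendar

# Limits as recorded in the minutes (assumption: both applied as inclusive upper bounds)
MAX_LIFETIME_DAYS = 1200    # limit added to section 4.6 of the IGTF AuthN Assurance doc
MAX_LIFETIME_MONTHS = 39    # "up to 39 months" wording proposed in the discussion

def _to_date(value) -> date:
    """Accept a date or an ISO 8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def add_months(start, months: int) -> date:
    """Advance a date by whole months, clamping to the last day of the target month
    (assumed convention: 31 Jan + 1 month -> 28/29 Feb, 30 Nov 2016 + 39 months -> 29 Feb 2020)."""
    d = _to_date(start)
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def check_host_cert_lifetime(not_before, not_after) -> dict:
    """Evaluate a host certificate validity period (notBefore/notAfter) against
    both formulations; a CA or RP policy check would run this on the request."""
    nb, na = _to_date(not_before), _to_date(not_after)
    lifetime_days = (na - nb).days
    return {
        "lifetime_days": lifetime_days,
        "within_1200_days": lifetime_days <= MAX_LIFETIME_DAYS,
        "within_39_months": na <= add_months(nb, MAX_LIFETIME_MONTHS),
    }

def longest_39_month_span_days(first_year: int = 2016, last_year: int = 2020) -> int:
    """Longest period in days that "39 months" can cover for any start date in the
    given years (leap days and month lengths vary); compare with the 1200-day cap."""
    d, longest = date(first_year, 1, 1), 0
    while d.year <= last_year:
        longest = max(longest, (add_months(d, MAX_LIFETIME_MONTHS) - d).days)
        d += timedelta(days=1)
    return longest

if __name__ == "__main__":
    start = "2016-09-20"   # constructed sample: periods starting on the day of this session
    for label, end in [("3 years", "2019-09-20"),
                       ("39 months", add_months(start, 39)),
                       ("1200 days", _to_date(start) + timedelta(days=1200))]:
        print(label, check_host_cert_lifetime(start, end))
    print("longest 39-month period:", longest_39_month_span_days(), "days")
```

For start dates from 2016 to 2020 the longest 39-month period is 1188 days, so a certificate issued under the "up to 39 months" wording always satisfies the 1200-day cap, while a full 1200-day certificate does not satisfy the 39-month wording.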