Dear EUGridPMA and IGTF members,

The 38th EUGridPMA and IGTF All Hands meeting is now over, and I would like to take this opportunity to again thank Paolo Tedesco and CERN for hosting us. I would also like to share with you a few of the highlights of the meeting. Send corrections and omissions if you spot them, as these have been taken largely from my own scribbles and memory, but with great support from the notes kindly taken by Emir Imamagic.

Slides with background of the Abingdon meeting are attached to the agenda at http://www.eugridpma.org/agenda/38

Subsequent meetings will be:

** 39th EUGridPMA meeting, January 30 - Feb 1st 2017, Florence, IT,
   kindly hosted by Roberto Cecchini of INFN and GARR
** 40th EUGridPMA meeting, May 8-10 2017, Ljubljana, SI,
   kindly hosted by Jan Jona Javorsek of IJS

(with September 2017 and January 2018 open if you are so kind as to volunteer to host a PMA meeting)

and of course our affiliated meetings:

* TAGPMA24 in Hamilton, BM, on October 24-25. See for registration:
  http://indico.rnp.br/conferenceDisplay.py?confId=234
* REFEDS, November 28, Geneva, CH, hosted at CERN
  https://eventr.geant.org/events/2520
* APGridPMA meeting, March 6, 2017 in Taipei, TW, colocated with ISGC
  http://event.twgrid.org/isgc2017/

See all of you in Florence, or at any of the upcoming meetings of the IGTF or elsewhere. Details on the Florence logistics will be made available shortly.

Best regards,
DavidG.

Subjects discussed and listed below
-----------------------------------
The presentations of the IGTF All Hands Open Day are a worthwhile read for anyone, especially if you have not attended the meeting itself. Review the slides for these great talks (https://eugridpma.org/agenda/38):

- Trusting External Identity Providers for Global Research Collaborations - Mind the Gap!
  by Jim Basney (NCSA)
- Trust and coordination of incident response information in a federated world, Sirtfi
  by Hannah Short (CERN)
- The HPCI Infrastructure and AAI Evolution
  by Eisaku Sakane (NII)
- The AARC model: developing an architecture and trusted pilots to support research
  by Christos Kanellopoulos (GRNET)

IGTF and PMA business:

- Extended validity periods for networked-system credentials
- R&E Federation use of the Generalised Assurance Profiles
- Auditing guidelines and MICS checklist
- Business purpose of CAs and RAs: where is the risk?
- Video-supported identity vetting guidelines
- Disaster Recovery WG
- IPv6 readiness
- OGF/CAOPS
* Other updates:
  - clarification of identifier assignment in DOGWOOD
  - on applicant-provided (opaque) extensions in IOTA end-entity certs
  - continued use of SHA-1 after SHA-1 is broken - an analysis
  - accreditations, updates, and self-assessment reviews
- Attendance

All presentations are available on the agenda page: http://www.eugridpma.org/agenda/38 - please review these as well, as a complement to this brief summary. Much information is contained therein and not repeated here.

Extended validity periods for networked-system credentials
----------------------------------------------------------
[see http://wiki.eugridpma.org/Main/IGTFLoADraft1-1 for the document]

Following requests by several relying parties, the risk profile associated with having longer (>13 months) credentials issued to servers (networked entities and the services they run) was discussed. In particular, the longevity of hosts is not typically constrained by staff turn-over (which was the main ingredient in the risk analysis for personal credentials), and the stability of the operating platform (e.g. in LIGO, where the compute environment is preferably left unchanged during operational science runs that last longer than one year) leads to a preference for longer-lived host credentials.
This could also align with industry practice for server (SSL) certificates in the public trust domain, where CABforum guidance for OV (and DCV-only) validated certificates limits validity to 39 months (~1200 days). The consideration there balances the risk of key exposure (through its use) against operational feasibility and the de-registration of validated information (like domain name ownership) in organisation-validated (OV) scenarios. There is obviously the example of short-lived DCV certs from letsencrypt.org: 3 months.

For the IGTF Assurance Levels (specifically CEDAR), host/server credential issuance can currently be tied to either domain ownership (as in the CABforum BR), OR to the operational sysadmin capability of a person who has administrative access to the machine. Extending the host credential validity in the latter case is not desirable, since the underlying association is akin to that of personal credentials.

Those present at the meeting agreed, and this will become accepted on endorsement by the full PMAs, that:

- host credentials may be issued for up to 1200 days (39 months) PROVIDED that compensatory controls are in place. These controls align with the basic DCV measures detailed in CABforum BR section 3.2.2.4 items 1 through 4 (confirmation with the registrar, WHOIS data, control over the canonical 5 mailboxes).
- if only regular checks of sysadmin capability are done through an RA, the validity REMAINS LIMITED to 400 days (13 months).

It MAY be considered to NOT assert the TLSWebClient eKU in these extended-validity host credentials, to prevent their inadvertent use as robots.

For credentials issued to individuals, the 13 months (400 days) period is considered to remain applicable as it was before. Considerations include the alignment with the yearly affiliation turn-over cycle, and the need to remember training.

The relying parties present (EGI, WLCG, XSEDE, OSG) also consider this to be of equivalent strength and usable under the current trust model.
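As an added illustration (this is editor-supplied example code, not IGTF or any CA's tooling), the following script applies the lifetime limits agreed above to the dates that openssl prints for a certificate: 400 days when the host was vetted only through RA checks of sysadmin capability, 1200 days when organisational sub-domain name ownership was also validated, and a warning when an extended-validity host credential still carries the client-authentication EKU. It assumes the dates come from `openssl x509 -noout -dates` and that EKU names are the text names openssl prints ("TLS Web Client Authentication" for id-kp-clientAuth); the sample inputs are constructed.

```python
"""Added example: check a host credential's lifetime against the proposed
400/1200-day limits. Assumes `openssl x509 -noout -dates` output and openssl's
text EKU names; all sample inputs below are constructed."""
from datetime import datetime, timedelta, timezone

# Validation basis -> maximum lifetime in days, per the text agreed at the meeting.
MAX_LIFETIME_DAYS = {
    "sysadmin": 400,              # host vetted through RA checks of sysadmin capability only
    "subdomain-ownership": 1200,  # organisational sub-domain name ownership also validated
    "person": 400,                # individual with a file-based, single-factor credential
}
CLIENT_AUTH_EKU = "TLS Web Client Authentication"  # openssl's text for id-kp-clientAuth
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"           # e.g. "Oct  1 00:00:00 2016 GMT"


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from `openssl x509 -noout -dates` output."""
    stamps = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            stamps[key.strip()] = datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    return stamps["notBefore"], stamps["notAfter"]


def assess_lifetime(not_before, not_after, eku, basis):
    """Check one credential against the limit for its validation basis.

    Returns {"lifetime_days", "violations", "advisories"}: an empty "violations"
    list means the lifetime is within policy; "advisories" carries the optional
    (MAY) recommendation to drop the client-auth EKU on long-lived host certs.
    """
    if basis not in MAX_LIFETIME_DAYS:
        raise ValueError(f"unknown validation basis: {basis!r}")
    lifetime = not_after - not_before
    limit = timedelta(days=MAX_LIFETIME_DAYS[basis])
    violations, advisories = [], []
    if lifetime <= timedelta(0):
        violations.append("notAfter is not later than notBefore")
    elif lifetime > limit:
        violations.append(f"lifetime of {lifetime.days} days exceeds the {limit.days}-day limit for basis {basis!r}")
    # Extended-validity host credentials (beyond the classic 400 days) should not double as robot credentials.
    if basis == "subdomain-ownership" and lifetime > timedelta(days=400) and CLIENT_AUTH_EKU in eku:
        advisories.append("extended-validity host credential asserts TLS Web Client Authentication; "
                          "consider omitting this EKU so it cannot be used as a robot credential")
    return {"lifetime_days": lifetime.days, "violations": violations, "advisories": advisories}


# Constructed sample openssl output: exactly 400 days, and 1190 days (~39 months).
SAMPLE_DATES_400 = "notBefore=Oct  1 00:00:00 2016 GMT\nnotAfter=Nov  5 00:00:00 2017 GMT\n"
SAMPLE_DATES_1190 = "notBefore=Oct  1 00:00:00 2016 GMT\nnotAfter=Jan  4 00:00:00 2020 GMT\n"
SERVER_ONLY = {"TLS Web Server Authentication"}
SERVER_AND_CLIENT = {"TLS Web Server Authentication", CLIENT_AUTH_EKU}

if __name__ == "__main__":
    for label, dates, eku, basis in [
        ("13-month host cert, RA-checked sysadmin", SAMPLE_DATES_400, SERVER_ONLY, "sysadmin"),
        ("39-month host cert, sysadmin basis only", SAMPLE_DATES_1190, SERVER_AND_CLIENT, "sysadmin"),
        ("39-month host cert, sub-domain ownership validated", SAMPLE_DATES_1190, SERVER_AND_CLIENT, "subdomain-ownership"),
    ]:
        nb, na = parse_openssl_dates(dates)
        print(label, "->", assess_lifetime(nb, na, eku, basis))
```

To run it against a real certificate, feed it `openssl x509 -in host.pem -noout -dates` and the EKU names from `openssl x509 -in host.pem -noout -text`; the comparison is done on the full notBefore/notAfter interval, so a certificate one second over 400 days is already reported as exceeding the limit.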
The IGTF therefore proposes to AMEND the current BIRCH and CEDAR LoA specification to permit the above mentioned extended validity, subject to the conditions. This is incorporated in the Generalised LoA document - and, because of the document structure, split over two sections. Version 1.1 defines "organisational sub-domain name ownership validation" with the subset of elements from BR section 3.2.2.4 that the IGTF considers applicable (and that are included directly in the document in section 3.2), and then stipulates for Credential Validity (4.6):

  Credential life time should be either
  1. no more than 400 days if the credential is stored in a file and is further protected with a single authentication factor. The credential MAY be extended or renewed up to 4 times 400 days based on the same data (or for the lifetime of the subject for biometric data) if the credential is protected with at least two authentication factors at least one of which is a hardware token; or
  2. in the case of network and service entities for which the organisational sub-domain name ownership has also been validated, no more than 1200 days, without the possibility for extension or renewal.

The participants realise the new text is not excellent - suggestions remain welcome. This change proposal is being tracked at http://wiki.eugridpma.org/Main/IGTFLoADraft1-1 and should come into force after all PMAs have endorsed the text. For the EUGridPMA this will be done via mail in the usual way. For the EUGridPMA, comments are requested before October 10, 2016 please!

R&E Federation use of the Generalised Assurance Profiles
--------------------------------------------------------
[see presentations on Tue and Wed at https://eugridpma.org/agenda/38]

The traditional assurance programmes, aiming to introduce NIST-style LoA1 or LoA2 into the (academic and public) community, have failed to take hold.
Both InCommon and FICAM experience shows that even the institutions that once certified against the requirements do not renew (VTech will not renew InCommon Silver, and Google lapsed on FICAM LoA 1). One of the key elements blocking adoption of certification in academia is certainly the formal audit requirement - if 'audit' is mentioned, in the USA the university audit office is called, and the entire process stops. If only for that reason, we should probably refer to our 'audit' requirements as 'assessment', since the IGTF model is based on the far more successful peer review and on self-assessments, which does get traction in R&E. For InCommon, also the assertion of multi-factor is self-asserted, and no checks are done by the federation beyond the organisation being 'in good standing' (which is never really checked, and nobody has ever been evicted from InCommon, which has very many members ...).

Given the failure of existing certification programmes, Jim - through the REFEDS Assurance WG - is proposing the use of the BIRCH assurance profile in combination with the peer review process, to get some of the IdPs that are particularly relevant for e-Research (like the DoE labs in the US) to sign up to the scheme. They materially qualify, and have done more checks and assessments than most, but these never exactly matched the NIST levels, so DoE labs never qualified for Silver. The per-IdP sign-up model and peer-reviewed assertion of compliance with BIRCH mimics the model that TCS has successfully used in Europe. The relying parties in the US are willing to contribute to the peer review, thereby making this a viable option.

Discussion in the REFEDS community did highlight that there might still be some technological bias in the way the BIRCH (and other) levels are defined in the IGTF LoA specs. The presentation (Wed) lists some of these, kindly brought to our attention by Tom Barton and Mikael Linden.
The detailed comments will be circulated to the IGTF under separate cover, but it is worthwhile to review the wording and clarifications in the LoA document to make sure they are unequivocally applicable to many credential types (SAML, username-password, Kerberos, PKI).

Auditing guidelines and MICS checklist
--------------------------------------
The GFD.169 guidelines for performing self-audits give (an old version of) the classic AP as an example list of items to check. Unfortunately, this list is out of date and, worse, does not address newer assurance profiles such as MICS. Work by Eisaku-san has resulted in an extensive MICS review checklist (to be circulated shortly) that can be used both for (re)newed accreditations and for peer reviews. [PDF will be posted to the IGTF list shortly]

One of the items conspicuously missing from the MICS profile is the checks on the upstream IdPs, akin to what a peer assessment of IdPs would be, such as is being discussed for Sirtfi (checking from the outside whether the expectations are met), and as we do internally with the RATCC challenges. Checking of IdPs can also take the form of heuristics, by which we can make a guesstimate as to how the IdP is operating. In recent events, a full check of all service use for a MICS CA was done, in which heuristics based on the issued IdP assertions were able to match all but four of the ~3400 certificates issued (these four were cleared by explicit check later).

Business purpose of CAs and RAs: where is the risk?
---------------------------------------------------
Reviewing the threat profile based on recent (2011+) incidents at public CA providers points clearly to RAs being the weakest link in the assurance chain. Without discarding any risks associated with the CSP credentialing process, we should devote more effort (time) to defining acceptable RA processes.
The RPS template details all the necessary elements (but may be considered over-complicated by some), yet we should develop a base of confidence. The MICS discussion [above] pointed in the same direction.

Onboarding of new RAs should be easy, but yet have a provable, documented process behind it. At this moment, the IGTF has no explicit guidance on onboarding RAs, leaving it to be described in the CP/CPS (and thus different for all CAs and in all regions). A new guideline on best practices for onboarding RAs would be welcome and would increase trust. A starting point would be to collect current practice and thus provide good examples. The documented process is especially important for large authorities, where the registration agents are 'more disjoint' from the authority itself.

An area on the (members-only part of the) EUGridPMA Wiki will be created to facilitate collection of practices. All authorities are invited to upload any processes they wish and are able to share!

Video-supported identity vetting guidelines
-------------------------------------------
[see http://wiki.eugridpma.org/Main/VettingModelGuidelines]

Following the introduction by Eisaku-san, the set of requirements and compensatory controls that would permit the proposing of video-supported remote vetting was discussed. Although it should be noted that even the in-person process was never rigidly defined by the APs (it was originally proposed because it was the 'easiest' method to describe), it is understood that many see in-person as the default preferred option, if it is reasonably possible. But when in-person checking is not a realistic option (too great distances, no useful notary public system, extremely expensive, or otherwise), then the advances in HD video technology now enable vetting to a level that could be considered equivalent to in-person checking of identity - provided that other compensatory controls are put in place.
The approach taken should consider the management of the end-to-end risk, and offset that against the acceptable level that RPs are willing to use. It should be noted that - in order to be inclusive for their user communities and in order not to insert complex obstacles for usage of RP services - the RPs present (EGI, WLCG confirmed) are strongly in favour of a process that would be inclusive of all users, including those in locations without an in-person capability.

Based on the earlier draft from the Abingdon meeting (https://wiki.eugridpma.org/Main/VettingModelGuidelines) further guidance was developed. The risk most discussed was how to guard against the identity document being faked or not belonging to the applicant (and thus issuing credentials to the wrong entity or in the wrong name). It would be good to have some demonstrators of a remote vetting process, in which both real and fake documents are used to try both working and 'abuse' cases - and see how the RAs that would be permitted to perform remote vetting for that CA would react. It should be considered to only accept those forms of photo ID with which the RA is very familiar and for which the RA has been trained to recognise (visual) authenticity features. All other compensatory controls are in the guideline text above.

There are controls of various 'strength' listed, and a weighting system may be considered by reviewing PMAs to make sure the combination of controls proposed by the CA actually meets or exceeds a minimal level (e.g. based on a points ranking). This can realistically be done by having the CAs that propose to use this process actually try it and present the results of such a vetting test (in particular the authenticity of photo IDs is interesting).

The guidelines, over which rough consensus was reached by the IGTF AHM, define a process by which the PMAs will assess requests by authorities to implement a remote identity vetting process.
The PMAs shall - based on these guidelines - assess the sufficiency of the process and - when the proposed process is endorsed - will permit the authority to use the proposed process. Of course, an authority can only start issuing credentials based on remote vetting under an accredited CA AFTER the PMA has endorsed its proposed process!

It should also be noted that the method involving notaries public is already approved and can continue to be used and included as-is. At least in countries where notaries public are a useful option ...

Disaster Recovery WG
--------------------
Shahin presented the combined work of the D/R working group, including earlier work presented by Jan Chvojka in Abingdon. The balance to strike for n-of-m control of the backup key pair also depends on staff turn-over rates (with long-term permanent staff, 2 of 3 may be better; in case non-IT-aware staff is used, or rollover is higher, 3 of 5 might be a better choice). Also the use of printed material can be considered, especially if it's only for D/R (and it gets rid of media aging).

IPv6 readiness
--------------
The availability of CRL downloads over IPv6 is now continuously monitored by Ulf Tigersted for the HEPiX working group on IPv6. The current and historic status can be inspected at http://cvmfs-6.ndgf.org/ipv6/overview.php which also points to a few important points:

- if a CA publishes an AAAA record, IPv6 really ought to work, or clients will suffer long download delays or will fail
- the number of CRLs that can only be downloaded over legacy IP is going down, but not fast enough. There are still 54 broken CRL endpoints.

APGridPMA members have already committed to have all CRLs available over IPv6 by the end of 2016. This is doable for all CAs, especially since a service like CloudFlare can be used to offer this for free and is dual-stack by default.
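For authorities wanting to verify their own CRL endpoint before the end-of-2016 review, the following added example (editor-supplied; it is not the HEPiX monitor's code) probes one CRL URL over IPv6 and over legacy IP separately, so that the failure mode described above - an AAAA record is published but nothing answers on it, and dual-stack clients stall until the IPv6 attempt times out - is reported distinctly from "no AAAA at all". It assumes the CRL is served over plain HTTP on port 80, as is usual for CRL distribution points; the resolver and fetcher are injectable, and the built-in demo uses constructed addresses from the documentation prefixes so it runs offline.

```python
"""Added example: classify a CRL endpoint's IPv6 readiness. Assumes plain HTTP on
port 80; the stub resolver/fetcher and their addresses are constructed."""
import http.client
import json
import socket
import sys
import time
from urllib.parse import urlsplit


def default_resolver(host):
    """Return (A addresses, AAAA addresses) for host from the system resolver."""
    v4, v6 = set(), set()
    try:
        for family, _t, _p, _n, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
            if family == socket.AF_INET:
                v4.add(sockaddr[0])
            elif family == socket.AF_INET6:
                v6.add(sockaddr[0])
    except socket.gaierror:
        pass
    return sorted(v4), sorted(v6)


def default_fetcher(addr, family, host, path, timeout):
    """GET path from one literal address, sending the original Host header; return the HTTP status."""
    literal = f"[{addr}]" if family == socket.AF_INET6 else addr  # http.client needs brackets for IPv6 literals
    conn = http.client.HTTPConnection(literal, 80, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host)
        conn.endheaders()
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def probe(addrs, family, host, path, fetcher, timeout):
    """Try every address of one family; return (reachable, seconds spent)."""
    start = time.monotonic()
    for addr in addrs:
        try:
            if fetcher(addr, family, host, path, timeout) == 200:
                return True, time.monotonic() - start
        except (OSError, http.client.HTTPException):
            continue  # a timeout here is exactly the delay a dual-stack client would see
    return False, time.monotonic() - start


def check_crl_endpoint(url, resolver=default_resolver, fetcher=default_fetcher, timeout=5.0):
    """Classify a CRL endpoint as dual-stack, ipv6-only, legacy-ip-only, broken-aaaa or unreachable."""
    parts = urlsplit(url)
    host = parts.hostname
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    v4, v6 = resolver(host)
    v6_ok, v6_secs = probe(v6, socket.AF_INET6, host, path, fetcher, timeout)
    v4_ok, v4_secs = probe(v4, socket.AF_INET, host, path, fetcher, timeout)
    if v6 and not v6_ok:
        verdict = "broken-aaaa"  # worst case: AAAA published, IPv6 path dead, clients stall
    elif v6_ok and v4_ok:
        verdict = "dual-stack"
    elif v6_ok:
        verdict = "ipv6-only"
    elif v4_ok:
        verdict = "legacy-ip-only"
    else:
        verdict = "unreachable"
    return {"host": host, "aaaa": v6, "a": v4, "ipv6_ok": v6_ok, "ipv4_ok": v4_ok,
            "ipv6_seconds": round(v6_secs, 2), "ipv4_seconds": round(v4_secs, 2), "verdict": verdict}


# Constructed offline scenario: AAAA record present, IPv6 connect fails, IPv4 serves the CRL.
def stub_resolver(host):
    return ["192.0.2.10"], ["2001:db8::10"]


def stub_fetcher(addr, family, host, path, timeout):
    if family == socket.AF_INET6:
        raise OSError("connect timed out")
    return 200


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a real CRL URL from the command line
        print(json.dumps(check_crl_endpoint(sys.argv[1]), indent=1))
    else:
        print(json.dumps(check_crl_endpoint("http://crl.example.org/ca.crl", stub_resolver, stub_fetcher), indent=1))
```

Run with a CRL URL as argument for a live check; the "ipv6_seconds" field shows how long a client would wait on the broken AAAA path before falling back, which is the delay the HEPiX monitor warns about. Note that a host behind a dual-stack proxy such as CloudFlare will show as "dual-stack" even when the origin itself is legacy-only, which is exactly the intended outcome for CRL distribution.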
CRL downloads (being small) easily fit in the free tier of CF: http://indico.rnp.br/getFile.py/access?sessionId=5&resId=0&materialId=0&confId=217

For all IGTF authorities, we expect IPv6 capability BY THE END OF 2016, with status to be reviewed at the 39th meeting (Jan 30).

OGF/CAOPS
---------
The GFD.225 OGF Certificate Profile document is 'almost ready', but Jens will be doing a bit more editing to fix references. It will then depend on the availability of the OGF Editor AndreM to push it to the document repo. Work on the updated GFD.169 document can progress in CAOPS.

Those of us in CAOPS willing to participate in the OGF-relevant ISO process can do so by way of OGF, which is represented at a country-equivalent position but without voting rights. It should be noted that normally ISO documents are closed licensed material, but because of the OGF copyright the OGF document content will always remain open. Considering the ISO process is relevant only when government or industry is the target of the specification.

Other updates
-------------
- In matching the needs of the EUDAT B2ACCESS service against the IOTA profile (as part of a suitability assessment of RCauth.eu as replacement of the current internal CA), it was found that the wording on identifier assignment was confusing. Where it states that it should "identify the identity management system via which the identity of this person was vetted", in the case of a multi-layered IdM system this applies to the top-level IdM, i.e., the IdM that provides the assertions to the issuing authority. This IdM is then by itself responsible for retaining sufficient information to trace through to its own downstream IdP, e.g. by propagating its own unique identifier (ePUID, ePPN, ...) to the issuing authority service provider. In the case of B2ACCESS, the "O" field in the credential issued by RCauth would be "B2ACCESS", and the unique identifier the one provided by EUDAT. This is also how EGI is doing this (providing its own ePUID).
  [see Jens' Soapbox presentation]

- The EUDAT/B2ACCESS system uses a proprietary extension in the end-entity certificates (not RFC3820 proxies) to convey additional information used for authorization by its own services. In practice, an extension contains a SAML blob as an octet stream. It was suggested that an (IOTA) CA could accept incoming extension requests, treat them as opaque blobs, and permit specific requester agents (actors on behalf of the applicant as well as on behalf of an RP collection) to insert extensions with OIDs exclusively assigned to these agents. This way, an approved EUDAT agent system could request that EUDAT-specific OIDs (like the one with the SAML blob) be included, if the request comes from EUDAT. The user data is then taken from the original user IdP (home org, not EUDAT). [currently this is out of scope of any accredited IOTA (or other) CA]
  [see Jens' Soapbox presentation]

- For a discussion and analysis on the continued use of SHA-1 in validation after SHA-1 is broken (so when collisions are feasible), refer to Jens' document at https://cert.ca.ngs.ac.uk/sha2migration/sha2migration-1.6.pdf

- The DarkMatter CA, serving initially the UAE national PKI and also developed in a way so as to be able to support the Ankabut e-Research efforts, was presented by Scott Rea. It is currently operating on its own hardware hosted in a partner infrastructure, but is expected to move on-site early 2017. Given the relatively large number of CP/CPS documents, as well as the ancillary documents and agreements that have to be reviewed, ChristosK has been added as a fourth reviewer, besides Jens, Feyza, and DavidG. The option is held open to - in the future - also run a retail service that can serve the national or even global community.

- The EGI "Catch-All" service will move to an on-line service with a dedicated back-end.
  There's also the inclusion of a distributed IdP system that will increase the reach of the catch-all, especially in those countries where the NREN failed to sign up to TCS and that service is thus not available (and no alternative exists). The new CP/CPS is expected in Oct 2016. Reviewers will be Ian Neilson and Ronald Osure. The use of existing (R&E federated) IdPs will necessitate agreements with each specific IdP (like TCS today), which will include pushing down the CP/CPS compliance requirements on these IdPs. EGI SSO can be used to augment the identity, e.g. providing LoA data in the case of linked accounts.

- The self-audit reviews are progressing, but slowly. The continued prodding of peer reviewers by our self-audit office Cosmin remains necessary. Pending peer reviews include ArmeSFo (CPS in place, S/A docs sent this week); IRANgrid (Miroslav's comments will be addressed first); DZeScience (pending peer review); RDIG; AustrianGrid (we strongly encourage the AustrianGrid CA to move forward with its migration plans, expecting news by the next meeting). Grid-FR will do a report based on the old CA in January; the project to move to a new national CA is slow in progressing. Authorities due for an urgent reviewed self-assessment, or overdue for an in-person appearance, can inspect their status on the membership status page. The upgrade plan for the UK (a completely new hierarchy) is OK.

Attendance
----------
We would like to thank the following members for their in-person attendance: Paolo Tedesco, Eric Yen, Rahim Bouchra, Ian Neilson, Christos Kanellopoulos, Jim Basney, Shahin Rouhani, David Kelsey, Cosmin Nistor, Jana Kejvalova, Jan Chvojka, Eisaku Sakane, Jan Jona Javorsek, Marc Turpin, Emir Imamagic, Derek Simmel, Scott Rea, David Groep, Vincenzo De Notaris; as well as Romain Wartel, Hannah Short and Maarten Litmaath on the Open Day.
and for their extensive presence in the videoconference: Javi Masa, Roberto Cecchini, Vladimir Dimitrov, Miroslav Dobrucky, Ara Grigoryan, Reimer Karlsen-Masur, Nuno Dias, Lidija Milosavljevic, Mariam Pilikyan, Ronald Osure, Jens Jensen, and John Kewley.

(and to Thomas Baron for continuously monitoring Vidyo operations)