https://indico.nikhef.nl/conferenceDisplay.py?confId=657

Monday

TAGPMA - update
Derek Simmel re-elected as chair.
Membership - 20 members, 21 IGTF-Accredited CAs
Updating communications infra, website, twiki, lists
TAGPMA 25 in Washington DC Apr 23, 2017
?26 TICAL, Jul 3-5, Costa Rica
Observations:
Continuing trend: smaller infrastructures moving to larger providers
EJBCA popular platform for CA deployment

Self Audit Status and Suspended CAs
https://wiki.eugridpma.org/Members/SelfAuditStatus
RGID - Austria - give more time
Iranian - wait for Miroslav to confirm
Armenia - Jan: waiting for new CP/CPS but should be minor.
Jordan CA: unresponsive. CA removed from distro. Remove registration.
Egyptian CA: with published CRLs and working website but not responding.
Ursula to send comms challenge to Egyptian CA then after 30 days could formally suspend from trust anchor.
Have tried several personal .eg email addresses.
Probably affected users could be homed to Med CA - Roberto - will try to contact previous cert. holders

CA Update - Dark Matter
https://indico.nikhef.nl/materialDisplay.py?contribId=4&materialId=slides&confId=657
Setting up UAE National PKI Infra. All CAs regulated by telecoms auth.
?Ankabut research and education institutes to be provided via Dark Matter
Migrating physical, owned, infra from Bermuda to UAE delayed but expect transfer in March
Seeking accreditation today for IGTF issuing CAs.
Pawel: translation of Arabic names? Maybe English names but not "official". Maybe a challenge if issuing for other countries. Would come back to PMA with another process for supporting other countries.
DavidG: can push Quovadis DM root into distribution now. DM root will need full review of CP/CPS when available. - Faisa/Jens/Reimer reviewing
Scott: would like to be able to make statement for distro to Ankabut. - will circulate.
IGTF Audit Guidelines
https://indico.nikhef.nl/materialDisplay.py?contribId=5&materialId=slides&confId=657
1) Created Excel spreadsheet by copying old and merging text
Some work left: slide 6
DavidG: will install new onto webpage/wiki with guidance text.
2) GridKa-CA self audit
https://indico.nikhef.nl/getFile.py/access?contribId=5&resId=4&materialId=slides&confId=657
Discussion over status of records from RAs.
Suggestion to audit selected RAs with text added to CP/CPS according

Monday afternoon

Ioannis Kakavas - IGTF to eduGAIN bridge
Part of AARC project - design, test, pilot
Solution for allowing eScience services users to access Services
Extensions to open-source PHP project.
Bridge needs to be enrolled in eduGAIN as IdP. Should be limited numbers of instances (or 1).
Stateless can have multiple IPs running instances serving same
Vincent: can code be extended to add attributes? - configurable, should be easy
SAML signed with self-signed cert. from IdP - included in signed metadata bundle.
Will GRNET register in eduGAIN? - yes
Can we assert REFEDS, rns, Sirtfi? - should be possible
Could IGTF be registrar for large research federations (LIGO) to get into eduGAIN? Would be "home" for large infrastructures without having to choose national federation. Already numbers of infrastructures (50+ EU).
Vincent: can RP add attributes after signed assertion - possible at stage of proxy creation.

PRACE security model
Idea to find match with eduGAIN services
Use case 1: PRACE as Ifed consumer - relies on home site.
LoA not common within eduGAIN. Can be done with hand-picking IdPs aided by things like rns & Sirtfi
Plus work by REFEDS/MLinden et al giving "equivalence" of IGTF assurance profiles in process
REFEDS - also working on multi-factor auth assertions - can be inspected eduPersonAssurance std attribute