NOTES 39th EUGridPMA
Tuesday 31 January 2017 (Florence, Italy)

Chair: David Groep
Notes: Walter de Jong

09:30 CA Update CYGrid CA
Maria Podeva
University of Cyprus
PRACE users
offline CA
self-audit in January 2017
- CP/CPS needs some minor changes: update section numbers
- CP/CPS one major change: describe audits
- 2 must change points
- some could not evaluate
- action plan in place, future steps taken
* low volume CA, maybe move to using TCS
- review new CP/CPS by JanC and DavidG

09:55 CA Update UGrid
Technical University of Ukraine
Oleg Alienin, Sergii Stirenko
offline CA
suspended institutes in Donetsk + Crimea area
new OID needs to be approved by PMA
upgraded key length, cipher to minimum of 2048 bits, SHA256
self-audit in January 2017
some points identified, to be improved
new CA cert is not yet in IGTF distribution
- review new CP/CPS by UrsulaE and IanN

10:20 Remote Vetting
Christos Kanellopoulos
experimenting with remote vetting: experiences
phone camera is good enough to see (some, but not all) security features of a passport; use flashlight and tilt the passport to reveal hologram
JanC also did experiment; identity card does not have good visible security features. Probably could be faked. Probably illegal to craft a fake id to test with. Will do more experiments
Jens: official government document describing identity documents; passports, id-cards, driver's licenses, etc.
Checking security features (UV marks, watermarks, etc.), photo (facial recognition)
Any encountered false documents should be reported to police
Should do a cross check with company/institute to confirm person's identity
CAs should accredit RAs, audit RAs, train RAs

11:20 coffee break

11:50 UKeScience CA Update : developments
Jens Jensen
Moonshot : "eduRoam for ssh, web"
non-web (and web) SSO
needs some client-side sw to be installed, but becoming "standard" in Linux distros and MacOS
sw almost finished
pilot with SAFE; AAAI : link together account mgmt, authN, authZ, accounting
not in AARC, but should work together with/present in AARC
Pathfinder project: repurpose 2A to be a SLCS CA
pilot, but aim for full production
there are no certificates issued to entities, so no migration needed
will need a new CP/CPS for this new CA
to be reviewed by DavidG and someone else
STFC could host RCauth key for signing for EUDAT
CPS needs to be updated for certain boundary cases
SHA2 still needs to be done; needs new root + updated disaster recovery procedure
still need to implement IPv6 CRLs

12:30 lunch break

14:00 visit Galilei's house

15:00 IPv6 status update
David Groep
serve CRLs via IPv6
41 working, 53 broken
not much progress, really
CAs are asked to fix this ASAP; WLCG allows IPv6-only worker nodes by April 2017. So this sets the deadline to April 1st 2017
A possible solution is CloudFlare; Jim Basney (NCSA, TAGPMA) put CRLs in CloudFlare: hundreds of thousands of requests every day, globally distributed by CloudFlare--and they also do IPv6

15:45 tea time

16:10 OGF Update
Jens Jensen
OGF is still alive. Some groups dormant, some groups active
OGF standard could become an ISO standard. Still open because of open license
Positive experiences with 'plugfests' (i.e. hackathons)
CAOPS: sharing operational practices, but it's too quiet, inactive
CAOPS needs someone who can get this going again, organize event

16:40 Jens' Soap Box
Jens Jensen
IGTF enables global e-infrastructure
- Certificates work well
- Some operations are hard to do. Are they done right?
Connecting infrastructures:
- RCauth
Using other technologies: be careful not to weaken the infrastructure
Innovations must be coupled with risk assessments

17:30 closing the day
Next EUGridPMA meeting will be in Ljubljana, 22-24 May 2017

EOB