Dear EUGridPMA and IGTF members,

The 40th anniversary EUGridPMA meeting is now over, and I would like to take this opportunity to again thank Jan Jona Javorsek and the Josef Stefan Institute for hosting in the greenest (and one of the nicest) cities of Europe.

I would like to share with you a few of the highlights of the meeting. Send corrections and omissions if you spot them, since these have been taken from my own scribbles and memory at
https://eugridpma.org/meetings/2017-05/eugridpma40-notes-davidg.pdf

Slides with background of the Ljubljana meeting are attached to the agenda at
http://www.eugridpma.org/agenda/40

More extensive notes, kindly taken by Dusan Radovanovic, will be available shortly as well!

Subsequent meetings will be:

** 41st EUGridPMA meeting, September 25-27 2017, Manchester, UK, kindly hosted at the University of Manchester by Mike Jones and by Dave Kelsey and John Kewley from STFC
   --- Note this meeting will start in the afternoon at 1400L, and will run till lunchtime on Wednesday, so that you can travel on the day

** and we're looking for a host for the 42nd meeting in January 2018, for which proposals are very welcome (thanks for considering it)

and of course our affiliated meetings:

- REFEDS on Monday May 29th in conjunction with TNC in Linz, AT
- PEARC (formerly: XSEDE) July 10-13 in New Orleans, US
- NSF Cybersecurity Summit, Aug 15-17 in Washington, DC, US
- APGridPMA at the 44th APAN Meeting, Aug 28-Sep 1, Dalian
- APGridPMA at the ISGC 2018, March 19, 2018, Taipei, TW

See all of you in Manchester, or at any of the upcoming meetings of the IGTF or elsewhere. Details on the logistics will be made available shortly. We also propose that the September meeting includes a space for CAOPS to meet and discuss interoperability matters, so do join us all!

Best regards,
DavidG.
Subjects discussed and listed below
-----------------------------------

* Distributed ledger and (permissioned) blockchains in the IGTF context
* Transliteration without human intervention - the RCauth experience
* Long-term governance models for RCauth.eu
* Disaster recovery and integrity
* Trusted Credential Store Guidelines
* Jens' Soap Box
* PMA operational matters, reviews, accreditations, federation support
* Other updates: SHA-2, IPv6, and CRL host updates
* Attendance

All presentations are available on the agenda page:
http://www.eugridpma.org/agenda/40
Please review these as well as a complement to this brief summary. Much information is contained therein and not repeated here.

We also thank Eric Yen and Derek Simmel for presenting the updated information from the APGridPMA and TAGPMA, respectively.

Distributed ledger and (permissioned) blockchains in the IGTF context
---------------------------------------------------------------------

Although blockchain (distributed ledger) technology is best known in its anonymous form - mainly as cryptocurrencies like Bitcoin - there is an interesting set of use cases for /permissioned/ block chains for organised communities. Prime examples could be immutable audit trails for credential validation, attribute transformations and (research) data provenance, as well as certificate transparency. The presentation given by Scott Rea [linked to the agenda materials] gives a great overview of the technology and examples, and already proposes some use cases.

There are also concerns to keep in mind, especially if private data is posted to the block chain in encrypted form, but at a later time the encryption method is broken. Posting only a secure digest of the data will probably mitigate that somewhat, but if the underlying data is enumerable, then an attacker could just try to guess such data if the digest is public.
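To make the enumeration concern concrete, here is an added Python example (not from the meeting slides or any IGTF code) that posts a bare SHA-256 of a date of birth, recovers it by trying every plausible date, and then shows the usual mitigation: a keyed commitment (HMAC under a key held by the data owner) that an auditor can still verify once given the key. The record value and key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Constructed sample record: a date of birth has only ~44,000 plausible
# values, so it is "enumerable" in the sense of the discussion above.
SAMPLE_DOB = "1985-07-14"


def public_digest(value: str) -> str:
    """Naive ledger entry: a bare SHA-256 over the record."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_commitment(value: str, key: bytes) -> str:
    """Mitigation: HMAC-SHA256 under a key kept by the data owner. Guessing
    candidate values is useless without the key, yet the owner can later hand
    the key (or a per-record key) to an auditor to prove what was committed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def verify_commitment(value: str, key: bytes, commitment: str) -> bool:
    """Auditor-side check: recompute the commitment and compare in constant time."""
    return hmac.compare_digest(keyed_commitment(value, key), commitment)


def recover_from_bare_digest(digest: str,
                             start: date = date(1900, 1, 1),
                             end: date = date(2020, 12, 31)) -> Optional[str]:
    """Try every date in range against a published digest. Succeeds for a
    bare hash; returns None for a keyed commitment (no candidate matches)."""
    d = start
    while d <= end:
        cand = d.isoformat()
        if hmac.compare_digest(public_digest(cand), digest):
            return cand
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    print("bare digest recovers:", recover_from_bare_digest(public_digest(SAMPLE_DOB)))
    key = secrets.token_bytes(32)          # owner-held key, generated from a CSPRNG
    com = keyed_commitment(SAMPLE_DOB, key)
    print("keyed commitment recovers:", recover_from_bare_digest(com))
    print("auditor verifies:", verify_commitment(SAMPLE_DOB, key, com))
```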
This could be relevant in case of medical records, or for identity validation information that could be posted as an audit chain by a Credential Service Provider. Infrastructure use cases mentioned included the 'accountability of accounting systems', and the prevention of (unintentional?) multiple publishing of such records.

The time stamping source in a permissioned BC comes from the ledger's own time source, which needs to be checked and maintained. And no single entity should obviously control more than 50% of the nodes in the system ...

Review the slides on-line and contribute to the discussion on the list!
[https://indico.nikhef.nl/event/823/contribution/3/material/slides/0.pdf]

Transliteration without human intervention - the RCauth experience
------------------------------------------------------------------

The original (simple) transliteration proposed and now used in RCauth.eu, the IOTA authority that imports 'all of eligible eduGAIN based on REFEDS R&S and Sirtfi', was rather unhelpful to users whose name is usually spelled in non-Latin characters. These were always replaced by "X" everywhere, and as a result some users (e.g. from Greece) had their name displayed as "XXXXXXX XXXXXXXXXX". Rightfully, these users were not entirely satisfied with the proposed transliteration.

A new mechanism is proposed based on the ICU project's library, and the new implementation is to take effect forthwith. The mechanism, described in the slide deck, still meets all the formal text in the CP/CPS (which was written in a permissible way for this purpose), although for displaying the Organisation name a change will be made to the CP/CPS to permit punycode for IDN domain names.

However, transliteration is very much culturally and historically defined, and Unicode (or UTF-8) does not distinguish code points for glyphs based on the country and culture of origin. It is thus almost impossible to do a correct transliteration of all names.
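As an added illustration (not the RCauth code, which is moving to the ICU library), the following Python shows how the original "replace anything non-Latin with X" rule turns a Greek name into the XXXX display names mentioned above, and a selector that prefers an IdP-supplied language="en" value over any local transliteration. The names and tagged attribute values are constructed, and the accent-stripping fallback stands in for the simple original rule.

```python
import unicodedata

# Constructed sample: a displayName attribute released with several
# xml:lang tags, as an IdP may do. The values are made up.
ATTRS_WITH_EN = {"el": "Γιώργος Παπαδόπουλος", "en": "Giorgos Papadopoulos"}
ATTRS_GREEK_ONLY = {"el": "Γιώργος Παπαδόπουλος"}
ATTRS_LATIN = {"de": "Jürgen Müller"}

# Characters the simple rule lets through unchanged.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ '-.")


def naive_transliterate(name: str) -> str:
    """The simple rule: decompose (NFKD) so accents become separate combining
    marks, drop the marks, and replace every remaining non-Latin character
    with 'X'. Greek letters have no Latin base character, so a Greek name
    degrades to a row of X's; accented Latin names survive without accents."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue
        out.append(ch if ch in ALLOWED else "X")
    return "".join(out)


def displayable_name(tagged_values: dict, fallback=naive_transliterate) -> str:
    """Honour the IdP's own 'en' rendering when present; only transliterate
    locally when no such value was released (first value, in release order)."""
    if "en" in tagged_values:
        return tagged_values["en"]
    first_value = next(iter(tagged_values.values()))
    return fallback(first_value)


if __name__ == "__main__":
    for attrs in (ATTRS_WITH_EN, ATTRS_GREEK_ONLY, ATTRS_LATIN):
        print(attrs, "->", displayable_name(attrs))
```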
Implementations like RCauth that - on input - support the conveyance of the same attribute with different language tags should thus honour such tags, and if a 'language="en"' version of the name attribute is provided, use that one in preference to attempting its own transliteration. Then the responsibility for the transliteration is at the originating IdP, who should be aware of local sensitivities.

Review the slides on-line at:
[https://indico.nikhef.nl/event/823/contribution/8/material/slides/1.pdf]

Long-term governance models for RCauth.eu
-----------------------------------------

The RCauth.eu service - an IOTA authority that leverages qualified eduGAIN and Infrastructure proprietary IdPs to issue short-term DOGWOOD assurance credentials to users that are subsequently held in credential repositories - was originally developed as a pilot in the Authentication and Authorisation for Research and Collaboration (AARC) project [see https://www.aarc-project.eu/]. It is being run today by Nikhef as part of the Dutch National e-Infrastructure coordinated by SURF for the benefit of the entire European R&E infrastructure community. But in the longer term, this is neither a sustainable nor a desirable situation.

A consortium of interested parties (mainly generic European e-Infrastructures) has come together to support this service beyond 2018, leveraging not only SURF but also EGI, EUDAT, and GEANT. Also ELIXIR is a key stakeholder in this process. The presentation (attached) foresees a model where both governance and authority key management are distributed, and more than one organisation will have an activatable copy of the private key used for signing RCauth.eu end-entity credentials. Governance models, risks in key management, and the distribution mechanism were reviewed, and the EUGridPMA would accept a distribution of the key pair amongst multiple parties provided a single coherent management is in place, without jeopardizing the accreditation of RCauth.eu.
The governance model, the distribution ceremony, and the understanding between the hosting institutions (GRNET, STFC/RAL, Nikhef) should be described in the CP/CPS. MoUs (if not contracts) need to be in place to ensure accountability and recourse. Of course, technically the issued credentials should stay unique. Part of that is traditional distributed database engineering, part is the option to assign ranges of serial numbers to each partner.

Review the slides on-line at:
[https://indico.nikhef.nl/event/823/contribution/9/material/slides/1.pdf]

Disaster recovery and integrity
-------------------------------

Doing both disaster recovery and security right at the same time remains a challenge. It is not for naught that e.g. Luna recommends that the parts of key recovery are not to be given to managers, since they are not sufficiently trustworthy (to remember what to do technically, that is :) Yet making it more secure also makes it easier for key material to get lost, impacting business continuity and integrity. The slides by Jens list several of these issues and potential points for work, which will be pursued in conjunction with the distribution of the RCauth.eu key material, where a similar issue will occur. Creative use of bar code scanners and HID-compatible USB scanners can help with long splittable nxm passphrases, but it remains complex :)

Review the slides on-line at:
[https://indico.nikhef.nl/event/823/contribution/10/material/slides/0.pptx]

Trusted Credential Store Guidelines
-----------------------------------

The Guidelines on Credential Stores (the minimum requirements and recommendations for the operation of trusted Credential Stores) have been completed during the meeting. Now all sections have been reviewed and are up-to-date, and are expected to meet Infrastructure, authority, and relying party requirements.
This document is a prerequisite for credential stores that want to connect to RCauth (before getting their OIDC set up), but is equally relevant to infrastructure MyProxy stores, institutional repositories, and key management systems. The (v2) Private Key Protection guidelines also reference this document.

The new text is now on the Wiki at
[http://wiki.eugridpma.org/Main/CredStoreOperationsGuideline]
and will be formatted as an official EUGridPMA Guidelines document shortly. It will then be available from
https://www.eugridpma.org/guidelines/trustedstores/

We hope that this document will serve a wider purpose for our infrastructure members and relying parties.

Jens' Soap Box
--------------

There is no way to briefly summarize this great soapbox and the discussion that ensued. Review
https://indico.nikhef.nl/event/823/contribution/17/material/slides/0.pptx
https://b2share.eudat.eu/records/20c1c0c8ba254e768fbcb67724918936
and join live next time!

PMA operational matters, review, and accreditations
---------------------------------------------------

- The current chair, David Groep of Nikhef, was re-elected as Chair for the 2017-2018 term. The proposed direction to (increasingly) add attention and agenda time to including Research and generic e-Infrastructures (as RP members) in the PMA, and to support them in engaging with R&E federations, is encouraged and endorsed by the PMA. The practical working mode of the PMA ("it does have to work now") is an asset that has to be preserved in that process. An agenda and programme steering group could help alleviate some of the pressure on the chair to draft the agenda alone. Dave Kelsey and Scott Rea will pro-actively assist in drafting the agenda, and thus meet more frequently (virtually) to discuss progress.
- The alignment with the AARC work programme is welcomed and endorsed.

- The new DarkMatter self-rooted CAs will follow a new policy and practice statement (although still also compatible with the QV ones during the transitional period). The new CP/CPS was circulated to the PMA and assigned reviewers (Feyza, Jens, DavidG, CC Reimer). Comments are coming in, and the target is to review this as soon as feasible. The root trust anchors are hosted in the UAE in controlled data centres using EJBCA software with self-developed patches that have now been contributed upstream. The new roots are going through all 3 WebTrust audits (technical, Baseline, EV) right now, and the IGTF-private root will go through that process next week. The new classic IGTF CA off that private root will also be used by Ankabut.

- The Pathfinder AAAI CA (UK) was presented by Jens. This new service, leveraging the UK JISC Assent service infrastructure, is targeting the MICS profile and will use a handful (1-5) of Identity Providers as back-end sources of identity to the service. The Pathfinder AAAI project itself runs until the end of June 2017, but the aim is for the new CA to outlive the project and be a long-term service. The reviewers assigned are Christos Kanellopoulos and David Groep. The real challenge for this CA (like it was for GEANT TCS and RCauth.eu) is to provide the end-to-end chain of documents that meets the MICS requirements, and to do so without requiring too much new (legal) paperwork. The mechanism proposed is to use the Assent "Communities of Interest" to scope the service to only known compliant IdPs, and then use the existing Assent agreements framework to bless this scope and maintain its integrity. The long-term aim would be to replace the entire (classic) UKeScience 2B service with a MICS based service.
  For the accreditation of this new CA, a full set of documents must be there, and the mechanism to weed out IdPs that are out of scope (such as the self-signup guest IdPs that are present in the UK Access Management Federation) should also be described. The review target date is end of June, although everyone acknowledges that this will be challenging. Meanwhile, the trust anchor can always be included in the distribution under the unaccredited tree (where also the InCommon Basic CA lived before it moved to IOTA).

- The EUGridPMA discussed (and endorsed) the closer integration with existing R&E and AARC federation efforts, and views positively any development to use the IGTF as a mechanism to support Research and e-Infrastructures - our relying parties - in joining existing R&E federations. If that includes operating a federation technical infrastructure (signing, distribution, assessment and enrolment workflows), there is interest by the PMA members to support that. That would facilitate a global setup, given that such support can already be found in the Americas as well. Interested parties include Jens, Jan Jona, DavidG, and others. The operational capability can then be distributed (further than the mainly off-line infrastructure for generating IGTF meta-data is (not) distributed today). We would hope that this also helps Infrastructures and research communities gain access to closed forums such as the FOG and eduGAIN membership. Non-national federations are now eligible to join eduGAIN, which is great, and a definite help for non-national service providers and SP-IdP Proxies.
- The following CAs presented their self-audit during the meeting, and the requisite reviewers have been assigned:
  * EG-grid (EUN): Dusan Radovanovic and David Groep
  * AEGIS CA (RS): DavidG, Emir Imamagic (tbc)

- For the pending self-audits, the one for ArmeSFo was completed successfully; others - especially those where there are significant changes - need a more in-depth assessment with their new CP/CPS. The UK eScience 2A is being re-assessed completely as the Pathfinder AAAI (MICS) authority now. We remind authority members that it should be the intention to also complete the review process in time.

Other updates
-------------

- It should be considered to re-issue intermediate CAs with SHA-1 as (new) SHA-2 CAs, also without revocation of the root. That will get rid of browser warnings and monitoring errors, and improve usability. Even if that means that you are vulnerable to 'old' self-signed roots out there that could be inappropriately used to verify the old SHA-1 intermediates. Software support for SHA-1 EECs and intermediaries may soon disappear from popular software stacks like dCache.

- Please enable IPv6 for CRL downloads as soon as possible. Use the mechanism described by Jim Basney for free use of CloudFlare if local IPv6 is not yet available.

- We remind our authority members that the version of the web server hosting the CRLs can in many cases be automatically inferred, and that we have active relying parties monitoring their status. Keep these up to date to prevent reputational damage to the trust fabric as a whole.

Attendance
----------

We would like to thank the following members for their in-person attendance: Scott Rea, David Kelsey, David Groep, Marc Turpin, Ian Neilson, Jan Jona Javorsek, Dusan Radovanovic, Jens Jensen; and for their extensive presence in the videoconference: Jan Chvojka, Christos Kanellopoulos, Miroslav Dobrucky, Nuno Dias, John Kewley, Vladimir Dimitrov, Cosmin Nistor, Feyza Eryol, and Bozidar Proevski.