Notes EUGridPMA, May 2018

Host: KIT

Attendees: David*, Uros*, Ian*, Hannah* (note taker), Walter*, Melanie*, Ingrid*, Scott*, Cosmin, Eric, Jan, Lidija, Miroslav, Valentin*, Reimer*, Emir*, Feyza, Nuno, Mischa, Jouke, JK, Marc*, Nabil*, Pawel*, Marcus*
*in the room

Thank Yous: Local hosts, in particular Ingrid
and Hannah Short for taking these notes

Notes Wednesday 23rd 

  • Announcements
    • Please upload slides to
    • Volunteers wanted for hosting the autumn meeting
    • Dinner 19:00 Gasthaus Gutenberg, see logistics and maps at
    • Thursday/Friday, catch the 08:30 shuttle to KIT North Campus
    • Katrin visit rescheduled to start at 13:00 on Thursday
    • Scott volunteered for January EUGridPMA in Abu Dhabi
    • New CPS for CESNET, added to the agenda for Friday morning
  • APGridPMA Update (Eric from Academia Sinica, chair of APGridPMA)
    • New chair (Eric Yen) and vice chair (Eisaku Sakane) elected last October in Japan
    • 2 meetings per year, often co-hosted, each CA must give a self auditing report per year
    • Connection with Australia lost for a long time. Next meeting in NZ (August) should clarify status.
    • Regional catch-all CAs serving many countries
    • ~50% CAs are not yet supporting IPv6
    • In October meeting
      • Federated Identity Management presented following user demand for friendly workflows
      • Remote identity vetting, propose to use existing IGTF resources
      • (see slides for full list)
    • Supporting AAI, helping others to join eduroam and eduGAIN. Webinars organised
    • RPs from AU and NZ to be invited, want to extend experiences with user engagement beyond physics/astro to bio-sciences etc
    • Identity & Access Management WG hosting series of meetings to boost participation and engagement
    • Little engagement from present EUGridPMA attendants to attend August meeting  in NZ
  • IGTF All-hands, possibly to be hosted at ISGC in Taipei in March 2019 - all encouraged to attend
  • Self Audit Status (Cosmin)
    • GermanGrid (presentation on Friday) there is an open question r.e. private key storage for new CPS
    • RDIG, no response via email, should incorporate recent changes. @DavidG will follow up 
    • AustrianGrid, likely to be gone within a year and replaced with TCS. Terms of retiring CA defined in CP/CPS. Maintainer is retired and voluntary.
  • MD (Moldova) CA Update
    • Storage updated, restricted access to secure room
    • User certificate request process explained. Host certificates are requested by user that have user certificates and are host admin (known through tight-knit community). 
    • Certificate revocation upon user request, expiration or violation. Old certificates must be revoked before new ones can be issued - this is why the CRL is quite long.
    • MD-Grid CA based on old CP/CPS
    • Following RFC 3647
    • New CA = MD-Grid-CA-T and has 11 month overlap with old CA. Not yet registered in TACAR
    • Website contains old and new information
    • Issuing digicert certificates. Joined TCS several years ago
    • Q, is SHA1 ok? OK for root certificates. MD CA used SHA256. SHA1 certificate on webpage is just a fingerprint.
  • OIDC Federation (Mischa, David, Jouke)
    • Introductory slides for those not familiar with OIDC
    • Research communities would like to use OIDC (user and developer friendly) but standard does not easily scale to multiple Identity Providers, so current focus on dynamic OIDC federations 
    • For research communities, we need to trust both the OPs (OIDC Providers, roughly Identity Providers) and the RPs (standard OIDC relies on RPs trusting OPs but OPs knowing nothing much about RPs)
    • Multiple federation aspected from SAML and x509 can be reused; policies, assurance profiles, token translation
    • Discovery, registration and trust are decoupled
    • Trusted 3rd parties needed at scale, a heirarchy of trust relationships
    • Metadata is sent with registration requests and [the key material therein] must be short lived [could be one or a few days] - this may have operational impact
    • Some test scripts are available on github. Google is developing OIDC libraries in multiple languages and will (hopefully) include OIDC Fed requirements
    • Ongoing work in the GEANT Project to address infinitely large scenarios
    • At last IGTF meeting heard from stakeholders looking for OIDC Federation
    • Monitoring work in other groups
      • Still seems early stages
      • Trainig material should be added to a website at some stage
      • Mobile client registration discussion started, some concern about users having full control over devices so may be out of scope
      • SWAMID have a fairly complete spec., based on URLs
      • Work in REFEDS [oidcre group] for new claims in OIDC
    • WLCG Authorisation WG should be trying to keep the bigger picture in mind
    • Request is that people with RPs and OPs join the pilot - WLCG might make sense (happy to at least explore the idea) and possibly WATTS
    • Q: Where are the policies for this? Aim is to make existing policies technology agnostic. Some templates should be created. May be enough to use e.g. CoCo & Sirtfi, however we need policies in addition to profiles. Should come up with minimum necessary policy.
    • Some pertinent links:
      SWAMID profile for OIDCfed
      PoC for OIDCfed based on an 'out-of-band' profile. Roland and Davide
        have been debugging the setup today but I think it should work now
      There should be a new website coming soon at and
      Basic OIDC primers / talks, in particular the second has nice clear
      introductory material under 'presentations':
      - Roland's material:
      - Davide and Andrea (Biancini), nice intro:
  • TAGPMA Issues & Developments
    • Last Face-to-face at Internet2 Global Summit
    • Latin American meetings have been less successful, possibly co-locate with RedCLARA
    • Interest in OIDC Fed
    • OSG CA Retirement, many DoE sites do not know where to get their host certificates
      • Funding crash means that OSG CA RA will cease operations on May 31st
      • User certificates have workarounds
      • Host certificates are more problematic. e.g. Fermilab 1300 host certificates needed, BNL get 100, many Tier 2/3 sites
      • DoE labs cannot get certifcates from InCommon CA, possibly political problems. It is also quite expensive ($175 per cert) 
      • A free alternative is LetsEncrypt. Criticism of some security practices - e.g. phishing.
    • LetsEncrypts (LE)
      • Offering CA in CABForum offering Domain Validation
      • 90 day host certificates, auto renew
      • DNS records to identify host owners
      • Question to IGTF of what would need to change to allow LE host certs
      • Position paper available from OSG security officer
    • Current situation
      • Nobody willing to host the OSG CA, moved out of IU for strategic reasons
      • Users redirected to CERN or CiLogon
      • Services redirected to Incommon IGTF CA 
      • Digicert may be able to provide a fee-per-certificate service
      • OSG thinks LE could be used in an equivalent way to IOTA & Community ID. OSG members have a site registration step that could be queried
      • Some work already done to identify risks (but from the OSG perspective so biased)
      • BREAKING NEWS, DoE labs can now get certificates from InCommon CA at a fee
    • Should we be starting a conversation about how to allow IGTF accredited host certs? Comments
      • DV validated certs offered for free (work in progress for higher LoA certs) - need to be aware that the current assumptions may change
      • Would need LE to participate in community and current model is fee-based
      • Currently backed by Identris 
      • Do we require LE to come to IGTF? Is that realistic? 
      • Is DV enough? Too much trust placed in internet & DNS etc (only checked at point of issue)
      • If motivation is purely financial, there may be other options within IGTF
      • The RA aspect is possibly more complicated and costly than the CA, this could have been underestimated
      • If this is only a small use case, there is less of a case for introducting low/no assurance CAs to IGTF
    • OSG Guideance at
    • There's a TAGPMA WG and EUGridPMA participation is welcome with a small fee ;)

Notes Thursday 24th

  • Introduction to KIT from Andreas 
    • Helmholtz does long term research and large scale computing facilities 
    • KIT is a merger of Technical Uni. of Karlsruhe and this Nuclear Research facility
  • Policy Starter Pack
    • Acceptable Assurance Policy should be more guiding, leverage AARC guidelines on profiles and help readers to pick the right one
    • We should test the pack on several communities to understand relevant questions and blocking points (e.g. HDF, EOSC)
    • Need to add clarity on involving management from the beginning
    • EOSC-Hub will be sending a survey to their participating communities to understand AAI requirements, this could be useful input. Expect 15-20 responses
    • Unclear to many how policie are managed and adopted in complex scenarios involving hybrid community-infrastructure-services environments
    • Clear usage for new communities, less clear for communities purely leveraging generic infrastructures or those already operational. Important thing is that using the Policy Starter Pack should not put you in conflict with interoperating with infrastructures
    • FIM4R contributors may be the right policy people from communities
    • Maybe we need to re-brand as "Policy Development Kit" rather than "Starter Pack" since it is probably relevant for those trying to update policies in line with e.g. GDPR
    • Proper moment to collaborate with EOSC Hub, should include policy questions in agenda with communities
    • Add question to EOSC survey to collect Policy Contacts
    • Try and add some nicer schematics
  • AUP
    • How do we say that other communities can layer more specific requirements on top of this? -> changed starting sentence
    • Need for citation -> should remove this, should be annotated in Policy Development Kit
    • Personal data governance -> replaced original text to point to privacy statments instead of duplication information
    • Replace SLA clause (8)
    • Privacy statement has to be shown explicitly 
  • GDPR
  • SRCE CA Update
  • Attribute Authority Operations Policy

Notes Friday 25th



  • @DavidG to chase Eygene from RDIG
  • @DavidG to chase Willy from AustrianGrid on dates for CA retirement
  • @Cosmin and @Feyza to review self assessment of MD CA
  • @All volunteer to be RPs and OPs in OIDC Fed Pilot
  • @Hannah and @Mischa to add considerations for OIDC Fed into ongoing WLCG Authorisation Work
  • @All send email to Derek if want to be in TAGPMA LE emailing list
  • @Pawel to add a question to the EOSC survey to collect policy contact
  • @David/Dave/Uros/Hannah ask for policy contacts from FIM4R List