IGF meeting 3/15/2005 5:06:34 PM

Action Items
- IGF members to respond to OSG request: 1) we received it; 2) agree in principle and working to respond
- Revamp IGF web site (gridpma.org) – see notes
- Clarify naming
- DG: Send doc + slides to sourceforge/Darcy
- Meet in Chicago

Discussion
DG: We started at GGF-6 at Tokyo

Status & plans of APGrid PMA (Yoshio Tanaka, http://www.apgridpma.org)
- See table of CAs, services, &c
- 2 levels of CAs:
  - Experimental: internal only
  - Production level: stricter, external exposure
- The list has grown – includes India, Malaysia; but many members are not motivated to advance security, sticking with implementations like simpleCA. Some, such as U of Tsukuba, are in the LATTICE QC grid project so need to have international recognition.
- Changing membership:
  - General membership – no vote
  - Representative/ex officio category
  - Add relying party members
- Change meetings from email votes to regular and/or video conf meetings
- Re-certification efforts
- Establish relationships w/ other PMAs

EU Grid PMA (David Groep, http://www.eugridpma.org)
- Map of Europe
- Table of European CAs: now showing last appearance at PMA, and "presentation"
- We extended root CA lifetime to 20 years
- SEEGRID – different people run the CA, and deal with the relying party perspective

The Americas Grid PMA (Darcy Quesnel, http://www.tagpma.org)
- We are in a recruiting phase
- Mike mentions contacts made with Internet2 and Fed Bridge as possible affiliations
- TG: I2 is sponsoring the InCommon federation
- TeraGrid wants to be a founding member and is eager to support this effort

International Grid Federation (Tony Genovese)
- History – from Mar 2003, Tokyo. Only EU was a true regional at the time – now have 3 regionals and certificates all over the world
- DG: We have a tendency to have independent PMAs; 6 trust relationships better than a hierarchy/web
- Proposition: Federation document
  - Common elements: statements we can make to relying parties
  - Specific authentication profiles per technology:
    - Classic PKI (EU + YT's comparison efforts)
    - Cert Stores
    - SIPS/KX509
    - Experimental
  - Role of IGF: coordinate authentication profiles. If you get accredited by 1 PMA, then all PMAs recommend to relying parties that they treat all the accredited CAs from any PMA identically.
  - DG has a draft federation document for distribution
  - IGF is dependent on all the members remaining
  - Architecture: PMAs accredit authorities; authorities issue assertions, according to common profiles
  - Naming structure – need uniqueness mechanism [what is this? A namespace registry?]
  - Federation will have a secretariat role – distributed among members – that will respond to inquiries in a timely manner.
  - Publication and Repository – come back at end of session
  - Responsibilities and Liabilities: CAs can't accept liability (seems to be consensus); IGF shouldn't either
  - Membership fees for 3 members? We are not ready for liability, fees &c.
  - Privacy and confidentiality
    - RC: You need to retain enough identity info to make sure it's the same person
    - DS: This is at the wrong level
  - There is some policy content in the document that may need to be sorted out later (discussion).
- Can we change the name to Identity Federation or something? PMA and IGF are kind of misleading or conflicting. Dane: "profile management authority"
- Naming convention for profiles, names, PMA
  - Register names of profiles, and if you change/fork, you create a new name
  - Do we version profiles? Problem – RPs confused by versioning?
  - DS: Use the OIDs. Apparently need an OID registry as well for these profiles
  - Who uses these names? Only the CAs? Will they use this in their CP/CPS? Does the relying party look at them?
  - Classification – names – IGF maintains; tied to a profile document. Versioning of these is needed. How this is expressed, and what uses are made of it, remains to be seen
  - There is no regional specification of authentication profiles
  - But we need branching! No – too hard. Let's keep it simple for now.

Open Science Grid request to Regional PMAs (Bob Cowles)
- Executive Board of OSG will ask 5 items:
  1) Standard profiles: assure approximate parity between CAs, and peer reviews
  2) Namespaces: keep namespaces sane/unique if possible
  3) Forum: allow RP participation
  4) Collection Point: info about accredited CAs, lists of members, &c
  5) Coordinate: standards orgs and other regionals
- If you accept: RP still owns trust, but OSG will encourage reliance on accreditation
- See significant value in role of common service providers
- EU, TAGPMA ok; APGrid PMA ok
- What would you like for us? A: A response saying you accept and here's how we plan to follow up.
- EU: this is nice, as it's a tech spec; in EU we got a lot of support at the political level but at a technical level people didn't know what was what
- In a sense this is a set of min reqs for IGF

Technical & Repository Issues (DG)
- Web sites
  - Current web site shows mixture of CAs, projects, &c
  - Need to remove min reqs from site, keep pointer to Tokyo accord, & 3 regionals
  - Need documents appropriate to this federation
  - DQ: Do we need to change the name/identifier to clarify issues raised above? We will clarify.
- Each regional operates a repository. Relying parties need a common spot, how to find these pieces
  - Set up common mirroring structure to mirror others' repositories? This way you get everything
  - DQ: Must be clear about accreditation in that case
- Distribution of trust anchors
  - Distribution of RPMs for CAs (as in EUGrid PMA and EDG)
  - Convenient bundling service. Is this beyond our role, or desired?
  - RC: Highly desirable, get standard set of CAs, head off self-managed distros.
- MH: Don't like "accreditation" – this is not likely to work well in TAGPMA; need non-pejorative language
- We need incident handling – issues tracking system, perhaps shared among PMAs. 4 kinds of problems:
  - contact – who is TeraGrid?
  - compromise – security incident – TeraGrid incident
  - certificate challenge – FZK
  - CP/CPS defect – publishing point not found
  - Plus probably others.
- David will submit doc to group

Group huddle: will meet in Chicago, ok w/ GGF – organization umbrella TBD
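The "uniqueness mechanism" question under the federation architecture and the OSG "keep namespaces sane/unique" item both come down to one check a federation registry can run: no two accredited CAs may claim overlapping subject-name space, and each CA may only issue names inside its own registered space. The following is an added illustration, not code from the meeting or any PMA; the CA names, namespaces and DN format are constructed examples.

```python
# Added illustration (not from the meeting notes): a toy registry check for
# CA subject-name namespaces in a federation. CA names and namespaces are constructed.

# Constructed registry: accredited CA -> the subject-name prefix it may issue under.
# A prefix is a list of RDN strings in issuing order, as in "/C=XX/O=ExampleGrid".
CA_REGISTRY = {
    "ExampleGrid CA": ["C=XX", "O=ExampleGrid"],
    "ExampleUniv CA": ["C=XX", "O=ExampleUniv"],
}


def parse_dn(dn: str) -> list[str]:
    """Split a slash-separated DN such as '/C=XX/O=ExampleGrid/CN=alice' into RDNs."""
    return [rdn for rdn in dn.strip("/").split("/") if rdn]


def is_prefix(prefix: list[str], rdns: list[str]) -> bool:
    """True if the RDN list starts with the given prefix (exact, case-sensitive match)."""
    return rdns[: len(prefix)] == prefix


def overlapping_namespaces(registry: dict) -> list[tuple[str, str]]:
    """Return sorted CA pairs whose namespaces overlap, i.e. one is a prefix of the other.

    An overlap means two CAs could issue the same subject name, which is exactly
    the uniqueness problem the registry is meant to prevent.
    """
    names = sorted(registry)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = registry[a], registry[b]
            if is_prefix(pa, pb) or is_prefix(pb, pa):
                conflicts.append((a, b))
    return conflicts


def subject_in_namespace(registry: dict, ca_name: str, subject_dn: str) -> bool:
    """True if a subject issued by ca_name lies inside that CA's registered namespace.

    Unknown CAs are rejected: an unregistered issuer has no namespace at all.
    """
    if ca_name not in registry:
        return False
    return is_prefix(registry[ca_name], parse_dn(subject_dn))
```

A relying party applying the same check per issuer, rather than trusting any accredited CA for any name, is what keeps one CA's compromise from spilling into another CA's namespace.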