Upload
giles-morton
View
218
Download
0
Tags:
Embed Size (px)
Citation preview
Updates from the EUGridPMA
David Groep, Apr 8nd, 2008
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 2
David Groep – [email protected]
EUGridPMA A word on its history Autonomous growth “Virtual Silk Road” PKI
Plans and updates Auditing Identity Vetting processes, AuthZ, 1SCP, CP/CPS doc Repository issues
CAOPSwg documents Grid Certificate Profile finally “Published”! RPDNC requirements …
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 3
David Groep – [email protected]
Eight years of growth
November 2000:Invitation to the DataGrid WP6 partners
December 2000:First CA meeting at CERN
March 2001:5 CAs: CNRS, LIP, NIKHEF, CERN, INFN, UK-HEPFirst version of the minimum requirements
December 2002:Inclusion of the CrossGrid CAs
April 2004:Establishment of the EUGridPMAFirst formal charter and guidelines documents
…April 2008: 77 accredited CAs in the IGTF
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 4
David Groep – [email protected]
Minimum Requirements version 1
Minimum requirements for RA - Testbed 1 --------------------------------------- An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate e.g. by personal contact or some other rigorous method The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.
Communication between RA and CA ------------------------------- Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person
Minimum requirements for CA - Testbed 1 --------------------------------------- The issuing machine must be:
a dedicated machine located in a secure environment be managed in an appropriately secure way by a trained person the private key (and copies) should be locked in a safe or other secure place the private keu must be encrypted with a pass phrase having at least 15
characters the pass phrase must only be known by the Certificate issuer(s) not be connected to any network
minimum length of user private keys must be 1024 min length of CA private key must be 2048 requests for machine certificates must be signed by personal certificates or verified by other appropriate means ...
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 5
David Groep – [email protected]
The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGridPMA) is •a body to establish requirements and best practices •for grid identity providers •to enable a common trust domain applicable to authentication of
end-entities in inter-organisational access to distributed resources.
As its main activity the EUGridPMA•coordinates a Public Key Infrastructure (PKI) •for use with Grid authentication middleware.
The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter - the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
The EUGridPMA “constitution”
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 6
David Groep – [email protected]
The story so far …
0
10
20
30
40
Mar
-01
Sep-0
1
Mar
-02
Sep-0
2
Mar
-03
Sep-0
3
Mar
-04
Sep-0
4
Mar
-05
Sep-0
5
Mar
-06
Sep-0
6
acc
red
ited
CA
sFoundation of the IGTF
allows migration of CAs to Regional PMA
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 7
David Groep – [email protected]
The IGTF
TAGPMA APGridPMA
improve trust building through better face-to-face contact better manageability of the PMA
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 8
David Groep – [email protected]
Geographical coverage of the EUGridPMA
23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR,
UA, ME, MK, SEE-GRID + CA, CERN (int), DoEGrids*
Pending or in progress IR, SY, MD, LV
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 9
David Groep – [email protected]
More growth expected
Pending EUMedGrid countries: DZ, TN, LY, EG
New initiative across the ‘silk road’ countries Established by Ara Grigoryan and ArmeSFo In collaboration with NATO Partnership for Peace
programme
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 10
David Groep – [email protected]
Auditing started
Based on APGridPMA Auditing effort
Self audits, peer-reviewed BEGrid, DoEGrids, IUCC, TR-Grid, ArmeSFo,
HellasGrid, CyGrid
Assessments were thorough Implementation of recommendations started
Also external audit DutchGrid CA (thanks, Yoshio!)
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 11
David Groep – [email protected]
Pending plans: ‘AuthZ op. policy WG’
Discussing extending to AA policy requirements authZ as important as AuthN,
but operational AuthZ policies today are far less clear minimum requirements on running an AA server may
be quite similar to running a CA ‘There is no other large group of experts out there
waiting to take this on’ – we don’t need a parallel I*TF
But: scaling the model is very, very different; … Dave Kelsey will sort this out …
http://www.eugridpma.org/agenda/archive-a073/kelsey15jan08.ppt
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 12
David Groep – [email protected]
More to-do items
Repository of “good” and “bad” CP/CPS examples boilerplate text repository On software used Activity ‘owner’: Jens Jensen
‘profiling’ of various identity vetting options Traditional F2F Notary-public-supported verification ‘Time-shifted via implicit RA/Agent anointments’ or ‘TTP’
One-Statement Certificate Policies (1SCP) First 1SCPs should be there soon:
‘private key is held on a token’‘I am a Robot/automated client’
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 13
David Groep – [email protected]
IGTF Release Process and Web
Release Process Releases moved to (preferably) Monday or Tuesday Documentation of the process still needed
Use: https://dist.eugridpma.info/distributionmirror:https://www.apgridpma.org/distribution
Web server updated Room for some additional static services Input and suggestions are very welcome!
Monitoring and alarms Nagios: http://signet-ca.ijs.si/nagios/ (guest/guest)
(mirror at AIST) PMA Distribution Warnings by email 4 times/day
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 14
David Groep – [email protected]
CAOPS-WG
Grid Certificate Profile is now published as GFD-C.125
Relying Party Defined NS Constraints New draft out on GridForge Out to RPs for comments and new requirements Pending reactions (we got one from DavidCh already…)
Authentication Profile Template Cleanup needed (ChristosT) Fork off glossary in a separate document
Some dates for you to remember and schedule May 26-28 2008
13th EUGridPMA meeting, Copenhagen, DK (NBI) June 2-6, 2008: OGF23, Barcelona, ES September 15-19, 2008: OGF24, Singapore Oct 6-8 (tentative), 2008: 14th meeting, Lisbon, PT January 2009: 15th meeting, Nicosia, CY