Page 1: Updates from the EUGridPMA

David Groep, Apr 8th, 2008

Page 2

2008 APGridPMA ‘Taipei’ meeting – Apr 2008 - 2

David Groep – [email protected]

EUGridPMA
- A word on its history
- Autonomous growth
- “Virtual Silk Road” PKI

Plans and updates
- Auditing
- Identity vetting processes, AuthZ, 1SCP, CP/CPS document repository issues

CAOPS-WG documents
- Grid Certificate Profile finally “published”!
- RPDNC requirements …

Page 3

Eight years of growth

November 2000: Invitation to the DataGrid WP6 partners

December 2000: First CA meeting at CERN

March 2001: 5 CAs: CNRS, LIP, NIKHEF, CERN, INFN, UK-HEP; first version of the minimum requirements

December 2002: Inclusion of the CrossGrid CAs

April 2004: Establishment of the EUGridPMA; first formal charter and guidelines documents

… April 2008: 77 accredited CAs in the IGTF

Page 4

Minimum Requirements version 1

Minimum requirements for RA - Testbed 1
---------------------------------------
An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method. The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.

Communication between RA and CA
-------------------------------
Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with a known person.

Minimum requirements for CA - Testbed 1
---------------------------------------
The issuing machine must be:
- a dedicated machine located in a secure environment
- managed in an appropriately secure way by a trained person
- the private key (and copies) should be locked in a safe or other secure place
- the private key must be encrypted with a pass phrase having at least 15 characters
- the pass phrase must only be known by the Certificate issuer(s)
- not be connected to any network

- minimum length of user private keys must be 1024
- min length of CA private key must be 2048
- requests for machine certificates must be signed by personal certificates or verified by other appropriate means
...
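The key-length and pass-phrase minimums quoted above are the kind of thing a relying party or auditor checks mechanically. The following is an added example, not code from the slides or from the EUGridPMA: it contains a minimal DER encoder and decoder for an RSA SubjectPublicKeyInfo so that the modulus size of a key can be read and compared with the Testbed 1 thresholds (1024 bits for user keys, 2048 bits for CA keys, 15 characters for the pass phrase). The sample keys are constructed in the block itself; in practice the SubjectPublicKeyInfo would be taken from a certificate.

```python
# Added example (not part of the original slides): check a DER-encoded RSA
# SubjectPublicKeyInfo against the key-length minimums quoted on this slide
# (user keys >= 1024 bits, CA keys >= 2048 bits). The tiny DER encoder/decoder
# and the sample keys below are constructed here for illustration.

# Minimums as stated in the Testbed 1 requirements.
MIN_KEY_BITS = {"user": 1024, "ca": 2048}
MIN_PASSPHRASE_CHARS = 15

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def make_rsa_spki(modulus, exponent=65537):
    """Build SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }.
    Used here only to construct sample input; a real key comes from a certificate."""
    rsa_public_key = _tlv(0x30, _der_integer(modulus) + _der_integer(exponent))
    algorithm = _tlv(0x30, RSA_OID_TLV + b"\x05\x00")       # rsaEncryption, NULL params
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Extract the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, algorithm, pos = _read_tlv(spki, 0)
    _, oid, _ = _read_tlv(algorithm, 0)
    if oid != RSA_OID_TLV[2:]:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _read_tlv(spki, pos)
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)   # skip unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key, 0)
    return int.from_bytes(modulus, "big").bit_length()


def key_meets_minimum(spki_der, role):
    """True if the key is at least as long as Testbed 1 requires for the role."""
    return rsa_modulus_bits(spki_der) >= MIN_KEY_BITS[role]


def passphrase_meets_minimum(passphrase):
    return len(passphrase) >= MIN_PASSPHRASE_CHARS


# Constructed sample moduli: only the bit length matters for this check.
SAMPLE_KEYS = {
    "weak_512": make_rsa_spki((1 << 511) | 1),
    "user_1024": make_rsa_spki((1 << 1023) | 1),
    "ca_2048": make_rsa_spki((1 << 2047) | 1),
}

if __name__ == "__main__":
    for name, spki in SAMPLE_KEYS.items():
        print(name, rsa_modulus_bits(spki),
              "user ok" if key_meets_minimum(spki, "user") else "user FAIL",
              "ca ok" if key_meets_minimum(spki, "ca") else "ca FAIL")
```

The check deliberately refuses anything that is not an rsaEncryption key rather than guessing a size, since the 2001 requirements only speak of RSA key lengths.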

Page 5

The EUGridPMA “constitution”

The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGridPMA) is
- a body to establish requirements and best practices
- for grid identity providers
- to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.

As its main activity the EUGridPMA
- coordinates a Public Key Infrastructure (PKI)
- for use with Grid authentication middleware.

The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter - the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.

Page 6

The story so far …

[Chart: number of accredited CAs over time, Mar-01 to Sep-06 (y axis 0 to 40); annotation: Foundation of the IGTF allows migration of CAs to Regional PMA]

Page 7

The IGTF

[Diagram: regional PMAs in the IGTF: TAGPMA, APGridPMA]

- improve trust building through better face-to-face contact
- better manageability of the PMA

Page 8

Geographical coverage of the EUGridPMA

23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR, UA, ME, MK, SEE-GRID + CA, CERN (int), DoEGrids*

Pending or in progress: IR, SY, MD, LV

Page 9

More growth expected

Pending EUMedGrid countries: DZ, TN, LY, EG

New initiative across the ‘silk road’ countries
- Established by Ara Grigoryan and ArmeSFo
- In collaboration with the NATO Partnership for Peace programme

Page 10

Auditing started

Based on APGridPMA Auditing effort

Self audits, peer-reviewed: BEGrid, DoEGrids, IUCC, TR-Grid, ArmeSFo, HellasGrid, CyGrid

Assessments were thorough; implementation of recommendations started

Also an external audit of the DutchGrid CA (thanks, Yoshio!)

Page 11

Pending plans: ‘AuthZ op. policy WG’

Discussing extending to AA policy requirements
- AuthZ is as important as AuthN, but operational AuthZ policies today are far less clear
- minimum requirements on running an AA server may be quite similar to running a CA
- ‘There is no other large group of experts out there waiting to take this on’ – we don’t need a parallel I*TF
- But: scaling the model is very, very different; … Dave Kelsey will sort this out …

http://www.eugridpma.org/agenda/archive-a073/kelsey15jan08.ppt

Page 12

More to-do items

Repository of “good” and “bad” CP/CPS examples
- boilerplate text repository
- on software used
- Activity ‘owner’: Jens Jensen

‘Profiling’ of various identity vetting options
- Traditional F2F
- Notary-public-supported verification
- ‘Time-shifted via implicit RA/Agent anointments’ or ‘TTP’

One-Statement Certificate Policies (1SCP)
First 1SCPs should be there soon:
- ‘private key is held on a token’
- ‘I am a Robot/automated client’

Page 13

IGTF Release Process and Web

Release Process
- Releases moved to (preferably) Monday or Tuesday
- Documentation of the process still needed
- Use: https://dist.eugridpma.info/distribution (mirror: https://www.apgridpma.org/distribution)

Web server updated
- Room for some additional static services
- Input and suggestions are very welcome!

Monitoring and alarms
- Nagios: http://signet-ca.ijs.si/nagios/ (guest/guest) (mirror at AIST)
- PMA Distribution Warnings by email 4 times/day

Page 14

CAOPS-WG

Grid Certificate Profile is now published as GFD-C.125

Relying Party Defined NS Constraints
- New draft out on GridForge
- Out to RPs for comments and new requirements
- Pending reactions (we got one from DavidCh already…)
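Relying-party defined namespace constraints come down to one check at verification time: is the subject DN of a certificate inside the namespace its issuing CA is allowed to sign for? The following is an added example, not code from the slides, the CAOPS-WG draft or the IGTF distribution. It parses a small policy written in the Globus `signing_policy` convention (`access_id_CA` naming the CA, `cond_subjects` listing the permitted subject patterns; this format is my assumption, not something the slide specifies) and applies it to constructed DNs for a fictitious CA.

```python
# Added example (not from the slides or the IGTF): a relying-party check that a
# certificate's subject DN falls inside the namespace its issuing CA may sign for.
# The policy format follows the Globus "signing_policy" convention as I
# understand it; the CA name and DNs below are constructed placeholders.
import fnmatch
import shlex

# Constructed sample policy for a fictitious CA.
SAMPLE_SIGNING_POLICY = """
# EACL for the (constructed) Example Grid CA
access_id_CA      X509    '/C=XX/O=Example Grid/CN=Example Grid CA'
pos_rights        globus  CA:sign
cond_subjects     globus  '"/C=XX/O=Example Grid/*" "/O=example-vo/*"'
"""


def parse_signing_policy(text):
    """Map each CA DN to the list of subject-name patterns it may sign for."""
    policies = {}
    current_ca = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue                      # malformed line: ignore rather than guess
        keyword, _, value = parts
        if keyword == "access_id_CA":
            current_ca = value.strip("'")
            policies.setdefault(current_ca, [])
        elif keyword == "cond_subjects" and current_ca is not None:
            # value is a single-quoted list of double-quoted glob patterns
            policies[current_ca].extend(shlex.split(value.strip("'")))
    return policies


def subject_permitted(policies, issuer_dn, subject_dn):
    """Accept only if the issuer is known and some pattern matches the subject.
    An issuer with no namespace entry is refused outright (fail closed)."""
    patterns = policies.get(issuer_dn)
    if not patterns:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)


POLICIES = parse_signing_policy(SAMPLE_SIGNING_POLICY)
EXAMPLE_CA = "/C=XX/O=Example Grid/CN=Example Grid CA"

if __name__ == "__main__":
    for subject in ("/C=XX/O=Example Grid/CN=Jane User",
                    "/O=example-vo/CN=host/node.example.invalid",
                    "/C=YY/O=Other Org/CN=Someone Else"):
        print(subject, "->", subject_permitted(POLICIES, EXAMPLE_CA, subject))
```

The important design choice is that an issuer without any namespace entry is refused rather than accepted: a CA that is trusted for signatures but has no declared namespace could otherwise issue names that collide with another accredited CA.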

Authentication Profile Template
- Cleanup needed (ChristosT)
- Fork off glossary in a separate document

Page 15

Some dates for you to remember and schedule
- May 26-28, 2008: 13th EUGridPMA meeting, Copenhagen, DK (NBI)
- June 2-6, 2008: OGF23, Barcelona, ES
- September 15-19, 2008: OGF24, Singapore
- Oct 6-8 (tentative), 2008: 14th meeting, Lisbon, PT
- January 2009: 15th meeting, Nicosia, CY