Transcript European Grid Policy Management Authority
Updates from the EUGridPMA
David Groep, Apr 8 nd , 2008
EUGridPMA
A word on its history Autonomous growth “Virtual Silk Road” PKI
Plans and updates
Auditing Identity Vetting processes, AuthZ, 1SCP, CP/CPS doc Repository issues
CAOPSwg documents
Grid Certificate Profile finally “Published”! RPDNC requirements … David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
Eight years of growth
November 2000: Invitation to the DataGrid WP6 partners December 2000: First CA meeting at CERN March 2001: 5 CAs: CNRS, LIP, NIKHEF, CERN, INFN, UK-HEP First version of the minimum requirements December 2002: Inclusion of the CrossGrid CAs April 2004: Establishment of the EUGridPMA First formal charter and guidelines documents … April 2008: 77 accredited CAs in the IGTF David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
Minimum Requirements version 1
Minimum requirements for RA - Testbed 1 -------------------------------------- An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate e.g. by personal contact or some other rigorous method The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP. Communication between RA and CA ------------------------------ Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with known person Minimum requirements for CA - Testbed 1 -------------------------------------- The issuing machine must be: a dedicated machine located in a secure environment be managed in an appropriately secure way by a trained person the private key (and copies) should be locked in a safe or other secure place the private keu must be encrypted with a pass phrase having at least 15 characters the pass phrase must only be known by the Certificate issuer(s) not be connected to any network minimum length of user private keys must be 1024 min length of CA private key must be 2048 requests for machine certificates must be signed by personal certificates or verified by other appropriate means ...
David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
The EUGridPMA “constitution”
The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGridPMA) is
•a body to establish requirements and best practices •for grid identity providers •to enable a common trust domain applicable to authentication of
end-entities in inter-organisational access to distributed resources. As its main activity the EUGridPMA
•coordinates a Public Key Infrastructure (PKI) •for use with Grid authentication middleware.
The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter - the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.
David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
The story so far …
Foundation of the IGTF allows migration of CAs to Regional PMA
40 30 20 10 0 Ma r-0 1 Se p-0 1 Ma r-0 2 Se p-0 2 Ma r-0 3 Se p-0 3 Ma r-0 4 Se p-0 4 Ma r-0 5 Se p-0 5 Ma r-0 6 Se p-0 6 David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
The IGTF
improve trust building through better face-to-face contact better manageability of the PMA
TAGPMA APGridPMA
David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
Geographical coverage of the EUGridPMA 23 of 25 EU member states (all except LU, MT) + AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR, UA, ME, MK, SEE-GRID + CA, CERN (int), DoEGrids* Pending or in progress IR, SY, MD, LV David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
More growth expected
Pending EUMedGrid countries: DZ, TN, LY, EG New initiative across the ‘silk road’ countries Established by Ara Grigoryan and ArmeSFo In collaboration with NATO Partnership for Peace programme David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
Auditing started
Based on APGridPMA Auditing effort Self audits, peer-reviewed BEGrid, DoEGrids, IUCC, TR-Grid, ArmeSFo, HellasGrid, CyGrid Assessments were thorough Implementation of recommendations started
Also external audit DutchGrid CA (thanks, Yoshio!)
David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
Pending plans: ‘AuthZ op. policy WG’
Discussing extending to AA policy requirements authZ as important as AuthN, but operational AuthZ policies today are far less clear minimum requirements on running an AA server may be quite similar to running a CA ‘There is no other large group of experts out there waiting to take this on’ – we don’t need a parallel I*TF But: scaling the model is very, very different; … Dave Kelsey will sort this out … http://www.eugridpma.org/agenda/archive-a073/kelsey15jan08.ppt
David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
More to-do items
Repository of “good” and “bad” CP/CPS examples
boilerplate text repository On software used Activity ‘owner’: Jens Jensen ‘profiling’ of various identity vetting options Traditional F2F Notary-public-supported verification ‘Time-shifted via implicit RA/Agent anointments’ or ‘TTP’ One-Statement Certificate Policies (1SCP) First 1SCPs should be there soon: ‘private key is held on a token’ ‘I am a Robot/automated client’ David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
IGTF Release Process and Web
Release Process Releases moved to (preferably) Monday or Tuesday Documentation of the process still needed Use:
mirror:
https://dist.eugridpma.info/distribution https://www.apgridpma.org/distribution Web server updated Room for some additional static services Input and suggestions are very welcome!
Monitoring and alarms Nagios: http://signet-ca.ijs.si/nagios/ (mirror at AIST) (guest/guest) PMA Distribution Warnings by email 4 times/day David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
CAOPS-WG
Grid Certificate Profile is now published as GFD-C.125
Relying Party Defined NS Constraints New draft out on GridForge Out to RPs for comments and new requirements Pending reactions (we got one from DavidCh already…) Authentication Profile Template Cleanup needed (ChristosT) Fork off glossary in a separate document David Groep – [email protected]
2008 APGridPMA ‘Taipei’ meeting – Apr 2008 ‹#›
Some dates for you to remember and schedule May 26-28 2008 13 th EUGridPMA meeting, Copenhagen, DK (NBI) June 2-6, 2008: OGF23, Barcelona, ES September 15-19, 2008: OGF24, Singapore Oct 6-8 (tentative), 2008: 14 th January 2009: 15 th meeting, Lisbon, PT meeting, Nicosia, CY