
Updates from the EUGridPMA, David Groep, Apr 8th, 2008


Presentation Transcript


  1. Updates from the EUGridPMA
     David Groep, Apr 8th, 2008

  2. EUGridPMA
     • A word on its history
     • Autonomous growth
     • “Virtual Silk Road” PKI
     • Plans and updates
     • Auditing
     • Identity Vetting processes, AuthZ, 1SCP, CP/CPS doc
     • Repository issues
     • CAOPSwg documents
     • Grid Certificate Profile finally “Published”!
     • RPDNC requirements …

  3. Eight years of growth
     November 2000: Invitation to the DataGrid WP6 partners
     December 2000: First CA meeting at CERN
     March 2001: 5 CAs: CNRS, LIP, NIKHEF, CERN, INFN, UK-HEP; first version of the minimum requirements
     December 2002: Inclusion of the CrossGrid CAs
     April 2004: Establishment of the EUGridPMA; first formal charter and guidelines documents
     …
     April 2008: 77 accredited CAs in the IGTF

  4. Minimum Requirements version 1 (Historical)
     Minimum requirements for RA - Testbed 1
     • An acceptable procedure for confirming the identity of the requestor and the right to ask for a certificate, e.g. by personal contact or some other rigorous method
     • The RA should be the appropriate person to make decisions on the right to ask for a certificate and must follow the CP.
     Communication between RA and CA
     • Either by signed e-mail or some other acceptable method, e.g. personal (phone) contact with a known person
     Minimum requirements for CA - Testbed 1
     • The issuing machine must be:
       - a dedicated machine located in a secure environment
       - managed in an appropriately secure way by a trained person
       - the private key (and copies) should be locked in a safe or other secure place
       - the private key must be encrypted with a pass phrase having at least 15 characters
       - the pass phrase must only be known by the Certificate issuer(s)
       - not be connected to any network
     • minimum length of user private keys must be 1024
     • min length of CA private key must be 2048
     • requests for machine certificates must be signed by personal certificates or verified by other appropriate means
     ...
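The key-length minimums on this slide (1024 bits for user keys, 2048 bits for the CA key) are the kind of requirement an auditor can check mechanically rather than by reading a CP/CPS. The following is an added example, not code from the presentation or from the EUGridPMA: a stdlib-only parser that reads the RSA modulus size out of a PEM public key (either PKCS#1 "RSA PUBLIC KEY" or X.509 SubjectPublicKeyInfo "PUBLIC KEY") and compares it with the two minimums. The DER encoder is only there to construct test input; the moduli in `demo()` are synthetic odd numbers of the right bit length, not real keys, and the role names `"ca"`/`"user"` are this example's own.

```python
"""Check RSA public keys against the EUGridPMA Testbed-1 key-length minimums.

Added example (not code from the presentation or the EUGridPMA): a minimal
DER/PEM parser for RSA public keys, stdlib only, plus a compliance check
against the 1024-bit (user) and 2048-bit (CA) minimums quoted on the slide.
The moduli constructed in demo() are synthetic numbers for format testing,
not real keys (assumption: any odd number of the right bit length will do).
"""
import base64
import re

USER_MIN_BITS = 1024  # "minimum length of user private keys must be 1024"
CA_MIN_BITS = 2048    # "min length of CA private key must be 2048"

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption): tag, length, 9 bytes
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative int; +8 adds the 0x00 pad byte when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(data: bytes, pos: int = 0):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pkcs1_pem(modulus: int, exponent: int = 65537) -> str:
    """PKCS#1 RSAPublicKey PEM ("BEGIN RSA PUBLIC KEY")."""
    return _pem("RSA PUBLIC KEY", der_sequence(der_integer(modulus), der_integer(exponent)))


def spki_pem(modulus: int, exponent: int = 65537) -> str:
    """X.509 SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY") wrapping the same RSAPublicKey."""
    rsa_key = der_sequence(der_integer(modulus), der_integer(exponent))
    alg_id = der_sequence(RSA_ENCRYPTION_OID, b"\x05\x00")               # rsaEncryption, NULL params
    bit_string = b"\x03" + _der_len(len(rsa_key) + 1) + b"\x00" + rsa_key  # leading 0x00 = no unused bits
    return _pem("PUBLIC KEY", der_sequence(alg_id, bit_string))


def rsa_modulus_bits(pem: str) -> int:
    """Return the modulus size in bits of a PKCS#1 or SubjectPublicKeyInfo RSA public key."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    tag, outer, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, next_pos = _read_tlv(outer)
    if tag == 0x30:                        # SPKI: AlgorithmIdentifier first, then BIT STRING
        tag, bits, _ = _read_tlv(outer, next_pos)
        if tag != 0x03 or bits[:1] != b"\x00":
            raise ValueError("expected BIT STRING with 0 unused bits")
        _, rsa_body, _ = _read_tlv(bits, 1)  # the RSAPublicKey SEQUENCE inside the BIT STRING
        tag, first, _ = _read_tlv(rsa_body)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big").bit_length()


def meets_minimum(pem: str, role: str):
    """role is 'ca' or 'user'; returns (compliant, modulus_bits, required_bits)."""
    required = CA_MIN_BITS if role == "ca" else USER_MIN_BITS
    bits = rsa_modulus_bits(pem)
    return bits >= required, bits, required


def demo():
    # Synthetic moduli, constructed for this example only; not real keys.
    ca_key = spki_pem((1 << 2047) | 1)        # 2048-bit
    user_key = pkcs1_pem((1 << 1023) | 1)     # 1024-bit
    legacy_key = pkcs1_pem((1 << 511) | 1)    # 512-bit: fails both minimums
    return {
        "ca": meets_minimum(ca_key, "ca"),
        "user": meets_minimum(user_key, "user"),
        "legacy_as_user": meets_minimum(legacy_key, "user"),
        "user_as_ca": meets_minimum(user_key, "ca"),
    }


if __name__ == "__main__":
    for name, (ok, bits, req) in demo().items():
        print(f"{name:15s} {bits:5d} bits  required {req:5d}  {'OK' if ok else 'FAIL'}")
```

Running the file against a real CA or user certificate is a matter of extracting the public key with `openssl x509 -pubkey -noout` and feeding the PEM to `meets_minimum`; the parser deliberately stops at the modulus, so it never touches private-key material. The other Testbed-1 items (air-gapped issuing host, 15-character pass phrase, key in a safe) are procedural and are checked by audit, which is what slide 10 describes.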

  5. The EUGridPMA “constitution”
     The European Policy Management Authority for Grid Authentication in e-Science (hereafter called EUGridPMA) is
     • a body to establish requirements and best practices
     • for grid identity providers
     • to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources.
     As its main activity the EUGridPMA
     • coordinates a Public Key Infrastructure (PKI)
     • for use with Grid authentication middleware.
     The EUGridPMA itself does not provide identity assertions, but instead asserts that - within the scope of this charter - the certificates issued by the Accredited Authorities meet or exceed the relevant guidelines.

  6. The story so far …
     Foundation of the IGTF allows migration of CAs to Regional PMA

  7. The IGTF
     • improve trust building through better face-to-face contact
     • better manageability of the PMA
     [diagram labels: APGridPMA, TAGPMA]

  8. Geographical coverage of the EUGridPMA
     • 23 of 25 EU member states (all except LU, MT)
     • + AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR, UA, ME, MK, SEE-GRID
     • + CA, CERN (int), DoEGrids*
     Pending or in progress
     • IR, SY, MD, LV

  9. More growth expected
     • Pending EUMedGrid countries: DZ, TN, LY, EG
     • New initiative across the ‘silk road’ countries
     • Established by Ara Grigoryan and ArmeSFo
     • In collaboration with NATO Partnership for Peace programme

  10. Auditing started
     • Based on APGridPMA Auditing effort
     • Self audits, peer-reviewed
     • BEGrid, DoEGrids, IUCC, TR-Grid, ArmeSFo, HellasGrid, CyGrid
     • Assessments were thorough
     • Implementation of recommendations started
     • Also external audit DutchGrid CA (thanks, Yoshio!)

  11. Pending plans: ‘AuthZ op. policy WG’
     • Discussing extending to AA policy requirements
     • authZ as important as AuthN, but operational AuthZ policies today are far less clear
     • minimum requirements on running an AA server may be quite similar to running a CA
     • ‘There is no other large group of experts out there waiting to take this on’ – we don’t need a parallel I*TF
     • But: scaling the model is very, very different; …
     • Dave Kelsey will sort this out … http://www.eugridpma.org/agenda/archive-a073/kelsey15jan08.ppt

  12. More to-do items
     • Repository of “good” and “bad” CP/CPS examples
     • boilerplate text repository
     • On software used
     • Activity ‘owner’: Jens Jensen
     • ‘profiling’ of various identity vetting options
     • Traditional F2F
     • Notary-public-supported verification
     • ‘Time-shifted via implicit RA/Agent anointments’ or ‘TTP’
     • One-Statement Certificate Policies (1SCP)
     • First 1SCPs should be there soon: ‘private key is held on a token’, ‘I am a Robot/automated client’

  13. IGTF Release Process and Web
     • Release Process
     • Releases moved to (preferably) Monday or Tuesday
     • Documentation of the process still needed
       Use: https://dist.eugridpma.info/distribution
       Mirror: https://www.apgridpma.org/distribution
     • Web server updated
     • Room for some additional static services
     • Input and suggestions are very welcome!
     • Monitoring and alarms
     • Nagios: http://signet-ca.ijs.si/nagios/ (guest/guest) (mirror at AIST)
     • PMA Distribution Warnings by email 4 times/day

  14. CAOPS-WG
     • Grid Certificate Profile is now published as GFD-C.125
     • Relying Party Defined NS Constraints
     • New draft out on GridForge
     • Out to RPs for comments and new requirements
     • Pending reactions (we got one from DavidCh already…)
     • Authentication Profile Template
     • Cleanup needed (ChristosT)
     • Fork off glossary in a separate document

  15. Some dates for you to remember and schedule
     • May 26-28, 2008: 13th EUGridPMA meeting, Copenhagen, DK (NBI)
     • June 2-6, 2008: OGF23, Barcelona, ES
     • September 15-19, 2008: OGF24, Singapore
     • Oct 6-8 (tentative), 2008: 14th meeting, Lisbon, PT
     • January 2009: 15th meeting, Nicosia, CY
