4th APGrid PMA F2F Meeting. Academia Sinica, Taipei, Taiwan, April 8, 2008. Agenda: http://www.apgridpma.org/meetings/index.html Call for note takers!
Updates of the APGrid PMA and recap of the IGTF. Yoshio Tanaka, Chair, APGrid PMA / AIST
Asia Pacific Grid PMA • General Policy Management Authority in Asia Pacific • Not specific to ApGrid, not specific to PRAGMA… • Launched on June 1st, 2004 • Defines minimum CA requirements • Based on the IGTF Classic AP maintained by EUGridPMA • APGrid PMA approved accepting two levels of CA: • Experimental-level CA • Alternative to the Globus CA • Can be trusted within A-P communities • Production-level CA • Strict management is necessary • Expected to be trusted by international communities • Meetings • Regular VTC (every 3~4 months) • F2F meeting (once or twice a year)
Members (13 + 4) • 9 Accredited CAs • In operation • AIST (Japan) • APAC (Australia) • ASGCC (Taiwan) • CNIC (China) • IHEP (China) • KEK (Japan) • KISTI (Korea) • NAREGI (Japan) • NECTEC (Thailand) • 3 CAs under review • NGO (Singapore) • PRAGMA (USA) • NCHC (Taiwan) • Planning • ThaiGrid (Thailand) • CDAC (India) • General membership • Osaka U. (Japan) • U. Hong Kong (China) • U. Hyderabad (India) • USM (Malaysia)
Scope of the APGrid PMA • Manage the PMA membership • Define charter and minimum CA requirements • Publish related documents • Maintain and revise the documents • Accredit authorities with respect to the minimum CA requirements • Coordinate auditing and re-certification of accredited authorities • Monitor member CA signing namespaces • Operate a secure collection point for information about accredited CAs • Be primarily concerned with Grid communities in Asia Pacific, and their external partners
APGrid PMA responsibilities • CP/CPS • Responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific. • Other documents • Charter • Minimum CA requirements • Authentication Profiles
APGrid PMA responsibilities (cont’d) • Accreditation • Accredit authorities according to the procedure defined in the charter. • Audit • APGrid PMA performs external auditing of member CAs. • Operation • Every CA is responsible for its own operation. • The PMA is NOT an operational unit but a policy management authority. • Obligation • All PMA members are understood to represent the best interests of their national/regional communities and are expected to participate actively in the activities of the PMA.
General Architecture of the IGTF • Member PMAs are responsible for accrediting authorities • The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers. • Each AP is assigned by the IGTF to a specific member PMA. • Classic AP (EUGrid PMA) • Short Lived Credential Services (SLCS) AP (TAGPMA) • Member Integrated Credential Services (MICS) AP (TAGPMA)
General Architecture of the IGTF (cont’d) • Proposed changes to an AP are circulated to all chairs of the IGTF member PMAs. • All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP comes into effect. • Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA. • Any change to the policy and practices of an authority after accreditation voids the accreditation unless the change has been approved by the accrediting PMA before it takes effect.
Requirements for accredited authorities • Maintain at least one contact mechanism which must allow un-moderated access for relying parties and the general public to report problems and faults regarding the authority. • This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing. • Must disclose its documented policies and practices to the accrediting PMA and to the general public.
Implementation of the federation • Each PMA maintains information on all of its accredited CAs: • Root certificate • CRL Distribution Point • Point of contact • Signing policy file • Pointer to the CP/CPS • The information from all PMAs is packed into a single tarball/RPM and distributed as the IGTF CA distribution • No hierarchies. All accredited CAs are included in a flat structure • Once you are accredited by the APGrid PMA, you are an IGTF-accredited CA • The IGTF CA distribution is released every few weeks • David Groep notifies all member CAs of the planned release and asks for reports of any updates. • Distribution frequency is flexible. • The information is stored in the CVS repository maintained by the EUGridPMA • Yoshio, Mason, and Darcy have accounts on the CVS server • If you have modified your CA cert, etc., please let me know. • The IGTF CA distribution is available from the EUGridPMA web site and the APGrid PMA web site. • APGrid PMA is planning to mirror the CVS server as well.
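The signing policy file listed above (and the "monitor member CA signing namespaces" scope item earlier) is the artifact a relying party uses to decide whether a certificate chained to an accredited root is inside the namespace that CA is allowed to sign. The following is an added example, not code from the APGrid PMA, IGTF or Globus: a small parser for the Globus signing_policy format (access_id_CA / pos_rights / cond_subjects lines) and a check that an end-entity subject DN falls inside the permitted namespace. The CA name, the namespace patterns and the subject DNs are constructed for illustration and do not describe any real accredited CA.

```python
"""
Parse a Globus-format signing_policy file, as shipped per CA in the IGTF
distribution, and check whether a subject DN is inside the namespace the
CA is permitted to sign. Added example; all DNs below are constructed.
"""
import re

# Constructed sample in the Globus signing_policy layout. The CA name and the
# namespace patterns are hypothetical and do not belong to a real CA.
SAMPLE_SIGNING_POLICY = """\
# Signing policy for the (hypothetical) Example Grid CA
access_id_CA      X509         '/C=XX/O=ExampleGrid/CN=Example Grid CA'
pos_rights        globus        CA:sign
cond_subjects     globus       '"/C=XX/O=ExampleGrid/OU=People/*" "/C=XX/O=ExampleGrid/OU=Hosts/*"'
"""


def parse_signing_policy(text):
    """Return (ca_dn, allowed_subject_patterns) from signing_policy text.

    Only the access_id_CA / pos_rights / cond_subjects triple used in the
    IGTF distribution is understood. A policy that never grants CA:sign
    yields an empty pattern list, i.e. the CA may sign nothing.
    """
    ca_dn = None
    patterns = []
    can_sign = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)          # keyword, type, quoted value
        if len(parts) != 3:
            raise ValueError("malformed signing_policy line: %r" % raw)
        key, _kind, value = parts
        if key == "access_id_CA":
            ca_dn = value.strip("'")
        elif key == "pos_rights":
            can_sign = can_sign or value == "CA:sign"
        elif key == "cond_subjects":
            # value is a single-quoted list of double-quoted DN patterns
            patterns.extend(re.findall(r'"([^"]*)"', value.strip("'")))
    if ca_dn is None:
        raise ValueError("signing_policy has no access_id_CA line")
    return ca_dn, (patterns if can_sign else [])


def _pattern_to_regex(pattern):
    # '*' is the only wildcard (any run of characters); all other DN
    # characters are matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def subject_allowed(patterns, subject_dn):
    """True if subject_dn matches at least one permitted namespace pattern."""
    return any(_pattern_to_regex(p).match(subject_dn) for p in patterns)


def check_issuance(policy_text, issuer_dn, subject_dn):
    """'ok' if issuer_dn is the policy's CA and subject_dn is in its
    namespace; otherwise a short reason a relying party would reject it."""
    ca_dn, patterns = parse_signing_policy(policy_text)
    if issuer_dn != ca_dn:
        return "issuer %r is not the CA named in the signing policy" % issuer_dn
    if not subject_allowed(patterns, subject_dn):
        return "subject %r is outside the CA's permitted namespace" % subject_dn
    return "ok"


if __name__ == "__main__":
    ca = "/C=XX/O=ExampleGrid/CN=Example Grid CA"
    for subj in ("/C=XX/O=ExampleGrid/OU=People/CN=Alice Example",
                 "/C=YY/O=OtherGrid/OU=People/CN=Mallory"):
        print(subj, "->", check_issuance(SAMPLE_SIGNING_POLICY, ca, subj))
```

The second subject is rejected even though it could carry a valid signature from the CA: the namespace constraint is what stops an accredited CA from issuing certificates that impersonate another member's users, which is why the PMA monitors these files and why a changed signing policy must go back through the accrediting PMA.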
Chair’s role • A Point of Contact for the PMA • Running the PMA meetings • Ensuring that all voting is recorded and published • Leads discussions • Contributes to the IGTF • Attends meetings of EUGridPMA and TAGPMA • Attends OGF • Best effort basis • Maintains the IGTF CA Distribution • Commit/delete/update files of APGridPMA-accredited CAs • Maintains the web site • Maintains the mailing list (ML)
Business • Chair election • Next F2F meeting • September 2008, Singapore • How to protect the ML from spam • TACAR and PGP/Thawte key signing
TAGPMA, The Americas Grid Policy Management Authority. 7th TAGPMA Face-to-Face Meeting: TACAR Registration and Accreditation. Vinod Rebello and Mike Helm. NERSC, Oakland, CA, USA, April 2 – 4, 2008
TACAR • http://www.tacar.org • The TERENA Academic CA Repository (TACAR) offers a trusted and centralized place where root CA certificates can be stored and safely downloaded. • The only requirement to be part of TACAR is that the applying CA operates for the research and academic community • IGTF- and TAGPMA-approved third-party repository Vinod Rebello – vinod@ic.uff.br
Joining TACAR • Read the Policy – currently version 1.4.3 • The CA Manager should fill in the Letter of Registration (Annex I) • Contains info on the CA, the root certificate, the location of the CP/CPS and the fingerprint of its PDF • The Letter of Accreditation needs to be signed by the head of the institution to which the CA is affiliated. • Letters being provided for the first time must be validated via a face-to-face meeting between the representative(s) of the applying CA and a TACAR representative
Required files • Letters to be presented on paper (two copies of each) and in electronic (PDF) form on CD • Also on CD: • The detached PGP signatures of the two letters • PDF version of the CP/CPS • Root certificate in PEM format • And their respective detached PGP signatures • Also the PGP key
Trusted Introducer • If you can’t meet with Licia Florio in person, then talk to Mike Helm or Yoshio Tanaka • The TI is basically the TERENA RA. • The TI delivers all collected material to TERENA, using signed email for the electronic information and postal mail or a face-to-face meeting for the paper material.