
International Grid Trust Federation Session GGF 20 Manchester, UK



Presentation Transcript


  1. International Grid Trust Federation Session
     GGF 20, Manchester, UK
     Wednesday, May 9 2007
     CAOPS-WG session #2

  2. Agenda
     • Updates from regional PMAs (15”)
       • APGrid PMA (Yoshio)
       • EUGrid PMA (David)
       • TAGPMA (Darcy)
     • Problems in compliance with the new Authentication Profile (20”)
     • Authentication Profiles (20”)
       • Member Integrated Credential Services AP (Darcy?)
       • Portal-based Credential Services AP (Yoshio)
     • Hardware Tokens (20”)
     • Robots (Jens)

  3. Updates of the APGrid PMA
     Yoshio Tanaka
     OGF20 IGTF

  4. Updates
     • Audited KEK Grid CA
       • Date: April 13th
       • Used the new auditing document
       • Found the following five major problems (but easy to solve):
         • In some end entity certificates, the value of the X.509 v3 Certificate Policies extension is incorrect: it is 1.3.6.1.4.1.200.198.1.102 but it should be 1.3.6.1.4.1.200.198.1.10.2.
         • Inconsistency between the certificate profile and the profile document.
         • Neither extendedKeyUsage nor nsCertType is specified in end entity certificates.
         • An email address was used in the subject name of end entity certificates.
         • Inappropriate description of key renewal.

  5. Updates
     • Some CAs have modified / are modifying their CP/CPS and/or profiles to comply with the new Classic AP.
       • Done: AIST Grid CA, APAC Grid CA, CNIC Grid CA, NAREGI CA
       • Ongoing: ASGC CA, IHEP CA, KEK Grid CA, NECTEC CA
       • Details will be reported at the next F2F.
     • APAC Grid CA will issue certificates for New Zealand.

  6. Members (13 + 4)
     • 1 CA under review
       • NGO (Singapore)
     • Will be re-accredited
       • KISTI (Korea)
     • Planning
       • PRAGMA (USA)
       • ThaiGrid (Thailand)
     • General membership
       • Osaka U. (Japan)
       • U. Hong Kong (China)
       • U. Hyderabad (India)
       • USM (Malaysia)
     • 9 Accredited CAs
       • In operation
         • AIST (Japan)
         • APAC (Australia)
         • ASGCC (Taiwan)
         • CNIC (China)
         • IHEP (China)
         • KEK (Japan)
         • NAREGI (Japan)
         • NECTEC (Thailand)
       • Will be in operation
         • NCHC (Taiwan)

  7. Next F2F Meeting
     • Date: June 4th (Mon)
     • Venue: Biopolis, Singapore
     • Co-located event: Grid Asia 2007
     • Agenda (tentative):
       • Updates from CAs (esp. compliance with the new Classic AP)
       • Review of MICS profile
       • Discussions on the profile for Portal-based CS

  8. Problems in compliance with the new Authentication Profile

  9. AIST’s experiences
     A) User certificates
       - Added Extended Key Usage
         x509 Ext Key Usage: 1.3.6.1.5.5.7.3.2 = PKIX-IDKP-ClientAuth
     B) Host certificates
       - Added Extended Key Usage
         x509 Ext Key Usage: 1.3.6.1.5.5.7.3.1 = PKIX-IDKP-ServerAuth
                             1.3.6.1.5.5.7.3.2 = PKIX-IDKP-ClientAuth
       - Added Subject Alt Name
         x509 Subject Alt Name: [2] FQDN of the host
       - Changed Key Usage: removed nonRepudiation
         x509 Key Usage: [critical] digitalSignature, keyEncipherment, dataEncipherment (0xb0)

  10. Supposed problems
     • Some CAs need to modify the profiles of their Root CA Certificates to comply with the new Classic AP and the proposed Grid Certificate Profile.
     • Marking keyUsage as critical was dropped from MUST to SHOULD, but some root CA certificates do not mark basicConstraints as critical.
     • Some CAs embed an email address in the subject name of end entity certificates.
     • Probably more (as found through the auditing of KEK Grid CA).
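Two of the audit findings above (slides 4 and 9) come down to byte-level details of the certificate: the Certificate Policies OID 1.3.6.1.4.1.200.198.1.102 is a genuinely different object identifier from 1.3.6.1.4.1.200.198.1.10.2, and the keyUsage bit string 0xb0 is what is left once nonRepudiation is removed. The following is an added example, not from the slides or from any of the CAs named: stdlib-only DER helpers that make both checks concrete, plus a small profile check over constructed inputs. The function names and the tuple-list representation of the subject DN are assumptions of this example.

```python
# Added example: DER OID and keyUsage helpers for the audit findings on the slides.
# OID arcs are encoded base-128, high bit set on every byte but the last;
# the first two arcs are folded into one byte as 40*arc1 + arc2.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly"]  # bit 0 is the MSB of byte 0

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER (tag 0x06, short-form length, assumes < 128 bytes)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    """DER OID -> dotted string; inverse of encode_oid for short-form lengths."""
    if der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    body = der[2:2 + der[1]]
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def key_usage_names(first_byte: int) -> list:
    """Names of the keyUsage bits set in the first content byte, e.g. 0xb0."""
    return [n for i, n in enumerate(KEY_USAGE_BITS) if first_byte & (0x80 >> i)]

def end_entity_profile_issues(key_usage_byte: int, subject_rdns: list) -> list:
    """Return the slide-4/slide-9 style findings for one end entity certificate.
    subject_rdns is a constructed list of (attribute, value) pairs."""
    issues = []
    if "nonRepudiation" in key_usage_names(key_usage_byte):
        issues.append("keyUsage sets nonRepudiation (removed in AIST's new profile)")
    if any(attr.lower() == "emailaddress" for attr, _ in subject_rdns):
        issues.append("email address embedded in subject name")
    return issues

if __name__ == "__main__":
    print(encode_oid("1.3.6.1.4.1.200.198.1.102").hex(), "vs",
          encode_oid("1.3.6.1.4.1.200.198.1.10.2").hex())
    print(key_usage_names(0xB0))
```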

  11. Portal-based Credential Services Profile
     Yoshio Tanaka
     International Grid Trust Federation, APGrid PMA, AIST

  12. Schedule
     • 1st draft by EUGrid PMA F2F @ Istanbul
       • Will be reviewed at Istanbul, followed by APGrid PMA at Singapore.
     • 2nd draft by TAGPMA F2F @ Banff
     • 3rd draft by EUGrid PMA F2F in fall or OGF21
