
IGTF EUGridPMA status update


Presentation Transcript


  1. IGTF EUGridPMA status update
     SHA-2, OCSP, and more
     David Groep, Nikhef and NL-NGI for EGI global task O-E-15
     This work is supported by EGI-InSPIRE under NA2 and SA1.2
     davidg@nikhef.nl, orcid.org/0000-0003-1026-6606

  2. IGTF ongoing work
     From recent IGTF meetings (AP: March, TAG&EU: May)
     • Slightly revised SHA-2 time line
     • Update to OCSP deployment planning and review
     • IPv6 deployment
     • IGTF ‘Test Suite’ for software providers
     • Guidelines on operation of trusted credential stores (draft)
     • Progress on move towards differentiated ID assurance
     IGTF Summary OMB May 2013

  3. SHA-2 time line agreed
     • Now
       • CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1
       • CAs should issue SHA-1 end entity certificates by default
       • CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request
       • CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs
     • 1st October 2013
       • CAs should begin to phase out issuance of SHA-1 end entity certificates
       • CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default
     • 1st April 2014
       • New CA certificates should use SHA-2 (SHA-512)
       • Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512)
       • Existing root CA certificates may continue to use SHA-1
     • 1st October 2014
       • CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points
     • 1st December 2014 (‘sunset date’)
       • All issued SHA-1 end entity certificates should be expired or revoked
     In case of new SHA-1 vulnerabilities, the above schedule may be revised.

  4. SHA-2 readiness
     For SHA-2 there are still a few CAs not ready
     • A few can do either SHA-2 OR SHA-1, but not both
       • so they need to wait for software to be SHA-2-ready and then change everything at once
     • A select few can do SHA-2, but their time line is not driven solely by us (i.e. some commercial CAs)
       • their time line is driven by the largest customer base
     • All can do SHA-2 already; some do so on request (since non-grid customers do request SHA-2-only PKIs)
       • it is because of these that RPs have to be ready: when directives come from the CABF they will change, and do it quite irrespective of our timetable!
     • Keep in mind issues for HSMs (robot tokens)

  5. A forward look: sudden end of MD5?
     • Some software stacks (Mozilla NSS 3.14+, distributed as part of e.g. RHEL6U4) are now disabling the MD5 hash for crypto
     • May create a nice mess, with several large CA roots still MD5 (even in EL6U4)
     • Don’t want that to happen prematurely with SHA-1 while it is still in active use …
     http://www.eugridpma.org/documentation/hashrat/sha2-timeline
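As an added illustration (not part of the slides or of any IGTF tool), the following Python reads the signatureAlgorithm of a DER-encoded certificate or CRL with a minimal TLV parser and places it on the slide 3 time line, with MD5 rejected as slide 5 describes. The status labels, the `kind` values and the `make_sample` shell are assumptions of this example; the sample objects it builds are constructed stand-ins with an empty tbs, not real CA output.

```python
HASH_BY_OID = {"1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
               "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.13": "sha512"}

def _tlv(buf, pos):                   # parse one DER TLV at pos -> (tag, content, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):                    # decode OID content octets (base-128 arcs) to dotted form
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: this octet ends the arc
            arcs, acc = arcs + [str(acc)], 0
    return ".".join(arcs)

def signature_hash(der):
    """Certificate and CertificateList share SEQUENCE { tbs, sigAlg, sig }: read sigAlg."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _tlv(body, 0)         # skip tbsCertificate / tbsCertList
    _, algid, _ = _tlv(body, pos)     # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(algid, 0)        # its first element is the algorithm OID
    return HASH_BY_OID[_oid(oid)]     # KeyError for algorithms outside the slide's list

def timeline_status(kind, hash_name, when):
    """kind: 'ee', 'intermediate', 'root' or 'crl'; when: 'YYYY-MM-DD' (ISO strings order correctly)."""
    if hash_name == "md5":
        return "reject"               # slide 5: NSS 3.14+ disables MD5 outright
    if hash_name != "sha1":           # SHA-256 / SHA-512
        if kind == "crl" and when < "2014-10-01":
            return "alternate-dp-only"    # official CRL URLs stay SHA-1 until then
        return "ok"                   # SHA-2 EE certs may be issued on request
    if kind == "ee":                  # SHA-1 EE certs: phase out, then sunset
        return ("sunset" if when >= "2014-12-01"
                else "phase-out" if when >= "2013-10-01" else "ok")
    if kind == "intermediate" and when >= "2014-04-01":
        return "reissue"              # intermediates re-issued with SHA-512
    return "ok"                       # SHA-1 roots and CRLs remain acceptable

def make_sample(sig_oid_hex):
    """Constructed sample: empty tbs, the given signatureAlgorithm, empty BIT STRING."""
    der = lambda tag, c: bytes([tag, len(c)]) + c           # short-form DER TLV
    algid = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    return der(0x30, der(0x30, b"") + algid + der(0x03, b"\x00"))
```

Feed `signature_hash` the bytes of a real `.0` trust-anchor file or `.r0` CRL after PEM decoding to see where an installed IGTF distribution stands against the dates.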

  6. OCSP, IPv6, test suite, new guideline (profile) docs

  7. OCSP status
     • Some CAs provide OCSP services
       • RFC 5019 lightweight: public trust CAs, CESNET
       • RFC 2560 full: MSCA, a few OpenCA ones
     • Most don’t advertise yet, since the operational impact is uncertain:
       • Which software components will use OCSP?
       • What is the expected load?
       • Have RPs installed their HTTP caching services correctly?
       • Has software implemented caching correctly?

  8. OCSP time line (contd)
     Planning
     • Given the current pressure and focus on SHA-2, it is decided not to actively push for OCSP as long as the SHA-2 campaign is running
     Questions
     • Will inclusion of relevant AIA extensions automatically result in the use of OCSP?
     • Is this software configurable? Does it cache?
     • Are RP (EGI: RC) setups expecting this? Have caches been deployed?
     • Should we wait for TLS OCSP stapling (RFC 6066) to be configured and used widely?

  9. Other work items
     • IPv6 deployment: http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/
       • expect RPs with v6-only systems to set up a 6-to-4 NAT/proxy
     • IGTF ‘Test Suite’ for software providers
     • Guidelines on operation of trusted credential stores (draft): http://wiki.eugridpma.org/Main/CredStoreOperationsGuideline
       • matches with the Private Key Protection guidelines
       • guidance for MyProxy setups, portals, credential management systems
       • intended to be ‘good advice’ for RPs – things to consider
     • Progress on move towards differentiated ID assurance: http://wiki.eugridpma.org/Main/IOTASecuredInfraAP
       • provides only a unique opaque identifier: no identity, no traceability
       • needs tuning of LoA with our RPs; the current version may be too much XSEDE and does not even work yet for PRACE-T1s…

  10. Summary
     • Review detailed summary at https://www.eugridpma.org/meetings/2013-05/
     • Questions?
