EGI-InSPIRE RI: EGI (IGTF Liaison Function)
IGTF & EUGridPMA status update: SHA-2 and more
David Groep, Nikhef and NL-NGI, for EGI global task O-E-15
This work is supported by EGI-InSPIRE under NA2 and SA1.2

IGTF developments

From recent IGTF meetings:
– Slightly revised SHA-2 time line
– IOTA Authentication Profile: what do you, the Relying Parties, actually need?
– Credential Repositories
– Link to complete list of topics and discussions

EUGridPMA for EGI-TF
SHA-2 time line agreed

Now
– CA certificates in the IGTF distribution and CRLs at the official distribution points should use SHA-1
– CAs should issue SHA-1 end entity certificates by default
– CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request
– CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs

1st October 2013 (revised from 1st December)
– CAs should begin to phase out issuance of SHA-1 end entity certificates
– CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default
– Some CAs will defer the transition until after New Year because of helpdesk/support issues

1st April 2014
– New CA certificates should use SHA-2 (SHA-512)
– Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512)
– Existing root CA certificates may continue to use SHA-1

1st October 2014
– CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points

1st February 2015 ('sunset date')
– All issued SHA-1 end entity certificates should (not: must!) be expired or revoked

In case of new SHA-1 vulnerabilities, the above schedule may be revised.
SHA-2 readiness

Introduction of SHA-2 will be gradual
– Newly issued certificates will be mostly SHA-2
– It takes up to 13 months for the installed base to roll over, since end entity certificates live that long
– Some subscribers will continue to request SHA-1 for a while

Some CAs are SHA-2 capable, but their migration time line is not driven solely by us (i.e. some commercial CAs)
– Their time line is driven by their largest customer base
– All can do SHA-2 already; some do so on request (since non-grid customers do request SHA-2-only PKIs)
– It is because of these CAs that RPs have to be ready: when directives come from the CA/Browser Forum they will change, and do so quite irrespective of our time table!
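The "RPs have to be ready" point is easy to check on your own trust-anchor directory. The script below is an added example, not from the slides and not IGTF or EUGridPMA code: it uses only the Python standard library to read the signature algorithm OID of each certificate (and CRL) in a PEM bundle and rates each certificate against the dates of the time line on the previous slide. Real input would be the *.pem and *.r0 files under /etc/grid-security/certificates; the sample certificates here are constructed inside the script (structurally valid DER with a dummy key and signature, so they parse but do not verify), the verdict labels are my own naming, and the root-CA exemption is passed in by the caller because the script does not read basicConstraints.

```python
"""Relying-party readiness check: which digest signs each certificate / CRL,
measured against the IGTF SHA-2 time line. Standard library only; it parses
just enough DER to reach the fields it needs (added example, not IGTF code)."""
import base64
import datetime
import re

D = datetime.datetime

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (key family, digest)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("RSA", "SHA-1"),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256"),
    "1.2.840.113549.1.1.12": ("RSA", "SHA-384"),
    "1.2.840.113549.1.1.13": ("RSA", "SHA-512"),
    "1.2.840.10045.4.1": ("ECDSA", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ECDSA", "SHA-256"),
    "1.2.840.10045.4.3.4": ("ECDSA", "SHA-512"),
}
PHASE_OUT = D(2013, 10, 1)  # CAs should stop issuing SHA-1 EE certs by default
SUNSET = D(2015, 2, 1)      # all SHA-1 EE certs should be expired or revoked


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                                     # UTCTime: RFC 5280 two-digit year rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return D.strptime(s, "%Y%m%d%H%M%SZ")


def signature_hash(der):
    """(key family, digest) from the outer signatureAlgorithm; same shape for Certificate and CertificateList."""
    _tbs, (_, alg), _sig = _children(_tlv(der, 0)[1])
    return SIG_OIDS.get(_decode_oid(_children(alg)[0][1]), ("unknown", "unknown"))


def cert_validity(der):
    """(notBefore, notAfter) of a DER Certificate."""
    fields = _children(_children(_tlv(der, 0)[1])[0][1])       # tbsCertificate
    if fields[0][0] == 0xA0:                                    # explicit [0] version (v2/v3)
        fields = fields[1:]
    return tuple(_time(t, v) for t, v in _children(fields[3][1]))  # serial, sig, issuer, validity


def assess(der, is_root_ca=False):
    """Verdict for one certificate against the time line (existing root CA certs may stay SHA-1)."""
    if signature_hash(der)[1] != "SHA-1" or is_root_ca:
        return "ok"
    not_before, not_after = cert_validity(der)
    if not_after > SUNSET:
        return "sha1-past-sunset"
    if not_before >= PHASE_OUT:
        return "sha1-issued-after-phase-out"
    return "sha1-legacy"


def load_pem(text):
    """All PEM objects in text as (label, DER bytes); handles CERTIFICATE and X509 CRL alike."""
    blocks = re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", text, re.S)
    return [(label, base64.b64decode("".join(body.split()))) for label, body in blocks]


def inventory(pem_text):
    """One (label, 'family/digest', verdict) per object; CRLs are only checked for SHA-1."""
    rows = []
    for label, der in load_pem(pem_text):
        family, digest = signature_hash(der)
        verdict = assess(der) if label == "CERTIFICATE" else ("sha1-crl" if digest == "SHA-1" else "ok")
        rows.append((label, f"{family}/{digest}", verdict))
    return rows


# --- constructed test data (not real CA output): valid DER structure, dummy key and signature
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out += bytes(reversed(chunk))
    return _enc(0x06, out)


def _utc(d):
    return _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())


def make_cert(sig_oid, not_before, not_after):
    alg = _enc(0x30, _enc_oid(sig_oid) + _enc(0x05, b""))
    name = _enc(0x30, b"")                                      # empty Name, enough for structure tests
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + alg + name
               + _enc(0x30, _utc(not_before) + _utc(not_after)) + name + _enc(0x30, alg + _enc(0x03, b"\x00")))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00" * 9))      # dummy signature value


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"


SAMPLE_PEM = (  # constructed: one SHA-256 cert, one legacy SHA-1 cert, one SHA-1 cert still valid past the sunset date
    _pem("CERTIFICATE", make_cert("1.2.840.113549.1.1.11", D(2014, 1, 1), D(2015, 1, 1)))
    + _pem("CERTIFICATE", make_cert("1.2.840.113549.1.1.5", D(2012, 6, 1), D(2013, 7, 1)))
    + _pem("CERTIFICATE", make_cert("1.2.840.113549.1.1.5", D(2014, 3, 1), D(2015, 3, 1)))
)

if __name__ == "__main__":
    for row in inventory(SAMPLE_PEM):
        print(*row)
```

Point `inventory()` at the concatenated contents of a real certificates directory and the verdict column tells you which SHA-1 end entity certificates you will still meet after the phase-out and sunset dates; a "sha1-crl" row is expected until October 2014, since official CRL distribution points stay SHA-1 until then.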
Differentiated Assurance: IOTA Authentication Profile

IOTA profile

New IGTF Authentication Profile: IOTA, Identifier-Only Trust Assurance with Secured Infrastructure
– Lower level of assurance in identity vetting
– Compensated by more identity vetting by the VO or RP
A questionnaire has been produced to gather stakeholder requirements
See the AAI session held here at the EGI TF on Tuesday morning at 11:00 CEST.
Moving the bar towards differentiated assurance

The IOTA AP assurance level is different, and the rest must be taken up by somebody else.
Consider questions about
– Real names and pseudonyms
– Enrolling users in a community
– Keeping audit records in the VO
– Auditability and tracing
– Incident response
See the session on Identity Management!

Identity elements (from the slide diagram): identifier management; re-binding and revocation; binding to entities; traceability of entities; emergency communications; regular communications; 'rich' attribute assertions; correlating identifiers; access control.
Credential Repositories

Credential Repository plug

Did you know …
– … that the IGTF Private Key Protection guidelines allow for institutional and national credential repositories to manage user keys?
– … that the Credential Store Operations Guidelines give best current practice for running a trusted store?
– … that software to build (federated) credential repositories exists, such as MyProxy?
– … that there are easy ways to get (PKI) certificates through on-line CAs or the TERENA TCS in many countries?
Summary

Review the detailed summary at

Questions?