News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.

Slides:



Advertisements
Similar presentations
© 2007 Open Grid Forum CAOPS-WG Christos Kanellopoulos - Yoshio Tanaka Security Area coordination & outreach OGF25, Catania March 2 nd – 3 rd, 2009.
Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
IGTF and SHA-2 David Kelsey TAGPMA meeting, SDSC Feb 2012.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
NENA Development Conference | October 2014 | Orlando, Florida Security Certificates Between i3 ESInet’s and FE’s Nate Wilcox Emergicom, LLC Brian Rosen.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
National Institute of Advanced Industrial Science and Technology Brief status report of AIST GRID CA APGridPMA Singapore September 16 Yoshio.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
TERENA TF-EMC2 Workshop David Groep,
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI Towards Differentiated Identity Assurance as a collaborative.
Ning Zhang, the University of Manchester, UK David Groep, National Institute for Nuclear and High Energy Physics, NL Blair Dillaway, OGF Security Area.
Updates from the EUGridPMA David Groep, July 16 st, 2007.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.
KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.
IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Community PKIs Initiatives Updates TF-EMC2 Meeting Loughborough, UK 6-7 May, 2009 Licia Florio, TERENA
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF EUGridPMA status update SHA-2, OCSP, and more David.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency.
APGridPMA Update Eric Yen APGridPMA August, 2014.
FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,
BG.ACAD CA HTTP :// CA. ACAD. BG S ELF - AUDIT REPORT 2014 Vladimir Dimitrov IICT-BAS ( 32 nd EUGridPMA Meeting Poznan, 8-10.
Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Introduction of SHA-2 in the EGI Infrastructure David Groep, EGI-IGTF Liaison.
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,
Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston )
IGTF Risk Assessment Team 5/11/091.
IGTF, WLCG, EGI and SHA-2 (and RFC proxies) David Kelsey (STFC-RAL and WLCG) TAGPMA meeting, Panama City Aug 2012.
PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL
Classic X.509 AP updates (v4.1)
EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI.
EUGridPMA Status and Current Trends and some IGTF topics March 2014 Taipei, TW David Groep, Nikhef & EUGridPMA.
SHA-2 Migration status David Groep Nikhef Nikhef, Amsterdam
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
and the SHA-1 depreciation time line and status
Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013
Presentation transcript:

News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News

Recent EUGridPMA meeting Jan 2013 hosted at GARR/CASPUR (Rome) Apart from routine business, topics discussed included – SHA-2 time line – CA readiness for SHA-2 and bit keys – OCSP support – MICS Profile and Kantara LoA-2 – Towards an LoA 1.x "light-weight" AP – Security Token Service profile – Private Key Protection Guidelines – IGTF Test Suite – On on-line CAs and FIPS level3 HSMs – Public Relations – IPv6 readiness – Risk Assessment Team 22/01/20132EUGridPMA News

Milan Sova (CESNET) - RIP 22/01/2013EUGridPMA News – 2012 A leader in global activities in Identity Management and many related areas An enormous loss to IGTF

SHA-2 timeline Was agreed at Sep 2012 EUGridPMA meeting – And subsequently discussed at OMB TAGPMA proposed some changes – Mainly clearer wording – But also extend the final sunset for SHA-1 by one month Now also approved by EUGridPMA 22/01/2013EUGridPMA News4

SHA-2 – Agreed IGTF timeline October 2012: CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1. CAs should issue SHA-1 end entity certificates on request. CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request. CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs. August 2013: CAs should begin to phase out issuance of SHA-1 end entity certificates. CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default. April 2014: New CA certificates should use SHA-2 (SHA-512). Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512). Existing root CA certificates may continue to use SHA-1. September 2014: CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points. October 2014: All issued SHA-1 end entity certificates should be expired or revoked. In case of new SHA-1 vulnerabilities, the above schedule may be revised. 22/01/2013EUGridPMA News5

Issue both SHA-1 and SHA-2 certs? Users and developers need to prepare for SHA-2 Could issue 2 certificates per request – Same key pair – But one signed with SHA-1 and one with SHA-2 Agreed that this would in general just confuse users – So NOT recommended, but is allowed If doing this dual issue – both certificates need to be revoked if the key pair is compromised – two different serial numbers MUST be used – it is more useful for intermediate certs if both are available – again with different serial numbers (for transition period) 22/01/2013EUGridPMA News6

SHA-2 CA readiness Still a few CAs not yet ready A few others can do either SHA-2 OR SHA-1 – but not both – they wait for their software to support SHA-2 Note: old Alladin eTokens (32k) do not support SHA-2 22/01/2013EUGridPMA News7

OCSP Online Certificate Status Protocol timely revocation information available to the RPs Moving towards deployment of this technology The way to deploy and use OCSP effectively is not always clear Two new discussion documents were prepared during the meeting – OCSP Profile For IGTF CAs – OCSP Deployment Guidelines 22/01/2013EUGridPMA News8

Towards LoA 1.x – “light weight” IGTF authn profile Some relying parties and communities – perform significant identity data collection themselves Recognise the need for an IGTF authentication profile – which does not duplicate the collection of that vetting data Core requirements on the CA stay the same – secured infrastructure – global uniqueness of naming across the IGTF – no re-use of issued identifiers some other elements of traceability and vetting can be supplied by other registration processes run by the relying parties themselves – E.g. PRACE where the sites do the registration of users anyway, and associate a cert with each vetted account Level of Assurance less than LoA level-2 (classic AP) but more than level-1 (e.g. OpenID) Work in progress 22/01/2013EUGridPMA News9

New Security Token Service profile More work in progress Generalise the SLCS profile – To include STS services like the one from EMI Convert credentials on the fly – E.g. SAML to X.509 WLCG Federated Identity Management pilot project (as part of FIM4R activity) relates 22/01/2013EUGridPMA News10

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.