EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI.


Geographical coverage of the EUGridPMA
25 of 27 EU member states (all except LU, MT), plus AM, CH, DZ, HR, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA, CERN (int), DoEGrids (US)*, plus TCS (EU).
Pending or in progress: ZA, SN, TN, EG, AE.

Rome meeting results and issues (https://www.eugridpma.org/meetings/2013-01/)
SHA-2 time line (sunset date is now October 2014)
CA readiness for SHA-2 and 2048+ bit keys
OCSP support
MICS Profile and Kantara LoA-2
Towards an LoA 1.x "light-weight" AP
Security Token Service profile
Private Key Protection Guidelines
IGTF Test Suite
On on-line CAs and FIPS 140-2 level 3 HSMs
Public Relations
IPv6 readiness
Risk Assessment Team

SHA-2 readiness
For SHA-2 there are still a few CAs not ready. A few can do either SHA-2 or SHA-1 but not both, so they need to wait for the software to be SHA-2-ready and then change everything at once. A select few can do SHA-2, but their time line is not driven solely by us (i.e. the commercial CAs): their time line is driven by their largest customer base.
All can do SHA-2 (since non-grid customers do request SHA-2-only PKIs). It is because of these that RPs have to be ready: when directives come from the CA/Browser Forum they will change, and do it irrespective of our time table! It should be kept in mind that old Aladdin eTokens (32k) do not support SHA-2.

End of MD5
Some software stacks (NSS 3.14+, as shipped in RHEL 6.4) are now disabling MD5! This will create a nice mess, with several large CA roots still MD5-signed.
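The two slides above are about relying parties being able to tell what a certificate is signed with before a software stack decides for them. The following is an added example (not from the presentation or from the IGTF distribution) that reads the outer signatureAlgorithm OID of a DER certificate with a small hand-written TLV walker, so it runs without OpenSSL or the cryptography package, and maps it onto the MD5 / SHA-1 / SHA-2 status discussed on the slides. It goes slightly beyond the slides in also recognising the ECDSA signature OIDs. The certificates it inspects are constructed in the block itself (structurally valid DER around a dummy TBS and dummy signature); it does not verify any signature, only reports the hash named in the certificate.

```python
"""
Inspect which hash a DER-encoded X.509 certificate is signed with, without
external libraries: a minimal DER TLV walker skips tbsCertificate and decodes
the OID in the outer signatureAlgorithm. Added example; the certificate
builder at the bottom produces constructed samples, not real certificates.
"""

# Hash family of common signatureAlgorithm OIDs (RSA PKCS#1 v1.5 and ECDSA).
SIGNATURE_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def read_tlv(data, offset):
    """Read one DER element at offset; return (tag, content, offset after it)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def oid_to_str(content):
    """Decode OID content octets to dotted form (first octet packs arcs 1 and 2;
    joint-iso arcs of the form 2.x with x >= 40 are not needed here)."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit set on all but the last octet
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_hash(cert_der):
    """Hash family named in Certificate.signatureAlgorithm, or 'unknown:<oid>'."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = read_tlv(cert, 0)        # tbsCertificate, skipped as opaque
    _, alg, _ = read_tlv(cert, off)         # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    dotted = oid_to_str(oid)
    return SIGNATURE_HASH.get(dotted, "unknown:" + dotted)


def readiness(cert_der):
    """Map the hash family onto the migration status from the slides."""
    h = signature_hash(cert_der)
    if h == "md5":
        return h, "reject: MD5 is already disabled by stacks such as NSS 3.14+"
    if h == "sha1":
        return h, "migrate: SHA-1 sunset date is October 2014"
    if h.startswith("sha"):
        return h, "ok: SHA-2 family"
    return h, "inspect: unrecognised signature algorithm"


# --- constructed sample certificates (structurally valid DER, not real certs) ---

def der(tag, content):
    """Encode one TLV with definite length (short or long form)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def str_to_oid(dotted):
    """Inverse of oid_to_str, used only to build the samples."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def constructed_cert(sig_alg_oid):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    with a dummy TBS and dummy signature; only the algorithm OID is meaningful."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 200))  # forces a long-form length
    alg = der(0x30, der(0x06, str_to_oid(sig_alg_oid)) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAB" * 32)  # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, *readiness(constructed_cert(oid)))
```

To run it over a real certificate, pass the DER bytes (for PEM input, base64-decode the body between the BEGIN/END lines first) to readiness(). The walker deliberately treats tbsCertificate as opaque, which is all that is needed here; a full parser would also compare the inner tbsCertificate.signature field with the outer one, since RFC 5280 requires them to match.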

OCSP support
Two documents to guide its introduction:
a profile and guidance for RFC 5019 light-weight OCSP for CAs (CAs already deploying full RFC 2560 are not the audience): https://wiki.eugridpma.org/Main/OCSPProfileForIGTFCAs
a 'best practices' guide for RPs and their software developers on using OCSP information: https://wiki.eugridpma.org/Main/OCSPDeploymentGuidelines
The trade-off between pre-computed and on-demand signing of responses depends on the number of certs issued and the number of requests (the choice is not trivial ;-)

MICS and Kantara LoA2
"A primary authentication system that complies with the Kantara Identity Assurance Accreditation and Approval Program at at least assurance level 2, as defined in the Kantara IAF-1400 Service Assessment Criteria, qualifies as adequate for the identity vetting requirements of this Authentication Profile."
This clarifies the "should" mentioned several times in the second line of paragraph 3.1, as we have now interpreted it several times in this particular way (TCS eScience Personal, CILogon Silver).

PKP Guidelines v1.2
New text is now available at https://wiki.eugridpma.org/Main/PrivateKeyProtectionLifeCycle and https://wiki.eugridpma.org/Main/PrivateKeyProtectionRevised
The structure is different, but the currently allowed use cases are covered by the new text. A companion document on how to secure key stores (be they run by NGIs, CAs, home organisations, or anyone) should also be written. We expect the key stores to be run securely!

IGTF Test Suite
Actions decided:
each CA to send a URL to, or a sample of, end-entity certs: at least a personal cert and a server cert, and depending on the CA also a robot cert and/or a 'service' ("blah/") cert;
each CA to indicate some edge cases for their CA (use of colons, dashes, weird characters) and the parameter space of the subject naming;
known troublesome certs should be included.
Developed on the Wiki at https://wiki.eugridpma.org/Main/IGTFTestSuite, which now has some samples and conditions.
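The edge cases the test-suite slide asks CAs to report (colons, dashes, "weird characters", service-style names with a slash) are exactly what breaks naive subject-name handling in relying-party software. As an added example that is not part of the presentation or of the IGTF test suite itself, the block below parses RFC 4514 distinguished-name strings (the "CN=...,O=...,C=..." form) into RDNs, including escaped separators, multi-valued RDNs and hex-escaped UTF-8, and serialises them back so that a corpus of awkward names can be round-trip checked. The sample subjects are constructed for the example, not taken from any real CA.

```python
"""
Parse and re-serialise RFC 4514 distinguished-name strings so that awkward
subject names (escaped commas and plus signs, hex-escaped non-ASCII, slashes
and colons in service names) round-trip without loss. Added example; the
sample DNs in SAMPLES are constructed, not issued by any CA.
"""

HEX = "0123456789abcdefABCDEF"
SPECIAL = ',+"\\<>;='                     # characters that must be escaped inside a value


def parse_rfc4514(dn):
    """Return a list of RDNs; each RDN is a list of (attributeType, value) pairs."""
    rdns, rdn, buf, attr_type, i = [], [], bytearray(), None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.append(int(pair, 16))          # \XX hex escape: one raw UTF-8 byte
                i += 3
            elif i + 1 < len(dn):
                buf += dn[i + 1].encode("utf-8")   # \c escape: the character itself
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if c == "=" and attr_type is None:         # first '=' ends the attribute type
            attr_type, buf = buf.decode("utf-8").strip(), bytearray()
        elif c in ",+":                            # ',' ends the RDN, '+' only the attribute
            rdn.append((attr_type, buf.decode("utf-8")))
            attr_type, buf = None, bytearray()
            if c == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf += c.encode("utf-8")
        i += 1
    rdn.append((attr_type, buf.decode("utf-8")))
    rdns.append(rdn)
    return rdns


def escape_value(value):
    """Escape a value per RFC 4514 section 2.4 (specials, leading space/#, trailing space)."""
    out = []
    for idx, ch in enumerate(value):
        leading = idx == 0 and ch in " #"
        trailing = idx == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in SPECIAL or leading or trailing else ch)
    return "".join(out)


def to_rfc4514(rdns):
    """Serialise the structure produced by parse_rfc4514."""
    return ",".join("+".join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in rdns)


# Constructed sample subjects covering the edge cases a test suite should include.
SAMPLES = [
    "CN=Jane\\, Doe+UID=42,O=Ex\\+Ample,DC=example,DC=org",   # escaped comma and plus, multi-valued RDN
    "CN=ldap/host.example.org:636,O=Dash-Org,C=NL",           # service-style CN with slash and colon
    "CN=Ren\\C3\\A9 M\\C3\\BCller,O=Example,C=DE",            # hex-escaped UTF-8
]


def check_roundtrip(dn):
    """True when parse -> serialise -> parse reproduces the same RDN structure."""
    parsed = parse_rfc4514(dn)
    return parse_rfc4514(to_rfc4514(parsed)) == parsed


if __name__ == "__main__":
    for dn in SAMPLES:
        print(check_roundtrip(dn), parse_rfc4514(dn))
```

The parser is deliberately lenient where a CA's output is likely to be sloppy (an unescaped '=' inside a value is kept literally, and whitespace around the attribute type is trimmed), while the serialiser is strict, so feeding each CA's reported edge cases through check_roundtrip() shows which names survive a parse-and-reprint cycle and which need attention.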

HSMs at level 3 for on-line CAs
"Inspired by the idea of NIIF for building an on-line CA based on a low-power Raspberry Pi and a level-3 HSM in USB format, a discussion emerged on whether it is possible to have enough compensatory controls around a level-2 HSM to make the risk comparable to the current off-line CA or level-3. It is not entirely clear which elements of level-3 improve the risk resilience when compared to an off-line classic CA."
We think it is worthwhile doing the risk analysis compared to the off-line classic CA, and, if the risk is comparable, allowing the use of L2 HSMs or eTokens in conjunction with compensatory controls like a safe. We propose to discuss this with the TAGPMA and APGridPMA and to have a discussion at the IGTF All Hands in La Plata (October 2013).

PR!
For the world at large our work and progress are not necessarily clear. The article in ResearchMedia is not enough. In particular the wider scope and new direction should be emphasized. Papers (academic and PR) are encouraged so that we more clearly demonstrate usefulness and relevance -- and thus may get fewer questions on this issue!

IGTF RAT
Ursula will be coordinating the communications challenges to the CAs and the internal (encrypted) mailing list.

Live AP
Dedicated discussion!

Agenda
28th PMA meeting: Kyiv, UA, 13-15 May 2013
29th PMA meeting: Bucharest, RO, 9-11 Sept 2013