EUGridPMA Status and Current Trends and some IGTF topics March 2014 Taipei, TW David Groep, Nikhef & EUGridPMA.
Presentation transcript:


EUGridPMA Topics
- EUGridPMA (membership) status
- Risk Assessment Team
- IPv6 readiness and fetch-crl
- SHA-2 time line
- CA readiness for SHA-2 and 2048+ bit keys
- OCSP support
Documents and guidelines
- GFD.125bis
- Private Key Protection Guidelines v1.2
- IGTF Test Suite
- On on-line CAs and FIPS 140-2 level 3 HSMs
IOTA AP and RP Questionnaire

Geographical coverage of the EUGridPMA
25 of 27 EU member states (all except LU, MT)
+ AM, CH, DZ, EG, HR, IL, IR, IS, JO, MA, MD, ME, MK, NO, PK, RO, RS, RU, SY, TR, UA
+ CERN (int), DoEGrids (US)*, TCS (EU)
Pending or in progress: ZA, SN, TN, AE, GE

Membership and other changes
- Responsiveness challenges for some members: JUNET CA suspended; HIAST CA keeps running (albeit with some connectivity issues)
- CA reduction: more countries moved to TCS (IUCC IL, IE, …); DoEGrids and ESnet decommissioned (as of the 1.56 release)
- TCS tender ongoing, target start of the overlap period summer 2014
- New CA in Georgia (Tbilisi); potentially a lot from UbuntuNet
- Self-audit review: Kaspars Krampis as dedicated review process coordinator; self-audits progressing on schedule for most CAs; the biggest challenge is getting peer reviewers to actually review

Ongoing work items
- SHA-2
- Guideline document revision
- IPv6, RAT
- IGTF – 10 years from now

RAT challenge
Ursula Epting to conduct the challenge in early June against all CAs, with a timeline that takes time zones into account:
- 4th June: announcement of the test
- 18th June, 10.20 h: start of the test
- 20th June, 14.50 h: reminder for CAs that have not replied
- 21st June, 10.20 h: end of the test
Request: acknowledge receipt for each trust anchor

Results (2)
Furthermore 4 CAs replied later, after the official deadline.
So in the very end 13 % did not reply at all. This comes down to 11 CAs (with 'one CA' as 'one structure').
14.11.2018 Ursula.Epting@kit.edu

Resulting actions proposed
- 24% late (longer than 24 hr), 13% non-response
- Some non-response reasons clarified quickly: incorrect email address in the distribution (fixed); already in decommissioning mode; being located in conflict areas, at times near the FEBA
- For others, it correlates with known behaviour
- Re-challenge non- and late-responders again after the 1.55 distribution release fixing mail contacts (~ December 2013)
- For some, require in-person self-audit remediation

IPv6 status
- FZU runs a continuous v6 CRL monitor: http://www.particle.cz/farm/admin/IPv6EuGridPMACrlChecker/
- 23 CAs offer a working v6 CRL, but there are also 4 CAs that give an AAAA record but where the GET fails …
- Still 71 endpoints to go (but they go in bulk)
- dist.eugridpma.info can act as v6 source-of-last-resort
- fetch-crl v3.0.10+ has an explicit mode to force-enable IPv6, also for older perl versions: the option "--inet6glue" and the "inet6glue" config setting load the Net::INET6Glue perl module (if it is available) so that LWP uses IPv6 connections to download CRLs
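As an added example (not code from the slides, from the FZU monitor or from fetch-crl), the following Python script reproduces the check behind the v6 CRL monitor and the slide's three categories: no AAAA record, a working v6 CRL, and an AAAA record where the GET fails. It assumes plain-http CRL distribution points, as used in the IGTF distribution, and it classifies the response by shape rather than by HTTP status alone, so an HTML error page or captive portal answering over v6 does not count as success. The resolver and fetcher are injectable so the classification can be exercised offline; the hostnames and addresses used in the test are constructed.

```python
"""Classify CRL distribution points by IPv6 reachability.

Added example, not part of the EUGridPMA slides or of fetch-crl. The
categories mirror the three cases on the slide: no AAAA record, a CA
whose v6 GET works, and a CA that publishes an AAAA record but whose
CRL cannot be fetched over it.
"""
import http.client
import socket
from urllib.parse import urlsplit

NO_AAAA = "no-aaaa"                 # v4-only endpoint, nothing to test
V6_OK = "v6-ok"                     # a CRL was retrieved over IPv6
V6_BROKEN = "aaaa-but-get-fails"    # AAAA published, but the v6 GET fails


def resolve_aaaa(host):
    """Return the AAAA addresses for host (empty list if it has none)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_over_v6(url, addr, timeout=10):
    """GET url by connecting to the IPv6 literal addr; returns (status, body).

    Connecting to the literal forces the v6 path, much as fetch-crl's
    --inet6glue forces IPv6 in LWP; the Host header still carries the name.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("CRL distribution points are plain http")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection("[%s]" % addr, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def looks_like_crl(body):
    """Accept a DER SEQUENCE or a PEM-armoured CRL; reject HTML error pages."""
    return body.startswith(b"\x30") or b"-----BEGIN X509 CRL-----" in body


def classify_endpoint(url, resolve=resolve_aaaa, fetch=fetch_over_v6):
    """One of NO_AAAA, V6_OK or V6_BROKEN for a single CRL URL."""
    addrs = resolve(urlsplit(url).hostname)
    if not addrs:
        return NO_AAAA
    for addr in addrs:
        try:
            status, body = fetch(url, addr)
        except (OSError, http.client.HTTPException):   # refused, timeout, garbage
            continue
        if status == 200 and looks_like_crl(body):
            return V6_OK
    return V6_BROKEN


def survey(urls, resolve=resolve_aaaa, fetch=fetch_over_v6):
    """Map each category to the list of URLs that fall into it."""
    report = {NO_AAAA: [], V6_OK: [], V6_BROKEN: []}
    for url in urls:
        report[classify_endpoint(url, resolve, fetch)].append(url)
    return report


if __name__ == "__main__":
    import sys
    # usage: python crl_v6_check.py http://crl.example.test/ca.crl ...
    for category, found in survey(sys.argv[1:]).items():
        for url in found:
            print(category, url)
```

Run it over the CRL URLs from the `.crl_url` files of a trust-anchor directory to get the same three buckets the monitor reports; the V6_BROKEN bucket is the one to chase, since a client that prefers IPv6 will sit in a timeout there before falling back.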
SHA-2 readiness
For SHA-2 there are still a few CAs not ready:
- a few can do either SHA-2 or SHA-1 but not both, so they need to wait for software to be SHA-2-ready and then change everything at once
- a select few can do SHA-2 but their time line is not driven solely by us (i.e. some commercials): their time line is driven by their largest customer base
All can do SHA-2 (since non-grid customers do request SHA-2-only PKIs). It is because of these that RPs have to be ready: when directives come from the CA/Browser Forum they will change, and do it irrespective of our time table!
Keep in mind hardware issues, e.g. the old Aladdin eTokens (32K) do not support SHA-2.

SHA-2 time line (https://www.eugridpma…)
Now:
- CA certificates in the IGTF distribution and CRLs at official distribution points should use SHA-1
- CAs should issue SHA-1 end entity certificates on request
- CAs may issue SHA-2 (SHA-256 or SHA-512) end entity certificates on request
- CAs may publish SHA-2 (SHA-256 or SHA-512) CRLs at alternate distribution point URLs
1st December 2013:
- CAs should begin to phase out issuance of SHA-1 end entity certificates
- CAs should issue SHA-2 (SHA-256 or SHA-512) end entity certificates by default
1st April 2014:
- New CA certificates should use SHA-2 (SHA-512)
- Existing intermediate CA certificates should be re-issued using SHA-2 (SHA-512)
- Existing root CA certificates may continue to use SHA-1
1st October 2014:
- CAs may begin to publish SHA-2 (SHA-256 or SHA-512) CRLs at their official distribution points
1st February 2015 ('sunset date'):
- All issued SHA-1 end entity certificates should be expired or revoked
In case of new SHA-1 vulnerabilities, the above schedule may be revised.
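To check a CA's own artefacts against the readiness points and the time line above, here is an added example that is not part of the slides, of the IGTF Test Suite, or of any CA software. It is a pure-Python reader that pulls the outer signatureAlgorithm OID out of a DER or PEM certificate or CRL (both share the shape SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }), maps it to SHA-1 or SHA-2, and applies the dates from the slide. The sample DER used in the test is constructed: an empty tbs body under a real sha256WithRSAEncryption AlgorithmIdentifier. The outcome labels of assess() ('ok', 'phase-out', 'early', 'violation') are my own names for the slide's 'should' and 'may' wording, not IGTF terminology.

```python
"""Report the signature hash of certificates and CRLs against the SHA-2 time line.

Added example, not from the EUGridPMA slides or the IGTF Test Suite. The
parser walks only the outer DER structure shared by Certificate and
CertificateList, so it needs no external library; the policy dates are
the ones on the slide.
"""
import base64
import datetime
import re

# OID -> (name, hash family); values from PKCS#1 (RFC 3447/8017) and RFC 5758
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}

# Dates taken from the slide
EE_SHA2_DEFAULT = datetime.date(2013, 12, 1)
CA_CERTS_SHA2 = datetime.date(2014, 4, 1)
CRL_SHA2_OFFICIAL = datetime.date(2014, 10, 1)
SUNSET = datetime.date(2015, 2, 1)


def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Base-128 OID decoding; the first octet packs the first two arcs."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM (any BEGIN label, e.g. CERTIFICATE or X509 CRL) or raw DER."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def signature_oid(data):
    """Dotted OID of the outer signatureAlgorithm of a certificate or CRL."""
    tag, outer, _ = _tlv(pem_to_der(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _tlv(outer, 0)            # tbsCertificate / tbsCertList, skipped
    tag, algid, _ = _tlv(outer, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier without OID")
    return _decode_oid(oid)


def hash_family(data):
    """'SHA-1', 'SHA-2', or the bare OID when it is not in the table."""
    oid = signature_oid(data)
    return SIG_ALGS.get(oid, (oid, oid))[1]


def assess(kind, family, as_of):
    """kind: 'ee', 'intermediate', 'root' or 'crl'; as_of: date or ISO string.

    Returns 'ok', 'phase-out' (SHA-1 the time line says should be on its way
    out), 'early' (SHA-2 CRL before it may sit at the official URL) or
    'violation' (SHA-1 end entity certificate past the sunset date).
    """
    if isinstance(as_of, str):
        as_of = datetime.date.fromisoformat(as_of)
    if kind not in ("ee", "intermediate", "root", "crl"):
        raise ValueError("kind must be ee, intermediate, root or crl")
    if family == "SHA-1":
        if kind == "ee":
            if as_of >= SUNSET:
                return "violation"
            if as_of >= EE_SHA2_DEFAULT:
                return "phase-out"
            return "ok"
        if kind == "intermediate" and as_of >= CA_CERTS_SHA2:
            return "phase-out"            # should have been re-issued with SHA-512
        return "ok"                       # roots may keep SHA-1; CRLs stay SHA-1 until Oct 2014
    if kind == "crl" and as_of < CRL_SHA2_OFFICIAL:
        return "early"                    # SHA-2 CRLs belong at an alternate URL until then
    return "ok"


if __name__ == "__main__":
    import sys
    # usage: python sigalg.py ee cert.pem [more files...]
    kind, files = sys.argv[1], sys.argv[2:]
    for name in files:
        with open(name, "rb") as fh:
            fam = hash_family(fh.read())
        print(name, fam, assess(kind, fam, datetime.date.today()))
```

The reader looks only at the outer AlgorithmIdentifier, which is the one the RP's library verifies; the copy inside the tbs body must match it, and a mismatch there is itself worth flagging, but that is a separate check.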

On-line CA architecture - guidelines
EUGridPMA will (finally) draft the "On-line CA Guidelines", based on the current wording in the Classic profile:
- keep the network separation (models A or B, where A, with a private link between the RA and the signing system, is preferred)
- allow import of a key pair into a token (taking it out of FIPS 140-2 level 3 mode) as long as there is a well-documented key generation and import ceremony
- level 2 HSMs allowed if compensatory controls are in place; keeping tokens and their systems in a solid safe-box and in a closed and locked cabinet in a monitored machine room is considered adequate
- keys are permanently activated anyway, so level 3 mode (separate usage functions like generation or use) is not used for our purposes
- activation on boot should be manual (so the operator must be required to be present)

Identifier Only Profile (IOTA AP)
- background
- guideline document
- distribution

Why?
New use cases:
- data read-only access
- portals
- sharing between pre-trusted individuals or small groups
- pre-vetted infrastructures (XSEDE, WLCG)
The level is technology agnostic, and can be applied to X.509, OpenID Connect (OIC), WebSSO federations, &c; the X.509-specific stuff is minimal.

Differentiated LoA - collaborative identity vetting
Cater for those use cases where the relying parties (VOs) already collect identity data:
- this relying party data is authoritative and provides traceability
- the 'identity' component of the credential is not used
- through an authentication service that provides only persistent, non-reused identifiers
- traceability only at time of issuance
- naming can be real, pseudonymous, or set by-the-user-and-usually-OK
- retains good security for issuance processes and systems
- and where the RP will have to take care of all 'named' identity vetting, naming and contact details

Shifting responsibilities: a new Identity Assurance Level
Identity elements:
- identifier management
- re-binding and revocation
- binding to entities
- traceability of entities
- emergency communications
- regular communications
- 'rich' attribute assertions
- correlating identifiers
- access control

IGTF and other assurance levels (figure: my own personal classification of identity LoAs)

IOTA, a new Authentication Profile
The Identifier-Only Trust Assurance (IOTA) AP, endorsed at the IGTF All Hands: https://www.eugridpma.org/guidelines/IOTA/
- Unique persistent subjects, but naming can be a pseudonym or a non-verified name
- Targets federations: so the home organisation is well known, verified and traceable, with some traceability to the end-user
- For human people and robots, not hosts or services
- Distinct naming of entities (no 'auto-upgrade' to a higher LoA unless the original LoA was already high)
- IOTA is the new name for the Light-weight ID Vetting profile

IGTF Distribution
- Distribution would be through a separate 'bundle', next to 'classic', 'mics', 'slcs', and 'experimental'
- Note there never was an 'all' bundle, for this very reason
- RPs will have to make an explicit choice to accept this, but it is unclear how to distinguish users on resources based on the incoming identity LoA level
- Starts in 1.56 with an empty bundle
- Subject naming of IOTA must be different from your other CAs
More end-user explanations on Wednesday in the ISGC Ops & security track
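The 'distinct naming' requirement of the IOTA profile and the 'subject naming must be different from your other CAs' rule of the bundle both come down to one RP-side check: no subject namespace claimed by an IOTA CA may also be claimed by a classic, MICS or SLCS CA, otherwise a resource cannot tell the two assurance levels apart from the incoming DN and an 'auto-upgrade' becomes possible. As an added example (not from the slides and not part of the IGTF distribution or its tooling), the Python below reads the Globus-style signing_policy files that ship with each trust anchor and reports colliding namespace patterns between the IOTA bundle and the others. The three policy texts embedded are constructed samples, not real trust anchors, and the overlap test is a prefix-versus-glob approximation that is exact for the usual 'prefix/*' patterns.

```python
"""Check that IOTA subject namespaces do not overlap those of other CAs.

Added example, not from the EUGridPMA slides or the IGTF distribution. It
reads Globus-style signing_policy files and flags any namespace an IOTA
CA claims that a classic/MICS/SLCS CA also claims, which is the
precondition for an RP to tell the two assurance levels apart.
"""
import fnmatch
import re

_ACCESS = re.compile(r"^\s*access_id_CA\s+X509\s+'([^']*)'", re.M)
_COND = re.compile(r"^\s*cond_subjects\s+globus\s+'([^']*)'", re.M)


def parse_signing_policy(text):
    """Return (CA subject DN, [namespace patterns]) from a signing_policy file."""
    m = _ACCESS.search(text)
    if not m:
        raise ValueError("no access_id_CA line")
    patterns = []
    for cond in _COND.findall(text):            # '"/O=a/*" "/O=b/*"' -> two patterns
        patterns.extend(re.findall(r'"([^"]*)"', cond))
    return m.group(1), patterns


def _prefix(pattern):
    """Literal DN prefix before the first glob metacharacter."""
    cut = min((i for i, c in enumerate(pattern) if c in "*?["), default=len(pattern))
    return pattern[:cut]


def namespaces_overlap(a, b):
    """True if a subject could match both patterns (prefix-vs-glob approximation).

    Exact for the usual '/C=XX/O=Org/*' style: if the literal prefix of one
    pattern already matches the other, every name under it matches both.
    """
    return fnmatch.fnmatchcase(_prefix(a), b) or fnmatch.fnmatchcase(_prefix(b), a)


def find_overlaps(iota_policies, other_policies):
    """(IOTA CA DN, other CA DN, IOTA pattern, other pattern) for each collision.

    Each argument is a list of signing_policy file contents, e.g. everything
    in the 'iota' bundle versus everything in classic, mics and slcs.
    """
    iota = [parse_signing_policy(t) for t in iota_policies]
    other = [parse_signing_policy(t) for t in other_policies]
    hits = []
    for ica, ipats in iota:
        for oca, opats in other:
            for ip in ipats:
                for op in opats:
                    if namespaces_overlap(ip, op):
                        hits.append((ica, oca, ip, op))
    return hits


# Constructed sample policies (hypothetical CAs, not real IGTF trust anchors)
IOTA_OK = """access_id_CA  X509  '/C=NL/O=Example/CN=Example IOTA CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=NL/O=Example/OU=IOTA/*"'
"""
IOTA_BAD = """access_id_CA  X509  '/C=NL/O=Example/CN=Example IOTA CA 2'
pos_rights    globus CA:sign
cond_subjects globus '"/C=NL/O=Example/*"'
"""
CLASSIC = """access_id_CA  X509  '/C=NL/O=Example/CN=Example Classic CA'
pos_rights    globus CA:sign
cond_subjects globus '"/C=NL/O=Example/OU=Users/*" "/C=NL/O=Example/OU=Hosts/*"'
"""

if __name__ == "__main__":
    for hit in find_overlaps([IOTA_OK, IOTA_BAD], [CLASSIC]):
        print("OVERLAP: %s claims %s, but %s claims %s" % (hit[0], hit[2], hit[1], hit[3]))
```

In the sample, the first IOTA CA keeps to its own OU and is disjoint from the classic CA, while the second claims the whole organisation and therefore collides with both classic namespaces; an RP should refuse to install an IOTA anchor that produces such a hit, since its subjects could otherwise be mapped with classic-level privileges.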

IGTF Byline

IGTF in 10 years from now …
- Attributes and authorization are becoming more important: mere identity authentication is likely to become commonplace in the years to come (academic federations, commercial ID providers, etc.)
- But authorization, (community) assured attributes, and attribute composition are unsolved for research: the IGTF can reposition itself to address these new challenges
- Anyway, consolidation of federations in the research and academic space means that there need be less emphasis on the classical CA work

Already ongoing …
- AA Operations Guideline
- Guideline on Trusted Credential Stores
- IOTA as a basis for community-provided assurance

Beyond the current framing: IGTF as a brand, not an acronym
Proposal: IGTF be no longer considered an acronym, but be treated as a word, so that we can associate it with a more appropriate byline. Based on an extensive discussion by those present, it was concluded that a proposal be circulated to the other PMAs with a new 'byline':
IGTF: Interoperable Global Trust Federation supporting distributed IT infrastructures for research

If you concur …
- Revise the IGTF logo and its use on the website and in docs
- Revise the IGTF web site (already scheduled)
- Encourage wider participation in the IGTF, in particular by relying parties and infrastructures, with an emphasis on those having operational (security) aspects and/or representing relying user communities
- A role to play for 'catch-all' cases as well? Many of the current organisations and authorities also work 'bottom-up', serving limited numbers of researchers across a large number of institutions (with a few people each); this is not the traditional use case for R&E federations, but it is for commercial IdPs

IGTF Web Site
Ongoing, some changes already done. Proposed:
- the public-facing (RP, general public) function should be separated from any internal use: the primary audience is RPs and the 'general' public; it should include a section for 'our own' integral IGTF use with links, agenda, &c
- add an introduction for 'humans'
- links to interviews and (iSGTW-like) articles about the IGTF; everyone to send these to <webmaster@igtf.net>
- add a 'news' box with current information (to change monthly or so)
- make the map more prominent; the mini-map should link to a PMA page with a click-able map or membership list
- encourage TAGPMA and APGridPMA to maintain a list of their meetings that can be linked to

Upcoming meetings

EUGridPMA Agenda
- 31st PMA meeting: Tartu, EE, 14-15 May 2014
- TNC2014: 19-23 May 2014, Dublin, IE
- 32nd PMA meeting: 8-10 September 2014 (location tbd)
- 33rd PMA meeting: 12-14 January 2015, Berlin, DE (offered by DFN)