IGTF All-Hands Meeting

Presentation transcript:

APGridPMA Update
Eric Yen
IGTF All-Hands Meeting, ISGC2019, Taiwan
1 April 2019

General Status
- Chair and Vice Chair (2018.01-2019.12): Reelected at 20th APGridPMA F2F Meeting in Oct. 2017
  - Chair: Eric Yen (ASGCCA, Taiwan)
  - Vice Chair: Eisaku Sakane (HPCI CA, Japan)
  - Next Chair election will take place in the APGridPMA Fall 2019 meeting
- Routine Gathering
  - Spring: Together with ISGC in Taiwan
  - Fall: Collocated with e-Science or Networking events
  - Virtual meeting will be arranged upon request or whenever there is any issue in-between F2F meetings
- Self Auditing Report: Once a year for each member CA
- Regional Catch-All CA: ASGCCA, now supporting users through local RAs in PH, TH, ID, IN, MN, LK

Columns: CA, ccTLD, Self Audit, #valid Cert, IPv6, Remarks
AIST CA JP
APAC CA AU Withdrawn from Nov. 2013
APAC CA AU Services ended in Dec 31, 2012
ASGC CA TW Mar. 2018 153, 278, 14 Y Regional Catch-All CA; x.509 based SSO in AS
AusCert New national certificate services of AU (+NZ, FJ, PG)
CNIC CA CN Aug. 2015 21
SDG CA 2
HKU CA 5, 26, 1
HPCI CA Mar. 2017 206, 273 MICS; OCSP enabled; SSO
IGCA IN 134, 23
IHEP CA Aug. 2018 67, 41, 16
KEK CA Oct. 2017 167, 145 Support robot Cert and OCSP is Ready
KISTI CA KR 33, 28, 3 Renewed and back to service from June 2017
MYIFAM MY 11 National Fed IdM and Fed CA are ongoing; Eduroam, Shib
NCHC CA Withdrawn from Feb. 2015
NECTEC CA TH March, 2014 4, 13 Decommissioned from Jan 2017
NAREGI CA NAREGI CA 2.4, ended EEC issuance from Dec. 2014
PRAGMA-UCSD US Withdrawn from July 2014

11 Production CAs in 7 countries
v6 plan and CRL status

From Previous Meetings (Aug 2018)
- Federated Identity Management Activities Introduction
  - Federated Identity Management in SIFULAN Malaysian Access Federation, Hong Kong Access Federation and NZ Federated Identity Management service (TUAKIRI) were introduced
- CA Operation
  - Proposal for Remote Initial Identity Vetting with PKI credential approved at 21st APGridPMA meeting in ISGC2018
  - NAREGI-CA 2018 Autumn release, version 3.2.2, was released on 21 Sep. 2018 (version 3.2.1 was released on 25 Dec. 2017)
  - MICS CA Audit Checklist: NII (HPCI CA, JP) draft is reviewed based on IGTF LoA and PKI technology (ongoing)
  - CA Manager changed at KISTI CA and KEK CA
  - IPv6 CRL Distribution Point: Keep tracking
    - IPv4 Only: CNIC, IGCA, MyIFAM, SDG
  - Reorganising APGridPMA Website (in progress)
  - Improve the monitoring and warning services of CAs
  - CP/CPS changes: HKGridCA, IGCA
  - GARUDAINDIA2 root key roll-over in release 1.90 (March 2018)
  - HKU Grid CA will be included in release 1.92 (May 2018)

Remote ID Vetting and NAREGI-CA
- Proposal for Remote Initial Identity Vetting with PKI Credential
  - PoS(ISGC2017)009
  - Approved at 21st APGridPMA meeting in ISGC2018
  - NII (HPCI CA, JP) is considering the procedure for putting the proposal into practice: Changes in CP/CPS Manuals for IdM and CA
- NAREGI-CA 3.2.2
  - KEK CA and HPCI CA use the software package
  - Support ChaCha20 stream cipher, Poly1305 authenticator, RSASSA-PSS signature algorithm, and HMAC-based KDF
  - Conform to RFC 5915 that defines the syntax for an EC private key
  - Version 3.2.3 will be released soon and fixes EC private key handling in PKCS#8
  - Will support TLS 1.3 in the future release

About AusCERT CA

What are grid certificates?
Through the AusCERT CS, we are able to supply IGTF accredited grid server and grid end user certificates which are publicly trusted. QuoVadis is accredited through the EUGridPMA to supply grid certificates which have special fields that are relevant to grid resources. They are not for general use.

How do I order grid host (server) certificates?
Grid host certificates are just another type of SSL certificate. The process for ordering a grid host server certificate is the same for other SSL certificates. Administrators can invite Subscribers to apply for grid server certificates. The certificate request must then be approved by one of the Sub-LRA Administrators from the Subscriber's organisation before the certificate will be issued. Grid server certificates are only available to organisations that have advised AusCERT that they require grid server certificates; and can see the Grid Policy Template called "AusCERT Grid Server" from the list of available SSL policy templates. If this policy template is not available in your TrustLink account and you need it, please contact AusCERT CS. For further details of the process to obtain grid server (SSL) certificates refer to Appendix 1, page 22 of the QV Subscriber Guide.

How do I order grid personal (end user) certificates?
Before a grid-end user certificate can be issued, the applicant must have a face-to-face meeting with the Agent Administrator for their organisation (the SubLRA). The purpose of the face-to-face meeting is to enable the Agent Administrator to verify the applicant's identity documents match the person applying for the grid end user certificate. Specific details of the steps are outlined in the Handling Instructions on the Grid End User Certificate Application Form, which must also be completed, before the Agent Administrator facilitates access to the end user certificate.

Once the Agent Administrator and applicant have completed the form and had their face to face meeting, the Agent Administrator then logs into TrustLink and then clicks on the "Invite End User" link; and creates an invitation that is sent to the end-user which will allow them to apply for a grid-end user certificate. Once this invitation has been sent, no further approval is required by the Administrator; and the end-user will be issued the certificate once they have completed a few more details in TrustLink.

Source: https://cs.auscert.org.au/resources/faq/grid-certificates

From RA of New Zealand

Initially (~ 10 years ago, during the BeSTGRID project), we were rolling out Computational Grid with certificates issued by the Australian APAC Grid CA. When APAC (and ARCS) wrapped up, we switched to using ASGCCA certs - thanks for that. From about 2014, universities subscribing to the AusCERT certificate service offering started getting their Grid Certificates also via AusCERT - so from QuoVadis. However, institutions not subscribing to AusCERT still need other avenues - so they still use ASGCCA (this was the certificate for Plant and Food Research I was requesting recently).

Also, in about 2014, the computational grid was decommissioned and the only use of grid certificates is for Data Transfer Services (GridFTP, primarily via globus.org). Most of these services are operated via NeSI, where the primary host, The University of Auckland, subscribes to AusCERT, so all of NeSI services can use QuoVadis grid certs. Plant and Food Research is almost the only exception to that.

Research & Application Support
- Support AAI for research and e-Infrastructure
- Integration with local SSO and move to SAML-based authN
- inclusion/federation with OIDC
- APAN IAM: from EduRoam to eduGAIN
- Attribute and Metadata Sharing HPCI CA Use Case Collection and Study
- Will be included in the future APGridPMA meeting
- User Community Engagement
- Experiences learned from large-scale international HEP communities: LHC, Belle, AMS, KAGRA, etc.
- Extending to regional communities such as life science, astronomy, disaster mitigation, ecological/biodiversity monitoring, e-Culture, etc.
- Most APGridPMA members are interested in OIDC federation and AARC

Regional Identity Federation Activities Supported by APAN IAM
- Supporting Asian countries to develop their identity federations by knowledge/experiences sharing in federation technologies, practices, tools, resources and policies
- Establish local FedIdM and join eduGAIN is supported by APAN
- Internet2: INCOMMONS, TIER
- JISC: LIBERATE
- Uptake of ORCID
- Collect Requirements and Enhance the Practices
- Series of trainings and webinars have been implemented
- Primary advisors: AAF, REFEDS/Geant, JISC, etc.
- (APAN43, 2017) (APAN45, 2018)

Future Meetings
- 46th EUGridPMA: 20-22 May, 2019, Utrecht, NL
- TNC19: 16-20 June 2019, Tallinn, Estonia
- 24th APGridPMA:
  - Option1: APAN48 Meeting is a candidate: 22-26 July 2019, Putrajaya, Malaysia
  - Any other option?
- 25th APGridPMA: March 2020, Academia Sinica, TW