4th APGrid PMA F2F Meeting, Academia Sinica, Taipei, Taiwan, April 8, 2008. Agenda: http://www.apgridpma.org/meetings/index.html Call for note takers!

Presentation transcript:

Updates of the APGrid PMA and recap of the IGTF
Yoshio Tanaka, Chair, APGrid PMA / AIST

Asia Pacific Grid PMA
- General Policy Management Authority in Asia Pacific
  - Not specific for ApGrid, not specific for PRAGMA …
- Launched on June 1st, 2004
- Defines minimum CA requirements
  - Based on IGTF Classic AP maintained by EUGridPMA
- APGrid PMA approved that we accept two levels of CA:
  - Experimental-level CA
    - Alternative of the Globus CA
    - Can be trusted within A-P communities
  - Production-level CA
    - Strict management is necessary
    - Expected to be trusted by international communities
- Meetings
  - Regular VTC (every 3~4 months)
  - F2F meeting (once or twice a year)

Members (13 + 4)
- 9 Accredited CAs in operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), KISTI (Korea), NAREGI (Japan), NECTEC (Thailand)
- 3 CAs under review: NGO (Singapore), PRAGMA (USA), NCHC (Taiwan)
- Planning: ThaiGrid (Thailand), CDAC (India)
- General membership: Osaka U. (Japan), U. Hong Kong (China), U. Hyderabad (India), USM (Malaysia)

Scope of the APGrid PMA
- Manage the PMA membership
- Define charter and minimum CA requirements
- Publish related documents
- Maintain and revise the documents
- Accredit authorities with respect to the minimum CA requirements
- Coordinate auditing and re-certification of accredited authorities
- Monitor member CA signing namespaces
- Operate a secure collection point for information about accredited CAs
- Be primarily concerned with Grid communities in Asia Pacific, and their external partners

APGrid PMA responsibilities
- CP/CPS
  - Responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
- Other documents
  - Charter
  - Minimum CA requirements
  - Authentication Profiles

APGrid PMA responsibilities (cont'd)
- Accreditation
  - Accredit authorities according to the procedure defined in the charter.
- Audit
  - APGrid PMA is doing external auditing.
- Operation
  - Every CA must be responsible for its operation. The PMA is NOT an operation unit but a policy management authority.
- Obligation
  - All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.

General Architecture of the IGTF
- Member PMAs are responsible for accrediting authorities.
- The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
- Each AP is assigned by the IGTF to a specific member PMA.
  - Classic AP (EUGrid PMA)
  - Short Lived Credential Services (SLCS) AP (TAGPMA)
  - Member Integrated Credential Services (MICS) AP (TAGPMA)

General Architecture of the IGTF (cont'd)
- Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs.
- All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP will come into effect.
- Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
- Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

Requirements for accredited authorities
- Maintain at least one contact mechanism which must allow for un-moderated access to report problems and faults regarding the authority by the relying parties and general public.
  - This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
- Must disclose to the accrediting PMA and to the general public its documented policies and practices.

Implementation of the federation
- Each PMA maintains information on all accredited CAs:
  - Root certificate
  - CRL Distribution Point
  - Point of contact
  - Signing policy file
  - Pointer to the CP/CPS
- Information from all the PMAs is packed into a single tarball/RPM and distributed as an IGTF CA distribution.
  - No hierarchies. All accredited CAs are included in a flat structure.
  - Once you are accredited by the APGrid PMA, you are an IGTF-accredited CA.
- The IGTF CA distribution is released every few weeks.
  - David Groep notifies all member CAs of the plan for the new release to ask for reports of any updates.
  - Distribution frequency is flexible.
- The information is stored in the CVS repository maintained by the EUGrid PMA.
  - Yoshio, Mason, and Darcy have accounts on the CVS server.
  - If you have modified CA cert, etc., please let me know.
- The IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site.
  - APGrid PMA is planning to mirror the CVS server as well.
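In a flat structure with no hierarchy, the per-CA signing policy file is what bounds the subject names each CA may sign, which is also what makes namespace monitoring possible. The following is an added example, not part of the original slides or of any IGTF tooling: it parses a constructed policy in the Globus-style signing_policy layout (assumed here as the file format; the CA names and namespaces are invented) and flags CAs whose permitted namespaces overlap.

```python
import re

# Constructed sample in the Globus-style signing_policy layout; both CAs and
# their namespaces are invented for this example.
SAMPLE = """\
access_id_CA   X509    '/C=XX/O=Example Grid/CN=Example CA A'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=XX/O=Example Grid/*"'

# second CA, concatenated here to keep the sample in one string
access_id_CA   X509    '/C=XX/O=Example Grid/CN=Example CA B'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=XX/O=Example Grid/OU=Site B/*" "/C=YY/O=Other/*"'
"""

def parse_signing_policy(text):
    """Return {CA subject DN: [permitted subject patterns]}."""
    policies, ca = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        key, value = parts[0], parts[2].strip("'")
        if key == "access_id_CA":
            ca = value
            policies[ca] = []
        elif key == "cond_subjects" and ca is not None:
            # Patterns are double-quoted inside the single-quoted value.
            policies[ca] += re.findall(r'"([^"]+)"', value) or [value]
    return policies

def subject_allowed(policies, issuer_dn, subject_dn):
    """True if issuer_dn may sign subject_dn; only '*' acts as a wildcard."""
    for pattern in policies.get(issuer_dn, []):
        regex = re.escape(pattern).replace(r"\*", ".*")
        if re.fullmatch(regex, subject_dn):
            return True
    return False

def overlapping_namespaces(policies):
    """Conservative check: flag pattern pairs whose literal prefixes nest."""
    hits, items = [], sorted(policies.items())
    for i, (ca1, pats1) in enumerate(items):
        for ca2, pats2 in items[i + 1:]:
            for p1 in pats1:
                for p2 in pats2:
                    a, b = p1.split("*")[0], p2.split("*")[0]
                    if a.startswith(b) or b.startswith(a):
                        hits.append((ca1, p1, ca2, p2))
    return hits
```

The overlap check compares only the text before the first wildcard, so it can report pairs that a human reviewer then clears; it will not miss two CAs that can both sign the same subject.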

Chair's role
- A Point of Contact for the PMA
- Running the PMA meetings
  - Ensuring that all voting is recorded and published
  - Leads discussions
- Contributes to the IGTF
  - Attend meetings of EUGridPMA and TAGPMA
  - Attend OGF
  - Best effort basis
- Maintains the IGTF CA Distribution
  - Commit/delete/update files of APGridPMA-accredited CA
- Maintains web site
- Maintains ML

Businesses
- Chair election
- Next F2F meeting
  - September 2008, Singapore
- How to protect the ML from spam
- TACAR and PGP/Thawte key signing

7th TAGPMA Face-to-Face Meeting: TACAR Registration and Accreditation
Vinod Rebello and Mike Helm
NERSC, Oakland, CA, USA, April 2 – 4, 2008
The Americas Grid Policy Management Authority

TACAR
- The TERENA Academic CA Repository (TACAR) offers a trusted and centralized place where root CA certificates can be stored and safely downloaded.
- The only requirement to be part of TACAR is that the applying CA operates for the research and academic community.
- IGTF and TAGPMA approved third party repository

Joining TACAR
- Read Policy – currently version
- CA Manager should fill in the Letter of Registration (Annex I)
  – Contains info on the CA, Root certificate, location of CP/CPS and its PDF fingerprint
- The Letter of Accreditation needs to be signed by the head of the institution to which the CA is affiliated.
- Letters which are being provided for the first time must be validated via a face-to-face meeting between the representative(s) of the applying CA and a TACAR representative.

Required files
- Letters to be presented on paper (two copies of each) and in electronic (PDF) form on CD
- Also on CD
  – The detached PGP signatures of the two letters
  – PDF version of the CP/CPS
  – Root Certificate in PEM format
  – And their respective detached PGP signatures
  – Also the PGP Key

Trusted Introducer
- If you can't meet with Licia Florio in person, then talk to
  – Mike Helm
  – Yoshio Tanaka
- The TI is basically the TERENA RA.
- The TI will deliver all material collected to TERENA by using signed for the electronic information and postal mail or face-to-face meeting for the paper material.