2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15. Wireless LAN SSID: PRAGMA11, WEP key: PRAGMA11JAPAN.

Presentation transcript:

Notes
- This room is basically NO FOOD and NO DRINK, but drink can be overlooked.
- We will have two coffee/tea breaks and a lunch break. Coffee/tea will be served in front of this room; lunch will be served in a different building.
- The PRAGMA Welcome Reception will start at 6:30pm at the Senri-Hankyu Hotel. The bus will depart here at 17:18.
- Agenda and materials are available on the web site at:
- Call for volunteers for taking minutes; native speakers are appreciated.

Recap of CA, PMA, and IGTF
2nd APGrid PMA F2F Meeting, Osaka University Convention Center, October 15
Yoshio Tanaka, APGrid PMA / IGTF Chair, AIST, Japan

Outline
- History and status of the PMA and IGTF
- Introduction of the APGrid PMA: activity, responsibility, obligation
- Introduction of the IGTF: activity, responsibility, obligation, relationship with the PMA
- Some notes for operating a certificate authority

Grid Security
- GSI is based on X.509 certificates and PKI.
- Most organizations are launching their own Certificate Authorities (CAs) for issuing end-entity certificates for users, hosts and services.
- Proxy Certificates (RFC 3820) for single sign-on and delegation.
- A Virtual Organization (VO) is implemented by federations of multiple security domains.

Grid Security (cont'd)
- The most popular multi-domain PKI architecture (in Grid) is cross-recognition.
- Independent CAs would somehow be licensed or audited by a mutually recognized trusted authority.
- e.g. AIST trusts the KISTI CA operated by KISTI, Korea; KISTI trusts the AIST GRID CA operated by AIST.
[Figure: many independent CAs, including the Globus CA, cross-recognizing one another]

Status and challenges
- Need AuthN and AuthZ federation within a VO, and between VOs.
- AuthN federation: the foundation for building/experimenting with Grids; need to coordinate security (CA) policies.
- AuthZ federation: still a grand challenge.
[Figure: CAs grouped under the EUGrid PMA, APGrid PMA and TAG PMA]
- A regional PMA is responsible for coordination of security policies within its region.
- The three PMAs compose the IGTF.

Target: AuthN federation
- Problems of authentication federations:
  - All CAs should keep the same level of operation. How is the CA securely operated? Use an HSM? A dedicated CA room? …
  - All CAs should have no conflict in policy. How does the CA identify end entities? Face-to-face meeting? Telephone? … etc.
- A Policy Management Authority (PMA) is a coordination body for CA policies and operations.

EUDG CACG was the pioneer
- The EU DataGrid in 2000 needed a PKI for the test bed: both end-user and service/host PKI.
- CACG (actually David Kelsey) had the task of creating this PKI.
- For Grid authentication only: no support for long-term encryption or digital signatures.
- A single CA was not considered acceptable: single point of attack or failure.
- One CA per country, large region or international organization; the CA must have a strong relationship with RAs.
- Some pre-existing CAs: a single hierarchy would have excluded existing CAs and was not convenient to support with existing software.
- A coordinated group of peer CAs was the most suitable choice.

EUDG CACG was the pioneer (cont'd)
- December 2000: First CA coordination meeting for the DataGrid project
- March 2001: First version of the minimum requirements; 5 CAs: France (CNRS), Portugal (LIP), Netherlands (NIKHEF), CERN, Italy (INFN), UK (UK eScience)
- December 2002: Extension to other projects: EU-CrossGrid

March 2003: The Tokyo Accord
- … meet at GGF conferences. … … work on … Grid Policy Management Authority: GRIDPMA.org
- Develop minimum requirements, based on EDG work
- Develop a Grid Policy Management Authority Charter [with] representatives from major Grid PMAs:
  - European Data Grid and Cross Grid PMA: 16 countries, 19 organizations
  - NCSA Alliance
  - Grid Canada
  - DOEGrids PMA
  - NASA Information Power Grid
  - TERENA
  - Asian Pacific PMA: AIST, Japan; ASCC, Taiwan

Status of PMAs
- Currently, there are three regional PMAs:
  - EUGrid PMA (established May 2004); former: EUDG WP6 CA Coordination Group (started in 2002)
  - TAG PMA; former: DOEGrid PMA (started in 2002)
  - APGrid PMA (established June 2004); unofficially started in 2003
- Each regional PMA is responsible for coordination of CA policy within the region, and coordination of CA policy with the other regional PMAs.
- The three PMAs are the founders of the International Grid Trust Federation (IGTF).

European Grid PMA
- Green: countries with an accredited CA: 23 of 25 EU member states (all except LU, MT), plus AM, CH, IL, IS, NO, PK, RU, TR, "SEE-catch-all"
- Other accredited CAs: DoEGrids (.us), GridCanada (.ca), CERN, ASGCC (.tw)*, IHEP (.cn)*
- * Migrated to APGridPMA per Oct 5th, 2005
Slide by courtesy of David Groep (EUGrid PMA chair)

The Americas Grid PMA
[Figure: map of TAGPMA members labelled CA or RP; 14 CAs, 7 Relying Parties. Labels as they survive: Argentina UNLP, Brazilian Grid CA, CANARIE, DOEGrids, EELA LA Catch all, ESnet/DOE Office Science, FNAL, Mexico UNAM, NCSA Classic SLCS, Purdue Univ., TeraGrid, REUNA Chilearn CA, TACC Root Classic SLCS, Venezuela, Univ. of Virginia, USHER, Dartmouth HEBCA, EELA, OSG, SDSC, SLCS, TeraGrid, THEGrid]

Asia Pacific Grid PMA
- General Policy Management Authority in Asia Pacific: not specific to ApGrid, not specific to PRAGMA, …
- Launched on June 1st, 2004
- Defines minimum CA requirements
- APGrid PMA approved that we accept two levels of CA:
  - Experimental-level CA: an alternative to the Globus CA; can be trusted within A-P communities
  - Production-level CA: strict management is necessary; expected to be trusted by international communities
- Two memberships: 13 ex officio members, 4 general members

Members (13 + 4)
- 9 Accredited CAs
  - In operation: AIST (Japan), APAC (Australia), ASGCC (Taiwan), CNIC (China), IHEP (China), KEK (Japan), KISTI (Korea), NAREGI (Japan)
  - Will be in operation: NCHC (Taiwan)
- 2 CAs under review: NECTEC (Thailand), NGO (Singapore)
- 1 CA will be ready for review soon: PRAGMA (USA)
- Planning: ThaiGrid (Thailand)
- General membership: Osaka U. (Japan), U. of Hong Kong (China), U. of Hyderabad (India), U. of Sains Malaysia (Malaysia)

History of IGTF activities
- Continuous discussions between AP, EU, and TAG PMA for the International Grid Trust Federation.
[Timeline figure, labels as they survive: GGF12 and EUGrid PMA, September 2004; March 2005; EUGridPMA, May 2005; June 2005; Oct: IGTF was officially launched; APGrid PMA F2F; Dec; Feb; TAGPMA, March 2006; May 2006; EUGridPMA, May 2006; July 2006; September 2006; EUGridPMA, September 2006; APGridPMA, October 2006]

Timeline
- March 2005: IGTF Draft Federation Document, GGF13
- July 27th: APGridPMA approved version 0.7
- September 28th: EUGridPMA approved version 0.9
- October 5th: TAGPMA approved version 1.0
- October 5th: formal foundation of the IGTF
Slide by courtesy of David Groep (EUGrid PMA chair)

Agenda
- IGTF Logo and style – Tony Genovese, LBNL/ESnet
- Updates from regional PMAs (5")
  – APGrid PMA (Yoshio)
  – EUGrid PMA (David)
  – TAGPMA (Darcy)
- Authentication Profiles
  – Member Integrated Credential Services AP (Tony) (10")
  – Classic AP Updates (David) (10")
  – Root Certificate AP (Yoshio) (5")
- Profile change process (Yoshio) (5")
- Business issues (Yoshio) (5")
  – Review of the mailing list
  – Distribution frequency
- AOB

Scope of the APGrid PMA
- Manage the PMA membership
- Define charter and minimum CA requirements
- Publish related documents; maintain and revise the documents
- Accredit authorities with respect to the minimum CA requirements
- Coordinate auditing and re-certification of accredited authorities
- Monitor member CA signing namespaces
- Operate a secure collection point for information about accredited CAs
- Be primarily concerned with Grid communities in Asia Pacific, and their external partners

APGrid PMA membership
- General membership: Osaka U., U. HongKong, U. Hyderabad, USM. No voting rights, no obligation.
- Ex officio membership: AIST, APAC, ASGCC, CNIC/SDG, IHEP, KEK, KISTI, NAREGI, NCHC, NECTEC, NGO, SDSC, Thai Grid. Voting right, and obligation to vote.

APGrid PMA responsibilities
- CP/CPS: responsible for supporting and auditing the development and maintenance of the CP/CPS for CAs in Asia Pacific.
- Other documents: Charter, Minimum CA requirements, Authentication Profiles.

APGrid PMA responsibilities (cont'd)
Accreditation Procedures
1. A prospective authority requests the PMA to be approved as a production-level CA.
2. The prospective authority sends the CP/CPS and the other related documents to the PMA.
3. The chair will ask two PMA members to review the CP/CPS in detail. All the other PMA members must review the CP/CPS as well. If the first version has obvious inconsistencies, the chair may defer appointing the referees until the appropriate changes have been implemented.
4. After sufficient iteration the CP/CPS is considered ready for presentation at the meeting.
5. At the meeting, it should be presented in person to the PMA.
6. Based on the comments by the assigned reviewers and the discussion in the meeting, the prospective authority may either be approved immediately by the PMA, or this may be deferred until the recommended changes are implemented.

APGrid PMA responsibilities (cont'd)
- Audit: APGrid PMA is doing external auditing. This is a unique activity, but the other two PMAs are interested in auditing.
- Operation: Every CA must be responsible for its operation. The PMA is NOT an operation unit but a policy management authority.
- Obligation: All PMA members are understood to represent the best interest of their national/regional communities and are expected to participate actively in the activities of the PMA.

General Architecture of the IGTF
- Member PMAs are responsible for accrediting authorities.
- The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
- Each AP is assigned by the IGTF to a specific member PMA:
  - Classic AP (EUGrid PMA)
  - Short Lived Credential Services (SLCS) AP (TAGPMA)
  - Member Integrated Credential Services (MICS) AP (TAGPMA)

General Architecture of the IGTF (cont'd)
- Proposed changes to an AP will be circulated to all chairs of the IGTF member PMAs.
- All of the PMA chairs, after approval by their PMA, are required to endorse the proposed changes before the modified AP comes into effect.
- Example: EUGridPMA proposed changes to the Classic AP and approved them at its last meeting. APGrid PMA will review the proposed new Classic AP at this meeting.

General Architecture of the IGTF (cont'd)
- Authorities accredited by a PMA are always subject to the policies and practices of a specific AP as decided by the accrediting PMA.
- Any changes to the policy and practices of an authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

Requirements for accredited authorities
- Maintain at least one contact mechanism which must allow for un-moderated access to report problems and faults regarding the authority by the relying parties and the general public. This point of contact shall be made known to the accrediting PMA and the IGTF for subsequent re-publishing.
- Must disclose to the accrediting PMA and to the general public its documented policies and practices.

Implementation of the federation
- Each PMA maintains information on all accredited CAs: root certificate, CRL Distribution Point, point of contact, signing policy file, pointer to the CP/CPS.
- The information from all PMAs is packed into a single tarball/RPM and distributed as the IGTF CA distribution.
  - No hierarchies: all accredited CAs are included in a flat structure.
  - Once you are accredited by the APGrid PMA, you are an IGTF-accredited CA.
- The IGTF CA distribution is released every three weeks. David Groep will notify all member CAs of the planned new release and ask for reports of any updates. The distribution frequency is flexible.
- The information is stored in the CVS repository maintained by the EUGrid PMA. Yoshio, Mason, and Darcy have accounts on the CVS server. If you have modified your CA cert, etc., please let me know.
- The IGTF CA distribution is available from the EUGrid PMA web site and the APGrid PMA web site. APGrid PMA is planning to mirror the CVS server as well.
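The distribution entries above include each CA's signing policy file, and the PMA scope includes monitoring member CA signing namespaces. As an added example (not code from the presentation, the IGTF or any PMA), this Python script parses a constructed Globus-style signing_policy file and checks a constructed set of issued-certificate subject DNs against the namespace each CA is permitted to sign, reporting any that escape it; the CA and subject DNs are illustrative, not a real CA's values.

```python
import fnmatch
import shlex

# Constructed sample in the Globus signing_policy format that IGTF CA
# distributions ship per CA (DNs are illustrative, not a real CA's values).
SAMPLE_SIGNING_POLICY = """\
# signing policy for a hypothetical accredited CA
access_id_CA   X509    '/C=JP/O=Example Grid/OU=GRID/CN=Example CA'
pos_rights     globus  CA:sign
cond_subjects  globus  '"/C=JP/O=Example Grid/OU=GRID/*" "/C=JP/O=Example Lab/*"'
"""

# Constructed (issuer DN, subject DN) pairs, as a relying party could
# extract from certificates it sees (e.g. openssl x509 -issuer -subject).
CA_DN = "/C=JP/O=Example Grid/OU=GRID/CN=Example CA"
SAMPLE_ISSUED = [
    (CA_DN, "/C=JP/O=Example Grid/OU=GRID/CN=Alice User"),
    (CA_DN, "/C=JP/O=Example Lab/CN=host/node01.example.org"),
    (CA_DN, "/C=KR/O=Other Org/CN=Bob User"),           # outside the namespace
    ("/C=XX/O=Unknown CA/CN=Rogue CA", "/C=JP/O=Example Grid/OU=GRID/CN=Mallory"),
]


def parse_signing_policy(text):
    """Map each access_id_CA DN to the subject globs it may sign (CA:sign only)."""
    policies = {}
    ca_dn, may_sign = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)          # keyword, type, value
        if len(parts) != 3:
            continue
        key, _type, value = parts
        if key == "access_id_CA":
            ca_dn, may_sign = value.strip("'"), False
            policies.setdefault(ca_dn, [])
        elif key == "pos_rights":
            may_sign = value == "CA:sign"
        elif key == "cond_subjects" and ca_dn and may_sign:
            # value is a single-quoted list of double-quoted glob patterns
            policies[ca_dn].extend(shlex.split(value.strip("'")))
    return policies


def subject_allowed(policies, issuer_dn, subject_dn):
    """True only if the issuer has a policy and the subject matches one of its globs.

    Matching here is case-sensitive; check your middleware's own comparison rules.
    """
    return any(fnmatch.fnmatchcase(subject_dn, pat)
               for pat in policies.get(issuer_dn, []))


def audit_namespace(policies, issued):
    """Return (issuer, subject) pairs that escape the issuer's signing namespace."""
    return [(i, s) for i, s in issued if not subject_allowed(policies, i, s)]


if __name__ == "__main__":
    found = audit_namespace(parse_signing_policy(SAMPLE_SIGNING_POLICY), SAMPLE_ISSUED)
    for issuer, subject in found:
        print("namespace violation:", issuer, "->", subject)
```

An issuer with no signing policy entry is treated as not permitted to sign anything, which is the conservative reading of a flat trust-anchor bundle.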

Implementation of the federation (cont'd)
- IGTF maintains mailing lists for announcements:
  - IGTF:
  - APGrid PMA:
  - EUGrid PMA:
  - TAGPMA:

Appendix: Issues to be considered for operating authorities
- Read the authentication profile and minimum CA requirements carefully.
- Design your CA (some of the issues that need to be considered):
  - Applicability of issued certificates
  - CA/RA responsibilities
  - Identity validation process of end entities
  - Implementation: structure of the CA (online or offline?), structure of the RA network, secure communication between RAs and the CA, web repository, archived logs
  - Properties of CA, user, host and service certificates and private keys: certificate DNs, certificate extensions

Appendix: Issues to be considered for operating authorities (cont'd)
- Draft the CP/CPS.
- Implement and operate the CA; it MUST COMPLY with the CP/CPS.
- The auditor is especially interested in:
  - How the lifecycle of certificates is kept secure: how a CSR is sent to the RA/CA; identity vetting (F2F); how the RA communicates with the CA; how the CA signing machine is securely administered (hardware, operation, CA private key); how the issued certificate will be sent to the end entity.
  - Are the archived logs enough to trace anything if something goes wrong?

Summary
- You are a member of the APGrid PMA as well as the IGTF.
- You have responsibilities as a member of the APGrid PMA and the IGTF.
- Your CA must be appropriately operated and comply with the CP/CPS.
- The PMA was developed based on a grass-roots approach, but it has become a globally-recognized organization.
- Your contribution is necessary for further development of the PMA and IGTF.