EUGridPMA status and updates David Groep, GGF18. EUGridPMA Status Update, TAGPMA Ottawa 2006 - 2 David Groep – Items  EUGridPMA.

Slides:



Advertisements
Similar presentations
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Apr 20 th, 2009.
Advertisements

1 ASGCCA Self-Audit Report APGridPMA Jinny Chien March
CNIC Grid CA/SDG CA Self Audit Kejun (Kevin) Dong Computer Network Information Center (CNIC) Chinese Academy of Sciences APGridPMA F2F.
1 REUNA Certificate Authority Juan Carlos Martínez REUNA Chile Rio de Janeiro,27/03/2006, F2F meeting, TAGPMA.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
CVE , lessons learned and actions David Groep, Nov 7 nd, 2008.
Certificate Path Building draft-ietf-pkix-certpathbuild-01.txt Peter Hesse Matt Cooper Yuriy Dzambasow Susan Joseph Richard Nicholas.
Updates from the EUGridPMA David Groep, Apr 8 nd, 2008.
Large-scale issuing of host certs in a member-integrated or institutional CA environment.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
The CA Distribution Process David Groep, July 2007.
Classic X.509 secured profile version 4.2 Proposed Changes David Groep, Nov 7 nd, 2008.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
NECTEC-GOC CA Self Audit 7 th APGrid PMA Face-to-Face meeting March 8 th, 2010 Large-Scale Simulation Research Laboratory Sornthep Vannarat Large-Scale.
Revocation in MICS §4.4 May 11-13, 2009 Zürich, Switzerland.
TERENA TF-EMC2 Workshop David Groep,
Updates from the EUGridPMA David Groep, July 16 st, 2007.
EUGridPMA Status, current trends and some technical topics March 2013 Boulder, CO, USA David Groep, Nikhef & EUGridPMA.
IHEP Grid CA Status Report Wei F2F Meeting 8 Mar Computing Centre, IHEP,CAS,China.
User Certificate Application: ASGCCA. Agenda Introduction ASGCCA User Responsibilities Certificate application form RA verify identity of users User generate.
Profile for Portal-based Credential Services (POCS) Yoshio Tanaka International Grid Trust Federation APGrid PMA AIST.
Sam Morrison APAC CA – APGridPMA - ISGC2010 APAC CA Self Audit and status update Sam Morrison ARCS.
KFKI RMKI CA Review EUGridPMA May 26-28, Copenhagen Szabolcs Hernáth MTA KFKI RMKI pki.kfki.hu.
European Grid Policy Management Authority. Event - 2/total Speaker Name – Coverage of the EUGridPMA Green: Countries with an accredited.
ESnet RAF and eduroam ™ Tony J. Genovese ATF Team ESnet/Lawrence Berkeley National Laboratory.
SHA-2, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
EUGridPMA Status, current trends and some technical topics March 2013 Taipei, TW David Groep, Nikhef & EUGridPMA.
International Grid Trust Federation Session GGF 20 Manchester, UK Wednesday, May CAOPS-WG session #2.
Discussions on the Life Ray Portal and credential management David Groep, Oct 11 th, 2011.
IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.
Updates from the EUGridPMA David Groep, May 9 st, 2007.
Updates from the European Side of the Pond David Groep, November 2006.
NECTEC-GOC CA The 3 rd APGrid PMA face-to-face meeting. June, Suriya U-ruekolan National Electronics and Computer Technology Center, Thailand.
EUGridPMA status and updates David Groep, TAGPMA Ottawa Summit 2006.
APGrid PMA face-to-face meeting, 9/16/2008 PRAGMA-UCSD CA Team Pacific Rim Application and Grid Middleware Assembly
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Community PKIs Initiatives Updates TF-EMC2 Meeting Loughborough, UK 6-7 May, 2009 Licia Florio, TERENA
0 NAREGI CA Status Report APGrid F2F meeting in Singapore June 4, 2007 Rumiko Masuko.
8-Mar-01D.P.Kelsey, Certificates, WP6, Amsterdam1 WP6: Certificates for DataGrid Testbeds David Kelsey CLRC/RAL, UK
12-Jun-03D.P.Kelsey, CA meeting1 CA meeting Minimum Requirements CERN, 12 June 2003 David Kelsey CCLRC/RAL, UK
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
TACAR Updates version David Groep, NIKHEF. 9 th EUGridPMA ‘RAL’ meeting – Jan David Groep – TACAR Aims  Trusted and.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America The Latin American Catch-all Grid Certification.
NIIF CA Status Update and Self-Audit Results 15 th EUGridPMA meeting Nicosia Tamás Máray NIIF Institute.
APGridPMA Update Eric Yen APGridPMA August, 2014.
Baltic Grid Certification Authority 15th EUGridPMA, January 28th 2009, Nicosia1 Self-audit Hardi Teder EENet.
TR-GRID CA Self-Auditing Results and Status Update EUGridPMA Meeting September 12-14, 2011 Marrakesh Feyza Eryol, Onur Temizsoylu TUBITAK-ULAKBIM
FP6−2004−Infrastructures−6-SSA [ Empowering e Science across the Mediterranean ] Rome, Tutorial for Certification Authority Managers,
BG.ACAD CA HTTP :// CA. ACAD. BG S ELF - AUDIT REPORT 2014 Vladimir Dimitrov IICT-BAS ( 32 nd EUGridPMA Meeting Poznan, 8-10.
QuoVadis accreditation with EuGridPMA Alessandro Usai
Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.
A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi.
18 th EUGridPMA, Dublin / SRCE CA Self Audit SRCE CA Self Audit Emir Imamagić SRCE Croatia.
Academia Sinica Grid Computing Certification Authority F2F interview (Malaysia )
EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,
UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.
HellasGrid CA self Audit. In general We do operations well Our policy documents need work (mostly to make the text clearer in a few sections) 2.
News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.
Updates of APGrid PMA 18 th EUGridPMA Meeting 18 th EUGridPMA Meeting 18 January, 2010 Eric Yen ASGCCA Taiwan.
15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK
Updates from the EUGridPMA David Groep, Oct 17 st, 2007.
29 th EUGridPMA meeting, September 2013, Bucharest AEGIS Certification Authority Dušan Radovanović University of Belgrade Computer Centre.
PKGrid CA Self-Audit 2012 Adeel-ur-Rehman Mansoor Sheikh.
AEGIS Certification Authority
Classic X.509 AP updates (v4.1)
EUGridPMA CAOPS-WG and IGTF Issues March 2013 Charlottesville, VA, USA David Groep, Nikhef, EUGridPMA, and EGI.
MaGrid CA Self audit and update
Emir Imamagić University Computing Centre (Srce)
Bill Yau HKU Grid Certificate Authority (HKU Grid CA) Self Audit & Status Report Bill Yau
BG.ACAD CA Self-audit report 2018
Presentation transcript:

EUGridPMA status and updates David Groep, GGF18

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Items  EUGridPMA latest overview  New CAs and issues emanating from them  Classic AP Update proposals

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Coverage of the EUGridPMA Green: Countries with an accredited CA  23 of 25 EU member states (all except LU, MT)  + AM,CH,HR,IL,IS,NO,PK,RU,TR,“SEE-catch-all” Other Accredited CAs:  DoEGrids (.us)  GridCanada (.ca)  CERN find-your-CA clickable map at

EUGridPMA Status Update, TAGPMA Ottawa David Groep – New applicants and updates Recently approved CAs:  SRCE Croatia  traditional classic CA Almost there  CERN-IS Upcoming:  Romania (ROSA) CA  EAGIS (Serbia)  ACAD.BG (Bulgaria) Modifications:  General trend: move to on-line CA with an off-line root  UKeScience CA  HellasGrid CA  AustrianGrid CA

EUGridPMA Status Update, TAGPMA Ottawa David Groep – CERN-IS CA Accreditation discussion  The CERN-IS CA is a stretch for the Classic Profile, but with appropriate interpretation of “should”s still ‘kind-of’ fits  issues long-term certs & host certs, so does not make SLCS either  new MICS profile seems a good fit  see Tony’s upcoming presentation  technical changes have been implemented to make the process secure and auditable  highly protected online-CA architecture was a hard requirement:  either a dedicated link between web front-end and HSM hosting system  or on the same but, but behind a two-layered firewall with a (monitored!) IDS on the segment  aim was to make sure that, in case of compromise, at least a list of ‘bad’ certs can be made in a reasonably tamper-proof way  specifics proposed in new draft of the Classic Profile  the EUGridPMA agreed in its F2F not to stall the accreditation of this particular CA while we are discussing new profiles

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Proposed Changes to the Classic AP  clarify process needed for violating a ‘ SHOULD ’  FQDN ownership  add the need to describe how subscriber status changes are communicated to CA/RA  time-separated identity-vetting info. protection/use **  list approve on-line CA architectures  the ‘tamper-proof log’ may be still impossible to implement, but a near-tamper proof log may be possible  refer to cert profile guidelines  clarify due-diligence for end-entities  take a string password  initiating revocation in a timely fashion see for the drafts

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: SHOULD  Latest proposed text (1 Introduction)

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: FQDN ownership  Latest proposed text (3.1 Identity Vetting)  Move the burden of description to the CP/CPS  per-CA implementation should be reviewed for adequacy by the PMA at accreditation time

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: subscriber status changes  Latest proposed text (3.1 Identity Vetting)  Intended to address periodic (yearly) checking by the RA whether the subscriber data are still correct. In case of SLCS or MICS this is likely done anyway, but in the classic case, contact between subscriber and CA/RA may be scarce  Leave precise definition out, but require description of the process in the CP/CPS  e.g. asking the RA at the yearly re-keying time whether he/she still knows about the subscriber…

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: identity magament systems for time-shifted vetting operation **  Latest proposed text (3.1 Identity Vetting)  text may be (more!) relevant to the proposed MICS profile  key element: IdM should be a highly trusted one at the organisation, and appropriately managed and kept up-to- date  face-to-face requirement is there, and for a reason! MOVE TO MICS

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: CSR linkage  Latest proposed text (3.1 Identity Vetting)  this text might have prevent the repeated discussion regarding ‘weakly-linked’ CSRs, where no shared data links the electronic CSR to the actual identity vetting

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: CA Architectures  Latest proposed text (4 Operational Requirements)  distinguish clearly between on- and off-line CAs, and make clear that both are allowed, definition of terms  needed to then describe pre-validated on-line architectures …

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: on-line CAs  Latest proposed text (4 Operational Requirements)  HSM FIPS level 3 operation (but certification statement accompanying the HSM may be level-2)  make clear that the highly-monitored environment must be reviewed and approved by the PMA  two pre-selected environments mentioned explicitly

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: on-line CA architectures  Latest proposed text (4 Operational Requirements)  Model A: HSM on a separate machine, not the (web) front- end, linked via a dedicated monitored network that only carries the signing requests (NIIF, CERN-IS)  Model B: HSM on the front-end, but the front-end isolated from the non-exclusive network by two firewalls, and the intermediate network link actively monitored with IDS capability (DoEGrids)  or come up with a new architecture, but you have some convincing of a PMA to do for the coming time …

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: tamper-proof log?  Latest proposed text (4 Operational Requirements)  intent of this proposal  there may (and likely will be) a compromise  if you log directly from the HSM to paper or WORM, at least you know which of the issued EE certs were involved in the compromise  this is also the reason for the complicated on-line architectures  (invisible) monitoring of the link between web front-end and signing system with HSM, capturing all signing requests sent across accomplished the same thing (i.e. using a fibre splitter at layer-1 and capturing all traffic)  that’s why the signing box should not be directly on a user- accessible network

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: Certificate Profile  Latest proposed text (4.3 Certificate and CRL Profile)  as we learned more about certs and our middleware, we now know better what to do and what to avoid  making ‘useless’ EE certs  does no good to no-one  causes problems in the CA distribution  overloads the support channels for both (grid) projects and the PMAs  guidance document draft available (target audience: IGTF and CAOPS-WG)

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Classic AP Update: Subscribers  Latest proposed text (9.1 Due diligence for EE)  incorporates some text moved from 4.4 (Revocation)  is not enforcible, but it’s also a pity to loose this guidance text

EUGridPMA Status Update, TAGPMA Ottawa David Groep – Profile Cleanup  Classic  MICS  SLCS  Aesthetically, a ‘matrix’ of 1.identity vetting requirements 2.physical

Q?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.