Updates from the European Side of the Pond David Groep, November 2006.

Presentation transcript:

Updates from the European Side of the Pond David Groep, November 2006

3rd TAGPMA ‘Austin’ meeting – Nov David Groep –

Outline
- EUGridPMA constituency and status
- Classic secured X.509 Authentication Profile
- The TACAR Trusted Introducer
- Distribution site, the RPM repository, and fetch-crl

EUGridPMA members and applicants
Green: EMEA countries with an Accredited Authority
- 23 of 25 EU member states (all except LU, MT)
- + AM, CH, HR, IL, IS, NO, PK, RU, TR
Other Accredited Authorities:
- DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

The story so far …
Foundation of the IGTF allows migration of CAs to Regional PMA

Membership by type
- Under “Classic X.509 secured infrastructure” authorities
  - accredited: 38 (recent additions: CERN-IT/IS, SRCE)
  - active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)
- Under “SLCS”
  - accredited: 0
  - active applicants: 1 (SWITCH-aai)
- Under MICS draft
  - none yet of course, but actually CERN-IS would be a good match for MICS as well
- Major relying parties
  - EGEE, DEISA, SEE-GRID, LCG, TERENA

Developments in Europe
- SWITCH-aai
  - interfacing the national academic federation, based on Shibboleth, to the Grid world
  - the SLCS CA is part of this effort (but just phase 1) is planned to be in production by Q
- Confederation at the national level
  - national federations are being, or have been, implemented
  - codenamed eduGAIN, confederation uses ‘federation adapters’ to translate identities when crossing federation boundaries
  - policy coordination is now starting
  - eduroam has by now an (almost) agreed policy
- Implements key e-IRG recommendations in AA area

Classic X.509 AP updates (v4.1 β5)
Major points addressed
- explicit definition of what we mean by “should”
- FQDN “ownership”
- time-shifted identity vetting migrated to MICS draft AP
- maximum 5 years without a form of identity verification
- reformulated on-line CA architectures
- includes explicitly the two pre-vetted architectures
- keyUsage SHOULD (was MUST) be critical in CA certs
- compliance with Grid Certificate Profile draft (in OGF)
- due diligence for subscribers made explicit
and many grammar and spelling improvements

Classic v4.1b5 Updates (1)
- clearer definition of what we mean by should
- FQDN ‘ownership’
- A form of validation after at most five years
  - this has been buried in very old minutes and has now been made explicit

Classic v4.1b5 Updates (2)
- On-line CA architectures

Classic v4.1b5 Updates (3)
- On-line CA models

Classic v4.1b5 Updates (4)
- keyUsage extensions SHOULD be critical in a CA cert
  - this used to be a MUST, but that would unnecessarily exclude some commercial top-level CAs (e.g., NetTrust)
- Compliance with Grid Certificate Profile document
  - document is now in draft in the OGF CAOPS-WG
  - almost finished
  - embodies lots and lots of community knowledge on what a certificate ought to look like
  - read it before you set up a new CA, or regenerate a root cert, or think about an end-entity certificate profile
- Auditing: if you re-issue without a new identity vetting, you MUST keep the original records for at least as long as there are certs based on this vetting plus the default grace period

Classic v4.1b5 Updates (5)
- Due diligence for subscribers
- Still pending for a next version
  - some real insights in the necessary site security measures
  - certificate/CRL profile to be revised once the OGF document thereon is formally published
  - move of section 3.3 on removal of a CA to architecture (sec 2)

Classic AP v4.1 status
- version 4.1 beta-4 approved by AP and EU GridPMAs
- version beta-5 expected to be accepted by both as well
  - beta-5 had quite a few clarity improvements
  - real content changes deferred to new version 4.2 later
- It’s ready and on the web, waiting for your go-ahead

TACAR: the TERENA Academic CA Repository
- trusted and centralized place
  - where root CA certs can be stored and safely retrieved
  - which is policy-neutral (but ‘IGTF-ready’)
- for CAs
  - directly managed by TERENA members
  - belonging to a national academic PKI in member states
- for all CAs set up to support not-for-profit research, in which the academic community is directly involved

TACAR Policy and Update
- TACAR has been operational since early 2004
  - registration process is, rightfully, rigorous
  - updates via signed electronic messages
- the new registration policy (v1.4.3) adds concept of Trusted Introducers
  - this should enable smoother and faster registration with TACAR
  - proposed: one per PMA or similar body
- Also new web site for an extended audience
  - better support for end-users
  - ‘IGTF-ready’
  - download of PKCS#7 bundles on a per-Profile basis
- Policy currently in last call in TF-EMC2 and IGTF

IGTF Distribution in Other Formats
- Apart from validation via TACAR, the IGTF manages a distribution of all accredited authorities
  - formerly known as Anders’ RPM set, today also available as: JKS, tar-gz, configure && make, …
  - usually built by the EUGridPMA (me, actually)
  - mirrored twice-daily to the apgridpma.org site
  - copied and re-distributed by downstream software vendors (EGEE/LCG, VDT, …)
- also contains the fetch-crl utility (now at version 2.6.3)
- up till now, has available from

Planned Changes to the Repository
- migration to a separate (virtual) server and domain
  - better resilience against download (better redundant hardware)
  - separate it from more ‘complex’ parts of the web site, like the CDS agenda, using dedicated (virtual) machines
  - better resilience against registrar and TLD operator faults
- New planned location
  - plus of course the mirror location at
- more supported download interfaces: rsync
  - is operational already, but not yet announced
- will keep backward compatibility by deep redirection

Some dates for you to remember and schedule
- December 13, 2006 ‘Coseners’ accommodation deadline 9th EUGridPMA meeting
- January 15-17, th EUGridPMA meeting, Abingdon, UK (hosted by RAL)
- January 29 – Feb 2, 2007 – OGF 19 CAOPS, IGTF, OGSA-AuthN-BoF, …, Chapel Hill, NC, USA
- March 28-29, 2007: TF-EMC2, Florence, IT
- May and June 1, th EUGridPMA meeting, Istanbul, TR (hosted by ULAKBIM)